gecko-dev/build/pgo/certs
J.C. Jones 6fad8e3ff1 Bug 1441338 - Change pgo certificates to use certspec/keyspec files r=keeler r=franziskus
(This also fixes Bug 879740 and Bug 1204543.)

build/pgo/certs contains an NSS database set that has a bunch of hand-generated
certificates, and many of these hand-generated certificates are specifically
depended upon for a variety of unit tests. This patch changes all of these to
use the "pycert.py" and "pykey.py" utilities that produce deterministic keys
and certificates.

The naming convention here is new, and defined in the README. It is based on
the mochitest runtest.py naming convention that imports .ca and .client
PEM-encoded certificates.

Unfortunately, the updates to build/pgo/genpgocert.py to generate these files
depend on OpenSSL in order to produce PKCS12 archives for pk11tool to import
into NSS. This could be done with pure-NSS tooling, but it'd require some new
command line functionality, which is out-of-scope for this change.

Note that build/pgo/genpgocert.py no longer takes arguments when run. It's not
run automatically anywhere that I can see, but could (reasonably) be, now.

Differential Revision: https://phabricator.services.mozilla.com/D971

2018-04-23 11:14:17 +02:00
Files in build/pgo/certs (all last changed by the commit above, 2018-04-23 11:14:17 +02:00):

  README
  alternateroot.ca
  alternateroot.ca.keyspec
  alternateroot.certspec
  bug413909cert.certspec
  cert9.db
  dynamicPinningBad.certspec
  dynamicPinningBad.server.keyspec
  dynamicPinningGood.certspec
  escapeattack1.certspec
  evintermediate.ca
  evintermediate.ca.keyspec
  evintermediate.certspec
  expired.certspec
  imminently_distrusted.certspec
  key4.db
  mochitest.certspec
  mochitest.client
  mochitest.client.keyspec
  pgoca.ca
  pgoca.ca.keyspec
  pgoca.certspec
  selfsigned.certspec
  sha1_end_entity.certspec
  sha256_end_entity.certspec
  staticPinningBad.certspec
  staticPinningBad.server.keyspec
  unknown_ca.certspec
  untrusted.certspec
  untrustedandexpired.certspec

README

The certificate authority and server certificates here are generated by
$topsrcdir/build/pgo/genpgocert.py.

You can regenerate the certificates by running:

  ./mach python build/pgo/genpgocert.py

To add a new CA, add a ${cert_name}.ca.keyspec as well as a corresponding
${cert_name}.certspec to this folder.

To add new server certificates, add a ${cert_name}.certspec file to this folder.
If it needs a non-default private key, add a corresponding
${cert_name}.server.keyspec.

For new client certificates, add a ${cert_name}.client.keyspec and corresponding
${cert_name}.certspec.

This naming convention exists because the generated ".client" and ".ca" PEM
files need to be copied into this folder for Mochitests' runtests.py to import.

Running genpgocert.py modifies cert9.db and key4.db. Commit those changes as
well.

Specific notes for certs:

  dynamicPinningGood: Changing this keyspec will require changing
  browser/base/content/test/general/pinning_headers.sjs . You can obtain a new
  valid pin via:

  certutil -L -d . -n dynamicPinningGood -r | openssl x509 -inform der -pubkey \
  -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary \
  | openssl enc -base64
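As an added illustration (not part of this README or of genpgocert.py), the same pin computation in Python: it takes the PEM public key that the `openssl x509 -pubkey -noout` stage of the pipeline above prints and returns base64(SHA-256(DER SubjectPublicKeyInfo)), the value pinning_headers.sjs expects, so a changed keyspec can be checked against the pin file without re-running the whole pipeline. The minimal DER encoder, `rsa_spki_der`, and `SAMPLE_MODULUS` are constructed here only so the block runs stand-alone; they are not a real key.

```python
import base64
import hashlib
import hmac
import re

def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def der_integer(value):
    # One extra byte so a set high bit gets a leading 0x00 and the INTEGER stays positive.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_spki_der(modulus, exponent):
    """SubjectPublicKeyInfo for an RSA key: rsaEncryption OID + NULL params, then RSAPublicKey."""
    alg_id = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    rsa_pub = der(0x30, der_integer(modulus) + der_integer(exponent))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits

def der_to_pem(spki):
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def pem_to_der(pem):
    """Parse the PUBLIC KEY block that `openssl x509 -pubkey -noout` prints."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def spki_pin_sha256(spki):
    """The pin value: base64(SHA-256(DER SubjectPublicKeyInfo)), as in the certutil/openssl pipeline."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def pin_from_pem(pem):
    return spki_pin_sha256(pem_to_der(pem))

def check_pin(pem, expected_pin):
    """Constant-time check of a freshly computed pin against the one kept in pinning_headers.sjs."""
    return hmac.compare_digest(pin_from_pem(pem), expected_pin)

# Constructed sample key (not a real or test-suite key); a short modulus just exercises the encoder.
SAMPLE_MODULUS = 0xC0FFEE0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
SAMPLE_PEM = der_to_pem(rsa_spki_der(SAMPLE_MODULUS, 65537))
```

Feed `pin_from_pem` the saved PEM output of the `openssl x509 -pubkey -noout` stage and compare the result with the pin currently in pinning_headers.sjs via `check_pin`.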