path: root/tests/chains
Commit message | Author | Age | Files | Lines
* Bug 1750624 - Pin validation date for PayPalEE test cert. r=nss-reviewers,bbeurdouche,rrelyea
  Author: John M. Schanck; Age: 2022-02-05; Files: 2; Lines: -1/+6
  Differential Revision: https://phabricator.services.mozilla.com/D136289
* Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyea
  Author: Kevin Jacobs; Age: 2021-01-23; Files: 1; Lines: -2/+10
  Differential Revision: https://phabricator.services.mozilla.com/D102670
* Bug 1537927 - IPsec usage is too restrictive for existing deployments
  Author: Robert Relyea; Age: 2019-03-21; Files: 1; Lines: -0/+88
  try: -p linux64,linux64-fuzz -u gtest -t clang-format,scan-build
  Differential Revision: https://phabricator.services.mozilla.com/D24399
* Bug 1523484 - do not treat CN as DNS name for non-server certs, r=ueno
  Author: Fraser Tweedale; Age: 2019-02-06; Files: 1; Lines: -0/+9
  libpkix, when validating a leaf certificate against the CAs' name constraints, treats the Subject DN CN attribute as a DNS name. This may be reasonable behaviour for server certificates, but does not make sense for other kinds of certificates (e.g. user certificates, OCSP signing certificates, etc.) Update the libpkix name constraints checker to only treat the CN as a DNS name for server certificates (i.e. when id-kp-serverAuth is asserted in the Extended Key Usage extension). For compatibility, the behaviour is unchanged (i.e. CN is still treated as a DNS name) when the certificate does not have an Extended Key Usage extension.
* # Bug 1252891 Implement certUsageIPSec as defined in RFC 4945
  Author: Robert Relyea; Age: 2018-11-09; Files: 3; Lines: -0/+76
  Patch by Kai r=rrelyea
* Bug 1505317, update PayPal test certs, r=franziskus
  Author: Daiki Ueno; Age: 2018-11-07; Files: 1; Lines: -1/+1
* Bug 1488148 - Rework CI images, r=jcj
  Author: Martin Thomson; Age: 2018-09-03; Files: 1; Lines: -6/+6
  This does some fairly major restructuring of the docker images we use for CI. The genesis of the change is that we were pulling a version of clang that didn't work for fuzzing tests. It turns out that is a use case that is not well-supported anyway, and we have open bugs on it, but this installs workarounds for all the problems I found.

  Firstly, our images were bloated. This slims down most of the images. The biggest gains are in the clang-format image (down to around a fifth of its previous size). The main linux image we use for building and running tests is also less than half its original size.

  To achieve that, I had to make two new images. One for all the esoteric builds we run (we compile with multiple gcc and clang versions, and I've added some more to that list). That's a fairly sizeable image. The other is for the interop and bogo suites, where we rely on having Rust and go available. go adds a tidy 250Mb to an image, and Rust adds 750Mb. Using an image with both of those for regular builds can't be good for performance.

  I didn't expect to see real performance gains here, but the Linux build (32-bit, default config) went from 4:18 down to 2:42 (roughly). The bulk of that time is accounted for by downloading the docker image, so it's clear that an optimization worth spending the time on.

  Secondly, we had a lot of custom configuration stuff in the builds. This removes most of that in favour of using stock Ubuntu packages from 18.04.

  The one exception here is - I hope - temporary. As noted in the bug comments, the current release of LLVM 6 has a bug where you can't run address sanitizer on a 32-bit machine if it has glibc 2.27 (which Ubuntu 18.04 does). That's fairly crippling because we need a newer version of LLVM than runs by default on Ubuntu 16.04, so we're stuck with installing a non-stock version for 32-bit runs. I've opted to (temporarily) run 16.04 with an LLVM from the LLVM project.

  The final change, which is minor, but a little odd and worth noting: the images now rely on "localhost.localdomain" being aliased to the local machine. This is something :wcosta has done for us (thanks!). Thus, we no longer have to run as root so that we can tweak /etc/hosts before we run. There is a little cleanup related to this, but nothing significant. (The scripts still include the `su worker` tweak for aarch64, but I've added a guard and we can remove that with bug 1488325.)

  There is still more work to be done for the HACL* and SAW builds, which use some very strange configurations. Also, all of the aarch64 images aren't built automatically, so we use images from Franziskus' dockerhub account. This is not good. After digging around a little, there's probably something to be done with QEMU, but I decided that was a project for another time.
* Bug 1227795 - allow disabling tests using pkix; add TC build, r=ttaubert
  Author: Franziskus Kiefer; Age: 2016-06-27; Files: 1; Lines: -2/+4
* Bug 1151037 - Expired nss/test/libpkix/certs/PayPalEE.cert, r=bustage
  Author: Kai Engert; Age: 2015-04-09; Files: 1; Lines: -1/+1
* Bug 863076 - Some NSS files still contain the old triple license, r=gerv
  Author: Kai Engert; Age: 2015-01-19; Files: 1; Lines: -44/+3
* Bug 1057161 - NSS hangs with 100% CPU on invalid EC key. r=rrelyea
  Tag: NSS_3_17_2_BETA1
  Author: Richard Barnes; Age: 2014-09-30; Files: 1; Lines: -0/+0
* Bug 1028647: Fix comments in test scripts. r=cviecco.
  Author: Wan-Teh Chang; Age: 2014-06-26; Files: 1; Lines: -1/+1
* Bug 952572, Hard code ANSSI(DCISS) to french gov dns space, r=kaie
  Tag: NSS_3_16_1_BETA1
  Author: Camilo Viecco; Age: 2014-04-08; Files: 1; Lines: -0/+8
* Bug 743700: Enforce name constraints for root certificates, r=rsleevi
  Tag: NSS_3_16_BETA1
  Author: Camilo Viecco; Age: 2014-02-05; Files: 1; Lines: -0/+25
* Bug 962760: Fix handling of CN when processing name constraints in libpkix, r=rsleevi, r=wtc
  Author: Camilo Viecco; Age: 2014-02-03; Files: 1; Lines: -0/+106
* Bug 436414, bustage fix, long hostnames, allow pp to not wrap the OCSP URL, TBR=rrelyea
  Author: Kai Engert; Age: 2013-10-08; Files: 1; Lines: -2/+2
* Bug 436414, bustage fix, regular expression to extract port number failed if hostname contains a digit
  Author: Kai Engert; Age: 2013-10-08; Files: 1; Lines: -1/+2
* Bug 436414, support OCSP via HTTP GET. Part 2, local testing. r=rrelyea
  Author: Kai Engert; Age: 2013-10-08; Files: 6; Lines: -88/+242
* BUG 856060: Enforce nameConstraints on the commonName in libpkix mode when no SAN is present.
  Author: Ryan Sleevi; Age: 2013-06-11; Files: 2; Lines: -0/+23
  Strictly speaking, this is not required by RFC 3280/5280, but reflects a common approach of ensuring that "DNS-like" names are appropriately constrained by nameConstraints. This should never happen in the real world, due to the CA/Browser Forum's Baseline Requirements always requiring a SAN.
* Bug 845556, reorganize NSS directory layout, moving files, very large changeset! r=wtc
  Author: Kai Engert; Age: 2013-02-28; Files: 25; Lines: -0/+3691