SecurityEngineering/mozpkix-testing: Difference between revisions
mNo edit summary |
|||
| Line 16: | Line 16: | ||
#* After downloading, extract and run this debug browser, which will be called FirefoxNightlyDebug. | #* After downloading, extract and run this debug browser, which will be called FirefoxNightlyDebug. | ||
# Flip switch to enable mozpkix verification | # Flip switch to enable mozpkix verification | ||
#* | #* Open about:config in Firefox, http://kb.mozillazine.org/About:config | ||
# Restart FirefoxNightlyDebug | #* Add a new Boolean Preference "security.use_insanity_verification" | ||
#* Add a new Boolean Preference "security.use_libpkix_verification" | |||
#* To test mozpkix for both non-EV and EV certificates, set both of these preferences to 1 (true). | |||
# '''Restart''' FirefoxNightlyDebug | |||
# Browse to various websites with known valid and expired/revoked/etc SSL certificates. | # Browse to various websites with known valid and expired/revoked/etc SSL certificates. | ||
# If | # If you don't get the expected result, then compare with a current Firefox release to see if result is same or different. | ||
# If issue | # If you find an issue, please file a Bugzilla bug (https://bugzilla.mozilla.org/enter_bug.cgi) with Product= ? and Component= ? | ||
== Request for Code Review == | == Request for Code Review == | ||
Revision as of 23:16, 18 March 2014
MozPKIX
NSS provides a robust implementation and API for abstracting many of the complex, easy-to-get-wrong parts of a number of protocols. NSS consists of code that supports certificate verification, S/MIME, SSL, and crypto. NSS currently has two code paths for doing certificate verification. "Classic" verification has historically been used for verification of non-EV certificates, and libPKIX has historically been used for verification of EV certificates.
As many of you are aware, the NSS team has wanted to replace the "classic" verification with libPKIX for a long time. However, the current libPKIX code was auto-translated from Java to C, and has proven to be very difficult to work with. Therefore, Mozilla has created a new certificate verification library called mozpkix.
Request for Testing
Replacing the certificate verification library can only be done after gaining sufficient confidence in the new code by having as many people test it as possible. So we ask that all of you help us test this new library as follows.
- Download Firefox 30 or later
- Browse to ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/
- Scroll down to mozilla-aurora-<platform>-debug and select the folder that matches the platform you are working on.
- Select the most recent build in the list.
- Download by selecting the .tar.bz2 (Linux), .dmg (Mac), or .exe (Windows) file.
- After downloading, extract and run this debug browser, which will be called FirefoxNightlyDebug.
- Flip switch to enable mozpkix verification
- Open about:config in Firefox, http://kb.mozillazine.org/About:config
- Add a new Boolean Preference "security.use_insanity_verification"
- Add a new Boolean Preference "security.use_libpkix_verification"
- To test mozpkix for both non-EV and EV certificates, set both of these preferences to 1 (true).
- Restart FirefoxNightlyDebug
- Browse to various websites with known valid and expired/revoked/etc SSL certificates.
- If you don't get the expected result, then compare with a current Firefox release to see if result is same or different.
- If you find an issue, please file a Bugzilla bug (https://bugzilla.mozilla.org/enter_bug.cgi) with Product= ? and Component= ?
Request for Code Review
The mozpkix code can be found ....
- High level description of the folders/files/classes - Suggestions on what to look for