SecurityEngineering/mozpkix-testing: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 1: | Line 1: | ||
= | = mozilla::pkix = | ||
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, OCSP, PKIX, and other security standards. | Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, OCSP, PKIX, and other security standards. | ||
NSS currently has two code paths for doing certificate verification. "Classic" verification has been used for verification of non-EV certificates, and libPKIX has been used for verification of EV certificates. | NSS currently has two code paths for doing certificate verification. "Classic" verification has been used for verification of non-EV certificates, and libPKIX has been used for verification of EV certificates. | ||
As many of you are aware, the NSS team has wanted to replace the "classic" verification with libPKIX for a long time. However, the current libPKIX code was auto-translated from Java to C, and has proven to be very difficult to work with. Therefore, Mozilla has created a new certificate verification library called | As many of you are aware, the NSS team has wanted to replace the "classic" verification with libPKIX for a long time. However, the current libPKIX code was auto-translated from Java to C, and has proven to be very difficult to work with. Therefore, Mozilla has created a new certificate verification library called mozilla::pkix. | ||
== Request for Testing == | == Request for Testing == | ||
| Line 10: | Line 10: | ||
Replacing the certificate verification library can only be done after gaining sufficient confidence in the new code by having as many people test it as possible. So we ask that all of you help us test this new library as follows. | Replacing the certificate verification library can only be done after gaining sufficient confidence in the new code by having as many people test it as possible. So we ask that all of you help us test this new library as follows. | ||
# Download Firefox | # Download Firefox 31 or later | ||
#* Browse to ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/ | #* Browse to ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/ | ||
#* Scroll down to mozilla- | #* Scroll down to mozilla-central-<platform>-debug and select the folder that matches the platform you are working on. | ||
#* Select the most recent build in the list. | #* Select the most recent build in the list. | ||
#* Download by selecting the .tar.bz2 (Linux), .dmg (Mac), or .exe (Windows) file. | #* Download by selecting the .tar.bz2 (Linux), .dmg (Mac), or .exe (Windows) file. | ||
#* After downloading, extract and run this debug browser, which will be called | #* After downloading, extract and run this debug browser, which will be called FirefoxNightlyDebug. | ||
# Flip switch to enable | # Flip switch to enable mozilla::pkix verification | ||
#* Open about:config in Firefox, http://kb.mozillazine.org/About:config | #* Open about:config in Firefox, http://kb.mozillazine.org/About:config | ||
#* Add a new Boolean Preference "security. | #* Add a new Boolean Preference "security.use_mozillapkix_verification", setting it to true. | ||
# Browse to various websites with known valid and expired/revoked/etc SSL certificates. | # Browse to various websites with known valid and expired/revoked/etc SSL certificates. | ||
# If you don't get the expected result, then try again without using | # If you don't get the expected result, then try again without using mozilla::pkix to see if the unexpected result is actually due to mozilla::pkix. | ||
#* Reset (remove) the | #* Reset (remove) the preference that you added in [http://kb.mozillazine.org/About:config about:config]. | ||
# If you find an issue, please file a Bugzilla bug (https://bugzilla.mozilla.org/enter_bug.cgi) with Product=Core, Component=Security:PSM, and put "(mozilla::pkix)" at the beginning of the Summary. | # If you find an issue, please file a Bugzilla bug (https://bugzilla.mozilla.org/enter_bug.cgi) with Product=Core, Component=Security:PSM, and put "(mozilla::pkix)" at the beginning of the Summary. | ||
# When you are done testing, reset (remove) the | # When you are done testing, reset (remove) the preference that you added in [http://kb.mozillazine.org/About:config about:config] and restart your Firefox browser. | ||
=== Check if | === Check if mozilla::pkix is being used === | ||
* With your browser correctly set to use | * With your browser correctly set to use mozilla::pkix, browsing to this example URL will result in.... | ||
* When your browser is not set to use | * When your browser is not set to use mozilla::pkix, browsing to this example URL will result in... | ||
== Request for Code Review == | == Request for Code Review == | ||
| Line 35: | Line 33: | ||
We will greatly appreciate your help in reviewing the new code, which may be found here: | We will greatly appreciate your help in reviewing the new code, which may be found here: | ||
* | * mozilla::pkix: https://mxr.mozilla.org/mozilla-central/source/security/pkix/ | ||
* trust domain: https://mxr.mozilla.org/mozilla-central/source/security/certverifier/ | * trust domain: https://mxr.mozilla.org/mozilla-central/source/security/certverifier/ | ||
| Line 44: | Line 42: | ||
For reference, the NSS certificate verification code is here: | For reference, the NSS certificate verification code is here: | ||
* NSS Classic Verification: https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/certhigh/ | * NSS Classic Verification: https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/certhigh/ | ||
* NSS LibPKIX Verification: https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/libpkix | * NSS LibPKIX Verification: https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/libpkix/ | ||
Revision as of 20:37, 21 March 2014
mozilla::pkix
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, OCSP, PKIX, and other security standards.
NSS currently has two code paths for doing certificate verification. "Classic" verification has been used for verification of non-EV certificates, and libPKIX has been used for verification of EV certificates.
As many of you are aware, the NSS team has wanted to replace the "classic" verification with libPKIX for a long time. However, the current libPKIX code was auto-translated from Java to C, and has proven to be very difficult to work with. Therefore, Mozilla has created a new certificate verification library called mozilla::pkix.
Request for Testing
Replacing the certificate verification library can only be done after gaining sufficient confidence in the new code by having as many people test it as possible. So we ask that all of you help us test this new library as follows.
- Download Firefox 31 or later
- Browse to ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/
- Scroll down to mozilla-central-<platform>-debug and select the folder that matches the platform you are working on.
- Select the most recent build in the list.
- Download by selecting the .tar.bz2 (Linux), .dmg (Mac), or .exe (Windows) file.
- After downloading, extract and run this debug browser, which will be called FirefoxNightlyDebug.
- Flip switch to enable mozilla::pkix verification
- Open about:config in Firefox, http://kb.mozillazine.org/About:config
- Add a new Boolean Preference "security.use_mozillapkix_verification", setting it to true.
- Browse to various websites with known valid and expired/revoked/etc SSL certificates.
- If you don't get the expected result, then try again without using mozilla::pkix to see if the unexpected result is actually due to mozilla::pkix.
- Reset (remove) the preference that you added in about:config.
- If you find an issue, please file a Bugzilla bug (https://bugzilla.mozilla.org/enter_bug.cgi) with Product=Core, Component=Security:PSM, and put "(mozilla::pkix)" at the beginning of the Summary.
- When you are done testing, reset (remove) the preference that you added in about:config and restart your Firefox browser.
Check if mozilla::pkix is being used
- With your browser correctly set to use mozilla::pkix, browsing to this example URL will result in....
- When your browser is not set to use mozilla::pkix, browsing to this example URL will result in...
Request for Code Review
We will greatly appreciate your help in reviewing the new code, which may be found here:
- mozilla::pkix: https://mxr.mozilla.org/mozilla-central/source/security/pkix/
- trust domain: https://mxr.mozilla.org/mozilla-central/source/security/certverifier/
Need: High level description of the folders/files/classes
If you find an issue, please file a Bugzilla bug (https://bugzilla.mozilla.org/enter_bug.cgi) with Product=Core, Component=Security:PSM, and put "(mozilla::pkix)" at the beginning of the Summary.
For reference, the NSS certificate verification code is here:
- NSS Classic Verification: https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/certhigh/
- NSS LibPKIX Verification: https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/libpkix/