WPT tests are needed for serverCertificateHash feature #589

Open
javifernandez opened this issue Feb 8, 2024 · 5 comments

@javifernandez

There is only one test in the WPT repository to cover the functionality of this feature, which just checks an invalid hash doesn't match.

According to the WPT folks:

generally most wpt configurations use the certificates checked in to https://github.com/web-platform-tests/wpt/tree/master/tools/certs (although other configurations are possible). Those are regenerated by a GitHub action, and we can likely change the certificate type if necessary.

The main problems we have to implement tests in the WPT infrastructure are the following:

1- the feature imposes a restriction of 14 days maximum expiration time
2- the RSA keys are forbidden

Additionally, we would expect these WPT will be valid as well when they are executed by the browser's testing infrastructure, and as far as I know, the HTTP servers running there may have a different SSL certificate.

@javifernandez
Author

javifernandez commented Feb 8, 2024

I've been told in the WPT channel that generating new certificates with a different algorithm wouldn't be a problem, so we can easily solve (2).

Regarding the issue of having different certificates to check against by the tests, we may use the sub function of the WPT Pipes APIs to define a template for the server certificate, which will be resolved depending on the testing infrastructure where the tests run.
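
The two certificate restrictions listed in the opening comment (14-day maximum, no RSA keys) can be checked locally before a certificate hash is pinned in a test. This is an added example, not part of the thread or of the WPT tooling; it assumes the openssl CLI and GNU date, reads the 14-day limit as notAfter minus notBefore, and uses made-up file names and a made-up CN.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes the openssl CLI and GNU date.
# File names and the CN below are made up for illustration.

MAX_SECS=$((14 * 86400))   # 14-day limit from the issue, read as notAfter - notBefore

# gen_cert <days> <key.pem> <cert.pem>: self-signed ECDSA P-256 certificate
gen_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -days "$1" -subj "/CN=wpt-example.test" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# cert_hash_b64 <cert.pem>: base64 SHA-256 of the DER-encoded certificate
cert_hash_b64() {
  openssl x509 -in "$1" -outform der | openssl dgst -sha256 -binary | openssl base64 -A
}

# check_cert <cert.pem>: succeeds only if both restrictions hold
check_cert() {
  local text nb na secs
  text=$(openssl x509 -in "$1" -noout -text) || { echo "unreadable certificate"; return 1; }
  # Match the subject public key line, not the signature algorithm line
  if printf '%s\n' "$text" | grep -Eq 'Public Key Algorithm: (rsaEncryption|rsassaPss)'; then
    echo "rejected: RSA public key"; return 1
  fi
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  secs=$(( $(date -d "$na" +%s) - $(date -d "$nb" +%s) ))
  if [ "$secs" -gt "$MAX_SECS" ]; then
    echo "rejected: validity of $((secs / 86400)) days exceeds 14"; return 1
  fi
  echo "ok: non-RSA key, validity $((secs / 86400)) days"
}

# Demo: generate a 10-day certificate, check it, print the hash a test would pin
demo() {
  local dir; dir=$(mktemp -d)
  gen_cert 10 "$dir/key.pem" "$dir/cert.pem" && check_cert "$dir/cert.pem" \
    && echo "sha-256: $(cert_hash_b64 "$dir/cert.pem")"
  rm -rf "$dir"
}
demo
```

The hash changes every time the certificate is regenerated, which is why the thread discusses resolving it per test infrastructure rather than hard-coding it.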

@wilaw added the "Discuss at next meeting" label Feb 14, 2024
@jan-ivar
Member

Meeting:

@javifernandez self-assigned this Mar 27, 2024
@wilaw removed the "Discuss at next meeting" label Mar 27, 2024
@wilaw added this to the "Future version" milestone Mar 27, 2024
@martenrichter

What is the status of updated wpt tests for certificate hashes?
Firefox just broke the current implementation, so the current test does not seem to be sufficient:
https://bugzilla.mozilla.org/show_bug.cgi?id=1934402
The problem was that it failed with a certificate with an unknown (third-party) root certificate.

@javifernandez
Author

I haven't had time to work on this lately. I don't have a clear idea of how to do it either, so if anybody has more time and knowledge, I'd be happy to reassign the issue.

I totally agree that we need more tests for the serverCertificateHashes.

@martenrichter

I have tried to make some:
https://phabricator.services.mozilla.com/D231479
