The incorrect LEGACY_BUILD_ID will be fixed in a subsequent changeset.
We must add https://www.mozilla.org/ to server-locations.txt and regenerate the mochitest certificates [1] because the new navigator.buildID test pretends to load content from https://www.mozilla.org/.
[1] https://searchfox.org/mozilla-central/source/build/pgo/certs/README
Differential Revision: https://phabricator.services.mozilla.com/D7982
--HG--
rename : dom/tests/mochitest/bugs/test_bug351601.html => dom/tests/mochitest/bugs/test_navigator_buildID.html
extra : rebase_source : 1deb142930f1a7a570cf719c4cb2bed8adfeabe2
extra : source : 408bff32f9623513a271cdf043d11ba6d1318e03
(This also fixes Bug 879740 and Bug 1204543.)
build/pgo/certs contains an NSS database set that has a bunch of hand-generated
certificates, and many of these hand-generated certificates are specifically
depended upon for a variety of unit tests. This patch changes all of these to
use the "pycert.py" and "pykey.py" utilities that produce deterministic keys
and certificates.
The naming convention here is new, and defined in the README. It is based on
the mochitest runtest.py naming convention that imports .ca and .client
PEM-encoded certificates.
Unfortunately, the updates to build/pgo/genpgocert.py to generate these files
depends on OpenSSL in order to produce PKCS12 archives for pk11tool to import
into NSS. This could be done with pure-NSS tooling, but it'd require some new
command line functionality, which is out-of-scope for this change.
Note that build/pgo/genpgocert.py no longer takes arguments when run. It's not
run automatically anywhere that I can see, but could (reasonably) be, now.
Differential Revision: https://phabricator.services.mozilla.com/D971
--HG--
extra : amend_source : bc389b9b0a807a4889feb14db439daa28635dfe9
This patch does a few things:
1) It removes the symantecRoot and symantec_affected certs from build/pgo/certs'
DB.
2) It upgrades that DB from the old format to SQLite (and this 8/3 to 9/4).
3) It adds a new cert "imminently_distrusted" to that DB for the bc test.
4) It changes the Subject of the immient distrust test to only have the CN
field: this is because certutil reorders C to come after CN, and just like
with the real Symantec certs, I had put C first. So rather than deal with
importing the end entity for the pgo tests, I decided to just make things
simple and change the tested subject.
5) Finally, it re-enables the test that was disabled in Bug 1434300.
MozReview-Commit-ID: Bt2RKyInJje
--HG--
rename : build/pgo/certs/cert8.db => build/pgo/certs/cert9.db
rename : build/pgo/certs/key3.db => build/pgo/certs/key4.db
extra : rebase_source : efceb67ae16f0af617bbd8bec201d52eee0f467d
There are xpcshell tests to verify that the appropriate distrust flag is set
upon reaching an affected end entity certificate; this test checks that the
distrust flag prints a warning to console.
MozReview-Commit-ID: OMG246WOOT
--HG--
rename : devtools/client/webconsole/test/browser_webconsole_certificate_messages.js => devtools/client/webconsole/test/browser_console_certificate_imminent_distrust.js
extra : rebase_source : a5fed5457e7789e742ee461b988463b81cd2c214
The previous implementation regarding to the Flash Blocking Subdocument list blocked all subdocuments that matched the list. This patch changes that so that subdocuments are only blocked if they are on the Subdocument Block List and also are loaded in a Third-Party context.
The changes to cert8.db and key3.db add the https certificate for subdocument.example.com so that testing can verify that a scheme mismatch between the document and its parent results in a third-party classification.
MozReview-Commit-ID: IXnA4iPzB4y
--HG--
extra : rebase_source : 103c1e184d4219e6db9d00da1ea54674a0e216dd
This is a dump of the new certificate information obtained by running
`certutil -L -d . -n 'pgo server certificate'`:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Temporary Certificate Authority,O=Mozilla Testing,OU=Prof
ile Guided Optimization"
Validity:
Not Before: Mon Nov 07 20:38:29 2011
Not After : Sun Nov 07 20:38:29 2021
Subject: "CN=example.com"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
d8:43:79:cf:52:ce:49:08:47:9c:57:9b:f8:0b:de:7a:
ca:ba:1c:88:9f:fd:d8:0b:df:a8:98:92:22:46:08:3e:
d2:25:4c:09:c2:32:3f:51:f9:79:60:b6:ac:94:0e:7a:
33:13:e7:0b:f7:97:72:3b:37:8f:d4:e5:ea:0c:e2:9e:
4a:5b:28:1d:8c:eb:a1:b4:96:47:37:bf:fc:f0:87:d3:
ca:13:7e:38:45:f5:3f:75:1d:45:0d:72:36:b3:cf:57:
13:99:cd:6d:3c:b8:e9:9c:ec:af:2e:2c:25:3a:d5:13:
7e:6f:51:63:2a:eb:e1:4f:ee:68:42:63:c2:f4:e1:a3
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Subject Alt Name
DNS name: "example.com"
DNS name: "test1.example.com"
DNS name: "test2.example.com"
DNS name: "sub1.test1.example.com"
DNS name: "sub1.test2.example.com"
DNS name: "sub2.test1.example.com"
DNS name: "sub2.test2.example.com"
DNS name: "requestclientcert.example.com"
DNS name: "requireclientcert.example.com"
DNS name: "xn--hxajbheg2az3al.xn--jxalpdlp"
DNS name: "sub1.xn--hxajbheg2az3al.xn--jxalpdlp"
DNS name: "sectest1.example.org"
DNS name: "sub.sectest2.example.org"
DNS name: "sectest2.example.org"
DNS name: "sub.sectest1.example.org"
DNS name: "redirproxy.example.com"
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
a2:f1:08:1c:de:74:27:95:34:a0:1a:6c:9c:fe:8f:7f:
45:38:af:1f:bb:04:b6:e5:f8:e4:35:bf:ce:23:53:74:
ca:89:26:6b:22:d7:f3:f7:66:d4:f1:8b:95:7d:c4:27:
44:57:10:f3:3d:ea:bb:0c:88:d2:09:67:e3:d1:47:6c:
2c:2b:6d:78:41🆎7e:64:59:e3:df:05:fa:65:72:c9:
fd:5b:f6:0e:39:7d:02:31:99:5b:fb:29:17:9a:c9:0e:
64:4d:8c💿bf:6e:d0:9e:b0:68:a6:d9:ee:a0:16:ec:
50:dc:58:7e:7b:82:3e:ce:98:a6:20:4d:a6:bd:ad:05
Fingerprint (MD5):
CC:F2:AD:07:F9:B8:A5:3B:A6:BB:75:80:4E:E6:BB:08
Fingerprint (SHA1):
2D:E7:9A:AE:80:CB:FD:51:B1:23:E0:CF:6F:6B:51:19:E5:28:BB:95
Certificate Trust Flags:
SSL Flags:
Terminal Record
Trusted
User
Email Flags:
User
Object Signing Flags:
User
