Mirror of https://github.com/mozilla/gecko-dev.git (synced 2024-10-08 02:14:43 +00:00), commit 55cfe61a1d
2020-09-23  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
	gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
	gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
	gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
	gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
	gtests/mozpkix_gtest/pkixgtest.h,
	lib/mozpkix/include/pkix/pkixtypes.h,
	lib/mozpkix/lib/pkixbuild.cpp:
	Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension
	(if present) in CheckRevocation r=jcj

	This will allow Firefox to make decisions based on the earliest known
	time that a certificate exists (with respect to certificate
	transparency) that a CA is unlikely to back-date. In particular, this
	is essential for CRLite.

	Note that if the SCT signature isn't validated, a CA could still make a
	certificate appear to have existed for longer than it really has.
	However, this change is not an attempt to catch malicious CAs. The aim
	is to avoid false positives in CRLite resulting from CAs backdating the
	notBefore field on certificates they issue.

	Depends on D90595
	[8ebee3cec9cf] [tip]

2020-09-18  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
	gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
	gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
	gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
	gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
	gtests/mozpkix_gtest/pkixgtest.h,
	lib/mozpkix/include/pkix/pkixtypes.h,
	lib/mozpkix/lib/pkixbuild.cpp:
	Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no
	longer necessary r=jcj

	Bug 1593141 added the certificate's notBefore field as an argument to
	TrustDomain::CheckRevocation so that Firefox could use it with CRLite.
	However, since CAs can backdate that field, we need to use the earliest
	embedded SCT timestamp instead.
	[c1f4d565ceda]

	Differential Revision: https://phabricator.services.mozilla.com/D91211
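The commit messages above turn on one value: the earliest timestamp among the SCTs embedded in the certificate, used in place of notBefore because a CA cannot plausibly back-date a log-issued timestamp. As an added example (not mozpkix's own code, and not the implementation referred to in these commits), the following walks an RFC 6962 SignedCertificateTimestampList, optionally stripping the DER OCTET STRING wrapper the X.509 extension puts around it, and returns the earliest timestamp together with the number of SCTs seen. It skips over each SCT's signature without verifying it, so it carries exactly the caveat the first message states: it guards against a back-dated notBefore, not against a CA that forges SCTs. MakeSct and MakeSctList are test fixtures invented here; the log ID, algorithm bytes and signature they emit are placeholders, not data from any real log.

```cpp
// Added example: walk an RFC 6962 SignedCertificateTimestampList and return
// the earliest embedded timestamp. SCT signatures are skipped, not verified.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

using Bytes = std::vector<uint8_t>;

struct SctSummary {
  uint64_t earliestTimestampMs;  // milliseconds since the Unix epoch (RFC 6962)
  size_t count;                  // number of SCTs walked
};

namespace {

// Read a big-endian unsigned integer of `width` bytes; false on truncation.
bool ReadUint(const Bytes& in, size_t& pos, size_t width, uint64_t& out) {
  if (width > 8 || pos > in.size() || in.size() - pos < width) return false;
  out = 0;
  for (size_t i = 0; i < width; ++i) out = (out << 8) | in[pos + i];
  pos += width;
  return true;
}

// Advance over `n` bytes without running past the end of the buffer.
bool Skip(const Bytes& in, size_t& pos, size_t n) {
  if (pos > in.size() || in.size() - pos < n) return false;
  pos += n;
  return true;
}

// In a certificate the extension value is a DER OCTET STRING around the
// TLS-encoded list. Strip it, requiring a minimal-form length that spans the
// rest of the input (1- or 2-byte long form covers a 16-bit list length).
bool StripOctetString(const Bytes& in, size_t& pos) {
  uint64_t tag, len;
  if (!ReadUint(in, pos, 1, tag) || tag != 0x04) return false;
  if (!ReadUint(in, pos, 1, len)) return false;
  if (len & 0x80) {
    size_t n = len & 0x7f;
    if (n == 0 || n > 2 || !ReadUint(in, pos, n, len)) return false;
    if (len < (n == 1 ? 0x80u : 0x100u)) return false;  // DER: shortest form only
  }
  return in.size() - pos == len;
}

}  // namespace

// Returns nullopt on any structural error, so a caller cannot mistake a
// malformed extension for "earliest known time = 0".
std::optional<SctSummary> EarliestSctTimestamp(const Bytes& ext, bool derWrapped) {
  size_t pos = 0;
  if (derWrapped && !StripOctetString(ext, pos)) return std::nullopt;
  const size_t end = ext.size();
  uint64_t listLen;
  if (!ReadUint(ext, pos, 2, listLen) || listLen != end - pos) return std::nullopt;
  SctSummary s{UINT64_MAX, 0};
  while (pos < end) {
    uint64_t sctLen, version, ts, n;
    if (!ReadUint(ext, pos, 2, sctLen) || sctLen == 0 || sctLen > end - pos) return std::nullopt;
    const size_t sctEnd = pos + sctLen;
    if (!ReadUint(ext, pos, 1, version) || version != 0) return std::nullopt;  // only v1 is defined
    if (!Skip(ext, pos, 32)) return std::nullopt;                              // log_id
    if (!ReadUint(ext, pos, 8, ts)) return std::nullopt;                       // timestamp
    if (!ReadUint(ext, pos, 2, n) || !Skip(ext, pos, n)) return std::nullopt;  // extensions
    if (!Skip(ext, pos, 2)) return std::nullopt;                               // hash + signature algorithm
    if (!ReadUint(ext, pos, 2, n) || !Skip(ext, pos, n)) return std::nullopt;  // signature, NOT verified
    if (pos != sctEnd) return std::nullopt;                                    // no slack inside an SCT
    if (ts < s.earliestTimestampMs) s.earliestTimestampMs = ts;
    ++s.count;
  }
  if (s.count == 0) return std::nullopt;
  return s;
}

// Constructed test input (hypothetical): placeholder log_id and dummy signature.
Bytes MakeSct(uint64_t timestampMs) {
  Bytes sct{0x00};                  // version v1
  sct.insert(sct.end(), 32, 0xAB);  // log_id placeholder
  for (int i = 7; i >= 0; --i) sct.push_back(uint8_t(timestampMs >> (8 * i)));
  sct.insert(sct.end(), {0x00, 0x00,                         // no extensions
                         0x04, 0x03,                         // sha256 / ecdsa
                         0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF});  // dummy signature
  return sct;
}

Bytes MakeSctList(const std::vector<Bytes>& scts, bool derWrap) {
  Bytes body;
  for (const Bytes& s : scts) {
    body.insert(body.end(), {uint8_t(s.size() >> 8), uint8_t(s.size())});
    body.insert(body.end(), s.begin(), s.end());
  }
  Bytes list{uint8_t(body.size() >> 8), uint8_t(body.size())};
  list.insert(list.end(), body.begin(), body.end());
  if (!derWrap) return list;
  Bytes der{0x04};
  if (list.size() < 0x80) der.push_back(uint8_t(list.size()));
  else der.insert(der.end(), {0x82, uint8_t(list.size() >> 8), uint8_t(list.size())});
  der.insert(der.end(), list.begin(), list.end());
  return der;
}
```

Every length is checked against the remaining input before it is consumed, and an SCT whose declared length does not match the fields inside it is rejected rather than tolerated; that is the same "no trailing or hidden bytes" discipline mozpkix applies to DER. A certificate with no SCTs at all yields nullopt, which a CRLite-style consumer should treat as "no trustworthy earliest time" and fall back to whatever its policy is, rather than silently treating the certificate as infinitely old.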
Files in gtests/mozpkix_gtest:

  mozpkix_gtest.gyp
  pkixbuild_tests.cpp
  pkixcert_extension_tests.cpp
  pkixcert_signature_algorithm_tests.cpp
  pkixcheck_CheckExtendedKeyUsage_tests.cpp
  pkixcheck_CheckIssuer_tests.cpp
  pkixcheck_CheckKeyUsage_tests.cpp
  pkixcheck_CheckSignatureAlgorithm_tests.cpp
  pkixcheck_CheckValidity_tests.cpp
  pkixcheck_ParseValidity_tests.cpp
  pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
  pkixder_input_tests.cpp
  pkixder_pki_types_tests.cpp
  pkixder_universal_types_tests.cpp
  pkixgtest.cpp
  pkixgtest.h
  pkixnames_tests.cpp
  pkixocsp_CreateEncodedOCSPRequest_tests.cpp
  pkixocsp_VerifyEncodedOCSPResponse.cpp
  README.txt
README.txt:

------------- Running Tests -------------

Because of the naming rules below, you can run all the unit tests in this
directory, and only these tests, with:

  mach gtest "pkix*"

You can run just the tests for the functions defined in pkixfoo.cpp with:

  mach gtest "pkixfoo*"

If you run "mach gtest" with no filter, you will run every gtest in Gecko.

------------ Naming Files ------------

Name files containing tests according to one of the following patterns:

  * <filename>_tests.cpp
  * <filename>_<Function>_tests.cpp
  * <filename>_<category>_tests.cpp

<filename> is the name of the file containing the definitions of the
function(s) being tested by every test in the file. <Function> is the name of
the function that is being tested by every test. <category> describes the
group of related functions that are being tested by every test.

------------------------------------------------
Always Use a Fixture Class: TEST_F(), not TEST()
------------------------------------------------

Many tests do not technically need a fixture, so TEST() could technically be
used to define them. Use TEST_F() anyway: its first argument must name an
existing fixture class, so a typo in the test case name is a compile error.
With TEST() the test case name is an arbitrary identifier that is never
checked, so a misspelled name silently creates a new, separately named test
case instead of being reported. See
https://code.google.com/p/googletest/wiki/Primer#Test_Fixtures:_Using_the_Same_Data_Configuration_for_Multiple_Te
to learn more about test fixtures.

--------------- Naming Fixtures ---------------

When all tests in a file use the same fixture, use the base name of the file
without the "_tests" suffix as the name of the fixture class; e.g. tests in
"pkixocsp_tests.cpp" should use a fixture "class pkixocsp" by default.

Sometimes tests in a file need separate fixtures. In this case, name the
fixture class according to the pattern <fixture_base>_<fixture_suffix>, where
<fixture_base> is the base name of the file without the "_tests" suffix, and
<fixture_suffix> is a descriptive name for the fixture class, e.g.
"class pkixocsp_DelegatedResponder".