Bug 1439378 - Re-enable the imminent distrust browser-console test r=…

…fkiefer,keeler

This patch does a few things:
1) It removes the symantecRoot and symantec_affected certs from build/pgo/certs'
   DB.
2) It upgrades that DB from the old format to SQLite (and this 8/3 to 9/4).
3) It adds a new cert "imminently_distrusted" to that DB for the bc test.
4) It changes the Subject of the immient distrust test to only have the CN
   field: this is because certutil reorders C to come after CN, and just like
   with the real Symantec certs, I had put C first. So rather than deal with
   importing the end entity for the pgo tests, I decided to just make things
   simple and change the tested subject.
5) Finally, it re-enables the test that was disabled in Bug 1434300.

MozReview-Commit-ID: Bt2RKyInJje

build/pgo/certs/README

@@ -6,4 +6,11 @@ You can generate a new CA cert by running:
 You can generate new server certificates by running:
 ./mach python build/pgo/genpgocert.py --gen-server
 
-These commands will modify cert8.db and key3.db. The changes to these should be committed.
+These commands will modify cert9.db and key4.db. The changes to these should be
+committed.
+
+WARNING: These commands do not recreate all necessary certificates; some are
+mentioned only on their tests. Before completely replacing these DBs, you should
+be careful that you include all the correct certificates. Or fix genpgocert.py
+to create the correct certs. See bug 1441338.
+

build/pgo/genpgocert.py

@@ -159,6 +159,30 @@ def createSSLServerCertificate(build, srcDir):
       if status:
         return status
 
+      status = runUtil(certutil, ["-S", "-s", "CN=Imminently Distrusted End Entity", "-t", "P,,", "-c", "pgo temporary ca", "-k", "rsa", "-g", "2048", "-Z", "SHA256", "-m", "1519140221", "-n", "imminently_distrusted", "-v", "120", "-8", "imminently-distrusted.example.com", "-d", srcDir, "-z", rndfile.name, "-f", pwfile.name])
+      if status:
+        return status
+
+    """
+    As of February 2018, there are 15 more certificates which are not created by
+    this script. See bug 1441338:
+
+    selfsigned                                                   Pu,u,u
+    Unknown CA                                                   Cu,u,u
+    escapeattack1                                                Pu,u,u
+    untrustedandexpired                                          Pu,u,u
+    alternateTrustedAuthority                                    Cu,u,u
+    dynamicPinningGood                                           Pu,u,u
+    staticPinningBad                                             Pu,u,u
+    sha1_end_entity                                              Pu,u,u
+    bug413909cert                                                u,u,u
+    untrusted                                                    Pu,u,u
+    escapeattack2                                                Pu,u,u
+    expired                                                      Pu,u,u
+    dynamicPinningBad                                            Pu,u,u
+    sha256_end_entity                                            Pu,u,u
+    """
+
   return 0
 
 if len(sys.argv) == 1:

build/pgo/server-locations.txt

@@ -277,8 +277,8 @@ https://fail-handshake.example.com:443                            privileged,fai
 https://sha1ee.example.com:443                                    privileged,cert=sha1_end_entity
 https://sha256ee.example.com:443                                  privileged,cert=sha256_end_entity
 
-# Hosts for Symantec distrust warning tests
-https://symantec-not-whitelisted-before-cutoff.example.com:443    privileged,cert=symantec_affected
+# Hosts for imminent distrust warning tests
+https://imminently-distrusted.example.com:443                     privileged,cert=imminently_distrusted
 
 # Hosts for ssl3/rc4 console warning tests
 https://ssl3.example.com:443        privileged,ssl3

devtools/client/webconsole/test/browser.ini

@@ -162,7 +162,6 @@ skip-if = (e10s && (os == 'win' || os == 'mac')) # Bug 1243976
 [browser_console.js]
 [browser_console_addonsdk_loader_exception.js]
 [browser_console_certificate_imminent_distrust.js]
-disabled=bug 1439378 to re-enable due to nss cert/key db upgrade issue
 [browser_console_clear_method.js]
 [browser_console_clear_on_reload.js]
 [browser_console_click_focus.js]

devtools/client/webconsole/test/browser_console_certificate_imminent_distrust.js

@@ -3,43 +3,16 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 "use strict";
 
-// Tests handling of certificates issued by Symantec. If such
-// certificates have a notBefore before 1 June 2016, and are not
-// issued by an Apple or Google intermediate, they should emit a
-// warning to the console.
+// Tests handling of certificates that will be imminently distrusted, and thus
+// should emit a warning to the console.
 //
-// This test required two certs to be created in build/pgo/certs:
-// 1. A new trusted root. This should theoretically be built with certutil, but
-//    because it needs to have a perfectly-matching Subject, this wasn't
-//    (currently) practical.
-// 2. An affected certificate from before the cutoff
+// This test requires a cert to be created in build/pgo/certs.
 //
 // Change directories to build/pgo/certs:
 //  cd build/pgo/certs
 //
-// Figure out the months-warp-factor for the cutoff, first. We'll use this later.
+//  certutil -S -d . -n "imminently_distrusted" -s "CN=Imminently Distrusted End Entity" -c "pgo temporary ca" -t "P,," -k rsa -g 2048 -Z SHA256 -m 1519140221 -v 120 -8 "imminently-distrusted.example.com"
 //
-//   monthsSince=$(( ( $(date -u +"%s") - $(date -u -d "2016-06-01 00:00:00" +"%s") ) / (60*60*24*30) + 1 ))
-//
-// Constructing the root with certutil should look like this:
-//   certutil -S -s "C=US,O=GeoTrust Inc.,CN=GeoTrust Universal CA" -t "C,," -x -m 1 -w -${monthsSince} -v 120 -n "symantecRoot" -Z SHA256 -g 2048 -2 -d .
-//   (export) certutil -L -d . -n "symantecRoot" -a -o symantecRoot.ca
-//
-// Unfortunately, certutil reorders the RDNs so that C doesn't come first.
-// Instead, we'll use one of the precisely-created certificates from the xpcshell
-// tests: security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem
-//
-// We'll need to cheat and make a pkcs12 file to import to get the key.
-//   openssl pkcs12 -export -out symantecRoot.p12 -inkey ../../../security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key -in ../../../security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem
-//   certutil -A -d . -n "symantecRoot" -t "C,," -a -i ../../../security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem
-//   pk12util -d . -i symantecRoot.p12
-//
-// With that in hand, we can generate a keypair for the test site:
-//   certutil -S -d . -n "symantec_affected" -s "CN=symantec-not-whitelisted-before-cutoff.example.com" -c "symantecRoot" -t "P,," -k rsa -g 2048 -Z SHA256 -m 8939454 -w -${monthsSince} -v 120 -8 "symantec-not-whitelisted-before-cutoff.example.com"
-//
-// Finally, copy in that key as a .ca file:
-// (NOTE: files ended in .ca are added as trusted roots by the mochitest harness)
-//   cp ../../../security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem symantecRoot.ca
 
 
 const TEST_URI = "data:text/html;charset=utf8,Browser Console imminent " +
@@ -51,7 +24,7 @@ var gWebconsoleTests = [
   {url: "https://sha256ee.example.com" + TEST_URI_PATH,
    name: "Imminent distrust warnings appropriately not present",
    warning: [], nowarning: ["Upcoming_Distrust_Actions"]},
-  {url: "https://symantec-not-whitelisted-before-cutoff.example.com" +
+  {url: "https://imminently-distrusted.example.com" +
           TEST_URI_PATH,
    name: "Imminent distrust warning displayed successfully",
    warning: ["Upcoming_Distrust_Actions"], nowarning: []},

security/certverifier/TrustOverride-TestImminentDistrustData.inc

@@ -5,12 +5,11 @@
 // browser_console_certificate_imminent_distrust.js to ensure that the UI for
 // alerting users to an upcoming CA distrust action continues to function.
 
-// /C=US/CN=Imminently Distrusted End Entity
-// SHA256 Fingerprint: 63:3A:70:8A:67:42:91:95:98:E9:D1:CB:8B:5D:73:80
-//                     BA:6D:AD:25:82:62:52:AD:5E:5E:DC:06:BF:03:1F:D0
-static const uint8_t CAImminentlyDistrustedEndEntityDN[58] = {
-  0x30, 0x38, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-  0x55, 0x53, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x20,
+// /CN=Imminently Distrusted End Entity
+// SHA256 Fingerprint: DB:4E:B0:BA:38:93:02:E8:32:87:03:FA:C3:C8:F7:6A
+//                     88:77:03:B2:9E:CE:C0:C8:27:26:CC:8F:F5:64:E6:B5
+static const uint8_t CAImminentlyDistrustedEndEntityDN[45] = {
+  0x30, 0x2B, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x20,
   0x49, 0x6D, 0x6D, 0x69, 0x6E, 0x65, 0x6E, 0x74, 0x6C, 0x79, 0x20, 0x44, 0x69,
   0x73, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x20, 0x45, 0x6E, 0x64, 0x20,
   0x45, 0x6E, 0x74, 0x69, 0x74, 0x79,

security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem

@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDSzCCAjOgAwIBAgIUa5hfI/44eCaBMFte+oFrCN4wsOAwDQYJKoZIhvcNAQEL
+MIIDPjCCAiagAwIBAgIUBfMdgOrncol53tt16EE4flETpVwwDQYJKoZIhvcNAQEL
 BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE2MTEyNzAwMDAwMFoYDzIwMTkw
-MjA1MDAwMDAwWjA4MQswCQYDVQQGEwJVUzEpMCcGA1UEAxMgSW1taW5lbnRseSBE
-aXN0cnVzdGVkIEVuZCBFbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
-m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
-bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
-SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
-/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
-FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjbzBtMDcGA1UdEQQwMC6CCWxvY2Fs
-aG9zdIIhaW1taW5lbnRseS1kaXN0cnVzdGVkLmV4YW1wbGUuY29tMDIGCCsGAQUF
-BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkq
-hkiG9w0BAQsFAAOCAQEAZbcXYrr6V3GvIjGsHEvI7X5P5kwuu7XADxBZItcu9eLv
-s3Sa7U3tIlhZkLYzsLuPz2q3ZkG+baFayOJgXPPaleEDrxDpElyPYtD+oTvO5oVv
-2G8UlObIdzuym5FPDpvuiQIcDIZELUOQO9V+fjeK0CZ4luFnox+cIvnB39pLa5Xd
-hHUyWMgsf9cW/T1yjjRAS2YX/HUYGjSH9MNhSriiAABers1fyJkn7fdVTav2pQTp
-5yNdtwrFYkWjw1DG17uj/gtkll3ACw9oztjYTGj/okDI+ViLJqL4QeQb4G4Lpp77
-+A8JfHGf/yFprXMMExy8FNN8FLIxdN2lX4WwBS5WHQ==
+MjA1MDAwMDAwWjArMSkwJwYDVQQDEyBJbW1pbmVudGx5IERpc3RydXN0ZWQgRW5k
+IEVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaNvMG0wNwYDVR0RBDAwLoIJbG9jYWxob3N0giFpbW1pbmVu
+dGx5LWRpc3RydXN0ZWQuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsG
+AQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IB
+AQB5mcAyrmSdUxwgZEe8yM2ERG//SO0aGavM+xpMVyk0Pzje5iRQ2nMWpjpY8QWQ
+bfCs1d80XZ10eeJoUC7YvA5EbNk4JUUlIi4NDNJEgazrfgDfpBwDrVtdVUTt7m0J
+wI6n4UkCLRa6A9LzUuujh69BbU9C4XK9xr/4sRdp0o/BS7M3MCFwgGttXMKQ1+Te
+Goo24jV2Jm+PmcBYnOn4yyBZM1+oOuwBdvaNkTI8zaO8W8gfcuOni5rgUUoW0ycD
+XyMsUlXEKdQdfgl5j09Alu2IQaSw09pJlulbqp7h70QDDUL8Lkh0IjH6vkdeArHM
+Zn+daUiyU4fU78KVZDe/vyWh
 -----END CERTIFICATE-----
 

security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec

@@ -1,4 +1,4 @@
 issuer:Test CA
-subject:printableString/C=US/CN=Imminently Distrusted End Entity
+subject:printableString/CN=Imminently Distrusted End Entity
 extension:subjectAlternativeName:localhost,imminently-distrusted.example.com
 extension:authorityInformationAccess:http://localhost:8888/