Bug 1399334 - Workaround buggy pki.js cert verifier implementation r?keeler
There's an intermittent on the call attestationCert.verify() to test the self-
signed cert from our not-shipped software U2F implementation. Collection of the
intermittents shows these certs are fine, and should verify correctly, but they
don't. The bug must be in pki.js, which is out-of-scope as we only use it for
mochitests.
This patch removes the offending call to xxxx.verify(), because it doesn't
really matter whether the self-signed-cert looks OK to pki.js; we just need
the public key from inside it to proceed with the rest of the tests.
As an example of a so-called "invalid" self-signed cert that failed, we have:
https://treeherder.mozilla.org/logviewer.html#?repo=mozilla-central&job_id=134282931&lineNumber=2673
There's nothing wrong with this cert, actually. Checking it with OpenSSL shows
all OK:
openssl verify -purpose any -CAfile /tmp/cert2.pem /tmp/cert2.pem
/tmp/cert2.pem: OK
So this intermittent is a bug outside of our U2F and U2F test soft token code.
MozReview-Commit-ID: K142toVWtcv
--- a/dom/u2f/tests/frame_register_sign.html
+++ b/dom/u2f/tests/frame_register_sign.html
@@ -104,25 +104,17 @@ async function doTests() {
var signedData = assembleRegistrationSignedData(state.appParam, state.challengeParam, state.keyHandleBytes, state.publicKeyBytes);
return verifySignature(attestationPublicKey, signedData, state.attestationSig);
}).then(function(verified) {
local_ok(verified, "Attestation Certificate signature verified");
// Import the public key of the U2F token into WebCrypto
return importPublicKey(state.publicKeyBytes);
}).then(function(key) {
state.publicKey = key;
- local_ok(true, "Imported public key");
-
- // Ensure the attestation certificate is properly self-signed
- return state.attestationCert.verify();
- }).then(function(verified) {
- if (!verified) {
- local_ok(verified, "Cert problem: " + bytesToBase64UrlSafe(state.attestation));
- }
- local_ok(verified, "Register attestation signature verified");
+ local_isnot(key, undefined, "Imported public key");
});
state.regKey = {
version: state.version,
keyHandle: state.keyHandle,
};
// Test that we don't re-register if we provide regKey as an
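Review bot: at the new `local_isnot(key, undefined, "Imported public key")` line, nothing in the code records why the `state.attestationCert.verify()` step was dropped, so a later reader will not know the self-signature check is missing on purpose. Suggest a short comment at that spot pointing at Bug 1399334, so the check can be restored if the pki.js verifier is fixed. The removed block also logged `bytesToBase64UrlSafe(state.attestation)` on failure, which was the only place the test dumped the attestation bytes; if that diagnostic is still useful for the intermittent, consider keeping it as an informational log. Separately, `local_isnot(key, undefined, ...)` still passes when `key` is `null`; a truthiness check such as `local_ok(key, "Imported public key")` would be a stricter assertion on the imported key.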