QA/Firefox3.1/Cryptography Test Plan

From MozillaWiki
Jump to navigation Jump to search

« QA/Firefox3.1/TestPlan

Cryptography Test Plan

Overview

This test document details the features of Firefox that deal with cryptography, including SSL/TLS, client-side certificates, validation checking, UI, and so on.

Some of these tests require the use of a Mozilla-run certificate authority such as the Dogtag open source project's CA.

Test Strategy

 List major areas of test coverage
 List areas that will NOT be covered (by developer, third party, etc.)
 Describe how testcases will be created (litmus, mochitests, reftests, gristmill, etc..)

Certificate Issuance

Users can obtain personal certificates for the following purposes:

  1. Client-auth: Some HTTPS servers request/require users to present a personal certificate while negotiating the SSL/TLS connection. We sometimes refer to this connection as an "SSL client auth" connection. Read more here...
  2. Form signing: Firefox supports a mechanism for a web page developer to request that users digitally sign forms at the time of submission. Read more here...
  3. Plug-ins: There are a few plug-ins that require users to have personal certificates. One example is the S/MIME plug-in for GMail. Read more here...


Some times these personal certificates live on smartcards, and sometimes they live on the hard drive in the form of a "soft token". Interestingly, Firefox's NSS cryptography libraries treat software-based certificates as if they were hardware tokens. In other words, there's just one way for Firefox to talk to both software and hardware tokens (PKCS#11). Read more here...

Public CA Test

For these tests, we will use the Thawte CA: Get a cert from Thawte on Linux, Windows XP, Vista, and OSX

Thawte: http://www.thawte.com/

Mozilla-owned CA Test

Mozilla should install an instance of the Dogtag Certificate Authority 1.0 and run the following tests against that CA.

Dogtag open source CA home page: http://pki.fedoraproject.org/wiki/PKI_Main_Page

Certificate Usage

This section comprises the bulk of the testing Firefox needs before shipping.

SSL Server Authentication

All SSL server-auth tests should be automated. Mozilla should set up servers that will disable all ciphersuites, and them enable them one at a time. For each ciphersuite, the browser will then make a connection to a test SSL server that supports all the default ciphersuites. After the browser makes a connection to the server, the test script will confirm that the ciphersuite in question was actually negotiated.

The ciphersuites that are enabled by default are:

security.ssl3.rsa_rc4_128_md5
security.ssl3.rsa_rc4_128_sha
security.ssl3.rsa_fips_des_ede3_sha
security.ssl3.rsa_des_ede3_sha
security.ssl3.dhe_rsa_camellia_256_sha
security.ssl3.dhe_dss_camellia_256_sha
security.ssl3.rsa_camellia_256_sha
security.ssl3.dhe_rsa_camellia_128_sha
security.ssl3.dhe_dss_camellia_128_sha
security.ssl3.rsa_camellia_128_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.rsa_aes_256_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_ecdsa_aes_128_sha
security.ssl3.ecdhe_ecdsa_des_ede3_sha
security.ssl3.ecdhe_ecdsa_rc4_128_sha
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.ecdhe_rsa_aes_128_sha
security.ssl3.ecdhe_rsa_des_ede3_sha
security.ssl3.ecdhe_rsa_rc4_128_sha
security.ssl3.ecdh_ecdsa_aes_256_sha
security.ssl3.ecdh_ecdsa_aes_128_sha
security.ssl3.ecdh_ecdsa_des_ede3_sha
security.ssl3.ecdh_ecdsa_rc4_128_sha
security.ssl3.ecdh_rsa_aes_256_sha
security.ssl3.ecdh_rsa_aes_128_sha
security.ssl3.ecdh_rsa_des_ede3_sha
security.ssl3.ecdh_rsa_rc4_128_sha
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_dss_aes_128_sha
security.ssl3.rsa_aes_128_sha
security.ssl3.dhe_rsa_des_ede3_sha
security.ssl3.dhe_dss_des_ede3_sha

The above represent positive test cases. The ciphersuite tests should also include negative test cases. For example, the browser should attempt to make an SSL connection to the server with a ciphersuite they do not have in common. The test should ensure that the browser displays the proper error message

SSL Client Authentication

Kai's spreadsheet

Basic chrome

Schedule Scoping

 Estimate amount of time it will take to complete feature
 (Consider nightly builds, security reviews, bugs turnaround time)

References

 Include notes, links, specs, relevant bugs
Retrieved from "https://wiki.mozilla.org/index.php?title=QA/Firefox3.1/Cryptography_Test_Plan&oldid=105136"