Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More Comprehensive Certificate Testing #1172

Open
10 of 46 tasks
nibanks opened this issue Jan 19, 2021 · 1 comment
Open
10 of 46 tasks

More Comprehensive Certificate Testing #1172

nibanks opened this issue Jan 19, 2021 · 1 comment
Assignees
@anrossi
Labels
Area: Security Related to security or quality testing Area: Testing Related to test coverage
Milestone
Release 2.5

Comments

@nibanks
Copy link
Member

nibanks commented Jan 19, 2021
edited by anrossi
Loading

Describe the feature you'd like supported

We support a number of scenarios related to certificates (and will have more coming with client certs in the queue) but we have minimal testing for these. We should add more positive and negative test cases in these areas.

  • Accept valid server certificate (chain to trusted root)
  • Accept valid client certificate (chain to trusted root)
  • Specific invalid certificate failures (expired, wrong EKU, etc.)
    • Expired server certificate
    • Expired client certificate
    • Untrusted server certificate
    • Untrusted client certificate
  • Specific look-up mechanisms (hash, principal name, different stores, etc.)
  • More coverage of the cert callback mechanism (at QUIC layer). Cover the flag for cert validation.
    • Portable certificates flag
      • Client certificate
        • OpenSSL
        • Schannel
      • Server certificate
        • OpenSSL
        • Schannel
    • Ensure certificates are usable
      • Client certificate
        • OpenSSL
        • Schannel
      • Server certificate
        • OpenSSL
        • Schannel
  • Revocation checking
    • Valid certificate
      • CRL Offline
      • Check the whole chain
      • Check only the leaf
      • Check chain excluding root
      • Cache only
      • Cache only with cache expired
    • Revoked certificate
      • CRL Offline
      • Check the whole chain
      • Check only the leaf
      • Check chain excluding root
      • Cache only
      • Cache only with cache expired
  • OCSP

How do different error codes get exposed to the app? Might need core work around exposing individual error codes (might be worth a separate task).
@nibanks nibanks added Area: Testing Related to test coverage Area: Security Related to security or quality testing labels Jan 19, 2021
@nibanks nibanks added this to the Future milestone Jan 19, 2021
@nibanks nibanks modified the milestones: Future, Cobalt Feb 18, 2021
@nibanks nibanks modified the milestones: Cobalt, Nickel Apr 6, 2021
@anrossi
Copy link
Contributor

anrossi commented Sep 30, 2021

Since the above are not in any particular priority, I'm going to list the top-level bullets in priority order

  1. Specific look-up mechanisms (hash, principal name, different stores, etc.)
  2. More coverage of the cert callback mechanism (at QUIC layer)
  3. Specific invalid certificate failures (expired, wrong EKU, etc.)
  4. Revocation checking

@nibanks nibanks modified the milestones: Nickel, Release 2.0 Jan 12, 2022
@nibanks nibanks modified the milestones: Release 2.0, Future Feb 10, 2022
@nibanks nibanks modified the milestones: Future, Release 2.2 Aug 9, 2022
@nibanks nibanks modified the milestones: Release 2.2, Release 2.3 Mar 9, 2023
@nibanks nibanks modified the milestones: Release 2.3, Release 2.4 Oct 12, 2023
@nibanks nibanks modified the milestones: Release 2.4, Release 2.5 Aug 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@anrossi anrossi

Labels
Area: Security Related to security or quality testing Area: Testing Related to test coverage
Projects
MsQuic Walkthroughs
Status: No status
Milestone
Release 2.5
Development

No branches or pull requests
2 participants
@nibanks @anrossi