Yesterday marks an incredible victory for myself and MozQA -- I've successfully set up an environment for MozQA to test EVCerts in house. Looking back on this victory, it is really multiple victories; but more on that later. I'd like to talk briefly about how and why this is a win.

The Win

Historically, manual test coverage of certificate handling in Firefox has been minimal at best. The tests we had relied heavily on third party sites. For example, many of our tests asked the user to navigate to Verisign and Pay Pal. Using third party websites is bad from a testing perspective as it creates a situation of dependency. Should the sites go down or the certificates expire, our tests would become broken.

Most recently there was a test which required a cert with rather specific information. We had no way to run this test as we did not have a valid cert to test this scenario. MozQA spent a lot of work hours trying to track down a cert which could be used for this test but we were unable to find one. In the end, we looked to our security team to generate a cert for us. While it's great that Mozilla can collaborate internally, it is a less than ideal situation. In other words, MozQA should be as self-sufficient as possible.

Now that we have an EVCert server we can create our own certs with numerous unique configurations. No more do we need to track down sites which are using the certs we need. Nor do we have to rely on the security team to do the grunt work of creating certs when needed. It gives us the ability to test multiple, seemingly any, scenarios. In a nutshell, it allows us to expand our test coverage which leads to earlier and easier identification of security bugs related to certificates and the security UI (aka Certificate Manager and Larry).

For more background on this story see bug 428587

The Victory

Much of the way this works is done based on a couple weeks of trial and error going through Geekboy's (aka Sid Stamm) EVCert guide found here. As I said earlier, this victory is really many smaller victories; each aligning themselves with the steps from Sid's guide.

1. Creating the EV-SSL CA
   This would have required a lot more work had I not already had the openssl.cnf config file provided by Sid. After running through the procedure in his guide a few times, I was able to write a shell script which makes the process much simpler.
2. Adding the EV-SSL CA to Firefox
   As you can see in Sid's guide, this required a bit of voodoo to work. Essentially, you are twisting Firefox's arm in an effort to make it trust your certificate. You see, Firefox is actually really secure -- it won't blindly trust just any EVCert and CA. Without going into too much detail you need to:
   1. Download the source
   2. Apply two specific patches to the source
   3. Build a debug build of Firefox
   4. Build the NSS tools

   Now you will have a build which will take your cert. But wait...there's more.

3. Installing the EV-SSL CA
   Now that I had a build of Firefox that would take my cert, I had to get it to trust it without question. In other words, make the site identification and Larry appear green (not blue or grey). This involved two things:
   1. Installing the CA cert through Firefox's certificate manager
   2. Plugging a configuration file (containing specific information about the cert) into my profile

Having successfully completed all of the above, I'm happy to say that MozQA now has access to a server which can be used to generate certificates for the purposes of testing.

Special Thanks

At this time, I'd like to thank everyone involved in getting this working:

• Juan Becerra and Marcia Knous from MozQA for spearheading the initiative
• Justin Fitzhugh, Reed Loden, Shyam Mani, Dave Miller, Mark Smith and Matthew Zeier for all their help getting the server up and running
• and of course Sid Stamm for the excellent guide and being there to answer my questions

If anyone has any questions or feedback feel free to post a comment here.

Cheers!