tests/core_watch
author Robert Relyea <rrelyea@redhat.com>
Mon, 26 Oct 2020 15:50:51 -0700
changeset 15786 035110dfa0b9a7f755860020fbbb7296c543d63b
parent 10685 6c43fe3ab5dd41803bbd6705979f73275d7668f6
permissions -rwxr-xr-x
Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. r=mt

When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails if the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)).

Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf.

This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a self-signed root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA).

Differential Revision: https://phabricator.services.mozilla.com/D94661

#############################################################
# script to watch for cores during QA runs, so they won't overwrite one
# another
# Not activated for efficiency reasons, and problems on MKS, use
# only when needed and remember to remove afterwards
#############################################################

#############################################################
# to activate put the following into all.sh (after the HOSTDIR
# has been exported)
#############################################################
# sh `dirname $0`/core_watch $HOSTDIR ${HOSTDIR} &    
# CORE_WATCH_PID=$!
# if [ -n "${KILLPIDS}" ]
# then
#     echo $CORE_WATCH_PID >>"${KILLPIDS}"            
# fi
#############################################################

#############################################################
# or put the following into nssqa to watch the whole RESULTDIR
# start it shortly before run_all
#
# NOTE: the more efficient way is above, this is potentially going
# through thousands of files every 30 seconds
#############################################################
# sh `dirname $0`/core_watch $RESULTDIR &    
# echo $! >>"${KILLPIDS}"        #so Exit() can hopefully kill the core_watch
#############################################################

# in both cases remember to kill the process when done, since
# the PIDs that end up in ${KILLPIDS} might not work for all OS
# something like "kill_by_name core_watch"

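# record our PID so Exit() can hopefully kill this shell;
# skip the write when KILLPIDS is unset to avoid a redirect to ""
if [ -n "${KILLPIDS}" ]
then
    echo $$ >>"${KILLPIDS}"
fi
while true
do
    # rename every core file with a timestamp so the next crash
    # cannot overwrite it; quoting keeps paths with spaces intact
    find "$1" -name "core" -print | while IFS= read -r w
    do
        echo "Found core $w"
        mv "$w" "$w.`date +%H%M%S`"
    done
    sleep 30
done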