bug 1188100 - fold PSM's test_client_cert.js into necko's test_tls_server.js r=mcmanus
authorDavid Keeler <dkeeler@mozilla.com>
Wed, 29 Jul 2015 14:27:54 -0700
changeset 287610 947359cbc15353a8c8865741e3bb52a5432eb423
parent 287609 5ba973a43c12931c3538803459de5cb71e4c1d81
child 287611 502c196722eb86425d9f8f9fd7fd6f5d431f3e9b
push id5067
push userraliiev@mozilla.com
push dateMon, 21 Sep 2015 14:04:52 +0000
treeherdermozilla-beta@14221ffe5b2f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmcmanus
bugs1188100
milestone42.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1188100 - fold PSM's test_client_cert.js into necko's test_tls_server.js r=mcmanus
netwerk/test/unit/client_cert_chooser.js
netwerk/test/unit/client_cert_chooser.manifest
netwerk/test/unit/test_tls_server.js
netwerk/test/unit/xpcshell.ini
security/manager/ssl/tests/unit/test_client_cert.js
security/manager/ssl/tests/unit/test_client_cert/cert_dialog.js
security/manager/ssl/tests/unit/test_client_cert/cert_dialog.manifest
security/manager/ssl/tests/unit/test_client_cert/client-cert.p12
security/manager/ssl/tests/unit/test_client_cert/generate.py
security/manager/ssl/tests/unit/tlsserver/cmd/ClientAuthServer.cpp
security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
security/manager/ssl/tests/unit/xpcshell.ini
testing/mochitest/Makefile.in
testing/xpcshell/remotexpcshelltests.py
toolkit/mozapps/installer/upload-files.mk
rename from security/manager/ssl/tests/unit/test_client_cert/cert_dialog.js
rename to netwerk/test/unit/client_cert_chooser.js
--- a/security/manager/ssl/tests/unit/test_client_cert/cert_dialog.js
+++ b/netwerk/test/unit/client_cert_chooser.js
@@ -1,37 +1,26 @@
 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 const { utils: Cu, interfaces: Ci } = Components;
 const { XPCOMUtils } = Cu.import("resource://gre/modules/XPCOMUtils.jsm", {});
 
-function CertDialogService() {}
-CertDialogService.prototype = {
-  classID: Components.ID("{a70153f2-3590-4317-93e9-73b3e7ffca5d}"),
-  QueryInterface: XPCOMUtils.generateQI([Ci.nsICertificateDialogs]),
-
-  getPKCS12FilePassword: function() {
-    return true; // Simulates entering an empty password
-  }
-};
-
 let Prompter = {
   QueryInterface: XPCOMUtils.generateQI([Ci.nsIPrompt]),
   alert: function() {} // Do nothing when asked to show an alert
 };
 
 function WindowWatcherService() {}
 WindowWatcherService.prototype = {
   classID: Components.ID("{01ae923c-81bb-45db-b860-d423b0fc4fe1}"),
   QueryInterface: XPCOMUtils.generateQI([Ci.nsIWindowWatcher]),
 
   getNewPrompter: function() {
     return Prompter;
   }
 };
 
 this.NSGetFactory = XPCOMUtils.generateNSGetFactory([
-  CertDialogService,
   WindowWatcherService
 ]);
rename from security/manager/ssl/tests/unit/test_client_cert/cert_dialog.manifest
rename to netwerk/test/unit/client_cert_chooser.manifest
--- a/security/manager/ssl/tests/unit/test_client_cert/cert_dialog.manifest
+++ b/netwerk/test/unit/client_cert_chooser.manifest
@@ -1,4 +1,2 @@
-component {a70153f2-3590-4317-93e9-73b3e7ffca5d} cert_dialog.js
-contract @mozilla.org/nsCertificateDialogs;1 {a70153f2-3590-4317-93e9-73b3e7ffca5d}
 component {01ae923c-81bb-45db-b860-d423b0fc4fe1} cert_dialog.js
 contract @mozilla.org/embedcomp/window-watcher;1 {01ae923c-81bb-45db-b860-d423b0fc4fe1}
--- a/netwerk/test/unit/test_tls_server.js
+++ b/netwerk/test/unit/test_tls_server.js
@@ -33,17 +33,17 @@ function getCert() {
         return;
       }
       deferred.resolve(c);
     }
   });
   return deferred.promise;
 }
 
-function startServer(cert) {
+function startServer(cert, expectingPeerCert, clientCertificateConfig) {
   let tlsServer = Cc["@mozilla.org/network/tls-server-socket;1"]
                   .createInstance(Ci.nsITLSServerSocket);
   tlsServer.init(-1, true, -1);
   tlsServer.serverCert = cert;
 
   let input, output;
 
   let listener = {
@@ -52,18 +52,22 @@ function startServer(cert) {
       let connectionInfo = transport.securityInfo
                            .QueryInterface(Ci.nsITLSServerConnectionInfo);
       connectionInfo.setSecurityObserver(listener);
       input = transport.openInputStream(0, 0, 0);
       output = transport.openOutputStream(0, 0, 0);
     },
     onHandshakeDone: function(socket, status) {
       do_print("TLS handshake done");
-      ok(!!status.peerCert, "Has peer cert");
-      ok(status.peerCert.equals(cert), "Peer cert matches expected cert");
+      if (expectingPeerCert) {
+        ok(!!status.peerCert, "Has peer cert");
+        ok(status.peerCert.equals(cert), "Peer cert matches expected cert");
+      } else {
+        ok(!status.peerCert, "No peer cert (as expected)");
+      }
 
       equal(status.tlsVersionUsed, Ci.nsITLSClientStatus.TLS_VERSION_1_2,
             "Using TLS 1.2");
       equal(status.cipherName, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "Using expected cipher");
       equal(status.keyLength, 128, "Using 128-bit key");
       equal(status.macLength, 128, "Using 128-bit MAC");
 
@@ -73,31 +77,33 @@ function startServer(cert) {
         }
       }, 0, 0, Services.tm.currentThread);
     },
     onStopListening: function() {}
   };
 
   tlsServer.setSessionCache(false);
   tlsServer.setSessionTickets(false);
-  tlsServer.setRequestClientCertificate(Ci.nsITLSServerSocket.REQUIRE_ALWAYS);
+  tlsServer.setRequestClientCertificate(clientCertificateConfig);
 
   tlsServer.asyncListen(listener);
 
   return tlsServer.port;
 }
 
 function storeCertOverride(port, cert) {
   let overrideBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED |
                      Ci.nsICertOverrideService.ERROR_MISMATCH;
   certOverrideService.rememberValidityOverride("127.0.0.1", port, cert,
                                                overrideBits, true);
 }
 
-function startClient(port, cert) {
+function startClient(port, cert, expectingBadCertAlert) {
+  let SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
+  let SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
   let transport =
     socketTransportService.createTransport(["ssl"], 1, "127.0.0.1", port, null);
   let input;
   let output;
 
   let inputDeferred = promise.defer();
   let outputDeferred = promise.defer();
 
@@ -112,56 +118,98 @@ function startClient(port, cert) {
     onInputStreamReady: function(input) {
       try {
         let data = NetUtil.readInputStreamToString(input, input.available());
         equal(data, "HELLO", "Echoed data received");
         input.close();
         output.close();
         inputDeferred.resolve();
       } catch (e) {
-        let SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
-        let SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
         let errorCode = -1 * (e.result & 0xFFFF);
-        if (errorCode == SEC_ERROR_UNKNOWN_ISSUER) {
-          do_print("Client doesn't like server cert");
+        if (expectingBadCertAlert && errorCode == SSL_ERROR_BAD_CERT_ALERT) {
+          inputDeferred.resolve();
+        } else {
+          inputDeferred.reject(e);
         }
-        inputDeferred.reject(e);
       }
     },
 
     onOutputStreamReady: function(output) {
       try {
-        // Set the cert we want to avoid any cert UI prompts
-        let clientSecInfo = transport.securityInfo;
-        let tlsControl = clientSecInfo.QueryInterface(Ci.nsISSLSocketControl);
-        tlsControl.clientCert = cert;
+        // Set the client certificate as appropriate.
+        if (cert) {
+          let clientSecInfo = transport.securityInfo;
+          let tlsControl = clientSecInfo.QueryInterface(Ci.nsISSLSocketControl);
+          tlsControl.clientCert = cert;
+        }
 
         output.write("HELLO", 5);
         do_print("Output to server written");
         outputDeferred.resolve();
         input = transport.openInputStream(0, 0, 0);
         input.asyncWait(handler, 0, 0, Services.tm.currentThread);
       } catch (e) {
-        let SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
-        let SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
         let errorCode = -1 * (e.result & 0xFFFF);
         if (errorCode == SSL_ERROR_BAD_CERT_ALERT) {
           do_print("Server doesn't like client cert");
         }
         outputDeferred.reject(e);
       }
     }
 
   };
 
   transport.setEventSink(handler, Services.tm.currentThread);
   output = transport.openOutputStream(0, 0, 0);
 
   return promise.all([inputDeferred.promise, outputDeferred.promise]);
 }
 
+// Replace the UI dialog that prompts the user to pick a client certificate.
+do_load_manifest("client_cert_chooser.manifest");
+
+add_task(function*() {
+  let cert = yield getCert();
+  ok(!!cert, "Got self-signed cert");
+  let port = startServer(cert, true, Ci.nsITLSServerSocket.REQUIRE_ALWAYS);
+  storeCertOverride(port, cert);
+  yield startClient(port, cert, false);
+});
+
+add_task(function*() {
+  let cert = yield getCert();
+  ok(!!cert, "Got self-signed cert");
+  let port = startServer(cert, true, Ci.nsITLSServerSocket.REQUIRE_ALWAYS);
+  storeCertOverride(port, cert);
+  yield startClient(port, null, true);
+});
+
 add_task(function*() {
   let cert = yield getCert();
   ok(!!cert, "Got self-signed cert");
-  let port = startServer(cert);
+  let port = startServer(cert, true, Ci.nsITLSServerSocket.REQUEST_ALWAYS);
+  storeCertOverride(port, cert);
+  yield startClient(port, cert, false);
+});
+
+add_task(function*() {
+  let cert = yield getCert();
+  ok(!!cert, "Got self-signed cert");
+  let port = startServer(cert, false, Ci.nsITLSServerSocket.REQUEST_ALWAYS);
   storeCertOverride(port, cert);
-  yield startClient(port, cert);
+  yield startClient(port, null, false);
 });
+
+add_task(function*() {
+  let cert = yield getCert();
+  ok(!!cert, "Got self-signed cert");
+  let port = startServer(cert, false, Ci.nsITLSServerSocket.REQUEST_NEVER);
+  storeCertOverride(port, cert);
+  yield startClient(port, cert, false);
+});
+
+add_task(function*() {
+  let cert = yield getCert();
+  ok(!!cert, "Got self-signed cert");
+  let port = startServer(cert, false, Ci.nsITLSServerSocket.REQUEST_NEVER);
+  storeCertOverride(port, cert);
+  yield startClient(port, null, false);
+});
--- a/netwerk/test/unit/xpcshell.ini
+++ b/netwerk/test/unit/xpcshell.ini
@@ -1,14 +1,16 @@
 [DEFAULT]
 head = head_channels.js head_cache.js head_cache2.js
 tail =
 skip-if = toolkit == 'gonk'
 support-files =
   CA.cert.der
+  client_cert_chooser.js
+  client_cert_chooser.manifest
   data/image.png
   data/system_root.lnk
   data/test_psl.txt
   data/test_readline1.txt
   data/test_readline2.txt
   data/test_readline3.txt
   data/test_readline4.txt
   data/test_readline5.txt
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_client_cert.js
+++ /dev/null
@@ -1,68 +0,0 @@
-// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-"use strict";
-
-// Tests specifying a particular client cert to use via the nsISSLSocketControl
-// |clientCert| attribute prior to connecting to the server.
-
-function run_test() {
-  do_get_profile();
-
-  // Init key token (to prevent password prompt)
-  const tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"]
-                    .getService(Ci.nsIPK11TokenDB);
-  let keyToken = tokenDB.getInternalKeyToken();
-  if (keyToken.needsUserInit) {
-    keyToken.initPassword("");
-  }
-
-  // Replace the UI dialog that would prompt for the following PKCS #12 file's
-  // password, as well as an alert that appears after it succeeds.
-  do_load_manifest("test_client_cert/cert_dialog.manifest");
-
-  // Load the user cert and look it up in XPCOM format
-  const certDB = Cc["@mozilla.org/security/x509certdb;1"]
-                   .getService(Ci.nsIX509CertDB);
-  let clientCertFile = do_get_file("test_client_cert/client-cert.p12", false);
-  certDB.importPKCS12File(null, clientCertFile);
-
-  // Find the cert by its common name
-  let clientCert;
-  let certs = certDB.getCerts().getEnumerator();
-  while (certs.hasMoreElements()) {
-    let cert = certs.getNext().QueryInterface(Ci.nsIX509Cert);
-    if (cert.certType === Ci.nsIX509Cert.USER_CERT &&
-        cert.commonName === "client-cert") {
-      clientCert = cert;
-      break;
-    }
-  }
-  ok(clientCert, "Client cert found");
-
-  add_tls_server_setup("ClientAuthServer");
-
-  add_connection_test("noclientauth.example.com", PRErrorCodeSuccess);
-
-  add_connection_test("requestclientauth.example.com", PRErrorCodeSuccess);
-  add_connection_test("requestclientauth.example.com", PRErrorCodeSuccess,
-                      null, null, transport => {
-    do_print("Setting client cert on transport");
-    let sslSocketControl = transport.securityInfo
-                           .QueryInterface(Ci.nsISSLSocketControl);
-    sslSocketControl.clientCert = clientCert;
-  });
-
-  add_connection_test("requireclientauth.example.com",
-                      SSL_ERROR_BAD_CERT_ALERT);
-  add_connection_test("requireclientauth.example.com", PRErrorCodeSuccess,
-                      null, null, transport => {
-    do_print("Setting client cert on transport");
-    let sslSocketControl =
-      transport.securityInfo.QueryInterface(Ci.nsISSLSocketControl);
-    sslSocketControl.clientCert = clientCert;
-  });
-
-  run_next_test();
-}
deleted file mode 100644
index cb939cb0f41cf41d7c3ed2b034102fdc6e52ec22..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100755
--- a/security/manager/ssl/tests/unit/test_client_cert/generate.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/python
-# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python
-
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-import tempfile, os, sys, random
-
-libpath = os.path.abspath("../psm_common_py")
-sys.path.append(libpath)
-
-import CertUtils
-
-dest_dir = os.getcwd()
-db = tempfile.mkdtemp()
-
-serial = random.randint(100, 40000000)
-name = "client-cert"
-[key, cert] = CertUtils.generate_cert_generic(db, dest_dir, serial, "rsa",
-                                              name, "")
-CertUtils.generate_pkcs12(db, dest_dir, cert, key, name)
-
-# Print a blank line and the fingerprint of the cert that ClientAuthServer.cpp
-# should be modified with.
-print
-CertUtils.print_cert_info(cert)
-print ('You now MUST update the fingerprint in ClientAuthServer.cpp to match ' +
-       'the fingerprint printed above.')
-
-# Remove unnecessary .der file
-os.remove(dest_dir + "/" + name + ".der")
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/ClientAuthServer.cpp
+++ /dev/null
@@ -1,116 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 sw=2 tw=80 et: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// This is a standalone server for testing client cert authentication.
-// The client is expected to connect, initiate an SSL handshake (with SNI
-// to indicate which "server" to connect to), and verify the certificate.
-// If all is good, the client then sends one encrypted byte and receives that
-// same byte back.
-// This server also has the ability to "call back" another process waiting on
-// it. That is, when the server is all set up and ready to receive connections,
-// it will connect to a specified port and issue a simple HTTP request.
-
-#include <stdio.h>
-
-#include "hasht.h"
-#include "ScopedNSSTypes.h"
-#include "ssl.h"
-#include "TLSServer.h"
-
-using namespace mozilla;
-using namespace mozilla::test;
-
-struct ClientAuthHost
-{
-  const char *mHostName;
-  bool mRequestClientAuth;
-  bool mRequireClientAuth;
-};
-
-// Hostname, cert nickname pairs.
-static const ClientAuthHost sClientAuthHosts[] =
-{
-  { "noclientauth.example.com", false, false },
-  { "requestclientauth.example.com", true, false },
-  { "requireclientauth.example.com", true, true },
-  { nullptr, false, false }
-};
-
-static const unsigned char sClientCertFingerprint[] =
-{
-  0xD2, 0x2F, 0x00, 0x9A, 0x9E, 0xED, 0x79, 0xDC,
-  0x8D, 0x17, 0x98, 0x8E, 0xEC, 0x76, 0x05, 0x91,
-  0xA5, 0xF6, 0xC9, 0xFA, 0x16, 0x8B, 0xD2, 0x5F,
-  0xE1, 0x52, 0x04, 0x7C, 0xF4, 0x76, 0x42, 0x9D
-};
-
-SECStatus
-AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
-                    PRBool isServer)
-{
-  ScopedCERTCertificate clientCert(SSL_PeerCertificate(fd));
-
-  unsigned char certFingerprint[SHA256_LENGTH];
-  SECStatus rv = PK11_HashBuf(SEC_OID_SHA256, certFingerprint,
-                              clientCert->derCert.data,
-                              clientCert->derCert.len);
-  if (rv != SECSuccess) {
-    return rv;
-  }
-
-  static_assert(sizeof(sClientCertFingerprint) == SHA256_LENGTH,
-                "Ensure fingerprint has corrent length");
-  bool match = !memcmp(certFingerprint, sClientCertFingerprint,
-                       sizeof(certFingerprint));
-  return match ? SECSuccess : SECFailure;
-}
-
-int32_t
-DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
-                  uint32_t aSrvNameArrSize, void* aArg)
-{
-  const ClientAuthHost *host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
-                                             sClientAuthHosts);
-  if (!host) {
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  if (gDebugLevel >= DEBUG_VERBOSE) {
-    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
-  }
-
-  SECStatus srv = ConfigSecureServerWithNamedCert(aFd, DEFAULT_CERT_NICKNAME,
-                                                  nullptr, nullptr);
-  if (srv != SECSuccess) {
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  SSL_OptionSet(aFd, SSL_REQUEST_CERTIFICATE, host->mRequestClientAuth);
-  if (host->mRequireClientAuth) {
-    SSL_OptionSet(aFd, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
-  } else {
-    SSL_OptionSet(aFd, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
-  }
-
-  // Override default client auth hook to just check fingerprint
-  srv = SSL_AuthCertificateHook(aFd, AuthCertificateHook, nullptr);
-  if (srv != SECSuccess) {
-    return SSL_SNI_SEND_ALERT;
-  }
-
-  return 0;
-}
-
-int
-main(int argc, char* argv[])
-{
-  if (argc != 2) {
-    fprintf(stderr, "usage: %s <NSS DB directory>\n", argv[0]);
-    return 1;
-  }
-
-  return StartServer(argv[1], DoSNISocketConfig, nullptr);
-}
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
@@ -3,17 +3,16 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 FAIL_ON_WARNINGS = True
 
 GeckoSimplePrograms([
     'BadCertServer',
-    'ClientAuthServer',
     'GenerateOCSPResponse',
     'OCSPStaplingServer',
 ], linkage=None)
 
 LOCAL_INCLUDES += [
     '../lib',
 ]
 
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -3,17 +3,16 @@ head = head_psm.js
 tail =
 tags = psm
 support-files =
   test_cert_keyUsage/**
   test_signed_apps/**
   tlsserver/**
   test_cert_signatures/**
   test_certviewer_invalid_oids/**
-  test_client_cert/**
   test_ev_certs/**
   test_getchain/**
   test_intermediate_basic_usage_constraints/**
   test_name_constraints/**
   test_cert_trust/**
   test_cert_version/**
   test_cert_eku/**
   test_cert_embedded_null/**
@@ -129,18 +128,16 @@ run-sequentially = hardcoded ports
 [test_keysize.js]
 [test_keysize_ev.js]
 # OCSP requests in this test time out on slow B2G Emulator debug builds.
 # See Bug 1147726.
 skip-if = toolkit == 'gonk' && debug
 run-sequentially = hardcoded ports
 [test_cert_chains.js]
 run-sequentially = hardcoded ports
-[test_client_cert.js]
-run-sequentially = hardcoded ports
 [test_nsCertType.js]
 run-sequentially = hardcoded ports
 [test_nsIX509Cert_utf8.js]
 [test_constructX509FromBase64.js]
 [test_validity.js]
 run-sequentially = hardcoded ports
 [test_certviewer_invalid_oids.js]
 skip-if = toolkit == 'android' || buildapp == 'b2g'
--- a/testing/mochitest/Makefile.in
+++ b/testing/mochitest/Makefile.in
@@ -18,17 +18,16 @@ libs::
 # Binaries and scripts that don't get packaged with the build,
 # but that we need for the test harness
 TEST_HARNESS_BINS := \
   xpcshell$(BIN_SUFFIX) \
   ssltunnel$(BIN_SUFFIX) \
   certutil$(BIN_SUFFIX) \
   pk12util$(BIN_SUFFIX) \
   BadCertServer$(BIN_SUFFIX) \
-  ClientAuthServer$(BIN_SUFFIX) \
   OCSPStaplingServer$(BIN_SUFFIX) \
   GenerateOCSPResponse$(BIN_SUFFIX) \
   fix_stack_using_bpsyms.py \
   $(NULL)
 
 ifeq ($(OS_ARCH),WINNT)
 TEST_HARNESS_BINS += \
   crashinject$(BIN_SUFFIX) \
--- a/testing/xpcshell/remotexpcshelltests.py
+++ b/testing/xpcshell/remotexpcshelltests.py
@@ -382,17 +382,16 @@ class XPCShellRemote(xpcshell.XPCShellTe
         # The xpcshell binary is required for all tests. Additional binaries
         # are required for some tests. This list should be similar to
         # TEST_HARNESS_BINS in testing/mochitest/Makefile.in.
         binaries = ["xpcshell",
                     "ssltunnel",
                     "certutil",
                     "pk12util",
                     "BadCertServer",
-                    "ClientAuthServer",
                     "OCSPStaplingServer",
                     "GenerateOCSPResponse"]
         for fname in binaries:
             local = os.path.join(self.localBin, fname)
             if os.path.isfile(local):
                 print >> sys.stderr, "Pushing %s.." % fname
                 remoteFile = remoteJoin(self.remoteBinDir, fname)
                 self.device.pushFile(local, remoteFile)
--- a/toolkit/mozapps/installer/upload-files.mk
+++ b/toolkit/mozapps/installer/upload-files.mk
@@ -609,17 +609,16 @@ NO_PKG_FILES += \
 	nm2tsv* \
 	nsinstall* \
 	res/samples \
 	res/throbber \
 	shlibsign* \
 	certutil* \
 	pk12util* \
 	BadCertServer* \
-	ClientAuthServer* \
 	OCSPStaplingServer* \
 	GenerateOCSPResponse* \
 	chrome/chrome.rdf \
 	chrome/app-chrome.manifest \
 	chrome/overlayinfo \
 	components/compreg.dat \
 	components/xpti.dat \
 	content_unit_tests \