WPT tests are needed for serverCertificateHash feature

[javifernandez]

There is only one test in the WPT repository to cover the functionality of this feature, which just checks an invalid hash doesn't match.

According to the WPT folks:

generally most wpt configurations use the certificates checked in to https://github.com/web-platform-tests/wpt/tree/master/tools/certs (although other configurations are possible). Those are regenerated by a GitHub action, and we can likely change the certificate type if necessary.

The main problems we have to implement tests in the WPT infrastructure are the following:

1- the feature imposes a restriction of 14 days maximum expiration time
2- the RSA keys are forbidden

Additionally, we would expect these WPT will be valid as well when they are executed by the browser's testing infrastructure, and as far as I know, the HTTP servers running there may have a different SSL certificate.

[javifernandez]

I've been told in the WPT channel that generating new certificates with a different algorithm wouldn't be a problem, so we can easily solve (2).

Regarding the issue of having different certificates to check against by the tests, we may use the sub function of the WPT Pipes APIs to define a template for the server certificate, which will be resolved depending on the testing infrastructure where the tests run.

[jan-ivar]

Meeting:

• Broad support. @javifernandez to pursue this.

[martenrichter]

What is the status of updated wpt tests for certificate hashes?
Firefox just broke the current implementation, so the current test does not seem to be sufficient:
https://bugzilla.mozilla.org/show_bug.cgi?id=1934402
The problem was, that it failed with a certificate with an unknown (third-party) root certificate.

[javifernandez]

I haven't had time to work on this lately. I don't have a clear idea of how to do it either, so if anybody has more time and knowledge, I'd be happy to reassign the issue.

I totally agree that we need more tests for the serverCertificateHashes.

[martenrichter]

I have tried to make some:
https://phabricator.services.mozilla.com/D231479