w3c / webtransport

WebTransport is a web API for flexible data transport
https://w3c.github.io/webtransport/

WPT tests are needed for serverCertificateHash feature #589

Open javifernandez opened 4 months ago

javifernandez commented 4 months ago

There is only one test in the WPT repository to cover the functionality of this feature, which just checks an invalid hash doesn't match.

According to the WPT folks:

generally most wpt configurations use the certificates checked in to https://github.com/web-platform-tests/wpt/tree/master/tools/certs (although other configurations are possible). Those are regenerated by a GitHub action, and we can likely change the certificate type if necessary.

The main problems we have to implement tests in the WPT infrastructure are the following:

1- the feature imposes a restriction of 14 days maximum expiration time
2- the RSA keys are forbidden

Additionally, we would expect these WPT will be valid as well when they are executed by the browser's testing infrastructure, and as far as I know, the HTTP servers running there may have a different SSL certificate.
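The two restrictions listed in the comment above can be checked mechanically before a certificate is used in a hash-pinning test. The Python sketch below is an added example, not part of the thread or of WPT's tooling. It reads the validity period and key algorithm from a DER certificate and returns the SHA-256 digest of the DER bytes, which is the value a `serverCertificateHashes` entry carries. The names `check_cert` and `sample` are hypothetical, and the sample inputs are constructed DER skeletons rather than real signed certificates.

```python
import hashlib
from datetime import datetime, timedelta

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey

def children(buf):
    """Split DER content bytes into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt)

def check_cert(der):
    """Return (SHA-256 hex of the DER bytes, problems found for the two restrictions)."""
    tbs = children(children(children(der)[0][1])[0][1])  # fields of tbsCertificate
    if tbs[0][0] == 0xA0:  # skip the optional explicit version field
        tbs = tbs[1:]
    (t1, nb), (t2, na) = children(tbs[3][1])         # validity: notBefore, notAfter
    oid = children(children(tbs[5][1])[0][1])[0][1]  # subjectPublicKeyInfo algorithm OID
    problems = []
    if parse_time(t2, na) - parse_time(t1, nb) > timedelta(days=14):
        problems.append("validity exceeds 14 days")
    if oid == RSA_OID:
        problems.append("RSA key")
    return hashlib.sha256(der).hexdigest(), problems

def enc(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only (< 128 bytes)

def sample(oid, not_before, not_after):
    """Constructed DER skeleton holding only the fields check_cert reads; not a signed cert."""
    validity = enc(0x30, enc(0x17, not_before) + enc(0x17, not_after))
    spki = enc(0x30, enc(0x30, enc(0x06, oid)) + enc(0x03, b"\x00"))
    tbs = enc(0x02, b"\x01") + enc(0x30, b"") * 2 + validity + enc(0x30, b"") + spki
    return enc(0x30, enc(0x30, tbs))

# Constructed inputs: one certificate that satisfies both restrictions, one that violates both.
OK_CERT = sample(EC_OID, b"250101000000Z", b"250111000000Z")    # EC key, 10 days
BAD_CERT = sample(RSA_OID, b"250101000000Z", b"260101000000Z")  # RSA key, 365 days
```

For a real certificate, pass the DER bytes (for example from `ssl.PEM_cert_to_DER_cert`) to `check_cert`.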

javifernandez commented 4 months ago

I've been told in the WPT channel that generating new certificates with a different algorithm wouldn't be a problem, so we can easily solve (2).

Regarding the issue of having different certificates to check against by the tests, we may use the sub function of the WPT Pipes APIs to define a template for the server certificate, which will be resolved depending on the testing infrastructure where the tests run.

jan-ivar commented 3 months ago

Meeting: