diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile new file mode 100644 index 0000000..ea65d87 --- /dev/null +++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile @@ -0,0 +1,64 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when +# Description: NSS tools should not use SHA1 by default when +# Author: Hubert Kario +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Hubert Kario " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 10m" >> $(METADATA) + @echo "RunFor: nss openssl" >> $(METADATA) + @echo "Requires: nss nss-tools openssl" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE new file mode 100644 index 0000000..7caf493 --- /dev/null +++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when +Description: NSS tools should not use SHA1 by default when +Author: Hubert Kario +Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh new file mode 100755 index 0000000..8290d92 --- /dev/null +++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh @@ -0,0 +1,125 @@ +#!/bin/bash +# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when +# Description: NSS tools should not use SHA1 by default when +# Author: Hubert Kario +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="nss" +PACKAGES="nss openssl" +DBDIR="nssdb" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm --all + rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "mkdir nssdb" + rlRun "certutil -N -d $DBDIR --empty-password" + rlLogInfo "Create a JAR file" + rlRun "mkdir java-dir" + rlRun "pushd java-dir" + rlRun "mkdir META-INF mypackage" + rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF" + rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class" + #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class" + rlRun "popd" + #rlRun "mv java-dir/package.jar ." + rlPhaseEnd + + rlPhaseStartTest "Self signing certificates" + rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" + rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise" + rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlPhaseEnd + + rlPhaseStartTest "Signing certificates" + rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" + rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime" + rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlPhaseEnd + + rlPhaseStartTest "Certificate request" + rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" + rlRun "mkdir srv2db" + rlRun "certutil -d srv2db -N --empty-password" + rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise" + rlRun -s "openssl req -noout -text -in srv2.req" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt" + rlRun -s "openssl x509 -in srv2.crt -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlRun "rm -rf srv2db" + rlPhaseEnd + + rlPhaseStartTest "Certificate request with SHA1" + rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" + rlRun "mkdir srv2db" + rlRun "certutil -d srv2db -N --empty-password" + rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1" + rlRun -s "openssl req -noout -text -in srv2.req" + rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG" + rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt" + rlRun -s "openssl x509 -in srv2.crt -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlRun "rm -rf srv2db" + rlPhaseEnd + + rlPhaseStartTest "Signing CMS messages" + rlRun "echo 'This is a document' > document.txt" + rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms" + rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print" + rlAssertGrep "algorithm: sha256" $rlRun_LOG + rlAssertNotGrep "algorithm: sha1" $rlRun_LOG + rlPhaseEnd + + rlPhaseStartTest "CRL signing" + rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script" + rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script" + rlRun "echo addext crlNumber 0 1245 >>script" + rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script" + rlRun "echo addext reasonCode 0 0 >>script" + rlRun "cat script" + rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl" + rlRun -s "openssl crl -in ca.crl -inform der -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..df64aa2 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,12 @@ +--- +# This first play always runs on the local staging system +- hosts: localhost + roles: + - role: standard-test-beakerlib + tags: + - classic + tests: + - NSS-tools-should-not-use-SHA1-by-default-when + required_packages: + - nss-tools + - nss