diff --git a/STAGE2-nss b/STAGE2-nss
new file mode 100644
index 0000000..3d43b92
--- /dev/null
+++ b/STAGE2-nss
@@ -0,0 +1,68 @@
+#requires nspr
+#requires perl
+#requires nss-util
+#requires nss-softokn
+
+mcd $BUILDDIR/nss
+
+export BUILD_OPT=1
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+export NSPR_INCLUDE_DIR=/usr/include/nspr
+export NSPR_LIB_DIR=/usr/lib${SUFFIX}
+export NSS_USE_SYSTEM_SQLITE=1
+export NSS_BUILD_WITHOUT_SOFTOKEN=1
+export USE_SYSTEM_SOFTOKEN=1
+export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
+export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
+export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
+export USE_SYSTEM_NSSUTIL=1
+export FREEBL_INCLUDE_DIR=/usr/include/nss3
+export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
+export USE_SYSTEM_FREEBL=1
+export NSS_USE_SYSTEM_FREEBL=1
+export FREEBL_NO_DEPEND=1
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+export NSS_BLTEST_NOT_AVAILABLE=1
+export NSS_NO_SSL2_NO_EXPORT=1
+export NSS_ECC_MORE_THAN_SUITE_B=1
+export NSS_NO_PKCS11_BYPASS=1
+#export NSDISTMODE="copy"
+
+if [ "$SUFFIX" = "64" ]; then
+ USE_64=1
+ export USE_64
+fi
+
+(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
+
+make -C $SRC/nss-3.*/nss/coreconf
+make -C $SRC/nss-3.*/nss/lib/dbm
+
+# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
+# need nss/verref.h which is exported privately, move it to where it can be found.
+(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
+
+make -C $SRC/nss-3.*/nss
+cd $SRC/nss-3.*/nss/coreconf
+make install
+cd $SRC/nss-3.*/nss/lib/dbm
+make install
+cd $SRC/nss-3.*/nss
+make install
+# Copy the binary libraries we want
+NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
+# BOZO: temporarily disable FIPS140 support
+#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
+NSSLIBCHKS=""
+# END BOZO
+cd $SRC/nss-3.*
+for file in $NSSLIBS $NSSLIBCHKS
+do
+ install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
+done
+# Copy the include files we want
+for file in $SRC/nss-*/dist/public/nss/*.h
+do
+ install -p -m 644 $file /usr/include/nss3/
+done
diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
new file mode 100644
index 0000000..ea65d87
--- /dev/null
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
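Review bot: The three `cd $SRC/nss-3.*/…` lines near the end of the hunk are each followed by a bare `make install`, so when the glob matches nothing or more than one directory the `cd` fails and the install runs from whatever directory the script is in at that point; the build steps above already use `make -C`, and the same form keeps each install to one line: `make -C $SRC/nss-3.*/nss/coreconf install`, `make -C $SRC/nss-3.*/nss/lib/dbm install`, `make -C $SRC/nss-3.*/nss install`. The final `cd $SRC/nss-3.*` before the two install loops has the same exposure and would want `|| exit 1` unless the surrounding build framework runs these scripts under `set -e`, which is not visible here. The `BOZO` block leaves `NSSLIBCHKS` empty without saying where the FIPS `.chk` integrity files are expected to come from; given `USE_SYSTEM_SOFTOKEN=1` and `USE_SYSTEM_FREEBL=1` they presumably ship with the `nss-softokn` package named in `#requires`, and a comment stating that would keep the next reader from re-enabling the list against libraries this script does not build.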
@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+# Description: NSS tools should not use SHA1 by default when
+# Author: Hubert Kario
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Hubert Kario " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 10m" >> $(METADATA)
+ @echo "RunFor: nss openssl" >> $(METADATA)
+ @echo "Requires: nss nss-tools openssl" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
new file mode 100644
index 0000000..7caf493
--- /dev/null
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
+Description: NSS tools should not use SHA1 by default when
+Author: Hubert Kario
+Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates
diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
new file mode 100755
index 0000000..8290d92
--- /dev/null
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
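Review bot: `run` and `build` are command targets, but the `.PHONY` line declares only `all install download clean`, so a stray file named `build` or `run` in the test directory would make those rules silently up to date and skip `./runtest.sh`; `.PHONY: all install download clean run build` covers them. The `Owner:` line writes `"Owner: Hubert Kario "` with a trailing space and no contact address, which looks like a stripped `<email>`; rhts-lint may accept it, but the metadata is less useful without it, so worth confirming the intended form. Recipe lines appear in this rendering with a single leading space, which may be an artefact of the diff display; in the committed file they must start with a tab or make rejects them with `missing separator`.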
@@ -0,0 +1,125 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
+# Description: NSS tools should not use SHA1 by default when
+# Author: Hubert Kario
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="nss"
+PACKAGES="nss openssl"
+DBDIR="nssdb"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm --all
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "mkdir nssdb"
+ rlRun "certutil -N -d $DBDIR --empty-password"
+ rlLogInfo "Create a JAR file"
+ rlRun "mkdir java-dir"
+ rlRun "pushd java-dir"
+ rlRun "mkdir META-INF mypackage"
+ rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
+ rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
+ #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
+ rlRun "popd"
+ #rlRun "mv java-dir/package.jar ."
+ rlPhaseEnd
+
+ rlPhaseStartTest "Self signing certificates"
+ rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+ rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
+ rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
+ rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+ rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Signing certificates"
+ rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+ rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
+ rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
+ rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+ rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "Certificate request"
+ rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+ rlRun "mkdir srv2db"
+ rlRun "certutil -d srv2db -N --empty-password"
+ rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
+ rlRun -s "openssl req -noout -text -in srv2.req"
+ rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+ rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+ rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+ rlRun -s "openssl x509 -in srv2.crt -noout -text"
+ rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+ rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+ rlRun "rm -rf srv2db"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Certificate request with SHA1"
+ rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+ rlRun "mkdir srv2db"
+ rlRun "certutil -d srv2db -N --empty-password"
+ rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
+ rlRun -s "openssl req -noout -text -in srv2.req"
+ rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
+ rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+ rlRun -s "openssl x509 -in srv2.crt -noout -text"
+ rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+ rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+ rlRun "rm -rf srv2db"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Signing CMS messages"
+ rlRun "echo 'This is a document' > document.txt"
+ rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
+ rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
+ rlAssertGrep "algorithm: sha256" $rlRun_LOG
+ rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartTest "CRL signing"
+ rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
+ rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
+ rlRun "echo addext crlNumber 0 1245 >>script"
+ rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
+ rlRun "echo addext reasonCode 0 0 >>script"
+ rlRun "cat script"
+ rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
+ rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
+ rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
+ rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..df64aa2
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,12 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - classic
+ tests:
+ - NSS-tools-should-not-use-SHA1-by-default-when
+ required_packages:
+ - nss-tools
+ - nss
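Review bot: The setup phase runs `rlRun "mkdir nssdb"` although `DBDIR="nssdb"` is defined a few lines earlier and every later `certutil -d $DBDIR` depends on it, so `rlRun "mkdir $DBDIR"` keeps the two from drifting apart. The JAR scaffolding in the same phase (`mkdir java-dir`, `META-INF`, `mypackage`, the manifest and the fake `.class` file) is never consumed because both `jar`/`mv` lines are commented out; either drop it or leave a comment naming the signtool check it is reserved for, since right now it reads as dead setup. `$rlRun_LOG` is quoted in the `rlAssertGrep` calls of the certificate phases but unquoted in every `rlAssertNotGrep` call and throughout the CMS and CRL phases; quoting it consistently avoids word splitting should the log path ever contain spaces. The positive assertions pin `sha256WithRSAEncryption` exactly, so a future default of a stronger digest would fail them while the `sha1` negative checks still pass; that is reasonable for a regression test but deserves a one-line comment so the failure is not misread as a regression.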
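Review bot: `required_packages` lists only `nss-tools` and `nss`, but runtest.sh pipes the certutil, cmsutil and crlutil output through `openssl x509`, `openssl req`, `openssl cms` and `openssl crl`, and the Makefile's metadata already says `Requires: nss nss-tools openssl`; without `- openssl` here a standard-test-beakerlib run on a minimal host fails before the first assertion. Adding `- openssl` alongside `- nss-tools` under `required_packages` brings the two declarations into agreement.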