Update to NSS 3.39

.gitignore

@@ -27,3 +27,4 @@ TestUser51.cert
 /nss-3.36.1.tar.gz
 /nss-3.37.3.tar.gz
 /nss-3.38.0.tar.gz
+/nss-3.39.tar.gz

nss-3.14.0.0-disble-ocsp-test.patch

@@ -1,11 +0,0 @@
-diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
---- nss/tests/chains/scenarios/scenarios.noocsptest	2013-06-27 10:58:08.000000000 -0700
-+++ nss/tests/chains/scenarios/scenarios	2013-07-02 16:13:27.075038930 -0700
-@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
- realcerts.cfg
- dsa.cfg
- revoc.cfg
--ocsp.cfg
- crldp.cfg
- trustanchors.cfg
- nameconstraints.cfg

nss-check-policy-file.patch

@@ -1,49 +0,0 @@
-diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
---- nss/lib/pk11wrap/pk11pars.c.check_policy_file	2017-01-06 13:21:47.002952050 +0100
-+++ nss/lib/pk11wrap/pk11pars.c	2017-01-06 13:28:18.972536334 +0100
-@@ -109,6 +109,7 @@ secmod_NewModule(void)
-                                                  *other flags are set */
- #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
- #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
-+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
- 
- /* private flags for internal (field in SECMODModule). */
- /* The meaing of these flags is as follows:
-@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
-         if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
-             flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
-         }
-+	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
-+	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
-+	}
-         /* additional moduleDB flags could be added here in the future */
-         mod->isModuleDB = (PRBool)flags;
-     }
-@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
- }
- 
- PRBool
-+secmod_PolicyOnly(SECMODModule *mod)
-+{
-+   char flags = (char) mod->isModuleDB;
-+
-+   return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
-+}
-+
-+PRBool
- secmod_IsInternalKeySlot(SECMODModule *mod)
- {
-     char flags = (char)mod->internal;
-@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
-     if (!module) {
-         goto loser;
-     }
-+
-+    /* a policy only stanza doesn't actually get 'loaded'. policy has already
-+     * been parsed as a side effect of the CreateModuleEx call */
-+    if (secmod_PolicyOnly(module)) {
-+	return module;
-+    }
-     if (parent) {
-         module->parent = SECMOD_ReferenceModule(parent);
-         if (module->internal && secmod_IsInternalKeySlot(parent)) {

nss-p11-kit.config

@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+

nss.spec

@@ -1,24 +1,21 @@
-%global nspr_version 4.19.0
-%global nss_util_version 3.38.0
-%global nss_softokn_version 3.38.0
+%global nspr_version 4.20.0
+%global nss_util_version 3.39.0
+%global nss_softokn_version 3.39.0
+%global nss_version 3.39.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
-# solution taken from icedtea-web.spec
-%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
-%ifarch %{multilib_arches}
-%define alt_ckbi  libnssckbi.so.%{_arch}
-%else
-%define alt_ckbi  libnssckbi.so
-%endif
-
-# Define if using a source archive like "nss-version.with.ckbi.version".
-# To "disable", add "#" to start of line, AND a space after "%".
-#% define nss_ckbi_suffix .with.ckbi.1.93
+# The upstream omits the trailing ".0", while we need it for
+# consistency with the pkg-config version:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
+%{lua:
+rpm.define(string.format("nss_archive_version %s",
+           string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
+}
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.38.0
+Version:          %{nss_version}
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
 Release:          1.0%{?dist}
@@ -30,9 +27,7 @@ Requires:         nss-util >= %{nss_util_version}
 # TODO: revert to same version as nss once we are done with the merge
 Requires:         nss-softokn%{_isa} >= %{nss_softokn_version}
 Requires:         nss-system-init
-Requires(post):   %{_sbindir}/update-alternatives
-Requires(postun): %{_sbindir}/update-alternatives
-BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Requires:         p11-kit-trust
 BuildRequires:    nspr-devel >= %{nspr_version}
 # TODO: revert to same version as nss once we are done with the merge
 # Using '>=' but on RHEL the requires should be '='
@@ -65,13 +60,7 @@ Conflicts:        seamonkey < 2.46-2
 # https://bugzilla.redhat.com/show_bug.cgi?id=1414987
 # Conflicts:        icecat < 45.5.1-5
 
-%if %{defined nss_ckbi_suffix}
-%define full_nss_version %{version}%{nss_ckbi_suffix}
-%else
-%define full_nss_version %{version}
-%endif
-
-Source0:          %{name}-%{full_nss_version}.tar.gz
+Source0:          %{name}-%{nss_archive_version}.tar.gz
 Source1:          nss.pc.in
 Source2:          nss-config.in
 Source3:          blank-cert8.db
@@ -94,8 +83,6 @@ Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
 Patch16:          nss-539183.patch
-# TODO: Remove this patch when the ocsp test are fixed
-Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
 Patch47:          utilwrap-include-templates.patch
 # TODO remove when we switch to building nss without softoken
@@ -114,9 +101,6 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 Patch50:          iquote.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
-Patch59: nss-check-policy-file.patch
-Patch60: nss-load-policy-file.patch
 Patch62: nss-skip-util-gtest.patch
 Patch63: nss-sql-default.patch
 
@@ -188,20 +172,16 @@ low level services.
 
 
 %prep
-%setup -q
-%setup -q -T -D -n %{name}-%{version}
+%setup -q -n %{name}-%{nss_archive_version}
 
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
 %patch16 -p0 -b .539183
-%patch40 -p0 -b .noocsptest
 %patch47 -p0 -b .templates
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
 %patch58 -p0 -b .1185708_3des
 pushd nss
-%patch59 -p1 -b .check_policy_file
-%patch60 -p1 -b .load_policy_file
 %patch62 -p1 -b .skip_util_gtest
 %patch63 -p1 -R -b .sql-default
 popd
@@ -235,9 +215,6 @@ popd
 
 %build
 
-NSS_NO_PKCS11_BYPASS=1
-export NSS_NO_PKCS11_BYPASS
-
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
@@ -255,6 +232,9 @@ export BUILD_OPT=1
 XCFLAGS=$RPM_OPT_FLAGS
 export XCFLAGS
 
+LDFLAGS=$RPM_LD_FLAGS
+export LDFLAGS
+
 PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
 
@@ -541,9 +521,6 @@ echo "test suite completed"
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 
-touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
-%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
-
 # Copy the binary libraries we want
 for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
@@ -568,7 +545,7 @@ do
 done
 
 # Copy the binaries we want
-for file in certutil cmsutil crlutil modutil pk12util signver ssltap
+for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
 do
   %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done
@@ -623,8 +600,8 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
    install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
 done
 
-%clean
-%{__rm} -rf $RPM_BUILD_ROOT
+# Copy the crypto-policies configuration file
+%{__install} -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
 
 %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
 # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
@@ -632,33 +609,9 @@ done
 /usr/bin/setup-nsssysinit.sh on
 
 %post
-# If we upgrade, and the shared filename is a regular file, then we must
-# remove it, before we can install the alternatives symbolic link.
-if [ $1 -gt 1 ] ; then
-  # when upgrading or downgrading
-  if ! test -L %{_libdir}/libnssckbi.so; then
-    rm -f %{_libdir}/libnssckbi.so
-  fi
-fi
-# Install the symbolic link
-# FYI: Certain other packages use alternatives --set to enforce that the first
-# installed package is preferred. We don't do that. Highest priority wins.
-%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
-  %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
 /sbin/ldconfig
 
 %postun
-if [ $1 -eq 0 ] ; then
-  # package removal
-  %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
-else
-  # upgrade or downgrade
-  # If the new installed package uses a regular file (not a symblic link),
-  # then cleanup the alternatives link.
-  if ! test -L %{_libdir}/libnssckbi.so; then
-    %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
-  fi
-fi
 /sbin/ldconfig
 
 
@@ -669,8 +622,6 @@ fi
 %{_libdir}/libnss3.so
 %{_libdir}/libssl3.so
 %{_libdir}/libsmime3.so
-%ghost %{_libdir}/libnssckbi.so
-%{_libdir}/nss/libnssckbi.so
 %dir %{_sysconfdir}/pki/nssdb
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
@@ -699,6 +650,7 @@ fi
 %{_bindir}/cmsutil
 %{_bindir}/crlutil
 %{_bindir}/modutil
+%{_bindir}/nss-policy-check
 %{_bindir}/pk12util
 %{_bindir}/signver
 %{_bindir}/ssltap
@@ -811,6 +763,10 @@ fi
 
 
 %changelog
+* Mon Sep  3 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.0
+- Update to NSS 3.39
+- Use the upstream tarball as it is (rhbz#1578106)
+
 * Tue Jul  3 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.0
 - Update to NSS 3.38
 

sources

@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.38.0.tar.gz) = eb63f1c44adbbd97dc766e8545c72303f3cb18f1bfb2af67c33cdb1a1a9a1cc432a64afbafabd7a5bb3f08cb36db74ed81e5cfa1fc4bd35ae76e183f3205afed
+SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f

tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          nss openssl" >> $(METADATA)
+	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE

@@ -0,0 +1,4 @@
+PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
+Description: NSS tools should not use SHA1 by default when
+Author: Hubert Kario <hkario@redhat.com>
+Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="nss"
+PACKAGES="nss openssl"
+DBDIR="nssdb"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm --all
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "mkdir nssdb"
+        rlRun "certutil -N -d $DBDIR --empty-password"
+        rlLogInfo "Create a JAR file"
+        rlRun "mkdir java-dir"
+        rlRun "pushd java-dir"
+        rlRun "mkdir META-INF mypackage"
+        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
+        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
+        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
+        rlRun "popd"
+        #rlRun "mv java-dir/package.jar ."
+    rlPhaseEnd
+
+    rlPhaseStartTest "Self signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
+        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
+        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request with SHA1"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing CMS messages"
+        rlRun "echo 'This is a document' > document.txt"
+        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
+        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
+        rlAssertGrep "algorithm: sha256" $rlRun_LOG
+        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "CRL signing"
+        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
+        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
+        rlRun "echo addext crlNumber 0 1245 >>script"
+        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
+        rlRun "echo addext reasonCode 0 0 >>script"
+        rlRun "cat script"
+        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
+        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/tests.yml

@@ -0,0 +1,12 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - NSS-tools-should-not-use-SHA1-by-default-when
+    required_packages:
+    - nss-tools
+    - nss