From f002359684418bc4aef613619ba12978b10d4688 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 3 Sep 2018 14:49:57 +0200 Subject: [PATCH] Update to NSS 3.39 --- .gitignore | 1 + nss-3.14.0.0-disble-ocsp-test.patch | 11 -- nss-check-policy-file.patch | 49 ------- nss-p11-kit.config | 4 + nss.spec | 96 ++++---------- sources | 2 +- .../Makefile | 64 +++++++++ .../PURPOSE | 4 + .../runtest.sh | 125 ++++++++++++++++++ tests/tests.yml | 12 ++ 10 files changed, 237 insertions(+), 131 deletions(-) delete mode 100644 nss-3.14.0.0-disble-ocsp-test.patch delete mode 100644 nss-check-policy-file.patch create mode 100644 nss-p11-kit.config create mode 100644 tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile create mode 100644 tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE create mode 100755 tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh create mode 100644 tests/tests.yml diff --git a/.gitignore b/.gitignore index c7566e0..edaba7a 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ TestUser51.cert /nss-3.36.1.tar.gz /nss-3.37.3.tar.gz /nss-3.38.0.tar.gz +/nss-3.39.tar.gz diff --git a/nss-3.14.0.0-disble-ocsp-test.patch b/nss-3.14.0.0-disble-ocsp-test.patch deleted file mode 100644 index 3347ee9..0000000 --- a/nss-3.14.0.0-disble-ocsp-test.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios ---- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700 -+++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700 -@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg - realcerts.cfg - dsa.cfg - revoc.cfg --ocsp.cfg - crldp.cfg - trustanchors.cfg - nameconstraints.cfg diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch deleted file mode 100644 index 1898173..0000000 --- a/nss-check-policy-file.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c ---- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-01-06 13:21:47.002952050 +0100 -+++ nss/lib/pk11wrap/pk11pars.c 2017-01-06 13:28:18.972536334 +0100 -@@ -109,6 +109,7 @@ secmod_NewModule(void) - *other flags are set */ - #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02 - #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04 -+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08 - - /* private flags for internal (field in SECMODModule). */ - /* The meaing of these flags is as follows: -@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar - if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) { - flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB; - } -+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) { -+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY; -+ } - /* additional moduleDB flags could be added here in the future */ - mod->isModuleDB = (PRBool)flags; - } -@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule - } - - PRBool -+secmod_PolicyOnly(SECMODModule *mod) -+{ -+ char flags = (char) mod->isModuleDB; -+ -+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE; -+} -+ -+PRBool - secmod_IsInternalKeySlot(SECMODModule *mod) - { - char flags = (char)mod->internal; -@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM - if (!module) { - goto loser; - } -+ -+ /* a policy only stanza doesn't actually get 'loaded'. policy has already -+ * been parsed as a side effect of the CreateModuleEx call */ -+ if (secmod_PolicyOnly(module)) { -+ return module; -+ } - if (parent) { - module->parent = SECMOD_ReferenceModule(parent); - if (module->internal && secmod_IsInternalKeySlot(parent)) { diff --git a/nss-p11-kit.config b/nss-p11-kit.config new file mode 100644 index 0000000..0ebf073 --- /dev/null +++ b/nss-p11-kit.config @@ -0,0 +1,4 @@ +name=p11-kit-proxy +library=p11-kit-proxy.so + + 
diff --git a/nss.spec b/nss.spec index 61a1012..689a640 100644 --- a/nss.spec +++ b/nss.spec @@ -1,24 +1,21 @@ -%global nspr_version 4.19.0 -%global nss_util_version 3.38.0 -%global nss_softokn_version 3.38.0 +%global nspr_version 4.20.0 +%global nss_util_version 3.39.0 +%global nss_softokn_version 3.39.0 +%global nss_version 3.39.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" -# solution taken from icedtea-web.spec -%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el -%ifarch %{multilib_arches} -%define alt_ckbi libnssckbi.so.%{_arch} -%else -%define alt_ckbi libnssckbi.so -%endif - -# Define if using a source archive like "nss-version.with.ckbi.version". -# To "disable", add "#" to start of line, AND a space after "%". -#% define nss_ckbi_suffix .with.ckbi.1.93 +# The upstream omits the trailing ".0", while we need it for +# consistency with the pkg-config version: +# https://bugzilla.redhat.com/show_bug.cgi?id=1578106 +%{lua: +rpm.define(string.format("nss_archive_version %s", + string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1"))) +} Summary: Network Security Services Name: nss -Version: 3.38.0 +Version: %{nss_version} # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) Release: 1.0%{?dist} 
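Review bot: In the new `%{lua: ...}` block, `string.gsub` returns both the rewritten string and a substitution count, so `string.format("nss_archive_version %s", ...)` is handed three arguments; Lua silently drops the extra one, but a reader has to know that to see why the macro is well-formed. Wrapping the inner call in parentheses, `(string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1"))`, truncates it to a single value and makes the intent explicit. The comment above it could also state what the derived macro yields, e.g. `# nss_archive_version is nss_version with a trailing ".0" removed (3.39.0 -> 3.39)`, since `Source0` and `%setup` now depend on that transformation.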
@@ -30,9 +27,7 @@ Requires: nss-util >= %{nss_util_version} # TODO: revert to same version as nss once we are done with the merge Requires: nss-softokn%{_isa} >= %{nss_softokn_version} Requires: nss-system-init -Requires(post): %{_sbindir}/update-alternatives -Requires(postun): %{_sbindir}/update-alternatives -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +Requires: p11-kit-trust BuildRequires: nspr-devel >= %{nspr_version} # TODO: revert to same version as nss once we are done with the merge # Using '>=' but on RHEL the requires should be '=' @@ -65,13 +60,7 @@ Conflicts: seamonkey < 2.46-2 # https://bugzilla.redhat.com/show_bug.cgi?id=1414987 # Conflicts: icecat < 45.5.1-5 -%if %{defined nss_ckbi_suffix} -%define full_nss_version %{version}%{nss_ckbi_suffix} -%else -%define full_nss_version %{version} -%endif - -Source0: %{name}-%{full_nss_version}.tar.gz +Source0: %{name}-%{nss_archive_version}.tar.gz Source1: nss.pc.in Source2: nss-config.in Source3: blank-cert8.db @@ -94,8 +83,6 @@ Patch2: add-relro-linker-option.patch Patch3: renegotiate-transitional.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723 Patch16: nss-539183.patch -# TODO: Remove this patch when the ocsp test are fixed -Patch40: nss-3.14.0.0-disble-ocsp-test.patch # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator Patch47: utilwrap-include-templates.patch # TODO remove when we switch to building nss without softoken @@ -114,9 +101,6 @@ Patch49: nss-skip-bltest-and-fipstest.patch Patch50: iquote.patch # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 -Patch59: nss-check-policy-file.patch -Patch60: nss-load-policy-file.patch Patch62: nss-skip-util-gtest.patch Patch63: nss-sql-default.patch 
@@ -188,20 +172,16 @@ low level services. %prep -%setup -q -%setup -q -T -D -n %{name}-%{version} +%setup -q -n %{name}-%{nss_archive_version} %patch2 -p0 -b .relro %patch3 -p0 -b .transitional %patch16 -p0 -b .539183 -%patch40 -p0 -b .noocsptest %patch47 -p0 -b .templates %patch49 -p0 -b .skipthem %patch50 -p0 -b .iquote %patch58 -p0 -b .1185708_3des pushd nss -%patch59 -p1 -b .check_policy_file -%patch60 -p1 -b .load_policy_file %patch62 -p1 -b .skip_util_gtest %patch63 -p1 -R -b .sql-default popd @@ -235,9 +215,6 @@ popd %build -NSS_NO_PKCS11_BYPASS=1 -export NSS_NO_PKCS11_BYPASS - FREEBL_NO_DEPEND=1 export FREEBL_NO_DEPEND @@ -255,6 +232,9 @@ export BUILD_OPT=1 XCFLAGS=$RPM_OPT_FLAGS export XCFLAGS +LDFLAGS=$RPM_LD_FLAGS +export LDFLAGS + PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 @@ -541,9 +521,6 @@ echo "test suite completed" mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5 -touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so -%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so - # Copy the binary libraries we want for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so do @@ -568,7 +545,7 @@ do done # Copy the binaries we want -for file in certutil cmsutil crlutil modutil pk12util signver ssltap +for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap do %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir} done @@ -623,8 +600,8 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 done -%clean -%{__rm} -rf $RPM_BUILD_ROOT +# Copy the crypto-policies configuration file +%{__install} -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3 # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet 
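Review bot: The new `%{__install} -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d` line (the `@@ -623` hunk) targets a directory that no hunk shown here creates in the buildroot; with nothing having run `mkdir -p` first, `install` would write a regular file named `local.d` rather than placing the config inside it. `%{__install} -D -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT%{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config` creates the path and names the destination explicitly. No hunk in this patch declares `Source28:` or lists the installed file under `%files`, so unless both already exist in the untouched part of nss.spec the build will fail on an undefined macro or an unpackaged file. The `%install` section continues outside the hunk.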
@@ -632,33 +609,9 @@ done /usr/bin/setup-nsssysinit.sh on %post -# If we upgrade, and the shared filename is a regular file, then we must -# remove it, before we can install the alternatives symbolic link. -if [ $1 -gt 1 ] ; then - # when upgrading or downgrading - if ! test -L %{_libdir}/libnssckbi.so; then - rm -f %{_libdir}/libnssckbi.so - fi -fi -# Install the symbolic link -# FYI: Certain other packages use alternatives --set to enforce that the first -# installed package is preferred. We don't do that. Highest priority wins. -%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \ - %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10 /sbin/ldconfig %postun -if [ $1 -eq 0 ] ; then - # package removal - %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so -else - # upgrade or downgrade - # If the new installed package uses a regular file (not a symblic link), - # then cleanup the alternatives link. - if ! test -L %{_libdir}/libnssckbi.so; then - %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so - fi -fi /sbin/ldconfig @@ -669,8 +622,6 @@ fi %{_libdir}/libnss3.so %{_libdir}/libssl3.so %{_libdir}/libsmime3.so -%ghost %{_libdir}/libnssckbi.so -%{_libdir}/nss/libnssckbi.so %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db @@ -699,6 +650,7 @@ fi %{_bindir}/cmsutil %{_bindir}/crlutil %{_bindir}/modutil +%{_bindir}/nss-policy-check %{_bindir}/pk12util %{_bindir}/signver %{_bindir}/ssltap @@ -811,6 +763,10 @@ fi %changelog +* Mon Sep 3 2018 Daiki Ueno - 3.39.0-1.0 +- Update to NSS 3.39 +- Use the upstream tarball as it is (rhbz#1578106) + * Tue Jul 3 2018 Daiki Ueno - 3.38.0-1.0 - Update to NSS 3.38 diff --git a/sources b/sources index 8c91f7f..bc02822 100644 --- a/sources +++ b/sources 
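Review bot: With the alternatives handling dropped from `%post` and `%postun`, the package no longer manages `%{_libdir}/libnssckbi.so` at all (the `%ghost` and `%{_libdir}/nss/libnssckbi.so` entries go away in the `@@ -669` hunk, and the trust module is expected from the new `Requires: p11-kit-trust` in the `@@ -30` hunk), but nothing in the spec records that; cleanup of the stale alternative on upgrade is presumably left to the previous package's `%postun`, which is worth stating. A comment above `%post` such as `# libnssckbi.so is supplied by p11-kit-trust; the alternatives link is no longer managed here` would do, and the new `%changelog` entry could mention the switch alongside the tarball change.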
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.38.0.tar.gz) = eb63f1c44adbbd97dc766e8545c72303f3cb18f1bfb2af67c33cdb1a1a9a1cc432a64afbafabd7a5bb3f08cb36db74ed81e5cfa1fc4bd35ae76e183f3205afed
+SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f
diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
new file mode 100644
index 0000000..ea65d87
--- /dev/null
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
@@ -0,0 +1,64 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when +# Description: NSS tools should not use SHA1 by default when +# Author: Hubert Kario +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Hubert Kario " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 10m" >> $(METADATA) + @echo "RunFor: nss openssl" >> $(METADATA) + @echo "Requires: nss nss-tools openssl" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE new file mode 100644 index 0000000..7caf493 --- /dev/null +++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when +Description: NSS tools should not use SHA1 by default when +Author: Hubert Kario +Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh new file mode 100755 index 0000000..8290d92 --- /dev/null +++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh 
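Review bot: `.PHONY: all install download clean` declares targets this Makefile never defines (`all`, `install`, `download`) while the real non-file targets `run` and `build` are left out, so a stray file named `run` or `build` in the test directory would silently satisfy them; `.PHONY: run build clean` matches what is actually defined. The `Description:` written into `$(METADATA)` ends mid-sentence ("...by default when"); the PURPOSE file in this same patch carries the full wording, `NSS tools should not use SHA1 by default when generating digital signatures/certificates`, which could be used here as well.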
@@ -0,0 +1,125 @@ +#!/bin/bash +# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when +# Description: NSS tools should not use SHA1 by default when +# Author: Hubert Kario +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="nss" +PACKAGES="nss openssl" +DBDIR="nssdb" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm --all + rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "mkdir nssdb" + rlRun "certutil -N -d $DBDIR --empty-password" + rlLogInfo "Create a JAR file" + rlRun "mkdir java-dir" + rlRun "pushd java-dir" + rlRun "mkdir META-INF mypackage" + rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF" + rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class" + #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class" + rlRun "popd" + #rlRun "mv java-dir/package.jar ." 
+ rlPhaseEnd + + rlPhaseStartTest "Self signing certificates" + rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" + rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise" + rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlPhaseEnd + + rlPhaseStartTest "Signing certificates" + rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" + rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime" + rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlPhaseEnd + + rlPhaseStartTest "Certificate request" + rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" + rlRun "mkdir srv2db" + rlRun "certutil -d srv2db -N --empty-password" + rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise" + rlRun -s "openssl req -noout -text -in srv2.req" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt" + rlRun -s "openssl x509 -in srv2.crt -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlRun "rm -rf srv2db" + rlPhaseEnd + + rlPhaseStartTest "Certificate request with SHA1" + rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" + rlRun "mkdir srv2db" + rlRun "certutil -d srv2db -N --empty-password" + rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1" + rlRun -s "openssl req 
-noout -text -in srv2.req" + rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG" + rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt" + rlRun -s "openssl x509 -in srv2.crt -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlRun "rm -rf srv2db" + rlPhaseEnd + + rlPhaseStartTest "Signing CMS messages" + rlRun "echo 'This is a document' > document.txt" + rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms" + rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print" + rlAssertGrep "algorithm: sha256" $rlRun_LOG + rlAssertNotGrep "algorithm: sha1" $rlRun_LOG + rlPhaseEnd + + rlPhaseStartTest "CRL signing" + rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script" + rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script" + rlRun "echo addext crlNumber 0 1245 >>script" + rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script" + rlRun "echo addext reasonCode 0 0 >>script" + rlRun "cat script" + rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl" + rlRun -s "openssl crl -in ca.crl -inform der -noout -text" + rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG + rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..df64aa2 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,12 @@ +--- +# This first play always runs on the local staging system +- hosts: localhost + roles: + - role: standard-test-beakerlib + tags: + - classic + tests: + - NSS-tools-should-not-use-SHA1-by-default-when + required_packages: + - nss-tools + - nss
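Review bot: Every expectation in the signing phases is RSA-specific (`sha256WithRSAEncryption` / `sha1WithRSAEncryption`), so the test says nothing about the default digest chosen when the key is EC or DSA; if those defaults are in scope, a phase that generates the CA and leaf with `-k ec -q nistp256` and checks for `ecdsa-with-SHA256` would close the gap. The `rlAssertNotGrep` calls pass `$rlRun_LOG` unquoted while the `rlAssertGrep` line above each quotes it; `"$rlRun_LOG"` throughout keeps the style consistent. The `dd ... >/dev/null` redirect only covers stdout, and dd reports on stderr, so it has no effect and can be dropped. The file is complete within the hunk.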
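Review bot: `required_packages` lists only `nss-tools` and `nss`, but runtest.sh sets `PACKAGES="nss openssl"`, calls `rlAssertRpm --all`, and pipes certutil output through `openssl x509`, `openssl req`, `openssl cms` and `openssl crl`, so on a minimal test host the setup phase fails before any signature check runs. Adding `- openssl` under `required_packages` fixes this and matches the `Requires: nss nss-tools openssl` the Makefile writes into its metadata.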