Update to NSS 3.39
parent
5c8d0c9dc8
commit
f002359684
|
@ -27,3 +27,4 @@ TestUser51.cert
|
||||||
/nss-3.36.1.tar.gz
|
/nss-3.36.1.tar.gz
|
||||||
/nss-3.37.3.tar.gz
|
/nss-3.37.3.tar.gz
|
||||||
/nss-3.38.0.tar.gz
|
/nss-3.38.0.tar.gz
|
||||||
|
/nss-3.39.tar.gz
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
|
|
||||||
--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
|
|
||||||
+++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
|
|
||||||
@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
|
|
||||||
realcerts.cfg
|
|
||||||
dsa.cfg
|
|
||||||
revoc.cfg
|
|
||||||
-ocsp.cfg
|
|
||||||
crldp.cfg
|
|
||||||
trustanchors.cfg
|
|
||||||
nameconstraints.cfg
|
|
|
@ -1,49 +0,0 @@
|
||||||
diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
|
|
||||||
--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-01-06 13:21:47.002952050 +0100
|
|
||||||
+++ nss/lib/pk11wrap/pk11pars.c 2017-01-06 13:28:18.972536334 +0100
|
|
||||||
@@ -109,6 +109,7 @@ secmod_NewModule(void)
|
|
||||||
*other flags are set */
|
|
||||||
#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
|
|
||||||
#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
|
|
||||||
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
|
|
||||||
|
|
||||||
/* private flags for internal (field in SECMODModule). */
|
|
||||||
/* The meaing of these flags is as follows:
|
|
||||||
@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
|
|
||||||
if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
|
|
||||||
flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
|
|
||||||
}
|
|
||||||
+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
|
|
||||||
+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
|
|
||||||
+ }
|
|
||||||
/* additional moduleDB flags could be added here in the future */
|
|
||||||
mod->isModuleDB = (PRBool)flags;
|
|
||||||
}
|
|
||||||
@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
|
|
||||||
}
|
|
||||||
|
|
||||||
PRBool
|
|
||||||
+secmod_PolicyOnly(SECMODModule *mod)
|
|
||||||
+{
|
|
||||||
+ char flags = (char) mod->isModuleDB;
|
|
||||||
+
|
|
||||||
+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+PRBool
|
|
||||||
secmod_IsInternalKeySlot(SECMODModule *mod)
|
|
||||||
{
|
|
||||||
char flags = (char)mod->internal;
|
|
||||||
@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
|
|
||||||
if (!module) {
|
|
||||||
goto loser;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* a policy only stanza doesn't actually get 'loaded'. policy has already
|
|
||||||
+ * been parsed as a side effect of the CreateModuleEx call */
|
|
||||||
+ if (secmod_PolicyOnly(module)) {
|
|
||||||
+ return module;
|
|
||||||
+ }
|
|
||||||
if (parent) {
|
|
||||||
module->parent = SECMOD_ReferenceModule(parent);
|
|
||||||
if (module->internal && secmod_IsInternalKeySlot(parent)) {
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
name=p11-kit-proxy
|
||||||
|
library=p11-kit-proxy.so
|
||||||
|
|
||||||
|
|
96
nss.spec
96
nss.spec
|
@ -1,24 +1,21 @@
|
||||||
%global nspr_version 4.19.0
|
%global nspr_version 4.20.0
|
||||||
%global nss_util_version 3.38.0
|
%global nss_util_version 3.39.0
|
||||||
%global nss_softokn_version 3.38.0
|
%global nss_softokn_version 3.39.0
|
||||||
|
%global nss_version 3.39.0
|
||||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||||
|
|
||||||
# solution taken from icedtea-web.spec
|
# The upstream omits the trailing ".0", while we need it for
|
||||||
%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
|
# consistency with the pkg-config version:
|
||||||
%ifarch %{multilib_arches}
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
|
||||||
%define alt_ckbi libnssckbi.so.%{_arch}
|
%{lua:
|
||||||
%else
|
rpm.define(string.format("nss_archive_version %s",
|
||||||
%define alt_ckbi libnssckbi.so
|
string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
|
||||||
%endif
|
}
|
||||||
|
|
||||||
# Define if using a source archive like "nss-version.with.ckbi.version".
|
|
||||||
# To "disable", add "#" to start of line, AND a space after "%".
|
|
||||||
#% define nss_ckbi_suffix .with.ckbi.1.93
|
|
||||||
|
|
||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: 3.38.0
|
Version: %{nss_version}
|
||||||
# for Rawhide, please always use release >= 2
|
# for Rawhide, please always use release >= 2
|
||||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||||
Release: 1.0%{?dist}
|
Release: 1.0%{?dist}
|
||||||
|
@ -30,9 +27,7 @@ Requires: nss-util >= %{nss_util_version}
|
||||||
# TODO: revert to same version as nss once we are done with the merge
|
# TODO: revert to same version as nss once we are done with the merge
|
||||||
Requires: nss-softokn%{_isa} >= %{nss_softokn_version}
|
Requires: nss-softokn%{_isa} >= %{nss_softokn_version}
|
||||||
Requires: nss-system-init
|
Requires: nss-system-init
|
||||||
Requires(post): %{_sbindir}/update-alternatives
|
Requires: p11-kit-trust
|
||||||
Requires(postun): %{_sbindir}/update-alternatives
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
||||||
BuildRequires: nspr-devel >= %{nspr_version}
|
BuildRequires: nspr-devel >= %{nspr_version}
|
||||||
# TODO: revert to same version as nss once we are done with the merge
|
# TODO: revert to same version as nss once we are done with the merge
|
||||||
# Using '>=' but on RHEL the requires should be '='
|
# Using '>=' but on RHEL the requires should be '='
|
||||||
|
@ -65,13 +60,7 @@ Conflicts: seamonkey < 2.46-2
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1414987
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1414987
|
||||||
# Conflicts: icecat < 45.5.1-5
|
# Conflicts: icecat < 45.5.1-5
|
||||||
|
|
||||||
%if %{defined nss_ckbi_suffix}
|
Source0: %{name}-%{nss_archive_version}.tar.gz
|
||||||
%define full_nss_version %{version}%{nss_ckbi_suffix}
|
|
||||||
%else
|
|
||||||
%define full_nss_version %{version}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
Source0: %{name}-%{full_nss_version}.tar.gz
|
|
||||||
Source1: nss.pc.in
|
Source1: nss.pc.in
|
||||||
Source2: nss-config.in
|
Source2: nss-config.in
|
||||||
Source3: blank-cert8.db
|
Source3: blank-cert8.db
|
||||||
|
@ -94,8 +83,6 @@ Patch2: add-relro-linker-option.patch
|
||||||
Patch3: renegotiate-transitional.patch
|
Patch3: renegotiate-transitional.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
||||||
Patch16: nss-539183.patch
|
Patch16: nss-539183.patch
|
||||||
# TODO: Remove this patch when the ocsp test are fixed
|
|
||||||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
|
||||||
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
||||||
Patch47: utilwrap-include-templates.patch
|
Patch47: utilwrap-include-templates.patch
|
||||||
# TODO remove when we switch to building nss without softoken
|
# TODO remove when we switch to building nss without softoken
|
||||||
|
@ -114,9 +101,6 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
||||||
Patch50: iquote.patch
|
Patch50: iquote.patch
|
||||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
|
||||||
Patch59: nss-check-policy-file.patch
|
|
||||||
Patch60: nss-load-policy-file.patch
|
|
||||||
Patch62: nss-skip-util-gtest.patch
|
Patch62: nss-skip-util-gtest.patch
|
||||||
Patch63: nss-sql-default.patch
|
Patch63: nss-sql-default.patch
|
||||||
|
|
||||||
|
@ -188,20 +172,16 @@ low level services.
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q -n %{name}-%{nss_archive_version}
|
||||||
%setup -q -T -D -n %{name}-%{version}
|
|
||||||
|
|
||||||
%patch2 -p0 -b .relro
|
%patch2 -p0 -b .relro
|
||||||
%patch3 -p0 -b .transitional
|
%patch3 -p0 -b .transitional
|
||||||
%patch16 -p0 -b .539183
|
%patch16 -p0 -b .539183
|
||||||
%patch40 -p0 -b .noocsptest
|
|
||||||
%patch47 -p0 -b .templates
|
%patch47 -p0 -b .templates
|
||||||
%patch49 -p0 -b .skipthem
|
%patch49 -p0 -b .skipthem
|
||||||
%patch50 -p0 -b .iquote
|
%patch50 -p0 -b .iquote
|
||||||
%patch58 -p0 -b .1185708_3des
|
%patch58 -p0 -b .1185708_3des
|
||||||
pushd nss
|
pushd nss
|
||||||
%patch59 -p1 -b .check_policy_file
|
|
||||||
%patch60 -p1 -b .load_policy_file
|
|
||||||
%patch62 -p1 -b .skip_util_gtest
|
%patch62 -p1 -b .skip_util_gtest
|
||||||
%patch63 -p1 -R -b .sql-default
|
%patch63 -p1 -R -b .sql-default
|
||||||
popd
|
popd
|
||||||
|
@ -235,9 +215,6 @@ popd
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
NSS_NO_PKCS11_BYPASS=1
|
|
||||||
export NSS_NO_PKCS11_BYPASS
|
|
||||||
|
|
||||||
FREEBL_NO_DEPEND=1
|
FREEBL_NO_DEPEND=1
|
||||||
export FREEBL_NO_DEPEND
|
export FREEBL_NO_DEPEND
|
||||||
|
|
||||||
|
@ -255,6 +232,9 @@ export BUILD_OPT=1
|
||||||
XCFLAGS=$RPM_OPT_FLAGS
|
XCFLAGS=$RPM_OPT_FLAGS
|
||||||
export XCFLAGS
|
export XCFLAGS
|
||||||
|
|
||||||
|
LDFLAGS=$RPM_LD_FLAGS
|
||||||
|
export LDFLAGS
|
||||||
|
|
||||||
PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
|
PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
|
||||||
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
|
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
|
||||||
|
|
||||||
|
@ -541,9 +521,6 @@ echo "test suite completed"
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
|
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
|
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
|
||||||
|
|
||||||
touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
|
|
||||||
%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
|
|
||||||
|
|
||||||
# Copy the binary libraries we want
|
# Copy the binary libraries we want
|
||||||
for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
|
for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
|
||||||
do
|
do
|
||||||
|
@ -568,7 +545,7 @@ do
|
||||||
done
|
done
|
||||||
|
|
||||||
# Copy the binaries we want
|
# Copy the binaries we want
|
||||||
for file in certutil cmsutil crlutil modutil pk12util signver ssltap
|
for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
|
||||||
do
|
do
|
||||||
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
|
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
|
||||||
done
|
done
|
||||||
|
@ -623,8 +600,8 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
|
||||||
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
|
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
|
||||||
done
|
done
|
||||||
|
|
||||||
%clean
|
# Copy the crypto-policies configuration file
|
||||||
%{__rm} -rf $RPM_BUILD_ROOT
|
%{__install} -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
|
||||||
|
|
||||||
%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
|
%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
|
||||||
# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
|
# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
|
||||||
|
@ -632,33 +609,9 @@ done
|
||||||
/usr/bin/setup-nsssysinit.sh on
|
/usr/bin/setup-nsssysinit.sh on
|
||||||
|
|
||||||
%post
|
%post
|
||||||
# If we upgrade, and the shared filename is a regular file, then we must
|
|
||||||
# remove it, before we can install the alternatives symbolic link.
|
|
||||||
if [ $1 -gt 1 ] ; then
|
|
||||||
# when upgrading or downgrading
|
|
||||||
if ! test -L %{_libdir}/libnssckbi.so; then
|
|
||||||
rm -f %{_libdir}/libnssckbi.so
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
# Install the symbolic link
|
|
||||||
# FYI: Certain other packages use alternatives --set to enforce that the first
|
|
||||||
# installed package is preferred. We don't do that. Highest priority wins.
|
|
||||||
%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
|
|
||||||
%{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
|
|
||||||
/sbin/ldconfig
|
/sbin/ldconfig
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
if [ $1 -eq 0 ] ; then
|
|
||||||
# package removal
|
|
||||||
%{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
|
|
||||||
else
|
|
||||||
# upgrade or downgrade
|
|
||||||
# If the new installed package uses a regular file (not a symblic link),
|
|
||||||
# then cleanup the alternatives link.
|
|
||||||
if ! test -L %{_libdir}/libnssckbi.so; then
|
|
||||||
%{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
/sbin/ldconfig
|
/sbin/ldconfig
|
||||||
|
|
||||||
|
|
||||||
|
@ -669,8 +622,6 @@ fi
|
||||||
%{_libdir}/libnss3.so
|
%{_libdir}/libnss3.so
|
||||||
%{_libdir}/libssl3.so
|
%{_libdir}/libssl3.so
|
||||||
%{_libdir}/libsmime3.so
|
%{_libdir}/libsmime3.so
|
||||||
%ghost %{_libdir}/libnssckbi.so
|
|
||||||
%{_libdir}/nss/libnssckbi.so
|
|
||||||
%dir %{_sysconfdir}/pki/nssdb
|
%dir %{_sysconfdir}/pki/nssdb
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
||||||
|
@ -699,6 +650,7 @@ fi
|
||||||
%{_bindir}/cmsutil
|
%{_bindir}/cmsutil
|
||||||
%{_bindir}/crlutil
|
%{_bindir}/crlutil
|
||||||
%{_bindir}/modutil
|
%{_bindir}/modutil
|
||||||
|
%{_bindir}/nss-policy-check
|
||||||
%{_bindir}/pk12util
|
%{_bindir}/pk12util
|
||||||
%{_bindir}/signver
|
%{_bindir}/signver
|
||||||
%{_bindir}/ssltap
|
%{_bindir}/ssltap
|
||||||
|
@ -811,6 +763,10 @@ fi
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 3 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.0
|
||||||
|
- Update to NSS 3.39
|
||||||
|
- Use the upstream tarball as it is (rhbz#1578106)
|
||||||
|
|
||||||
* Tue Jul 3 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.0
|
* Tue Jul 3 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.0
|
||||||
- Update to NSS 3.38
|
- Update to NSS 3.38
|
||||||
|
|
||||||
|
|
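Review bot: The new `%{__install} -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d` line in the %install hunk (where the `%clean` block was removed) has no preceding `mkdir -p` in any visible hunk; without `-D`, `install` fails when `$RPM_BUILD_ROOT%{_sysconfdir}/crypto-policies` is absent and, when only `local.d` is absent, silently creates a regular file named `local.d` instead of a directory. Unless the directory is created elsewhere in the spec, add `mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/crypto-policies/local.d` immediately before that line. Neither a `Source28:` declaration nor a `%files` entry for the installed file appears in this diff; if they are not elsewhere in the spec, the build stops at rpmbuild's unpackaged-files check. Separately, dropping the alternatives handling from `%post`/`%postun` leaves the `libnssckbi.so` alternative registered by a pre-3.39 nss in place on upgrade, because the old package's `%postun` only removes it when `%{_libdir}/libnssckbi.so` is not a symlink, while the new package no longer ships `%{_libdir}/nss/libnssckbi.so`; a one-shot cleanup of that stale entry is presumably needed unless p11-kit-trust's own registration already supersedes it.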
2
sources
2
sources
|
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
|
||||||
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
||||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||||
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
||||||
SHA512 (nss-3.38.0.tar.gz) = eb63f1c44adbbd97dc766e8545c72303f3cb18f1bfb2af67c33cdb1a1a9a1cc432a64afbafabd7a5bb3f08cb36db74ed81e5cfa1fc4bd35ae76e183f3205afed
|
SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f
|
||||||
|
|
|
@ -0,0 +1,64 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
# Description: NSS tools should not use SHA1 by default when
|
||||||
|
# Author: Hubert Kario <hkario@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 10m" >> $(METADATA)
|
||||||
|
@echo "RunFor: nss openssl" >> $(METADATA)
|
||||||
|
@echo "Requires: nss nss-tools openssl" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
|
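Review bot: The `.PHONY: all install download clean` line declares targets this file does not define but omits `run` and `build`, the two pseudo-targets it does define; a stray file named `run` or `build` in the test directory would be considered up to date and `./runtest.sh` would never be invoked. `all`, `install` and `download` presumably come from the included `rhts-make.include`, so keep them and extend the line to `.PHONY: all install download clean run build`. `BUILT_FILES` is empty, so `build` only fixes the executable bit on `runtest.sh`, which is consistent with it being phony.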
@ -0,0 +1,4 @@
|
||||||
|
PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
Description: NSS tools should not use SHA1 by default when
|
||||||
|
Author: Hubert Kario <hkario@redhat.com>
|
||||||
|
Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates
|
|
@ -0,0 +1,125 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
# Description: NSS tools should not use SHA1 by default when
|
||||||
|
# Author: Hubert Kario <hkario@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="nss"
|
||||||
|
PACKAGES="nss openssl"
|
||||||
|
DBDIR="nssdb"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm --all
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlRun "mkdir nssdb"
|
||||||
|
rlRun "certutil -N -d $DBDIR --empty-password"
|
||||||
|
rlLogInfo "Create a JAR file"
|
||||||
|
rlRun "mkdir java-dir"
|
||||||
|
rlRun "pushd java-dir"
|
||||||
|
rlRun "mkdir META-INF mypackage"
|
||||||
|
rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
|
||||||
|
rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
|
||||||
|
#rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
|
||||||
|
rlRun "popd"
|
||||||
|
#rlRun "mv java-dir/package.jar ."
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Self signing certificates"
|
||||||
|
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||||
|
rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
|
||||||
|
rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Signing certificates"
|
||||||
|
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||||
|
rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
|
||||||
|
rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Certificate request"
|
||||||
|
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||||
|
rlRun "mkdir srv2db"
|
||||||
|
rlRun "certutil -d srv2db -N --empty-password"
|
||||||
|
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
|
||||||
|
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||||
|
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlRun "rm -rf srv2db"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Certificate request with SHA1"
|
||||||
|
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||||
|
rlRun "mkdir srv2db"
|
||||||
|
rlRun "certutil -d srv2db -N --empty-password"
|
||||||
|
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
|
||||||
|
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||||
|
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlRun "rm -rf srv2db"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Signing CMS messages"
|
||||||
|
rlRun "echo 'This is a document' > document.txt"
|
||||||
|
rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
|
||||||
|
rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
|
||||||
|
rlAssertGrep "algorithm: sha256" $rlRun_LOG
|
||||||
|
rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "CRL signing"
|
||||||
|
rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
|
||||||
|
rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
|
||||||
|
rlRun "echo addext crlNumber 0 1245 >>script"
|
||||||
|
rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
|
||||||
|
rlRun "echo addext reasonCode 0 0 >>script"
|
||||||
|
rlRun "cat script"
|
||||||
|
rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
|
||||||
|
rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
|
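Review bot: The setup phase creates `java-dir`, `META-INF/MANIFEST.MF` and `mypackage/MyMainFile.class`, but the `jar` and `mv` lines are commented out and no test phase references `java-dir` or `package.jar`, so this is dead setup; either remove the four `rlRun` lines and the two comments or finish the JAR-signing case they were meant to feed. Style: `rlRun "mkdir nssdb"` hard-codes the directory while `DBDIR="nssdb"` is defined two lines earlier; use `rlRun "mkdir $DBDIR"` so the setup and the later `certutil -N -d $DBDIR` cannot drift apart. The `rlAssertNotGrep` calls pass `$rlRun_LOG` unquoted while the paired `rlAssertGrep` calls quote it; quote consistently, `rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"`.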
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
# This first play always runs on the local staging system
|
||||||
|
- hosts: localhost
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tags:
|
||||||
|
- classic
|
||||||
|
tests:
|
||||||
|
- NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
required_packages:
|
||||||
|
- nss-tools
|
||||||
|
- nss
|