Compare commits
16 Commits
Author | SHA1 | Date |
---|---|---|
Daiki Ueno | 8717d6f440 | |
Daiki Ueno | f002359684 | |
Daiki Ueno | 5c8d0c9dc8 | |
Daiki Ueno | 322fc2fe6a | |
Daiki Ueno | 8f809a2ad3 | |
Daiki Ueno | 5fa4ca6305 | |
Daiki Ueno | b85b8ae15c | |
Daiki Ueno | de815a3b94 | |
Daiki Ueno | fbe7ee8ba4 | |
Daiki Ueno | 1aa83c28c1 | |
Daiki Ueno | 4151e80088 | |
Daiki Ueno | 09bd50715f | |
Daiki Ueno | da4d943b09 | |
Daiki Ueno | f4e07c6887 | |
Daiki Ueno | b3e4df57b7 | |
Daiki Ueno | 2b0c47748c |
|
@ -20,3 +20,11 @@ TestUser51.cert
|
|||
/nss-3.30.2.tar.gz
|
||||
/nss-3.31.0.tar.gz
|
||||
/nss-3.32.0.tar.gz
|
||||
/nss-3.33.0.tar.gz
|
||||
/nss-3.34.0.tar.gz
|
||||
/nss-3.35.0.tar.gz
|
||||
/nss-3.36.0.tar.gz
|
||||
/nss-3.36.1.tar.gz
|
||||
/nss-3.37.3.tar.gz
|
||||
/nss-3.38.0.tar.gz
|
||||
/nss-3.39.tar.gz
|
||||
|
|
220
iquote.patch
220
iquote.patch
|
@ -1,211 +1,13 @@
|
|||
diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile
|
||||
--- ./nss/cmd/certcgi/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/certcgi/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
|
||||
--- ./nss/cmd/certutil/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/certutil/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
|
||||
--- ./nss/cmd/lib/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/lib/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
|
||||
--- ./nss/cmd/modutil/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/modutil/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
|
||||
#######################################################################
|
||||
diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
|
||||
--- ./nss/cmd/selfserv/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/selfserv/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
|
||||
--- ./nss/cmd/ssltap/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/ssltap/Makefile 2016-03-05 12:04:06.216474144 -0800
|
||||
@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
|
||||
--- ./nss/cmd/strsclnt/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/strsclnt/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
|
||||
--- ./nss/cmd/tstclnt/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/tstclnt/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
#######################################################################
|
||||
|
||||
#include ../platlibs.mk
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
|
||||
--- ./nss/cmd/vfyserv/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/cmd/vfyserv/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
#######################################################################
|
||||
|
||||
#include ../platlibs.mk
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
|
||||
--- ./nss/coreconf/location.mk.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/coreconf/location.mk 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -45,6 +45,10 @@ endif
|
||||
|
||||
ifdef NSS_INCLUDE_DIR
|
||||
INCLUDES += -I$(NSS_INCLUDE_DIR)
|
||||
+ ifdef IN_TREE_FREEBL_HEADERS_FIRST
|
||||
+ INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+ INCLUDES += -iquote $(DIST)/../private/nss
|
||||
+ endif
|
||||
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
|
||||
--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
|
||||
+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
|
||||
@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
|
||||
SQLITE_LIB_NAME = sqlite3
|
||||
endif
|
||||
|
||||
ifndef NSS_LIB_DIR
|
||||
diff -up ./nss/gtests/pk11_gtest/Makefile.iquote ./nss/gtests/pk11_gtest/Makefile
|
||||
--- ./nss/gtests/pk11_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/gtests/pk11_gtest/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
|
||||
--- ./nss/gtests/ssl_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/gtests/ssl_gtest/Makefile 2016-03-05 12:05:17.208082475 -0800
|
||||
@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
|
||||
--- ./nss/lib/certhigh/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/certhigh/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
|
||||
--- ./nss/lib/cryptohi/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/cryptohi/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
|
||||
--- ./nss/lib/nss/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/nss/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
|
||||
--- ./nss/lib/pk11wrap/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/pk11wrap/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
|
||||
--- ./nss/lib/ssl/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/ssl/Makefile 2016-03-05 12:04:06.217474124 -0800
|
||||
@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
+# Prefer in-tree headers over system headers
|
||||
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
|
||||
+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
|
||||
+endif
|
||||
+
|
||||
MK_LOCATION = included
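Review bot: The new location.mk block adds the `-iquote` directories only under `ifdef IN_TREE_FREEBL_HEADERS_FIRST`, and nothing in this patch sets that variable. Whether the build exports it is not visible in the nss.spec hunks on this page; if it does not, the patch does nothing and quote-form includes can still resolve to older system NSS headers. `-iquote` also leaves `#include <file.h>` lookups untouched. I would widen the comment to say both, for example `# Prefer in-tree headers over system headers for #include "..." lookups; effective only when the build sets IN_TREE_FREEBL_HEADERS_FIRST`.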
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
|
||||
--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
|
||||
+++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
|
||||
@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
|
||||
realcerts.cfg
|
||||
dsa.cfg
|
||||
revoc.cfg
|
||||
-ocsp.cfg
|
||||
crldp.cfg
|
||||
trustanchors.cfg
|
||||
nameconstraints.cfg
|
|
@ -1,49 +0,0 @@
|
|||
diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
|
||||
--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-01-06 13:21:47.002952050 +0100
|
||||
+++ nss/lib/pk11wrap/pk11pars.c 2017-01-06 13:28:18.972536334 +0100
|
||||
@@ -109,6 +109,7 @@ secmod_NewModule(void)
|
||||
*other flags are set */
|
||||
#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
|
||||
#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
|
||||
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
|
||||
|
||||
/* private flags for internal (field in SECMODModule). */
|
||||
/* The meaing of these flags is as follows:
|
||||
@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
|
||||
if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
|
||||
flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
|
||||
}
|
||||
+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
|
||||
+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
|
||||
+ }
|
||||
/* additional moduleDB flags could be added here in the future */
|
||||
mod->isModuleDB = (PRBool)flags;
|
||||
}
|
||||
@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
|
||||
}
|
||||
|
||||
PRBool
|
||||
+secmod_PolicyOnly(SECMODModule *mod)
|
||||
+{
|
||||
+ char flags = (char) mod->isModuleDB;
|
||||
+
|
||||
+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
|
||||
+}
|
||||
+
|
||||
+PRBool
|
||||
secmod_IsInternalKeySlot(SECMODModule *mod)
|
||||
{
|
||||
char flags = (char)mod->internal;
|
||||
@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
|
||||
if (!module) {
|
||||
goto loser;
|
||||
}
|
||||
+
|
||||
+ /* a policy only stanza doesn't actually get 'loaded'. policy has already
|
||||
+ * been parsed as a side effect of the CreateModuleEx call */
|
||||
+ if (secmod_PolicyOnly(module)) {
|
||||
+ return module;
|
||||
+ }
|
||||
if (parent) {
|
||||
module->parent = SECMOD_ReferenceModule(parent);
|
||||
if (module->internal && secmod_IsInternalKeySlot(parent)) {
|
|
@ -0,0 +1,79 @@
|
|||
# HG changeset patch
|
||||
# User David Woodhouse <David.Woodhouse@intel.com>
|
||||
# Date 1529655250 -7200
|
||||
# Fri Jun 22 10:14:10 2018 +0200
|
||||
# Node ID d99e54ca9b6df33025ee9a196b8b942428bbff91
|
||||
# Parent 1a13c19d7fab53fd62786e05d6546a4abf66e48d
|
||||
Bug 1296263 - Fix loading of PKCS#11 modules from system policy file, r=rrelyea
|
||||
|
||||
We currently load the policy file after calling
|
||||
STAN_LoadDefaultNSS3TrustDomain(), which causes problems because any
|
||||
tokens in the newly-added modules don't get initialised.
|
||||
|
||||
Move it up by a few lines and fix up the indentation while we're at it.
|
||||
|
||||
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
||||
--- a/lib/nss/nssinit.c
|
||||
+++ b/lib/nss/nssinit.c
|
||||
@@ -702,6 +702,30 @@ nss_Init(const char *configdir, const ch
|
||||
if (SECOID_Init() != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
+#ifdef POLICY_FILE
|
||||
+ /* Load the system crypto policy file if it exists,
|
||||
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
|
||||
+ * variable has been set to 1. */
|
||||
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
|
||||
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
|
||||
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
|
||||
+ SECMODModule *module = SECMOD_LoadModule(
|
||||
+ "name=\"Policy File\" "
|
||||
+ "parameters=\"configdir='sql:" POLICY_PATH "' "
|
||||
+ "secmod='" POLICY_FILE "' "
|
||||
+ "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
|
||||
+ "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
|
||||
+ parent, PR_TRUE);
|
||||
+ if (module) {
|
||||
+ PRBool isLoaded = module->loaded;
|
||||
+ SECMOD_DestroyModule(module);
|
||||
+ if (!isLoaded) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
|
||||
goto loser;
|
||||
}
|
||||
@@ -730,30 +754,6 @@ nss_Init(const char *configdir, const ch
|
||||
}
|
||||
}
|
||||
}
|
||||
-#ifdef POLICY_FILE
|
||||
- /* Load the system crypto policy file if it exists,
|
||||
- * unless the NSS_IGNORE_SYSTEM_POLICY environment
|
||||
- * variable has been set to 1. */
|
||||
- ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
|
||||
- if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
|
||||
- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
|
||||
- SECMODModule *module = SECMOD_LoadModule(
|
||||
- "name=\"Policy File\" "
|
||||
- "parameters=\"configdir='sql:" POLICY_PATH "' "
|
||||
- "secmod='" POLICY_FILE "' "
|
||||
- "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
|
||||
- "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
|
||||
- parent, PR_TRUE);
|
||||
- if (module) {
|
||||
- PRBool isLoaded = module->loaded;
|
||||
- SECMOD_DestroyModule(module);
|
||||
- if (!isLoaded) {
|
||||
- goto loser;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
pk11sdr_Init();
|
||||
cert_CreateSubjectKeyIDHashTable();
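Review bot: In the relocated `#ifdef POLICY_FILE` block, only a non-NULL module with `loaded` false reaches `goto loser`; a NULL return from `SECMOD_LoadModule` falls through and `nss_Init` continues without the system crypto policy. The callee's failure paths are not shown here, so this may be unreachable for a readable policy file. If it can happen, the policy is dropped silently even though the module spec carries the `critical` flag. Either fail closed with `if (!module) goto loser;`, or add a comment such as `/* a NULL module is tolerated on purpose: <reason> */` so the fail-open choice is explicit. `nss_Init` begins and ends outside this hunk.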
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
name=p11-kit-proxy
|
||||
library=p11-kit-proxy.so
|
||||
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
# HG changeset patch
|
||||
# User Kai Engert <kaie@kuix.de>
|
||||
# Date 1511548994 -3600
|
||||
# Fri Nov 24 19:43:14 2017 +0100
|
||||
# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4
|
||||
# Parent 807662e6ba57db5be05036511ac8634466ed473f
|
||||
Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer
|
||||
|
||||
--- a/tests/all.sh
|
||||
+++ b/tests/all.sh
|
||||
@@ -111,6 +111,8 @@ RUN_FIPS=""
|
||||
########################################################################
|
||||
run_tests()
|
||||
{
|
||||
+ echo "Running test cycle: ${TEST_MODE} ----------------------"
|
||||
+ echo "List of tests that will be executed: ${TESTS}"
|
||||
for TEST in ${TESTS}
|
||||
do
|
||||
# NOTE: the spaces are important. If you don't include
|
||||
@@ -172,8 +174,9 @@ run_cycle_pkix()
|
||||
NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
|
||||
export -n NSS_SSL_RUN
|
||||
|
||||
- # use the default format
|
||||
+ # use the default format. (unset for the shell, export -n for binaries)
|
||||
export -n NSS_DEFAULT_DB_TYPE
|
||||
+ unset NSS_DEFAULT_DB_TYPE
|
||||
|
||||
run_tests
|
||||
}
|
||||
diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh
|
||||
--- a/tests/merge/merge.sh
|
||||
+++ b/tests/merge/merge.sh
|
||||
@@ -98,7 +98,7 @@ merge_init()
|
||||
# are dbm databases.
|
||||
if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
|
||||
save=${NSS_DEFAULT_DB_TYPE}
|
||||
- NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
|
||||
+ NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
|
||||
fi
|
||||
|
||||
certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}
|
160
nss.spec
160
nss.spec
|
@ -1,27 +1,24 @@
|
|||
%global nspr_version 4.16.0
|
||||
%global nss_util_version 3.32.0
|
||||
%global nss_softokn_version 3.32.0
|
||||
%global nspr_version 4.20.0
|
||||
%global nss_util_version 3.39.0
|
||||
%global nss_softokn_version 3.39.0
|
||||
%global nss_version 3.39.0
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
# solution taken from icedtea-web.spec
|
||||
%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
|
||||
%ifarch %{multilib_arches}
|
||||
%define alt_ckbi libnssckbi.so.%{_arch}
|
||||
%else
|
||||
%define alt_ckbi libnssckbi.so
|
||||
%endif
|
||||
|
||||
# Define if using a source archive like "nss-version.with.ckbi.version".
|
||||
# To "disable", add "#" to start of line, AND a space after "%".
|
||||
#% define nss_ckbi_suffix .with.ckbi.1.93
|
||||
# The upstream omits the trailing ".0", while we need it for
|
||||
# consistency with the pkg-config version:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
|
||||
%{lua:
|
||||
rpm.define(string.format("nss_archive_version %s",
|
||||
string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
|
||||
}
|
||||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.32.0
|
||||
Version: %{nss_version}
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 2%{?dist}
|
||||
Release: 1.0%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -30,9 +27,7 @@ Requires: nss-util >= %{nss_util_version}
|
|||
# TODO: revert to same version as nss once we are done with the merge
|
||||
Requires: nss-softokn%{_isa} >= %{nss_softokn_version}
|
||||
Requires: nss-system-init
|
||||
Requires(post): %{_sbindir}/update-alternatives
|
||||
Requires(postun): %{_sbindir}/update-alternatives
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: p11-kit-trust
|
||||
BuildRequires: nspr-devel >= %{nspr_version}
|
||||
# TODO: revert to same version as nss once we are done with the merge
|
||||
# Using '>=' but on RHEL the requires should be '='
|
||||
|
@ -44,12 +39,13 @@ BuildRequires: pkgconfig
|
|||
BuildRequires: gawk
|
||||
BuildRequires: psmisc
|
||||
BuildRequires: perl-interpreter
|
||||
BuildRequires: gcc-c++
|
||||
|
||||
# nss-pem used to be bundled with the nss package on Fedora -- make sure that
|
||||
# programs relying on that continue to work until they are fixed to require
|
||||
# nss-pem instead. Once all of them are fixed, the following line can be
|
||||
# removed. See https://bugzilla.redhat.com/1346806 for details.
|
||||
Requires: nss-pem
|
||||
Requires: nss-pem%{?_isa}
|
||||
|
||||
# NSS 3.28.1 introduced a curve, that is smaller than a check in old
|
||||
# Mozilla code allows.
|
||||
|
@ -64,13 +60,7 @@ Conflicts: seamonkey < 2.46-2
|
|||
# https://bugzilla.redhat.com/show_bug.cgi?id=1414987
|
||||
# Conflicts: icecat < 45.5.1-5
|
||||
|
||||
%if %{defined nss_ckbi_suffix}
|
||||
%define full_nss_version %{version}%{nss_ckbi_suffix}
|
||||
%else
|
||||
%define full_nss_version %{version}
|
||||
%endif
|
||||
|
||||
Source0: %{name}-%{full_nss_version}.tar.gz
|
||||
Source0: %{name}-%{nss_archive_version}.tar.gz
|
||||
Source1: nss.pc.in
|
||||
Source2: nss-config.in
|
||||
Source3: blank-cert8.db
|
||||
|
@ -93,24 +83,26 @@ Patch2: add-relro-linker-option.patch
|
|||
Patch3: renegotiate-transitional.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
||||
Patch16: nss-539183.patch
|
||||
# TODO: Remove this patch when the ocsp test are fixed
|
||||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
||||
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
||||
Patch47: utilwrap-include-templates.patch
|
||||
# TODO remove when we switch to building nss without softoken
|
||||
Patch49: nss-skip-bltest-and-fipstest.patch
|
||||
# This patch uses the gcc-iquote dir option documented at
|
||||
# This patch uses the GCC -iquote option documented at
|
||||
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
||||
# to place the in-tree directories at the head of the list of list of directories
|
||||
# to be searched for for header files. This ensures a build even when system
|
||||
# headers are older. Such is the case when starting an update with API changes or even private export changes.
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
|
||||
# to give the in-tree headers a higher priority over the system headers,
|
||||
# when they are included through the quote form (#include "file.h").
|
||||
#
|
||||
# This ensures a build even when system headers are older. Such is the
|
||||
# case when starting an update with API changes or even private export
|
||||
# changes.
|
||||
#
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed
|
||||
# but it doesn't hurt to keep it.
|
||||
Patch50: iquote.patch
|
||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch59: nss-check-policy-file.patch
|
||||
Patch62: nss-skip-util-gtest.patch
|
||||
Patch63: nss-sql-default.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -180,20 +172,18 @@ low level services.
|
|||
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%setup -q -T -D -n %{name}-%{version}
|
||||
%setup -q -n %{name}-%{nss_archive_version}
|
||||
|
||||
%patch2 -p0 -b .relro
|
||||
%patch3 -p0 -b .transitional
|
||||
%patch16 -p0 -b .539183
|
||||
%patch40 -p0 -b .noocsptest
|
||||
%patch47 -p0 -b .templates
|
||||
%patch49 -p0 -b .skipthem
|
||||
%patch50 -p0 -b .iquote
|
||||
%patch58 -p0 -b .1185708_3des
|
||||
pushd nss
|
||||
%patch59 -p1 -b .check_policy_file
|
||||
%patch62 -p1 -b .skip_util_gtest
|
||||
%patch63 -p1 -R -b .sql-default
|
||||
popd
|
||||
|
||||
#########################################################
|
||||
|
@ -225,12 +215,12 @@ popd
|
|||
|
||||
%build
|
||||
|
||||
NSS_NO_PKCS11_BYPASS=1
|
||||
export NSS_NO_PKCS11_BYPASS
|
||||
|
||||
FREEBL_NO_DEPEND=1
|
||||
export FREEBL_NO_DEPEND
|
||||
|
||||
NSS_FORCE_FIPS=1
|
||||
export NSS_FORCE_FIPS
|
||||
|
||||
# Enable compiler optimizations and disable debugging code
|
||||
export BUILD_OPT=1
|
||||
|
||||
|
@ -242,6 +232,9 @@ export BUILD_OPT=1
|
|||
XCFLAGS=$RPM_OPT_FLAGS
|
||||
export XCFLAGS
|
||||
|
||||
LDFLAGS=$RPM_LD_FLAGS
|
||||
export LDFLAGS
|
||||
|
||||
PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
|
||||
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
|
||||
|
||||
|
@ -407,6 +400,8 @@ export SOFTOKEN_LIB_DIR=%{_libdir}
|
|||
# disabled by the system policy.
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
|
||||
export NSS_FORCE_FIPS=1
|
||||
|
||||
# enable the following line to force a test failure
|
||||
# find ./nss -name \*.chk | xargs rm -f
|
||||
|
||||
|
@ -477,7 +472,7 @@ popd
|
|||
killall $RANDSERV || :
|
||||
|
||||
if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
|
||||
TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
|
||||
TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
|
||||
else
|
||||
TEST_FAILURES=0
|
||||
GREP_EXIT_STATUS=1
|
||||
|
@ -526,9 +521,6 @@ echo "test suite completed"
|
|||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
|
||||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
|
||||
|
||||
touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
|
||||
%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
|
||||
|
||||
# Copy the binary libraries we want
|
||||
for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
|
||||
do
|
||||
|
@ -553,7 +545,7 @@ do
|
|||
done
|
||||
|
||||
# Copy the binaries we want
|
||||
for file in certutil cmsutil crlutil modutil pk12util signver ssltap
|
||||
for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
|
||||
do
|
||||
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
|
||||
done
|
||||
|
@ -608,42 +600,15 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
|
|||
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
|
||||
done
|
||||
|
||||
%clean
|
||||
%{__rm} -rf $RPM_BUILD_ROOT
|
||||
|
||||
%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
|
||||
# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
|
||||
# from previous versions of nss.spec
|
||||
/usr/bin/setup-nsssysinit.sh on
|
||||
|
||||
%post
|
||||
# If we upgrade, and the shared filename is a regular file, then we must
|
||||
# remove it, before we can install the alternatives symbolic link.
|
||||
if [ $1 -gt 1 ] ; then
|
||||
# when upgrading or downgrading
|
||||
if ! test -L %{_libdir}/libnssckbi.so; then
|
||||
rm -f %{_libdir}/libnssckbi.so
|
||||
fi
|
||||
fi
|
||||
# Install the symbolic link
|
||||
# FYI: Certain other packages use alternatives --set to enforce that the first
|
||||
# installed package is preferred. We don't do that. Highest priority wins.
|
||||
%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
|
||||
%{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
|
||||
/sbin/ldconfig
|
||||
|
||||
%postun
|
||||
if [ $1 -eq 0 ] ; then
|
||||
# package removal
|
||||
%{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
|
||||
else
|
||||
# upgrade or downgrade
|
||||
# If the new installed package uses a regular file (not a symblic link),
|
||||
# then cleanup the alternatives link.
|
||||
if ! test -L %{_libdir}/libnssckbi.so; then
|
||||
%{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
|
||||
fi
|
||||
fi
|
||||
/sbin/ldconfig
|
||||
|
||||
|
||||
|
@ -654,8 +619,6 @@ fi
|
|||
%{_libdir}/libnss3.so
|
||||
%{_libdir}/libssl3.so
|
||||
%{_libdir}/libsmime3.so
|
||||
%ghost %{_libdir}/libnssckbi.so
|
||||
%{_libdir}/nss/libnssckbi.so
|
||||
%dir %{_sysconfdir}/pki/nssdb
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
||||
|
@ -684,6 +647,7 @@ fi
|
|||
%{_bindir}/cmsutil
|
||||
%{_bindir}/crlutil
|
||||
%{_bindir}/modutil
|
||||
%{_bindir}/nss-policy-check
|
||||
%{_bindir}/pk12util
|
||||
%{_bindir}/signver
|
||||
%{_bindir}/ssltap
|
||||
|
@ -773,6 +737,7 @@ fi
|
|||
%{_includedir}/nss3/smime.h
|
||||
%{_includedir}/nss3/ssl.h
|
||||
%{_includedir}/nss3/sslerr.h
|
||||
%{_includedir}/nss3/sslexp.h
|
||||
%{_includedir}/nss3/sslproto.h
|
||||
%{_includedir}/nss3/sslt.h
|
||||
|
||||
|
@ -795,6 +760,47 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Sep 3 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.0
|
||||
- Update to NSS 3.39
|
||||
- Use the upstream tarball as it is (rhbz#1578106)
|
||||
|
||||
* Tue Jul 3 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.0
|
||||
- Update to NSS 3.38
|
||||
|
||||
* Tue Jun 5 2018 Daiki Ueno <dueno@redhat.com> - 3.37.3-1.0
|
||||
- Update to NSS 3.37.3
|
||||
|
||||
* Thu Apr 19 2018 Daiki Ueno <dueno@redhat.com> - 3.36.1-1.0
|
||||
- Update to NSS 3.36.1
|
||||
|
||||
* Fri Mar 9 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-1.0
|
||||
- Update to NSS 3.36.0
|
||||
- Add gcc-c++ to BuildRequires (C++ is needed for gtests)
|
||||
- Make test failure detection robuster
|
||||
- Enable test on s390x again
|
||||
|
||||
* Mon Feb 12 2018 Daiki Ueno <dueno@redhat.com> - 3.35.0-1.1
|
||||
- Temporarily ignore test failures on F27 s390x
|
||||
|
||||
* Wed Feb 7 2018 Daiki Ueno <dueno@redhat.com> - 3.35.0-1.0
|
||||
- Update to NSS 3.35.0
|
||||
|
||||
* Tue Nov 14 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-1.0
|
||||
- Update to NSS 3.34.0
|
||||
|
||||
* Fri Nov 10 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.1
|
||||
- Make sure 32bit nss-pem always be installed with 32bit nss in
|
||||
multlib environment, patch by Kamil Dudka
|
||||
|
||||
* Tue Oct 3 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.0
|
||||
- Update to NSS 3.33.0
|
||||
|
||||
* Tue Oct 3 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.1
|
||||
- Update iquote.patch to really prefer in-tree headers over system headers
|
||||
|
||||
* Fri Sep 15 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.0
|
||||
- Update to NSS 3.32.1
|
||||
|
||||
* Mon Aug 7 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-2
|
||||
- Update to NSS 3.32.0
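Review bot: `Patch63: nss-sql-default.patch` is listed without a comment, yet the `%prep` hunk applies it as `%patch63 -p1 -R -b .sql-default`, that is, in reverse. The patch file is the upstream change titled "Change NSS default storage file format (currently DBM), when no prefix is given, to SQL". Going by the name, a reader would assume the package switches to SQL, when the `-R` appears to undo that change and keep DBM as the default. A line above the `Patch63:` entry would prevent that, for example `# Applied with -R: reverts the upstream switch of the default DB format to SQL`, with the bug reference if there is one. The `Patch62:` entry has no comment either.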
|
||||
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
|
||||
--- ./nss/lib/ssl/sslsock.c.transitional 2016-06-23 21:03:16.316480089 -0400
|
||||
+++ ./nss/lib/ssl/sslsock.c 2016-06-23 21:08:07.290202477 -0400
|
||||
@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
|
||||
PR_FALSE, /* noLocks */
|
||||
PR_FALSE, /* enableSessionTickets */
|
||||
PR_FALSE, /* enableDeflate */
|
||||
- 2, /* enableRenegotiation (default: requires extension) */
|
||||
+ 3, /* enableRenegotiation (default: transitional) */
|
||||
PR_FALSE, /* requireSafeNegotiation */
|
||||
PR_FALSE, /* enableFalseStart */
|
||||
PR_TRUE, /* cbcRandomIV */
|
||||
diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
|
||||
--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 13:57:50.615706802 +0100
|
||||
+++ nss/lib/ssl/sslsock.c 2018-03-09 13:58:23.708974970 +0100
|
||||
@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
|
||||
.noLocks = PR_FALSE,
|
||||
.enableSessionTickets = PR_FALSE,
|
||||
.enableDeflate = PR_FALSE,
|
||||
- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
|
||||
+ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
|
||||
.requireSafeNegotiation = PR_FALSE,
|
||||
.enableFalseStart = PR_FALSE,
|
||||
.cbcRandomIV = PR_TRUE,
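Review bot: The refreshed patch still has no header explaining why this package sets `.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL` in `ssl_defaults` instead of keeping upstream's `SSL_RENEGOTIATE_REQUIRES_XTN`. As I read NSS's ssl.h, the transitional value keeps the restriction on server sockets but lets client sockets renegotiate with peers that do not send the renegotiation_info extension, so it is a deliberate relaxation of the upstream default. I would add a short comment block at the top of the patch file giving the compatibility reason, the tracking bug, and the condition for dropping the patch, for example `# Downstream-only: <bug reference>; drop once <condition>`. The `ssl_defaults` initializer starts and ends outside the hunk.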
|
||||
|
|
2
sources
2
sources
|
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
|
|||
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
||||
SHA512 (nss-3.32.0.tar.gz) = c2947b7e12ab840bba1c591255d037a0c838bc1b36bd7ea00a94c447bf0e95fe4415da284c172acd8c04e3c0d583fcbc900a523230f42558c93692bfde5ba500
|
||||
SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||
# Description: NSS tools should not use SHA1 by default when
|
||||
# Author: Hubert Kario <hkario@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA)
|
||||
@echo "Type: Regression" >> $(METADATA)
|
||||
@echo "TestTime: 10m" >> $(METADATA)
|
||||
@echo "RunFor: nss openssl" >> $(METADATA)
|
||||
@echo "Requires: nss nss-tools openssl" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
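Review bot: `run` and `build` are used as command targets but are missing from the `.PHONY: all install download clean` line, so whether `./runtest.sh` is executed depends on no stray files named `run` and `build` existing in the test directory. I would declare them: `.PHONY: all install download clean run build`. The header comment and the `Description:` line echoed into `$(METADATA)` also stop mid-sentence at "by default when". The PURPOSE file's summary ("when generating digital signatures/certificates") supplies the missing ending.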
|
|
@ -0,0 +1,4 @@
|
|||
PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
|
||||
Description: NSS tools should not use SHA1 by default when
|
||||
Author: Hubert Kario <hkario@redhat.com>
|
||||
Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates
|
|
@ -0,0 +1,125 @@
|
|||
#!/bin/bash
|
||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
|
||||
# Description: NSS tools should not use SHA1 by default when
|
||||
# Author: Hubert Kario <hkario@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="nss"
|
||||
PACKAGES="nss openssl"
|
||||
DBDIR="nssdb"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm --all
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlRun "mkdir nssdb"
|
||||
rlRun "certutil -N -d $DBDIR --empty-password"
|
||||
rlLogInfo "Create a JAR file"
|
||||
rlRun "mkdir java-dir"
|
||||
rlRun "pushd java-dir"
|
||||
rlRun "mkdir META-INF mypackage"
|
||||
rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
|
||||
rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
|
||||
#rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
|
||||
rlRun "popd"
|
||||
#rlRun "mv java-dir/package.jar ."
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Self signing certificates"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
|
||||
rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Signing certificates"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
|
||||
rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Certificate request"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "mkdir srv2db"
|
||||
rlRun "certutil -d srv2db -N --empty-password"
|
||||
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
|
||||
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlRun "rm -rf srv2db"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Certificate request with SHA1"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "mkdir srv2db"
|
||||
rlRun "certutil -d srv2db -N --empty-password"
|
||||
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
|
||||
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||
rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
|
||||
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlRun "rm -rf srv2db"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Signing CMS messages"
|
||||
rlRun "echo 'This is a document' > document.txt"
|
||||
rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
|
||||
rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
|
||||
rlAssertGrep "algorithm: sha256" $rlRun_LOG
|
||||
rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "CRL signing"
|
||||
rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
|
||||
rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
|
||||
rlRun "echo addext crlNumber 0 1245 >>script"
|
||||
rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
|
||||
rlRun "echo addext reasonCode 0 0 >>script"
|
||||
rlRun "cat script"
|
||||
rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
|
||||
rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
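Review bot: The setup phase creates `java-dir` with a manifest and a placeholder class under the log line "Create a JAR file", but the `jar` and `mv` lines are commented out and no later phase references the directory, so the archive-signing path is never exercised. Either remove the dead setup lines or add a phase that signs the archive and asserts the digest algorithm, in the same shape as the CMS and CRL phases. Separately, `$rlRun_LOG` is quoted in most `rlAssertGrep` calls but unquoted in every `rlAssertNotGrep`. Quoting it throughout, as in `rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"`, keeps the negative checks consistent with the positive ones.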
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
# This first play always runs on the local staging system
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- role: standard-test-beakerlib
|
||||
tags:
|
||||
- classic
|
||||
tests:
|
||||
- NSS-tools-should-not-use-SHA1-by-default-when
|
||||
required_packages:
|
||||
- nss-tools
|
||||
- nss
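Review bot: `required_packages` lists only `nss-tools` and `nss`, while the test this play runs sets `PACKAGES="nss openssl"`, calls `rlAssertRpm --all`, and uses `openssl` to decode every certificate, request, CMS message and CRL. Its Makefile metadata also says `Requires: nss nss-tools openssl`. On a test system where openssl is not already installed, the setup phase would presumably fail before any signature check runs. I would add `- openssl` under `required_packages`.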
|