Remove left-over crypto-policies installation snippet

See https://bugzilla.redhat.com/show_bug.cgi?id=1422046#c6

.gitignore

@@ -20,3 +20,11 @@ TestUser51.cert
 /nss-3.30.2.tar.gz
 /nss-3.31.0.tar.gz
 /nss-3.32.0.tar.gz
+/nss-3.33.0.tar.gz
+/nss-3.34.0.tar.gz
+/nss-3.35.0.tar.gz
+/nss-3.36.0.tar.gz
+/nss-3.36.1.tar.gz
+/nss-3.37.3.tar.gz
+/nss-3.38.0.tar.gz
+/nss-3.39.tar.gz

iquote.patch

@@ -1,211 +1,13 @@
-diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile
---- ./nss/cmd/certcgi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/certcgi/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
---- ./nss/cmd/certutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/certutil/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
---- ./nss/cmd/lib/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/lib/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
---- ./nss/cmd/modutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/modutil/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- 
- #######################################################################
-diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
---- ./nss/cmd/selfserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/selfserv/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
---- ./nss/cmd/ssltap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/ssltap/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
---- ./nss/cmd/strsclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/strsclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
---- ./nss/cmd/tstclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/tstclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
---- ./nss/cmd/vfyserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/vfyserv/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
---- ./nss/coreconf/location.mk.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/coreconf/location.mk	2016-03-05 12:04:06.217474124 -0800
-@@ -45,6 +45,10 @@ endif
- 
- ifdef NSS_INCLUDE_DIR
-     INCLUDES += -I$(NSS_INCLUDE_DIR)
-+    ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+        INCLUDES += -iquote $(DIST)/../public/nss
-+        INCLUDES += -iquote $(DIST)/../private/nss
-+    endif
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
  endif
  
- ifndef NSS_LIB_DIR
-diff -up ./nss/gtests/pk11_gtest/Makefile.iquote ./nss/gtests/pk11_gtest/Makefile
---- ./nss/gtests/pk11_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/gtests/pk11_gtest/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
---- ./nss/gtests/ssl_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/gtests/ssl_gtest/Makefile	2016-03-05 12:05:17.208082475 -0800
-@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
---- ./nss/lib/certhigh/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/certhigh/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
---- ./nss/lib/cryptohi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/cryptohi/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
---- ./nss/lib/nss/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/nss/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
---- ./nss/lib/pk11wrap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/pk11wrap/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
---- ./nss/lib/ssl/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/ssl/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included

nss-3.14.0.0-disble-ocsp-test.patch

@@ -1,11 +0,0 @@
-diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
---- nss/tests/chains/scenarios/scenarios.noocsptest	2013-06-27 10:58:08.000000000 -0700
-+++ nss/tests/chains/scenarios/scenarios	2013-07-02 16:13:27.075038930 -0700
-@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
- realcerts.cfg
- dsa.cfg
- revoc.cfg
--ocsp.cfg
- crldp.cfg
- trustanchors.cfg
- nameconstraints.cfg

nss-check-policy-file.patch

@@ -1,49 +0,0 @@
-diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
---- nss/lib/pk11wrap/pk11pars.c.check_policy_file	2017-01-06 13:21:47.002952050 +0100
-+++ nss/lib/pk11wrap/pk11pars.c	2017-01-06 13:28:18.972536334 +0100
-@@ -109,6 +109,7 @@ secmod_NewModule(void)
-                                                  *other flags are set */
- #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
- #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
-+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
- 
- /* private flags for internal (field in SECMODModule). */
- /* The meaing of these flags is as follows:
-@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
-         if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
-             flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
-         }
-+	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
-+	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
-+	}
-         /* additional moduleDB flags could be added here in the future */
-         mod->isModuleDB = (PRBool)flags;
-     }
-@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
- }
- 
- PRBool
-+secmod_PolicyOnly(SECMODModule *mod)
-+{
-+   char flags = (char) mod->isModuleDB;
-+
-+   return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
-+}
-+
-+PRBool
- secmod_IsInternalKeySlot(SECMODModule *mod)
- {
-     char flags = (char)mod->internal;
-@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
-     if (!module) {
-         goto loser;
-     }
-+
-+    /* a policy only stanza doesn't actually get 'loaded'. policy has already
-+     * been parsed as a side effect of the CreateModuleEx call */
-+    if (secmod_PolicyOnly(module)) {
-+	return module;
-+    }
-     if (parent) {
-         module->parent = SECMOD_ReferenceModule(parent);
-         if (module->internal && secmod_IsInternalKeySlot(parent)) {

nss-load-policy-file.patch

@@ -0,0 +1,79 @@
+# HG changeset patch
+# User David Woodhouse <David.Woodhouse@intel.com>
+# Date 1529655250 -7200
+#      Fri Jun 22 10:14:10 2018 +0200
+# Node ID d99e54ca9b6df33025ee9a196b8b942428bbff91
+# Parent  1a13c19d7fab53fd62786e05d6546a4abf66e48d
+Bug 1296263 - Fix loading of PKCS#11 modules from system policy file, r=rrelyea
+
+We currently load the policy file after calling
+STAN_LoadDefaultNSS3TrustDomain(), which causes problems because any
+tokens in the newly-added modules don't get initialised.
+
+Move it up by a few lines and fix up the indentation while we're at it.
+
+diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
+--- a/lib/nss/nssinit.c
++++ b/lib/nss/nssinit.c
+@@ -702,6 +702,30 @@ nss_Init(const char *configdir, const ch
+         if (SECOID_Init() != SECSuccess) {
+             goto loser;
+         }
++#ifdef POLICY_FILE
++        /* Load the system crypto policy file if it exists,
++         * unless the NSS_IGNORE_SYSTEM_POLICY environment
++         * variable has been set to 1. */
++        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
++        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
++            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
++                SECMODModule *module = SECMOD_LoadModule(
++                    "name=\"Policy File\" "
++                    "parameters=\"configdir='sql:" POLICY_PATH "' "
++                    "secmod='" POLICY_FILE "' "
++                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
++                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
++                    parent, PR_TRUE);
++                if (module) {
++                    PRBool isLoaded = module->loaded;
++                    SECMOD_DestroyModule(module);
++                    if (!isLoaded) {
++                        goto loser;
++                    }
++                }
++            }
++        }
++#endif
+         if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
+             goto loser;
+         }
+@@ -730,30 +754,6 @@ nss_Init(const char *configdir, const ch
+                 }
+             }
+         }
+-#ifdef POLICY_FILE
+-        /* Load the system crypto policy file if it exists,
+-         * unless the NSS_IGNORE_SYSTEM_POLICY environment
+-         * variable has been set to 1. */
+-        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+-        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+-            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+-                SECMODModule *module = SECMOD_LoadModule(
+-                    "name=\"Policy File\" "
+-                    "parameters=\"configdir='sql:" POLICY_PATH "' "
+-                    "secmod='" POLICY_FILE "' "
+-                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+-                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+-                    parent, PR_TRUE);
+-                if (module) {
+-                    PRBool isLoaded = module->loaded;
+-                    SECMOD_DestroyModule(module);
+-                    if (!isLoaded) {
+-                        goto loser;
+-                    }
+-                }
+-            }
+-        }
+-#endif
+         pk11sdr_Init();
+         cert_CreateSubjectKeyIDHashTable();
+ 

nss-p11-kit.config

@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+

nss-sql-default.patch

@@ -0,0 +1,42 @@
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1511548994 -3600
+#      Fri Nov 24 19:43:14 2017 +0100
+# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4
+# Parent  807662e6ba57db5be05036511ac8634466ed473f
+Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer
+
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -111,6 +111,8 @@ RUN_FIPS=""
+ ########################################################################
+ run_tests()
+ {
++    echo "Running test cycle: ${TEST_MODE} ----------------------"
++    echo "List of tests that will be executed: ${TESTS}"
+     for TEST in ${TESTS}
+     do
+         # NOTE: the spaces are important. If you don't include
+@@ -172,8 +174,9 @@ run_cycle_pkix()
+     NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+     export -n NSS_SSL_RUN
+ 
+-    # use the default format
++    # use the default format. (unset for the shell, export -n for binaries)
+     export -n NSS_DEFAULT_DB_TYPE
++    unset NSS_DEFAULT_DB_TYPE
+ 
+     run_tests
+ }
+diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh
+--- a/tests/merge/merge.sh
++++ b/tests/merge/merge.sh
+@@ -98,7 +98,7 @@ merge_init()
+   # are dbm databases.
+   if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+ 	save=${NSS_DEFAULT_DB_TYPE}
+-	NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
++	NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
+   fi
+ 
+   certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}

nss.spec

@@ -1,27 +1,24 @@
-%global nspr_version 4.16.0
-%global nss_util_version 3.32.0
-%global nss_softokn_version 3.32.0
+%global nspr_version 4.20.0
+%global nss_util_version 3.39.0
+%global nss_softokn_version 3.39.0
+%global nss_version 3.39.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
-# solution taken from icedtea-web.spec
-%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
-%ifarch %{multilib_arches}
-%define alt_ckbi  libnssckbi.so.%{_arch}
-%else
-%define alt_ckbi  libnssckbi.so
-%endif
-
-# Define if using a source archive like "nss-version.with.ckbi.version".
-# To "disable", add "#" to start of line, AND a space after "%".
-#% define nss_ckbi_suffix .with.ckbi.1.93
+# The upstream omits the trailing ".0", while we need it for
+# consistency with the pkg-config version:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
+%{lua:
+rpm.define(string.format("nss_archive_version %s",
+           string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
+}
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.32.0
+Version:          %{nss_version}
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          2%{?dist}
+Release:          1.0%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -30,9 +27,7 @@ Requires:         nss-util >= %{nss_util_version}
 # TODO: revert to same version as nss once we are done with the merge
 Requires:         nss-softokn%{_isa} >= %{nss_softokn_version}
 Requires:         nss-system-init
-Requires(post):   %{_sbindir}/update-alternatives
-Requires(postun): %{_sbindir}/update-alternatives
-BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Requires:         p11-kit-trust
 BuildRequires:    nspr-devel >= %{nspr_version}
 # TODO: revert to same version as nss once we are done with the merge
 # Using '>=' but on RHEL the requires should be '='
@@ -44,12 +39,13 @@ BuildRequires:    pkgconfig
 BuildRequires:    gawk
 BuildRequires:    psmisc
 BuildRequires:    perl-interpreter
+BuildRequires:    gcc-c++
 
 # nss-pem used to be bundled with the nss package on Fedora -- make sure that
 # programs relying on that continue to work until they are fixed to require
 # nss-pem instead.  Once all of them are fixed, the following line can be
 # removed.  See https://bugzilla.redhat.com/1346806 for details.
-Requires:         nss-pem
+Requires:         nss-pem%{?_isa}
 
 # NSS 3.28.1 introduced a curve, that is smaller than a check in old
 # Mozilla code allows.
@@ -64,13 +60,7 @@ Conflicts:        seamonkey < 2.46-2
 # https://bugzilla.redhat.com/show_bug.cgi?id=1414987
 # Conflicts:        icecat < 45.5.1-5
 
-%if %{defined nss_ckbi_suffix}
-%define full_nss_version %{version}%{nss_ckbi_suffix}
-%else
-%define full_nss_version %{version}
-%endif
-
-Source0:          %{name}-%{full_nss_version}.tar.gz
+Source0:          %{name}-%{nss_archive_version}.tar.gz
 Source1:          nss.pc.in
 Source2:          nss-config.in
 Source3:          blank-cert8.db
@@ -93,24 +83,26 @@ Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
 Patch16:          nss-539183.patch
-# TODO: Remove this patch when the ocsp test are fixed
-Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
 Patch47:          utilwrap-include-templates.patch
 # TODO remove when we switch to building nss without softoken
 Patch49:          nss-skip-bltest-and-fipstest.patch
-# This patch uses the gcc-iquote dir option documented at
+# This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
-# to place the in-tree directories at the head of the list of list of directories
-# to be searched for for header files. This ensures a build even when system
-# headers are older. Such is the case when starting an update with API changes or even private export changes.
-# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
+# to give the in-tree headers a higher priority over the system headers,
+# when they are included through the quote form (#include "file.h").
+#
+# This ensures a build even when system headers are older. Such is the
+# case when starting an update with API changes or even private export
+# changes.
+#
+# Once the buildroot aha been bootstrapped the patch may be removed
+# but it doesn't hurt to keep it.
 Patch50:          iquote.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
-Patch59: nss-check-policy-file.patch
 Patch62: nss-skip-util-gtest.patch
+Patch63: nss-sql-default.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -180,20 +172,18 @@ low level services.
 
 
 %prep
-%setup -q
-%setup -q -T -D -n %{name}-%{version}
+%setup -q -n %{name}-%{nss_archive_version}
 
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
 %patch16 -p0 -b .539183
-%patch40 -p0 -b .noocsptest
 %patch47 -p0 -b .templates
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
 %patch58 -p0 -b .1185708_3des
 pushd nss
-%patch59 -p1 -b .check_policy_file
 %patch62 -p1 -b .skip_util_gtest
+%patch63 -p1 -R -b .sql-default
 popd
 
 #########################################################
@@ -225,12 +215,12 @@ popd
 
 %build
 
-NSS_NO_PKCS11_BYPASS=1
-export NSS_NO_PKCS11_BYPASS
-
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
+NSS_FORCE_FIPS=1
+export NSS_FORCE_FIPS
+
 # Enable compiler optimizations and disable debugging code
 export BUILD_OPT=1
 
@@ -242,6 +232,9 @@ export BUILD_OPT=1
 XCFLAGS=$RPM_OPT_FLAGS
 export XCFLAGS
 
+LDFLAGS=$RPM_LD_FLAGS
+export LDFLAGS
+
 PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
 
@@ -407,6 +400,8 @@ export SOFTOKEN_LIB_DIR=%{_libdir}
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
 
+export NSS_FORCE_FIPS=1
+
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f
 
@@ -477,7 +472,7 @@ popd
 killall $RANDSERV || :
 
 if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
-  TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+  TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
 else
   TEST_FAILURES=0
   GREP_EXIT_STATUS=1
@@ -526,9 +521,6 @@ echo "test suite completed"
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 
-touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
-%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
-
 # Copy the binary libraries we want
 for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
@@ -553,7 +545,7 @@ do
 done
 
 # Copy the binaries we want
-for file in certutil cmsutil crlutil modutil pk12util signver ssltap
+for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
 do
   %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done
@@ -608,42 +600,15 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
    install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
 done
 
-%clean
-%{__rm} -rf $RPM_BUILD_ROOT
-
 %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
 # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
 # from previous versions of nss.spec
 /usr/bin/setup-nsssysinit.sh on
 
 %post
-# If we upgrade, and the shared filename is a regular file, then we must
-# remove it, before we can install the alternatives symbolic link.
-if [ $1 -gt 1 ] ; then
-  # when upgrading or downgrading
-  if ! test -L %{_libdir}/libnssckbi.so; then
-    rm -f %{_libdir}/libnssckbi.so
-  fi
-fi
-# Install the symbolic link
-# FYI: Certain other packages use alternatives --set to enforce that the first
-# installed package is preferred. We don't do that. Highest priority wins.
-%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
-  %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
 /sbin/ldconfig
 
 %postun
-if [ $1 -eq 0 ] ; then
-  # package removal
-  %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
-else
-  # upgrade or downgrade
-  # If the new installed package uses a regular file (not a symblic link),
-  # then cleanup the alternatives link.
-  if ! test -L %{_libdir}/libnssckbi.so; then
-    %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
-  fi
-fi
 /sbin/ldconfig
 
 
@@ -654,8 +619,6 @@ fi
 %{_libdir}/libnss3.so
 %{_libdir}/libssl3.so
 %{_libdir}/libsmime3.so
-%ghost %{_libdir}/libnssckbi.so
-%{_libdir}/nss/libnssckbi.so
 %dir %{_sysconfdir}/pki/nssdb
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
@@ -684,6 +647,7 @@ fi
 %{_bindir}/cmsutil
 %{_bindir}/crlutil
 %{_bindir}/modutil
+%{_bindir}/nss-policy-check
 %{_bindir}/pk12util
 %{_bindir}/signver
 %{_bindir}/ssltap
@@ -773,6 +737,7 @@ fi
 %{_includedir}/nss3/smime.h
 %{_includedir}/nss3/ssl.h
 %{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
 %{_includedir}/nss3/sslproto.h
 %{_includedir}/nss3/sslt.h
 
@@ -795,6 +760,47 @@ fi
 
 
 %changelog
+* Mon Sep  3 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.0
+- Update to NSS 3.39
+- Use the upstream tarball as it is (rhbz#1578106)
+
+* Tue Jul  3 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.0
+- Update to NSS 3.38
+
+* Tue Jun  5 2018 Daiki Ueno <dueno@redhat.com> - 3.37.3-1.0
+- Update to NSS 3.37.3
+
+* Thu Apr 19 2018 Daiki Ueno <dueno@redhat.com> - 3.36.1-1.0
+- Update to NSS 3.36.1
+
+* Fri Mar  9 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-1.0
+- Update to NSS 3.36.0
+- Add gcc-c++ to BuildRequires (C++ is needed for gtests)
+- Make test failure detection robuster
+- Enable test on s390x again
+
+* Mon Feb 12 2018 Daiki Ueno <dueno@redhat.com> - 3.35.0-1.1
+- Temporarily ignore test failures on F27 s390x
+
+* Wed Feb  7 2018 Daiki Ueno <dueno@redhat.com> - 3.35.0-1.0
+- Update to NSS 3.35.0
+
+* Tue Nov 14 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-1.0
+- Update to NSS 3.34.0
+
+* Fri Nov 10 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.1
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+  multlib environment, patch by Kamil Dudka
+
+* Tue Oct  3 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.0
+- Update to NSS 3.33.0
+
+* Tue Oct  3 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.1
+- Update iquote.patch to really prefer in-tree headers over system headers
+
+* Fri Sep 15 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.0
+- Update to NSS 3.32.1
+
 * Mon Aug  7 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-2
 - Update to NSS 3.32.0
 

renegotiate-transitional.patch

@@ -1,12 +1,12 @@
-diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
---- ./nss/lib/ssl/sslsock.c.transitional	2016-06-23 21:03:16.316480089 -0400
-+++ ./nss/lib/ssl/sslsock.c	2016-06-23 21:08:07.290202477 -0400
-@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,              /* noLocks            */
-     PR_FALSE,              /* enableSessionTickets */
-     PR_FALSE,              /* enableDeflate      */
--    2,                     /* enableRenegotiation (default: requires extension) */
-+    3,                     /* enableRenegotiation (default: transitional) */
-     PR_FALSE,              /* requireSafeNegotiation */
-     PR_FALSE,              /* enableFalseStart   */
-     PR_TRUE,               /* cbcRandomIV        */
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional	2018-03-09 13:57:50.615706802 +0100
++++ nss/lib/ssl/sslsock.c	2018-03-09 13:58:23.708974970 +0100
+@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
+     .noLocks = PR_FALSE,
+     .enableSessionTickets = PR_FALSE,
+     .enableDeflate = PR_FALSE,
+-    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
++    .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
+     .requireSafeNegotiation = PR_FALSE,
+     .enableFalseStart = PR_FALSE,
+     .cbcRandomIV = PR_TRUE,

sources

@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.32.0.tar.gz) = c2947b7e12ab840bba1c591255d037a0c838bc1b36bd7ea00a94c447bf0e95fe4415da284c172acd8c04e3c0d583fcbc900a523230f42558c93692bfde5ba500
+SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f

tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          nss openssl" >> $(METADATA)
+	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE

@@ -0,0 +1,4 @@
+PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
+Description: NSS tools should not use SHA1 by default when
+Author: Hubert Kario <hkario@redhat.com>
+Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="nss"
+PACKAGES="nss openssl"
+DBDIR="nssdb"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm --all
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "mkdir nssdb"
+        rlRun "certutil -N -d $DBDIR --empty-password"
+        rlLogInfo "Create a JAR file"
+        rlRun "mkdir java-dir"
+        rlRun "pushd java-dir"
+        rlRun "mkdir META-INF mypackage"
+        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
+        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
+        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
+        rlRun "popd"
+        #rlRun "mv java-dir/package.jar ."
+    rlPhaseEnd
+
+    rlPhaseStartTest "Self signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
+        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
+        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request with SHA1"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing CMS messages"
+        rlRun "echo 'This is a document' > document.txt"
+        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
+        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
+        rlAssertGrep "algorithm: sha256" $rlRun_LOG
+        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "CRL signing"
+        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
+        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
+        rlRun "echo addext crlNumber 0 1245 >>script"
+        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
+        rlRun "echo addext reasonCode 0 0 >>script"
+        rlRun "cat script"
+        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
+        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/tests.yml

@@ -0,0 +1,12 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - NSS-tools-should-not-use-SHA1-by-default-when
+    required_packages:
+    - nss-tools
+    - nss