summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/cert/cert.sh
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-08-14 07:52:35 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-08-14 16:42:52 +0200
commitab1060037931158d3a8bf4c8f9f6cb4dbfe916e9 (patch)
tree5e4677e52b9a349602f04135a44b3000c8baa97b /security/nss/tests/cert/cert.sh
parentf44e99950fc25d16a3cdaffe26dadf7b58a9d38c (diff)
downloadUXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.gz
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.lz
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.xz
UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.zip
Update NSS to 3.38
- Added HACL*Poly1305 32-bit (INRIA/Microsoft) - Updated to final TLS 1.3 draft version (28) - Removed TLS 1.3 prerelease draft limit check - Removed NPN code - Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments - Fixed several bugs with TLS 1.3 negotiation - Updated internal certificate store - Added support for the TLS Record Size Limit Extension. - Fixed CVE-2018-0495 - Various security fixes in the ASN.1 code.
Diffstat (limited to 'security/nss/tests/cert/cert.sh')
-rwxr-xr-xsecurity/nss/tests/cert/cert.sh76
1 files changed, 76 insertions, 0 deletions
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index d1a9148a9..34006efd1 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -1060,6 +1060,25 @@ cert_extended_ssl()
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
# 2>&1
+ # Check that a repeated import with a different nickname doesn't change the
+ # nickname of the existing cert (bug 1458518).
+ # We want to search for the results using grep, to avoid subset matches,
+ # we'll use one of the longer nicknames for testing.
+ # (Because "grep -w hostname" matches "grep -w hostname-dsamixed")
+ MYDBPASS="-d ${PROFILEDIR} -f ${R_PWFILE}"
+ TESTNAME="Ensure there's exactly one match for ${CERTNAME}-dsamixed"
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}"
+
+ CU_ACTION="Repeated import of $CERTNAME's mixed DSA Cert with different nickname"
+ certu -A -n "${CERTNAME}-repeated-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
+
+ TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-dsamixed"
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}"
+
+ TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-dsamixed"
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-dsamixed" 0 0 "${TESTNAME}"
+
echo "Importing all the server's own CA chain into the servers DB"
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
do
@@ -1532,6 +1551,37 @@ cert_make_with_param()
return 0
}
+cert_check_nickname_exists()
+{
+ MYDIRPASS="$1"
+ MYCERTNAME="$2"
+ EXPECT="$3"
+ EXPECTCOUNT="$4"
+ MYTESTNAME="$5"
+
+ echo certutil ${MYDIRPASS} -L
+ ${BINDIR}/certutil ${MYDIRPASS} -L
+
+ RET=$?
+ if [ "${RET}" -ne "${EXPECT}" ]; then
+ CERTFAILED=1
+ html_failed "${MYTESTNAME} - list"
+ cert_log "ERROR: ${MYTESTNAME} - list"
+ return 1
+ fi
+
+ LISTCOUNT=`${BINDIR}/certutil ${MYDIRPASS} -L | grep -wc ${MYCERTNAME}`
+ if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then
+ CERTFAILED=1
+ html_failed "${MYTESTNAME} - list and count"
+ cert_log "ERROR: ${MYTESTNAME} - list and count failed"
+ return 1
+ fi
+
+ html_passed "${MYTESTNAME}"
+ return 0
+}
+
cert_list_and_count_dns()
{
DIRPASS="$1"
@@ -2425,6 +2475,31 @@ EOF
RETEXPECTED=0
}
+cert_test_orphan_key_reuse()
+{
+ CU_ACTION="Create orphan key in serverdir"
+ certu -G -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
+ # Let's get the key ID of the first orphan key.
+ # The output of certutil -K (list keys) isn't well formatted.
+ # The initial <key-number> part may or may not contain white space, which
+ # makes the use of awk to filter the column unreliable.
+ # To fix that, we remove the initial <number> field using sed, then select the
+ # column that contains the key ID.
+ ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+ sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
+ CU_ACTION="Create cert request for orphan key"
+ certu -R -f "${R_PWFILE}" -k ${ORPHAN} -s "CN=orphan" -d ${PROFILEDIR} \
+ -o ${SERVERDIR}/orphan.req
+ # Ensure that creating the request really works by listing it, and check
+ # if listing was successful.
+ ${BINDIR}/pp -t certificate-request -i ${SERVERDIR}/orphan.req
+ RET=$?
+ if [ "$RET" -ne 0 ]; then
+ html_failed "Listing cert request for orphan key ($RET)"
+ cert_log "ERROR: Listing cert request for orphan key failed $RET"
+ fi
+}
+
############################## cert_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
@@ -2444,6 +2519,7 @@ cert_all_CA
cert_test_implicit_db_init
cert_extended_ssl
cert_ssl
+cert_test_orphan_key_reuse
cert_smime_client
IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
if [ $IS_FIPS_DISABLED -ne 0 ]; then