summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/cert/cert.sh
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-02-23 11:04:39 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-06-05 22:24:08 +0200
commite10349ab8dda8a3f11be6aa19f2b6e29fe814044 (patch)
tree1a9b078b06a76af06839d407b7267880890afccc /security/nss/tests/cert/cert.sh
parent75b3dd4cbffb6e4534128278300ed6c8a3ab7506 (diff)
downloadUXP-e10349ab8dda8a3f11be6aa19f2b6e29fe814044.tar
UXP-e10349ab8dda8a3f11be6aa19f2b6e29fe814044.tar.gz
UXP-e10349ab8dda8a3f11be6aa19f2b6e29fe814044.tar.lz
UXP-e10349ab8dda8a3f11be6aa19f2b6e29fe814044.tar.xz
UXP-e10349ab8dda8a3f11be6aa19f2b6e29fe814044.zip
Update NSS to 3.35-RTM
Diffstat (limited to 'security/nss/tests/cert/cert.sh')
-rwxr-xr-xsecurity/nss/tests/cert/cert.sh560
1 files changed, 511 insertions, 49 deletions
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index 9b3455747..d1a9148a9 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -46,11 +46,7 @@ cert_init()
fi
SCRIPTNAME="cert.sh"
CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- html_head "Certutil and Crlutil Tests with ECC"
- else
- html_head "Certutil and Crlutil Tests"
- fi
+ html_head "Certutil and Crlutil Tests"
LIBDIR="${DIST}/${OBJDIR}/lib"
@@ -300,14 +296,12 @@ cert_create_cert()
fi
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Import EC Root CA for $CERTNAME"
certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
-d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
- fi
cert_add_cert "$5"
return $?
@@ -402,7 +396,6 @@ cert_add_cert()
#
# Generate and add EC cert
#
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CURVE="secp384r1"
CU_ACTION="Generate EC Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
@@ -454,7 +447,6 @@ cert_add_cert()
return $RET
fi
cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
- fi
return 0
}
@@ -467,6 +459,7 @@ cert_add_cert()
cert_all_CA()
{
echo nss > ${PWFILE}
+ echo > ${EMPTY_FILE}
ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
@@ -517,10 +510,16 @@ cert_all_CA()
# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
+#
+# Create RSA-PSS version of TestCA
+ ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256
+ rm $CADIR/rsapssroot.cert
+ ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1
+ rm $CADIR/rsapssroot.cert
-
- if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Create EC version of TestCA
CA_CURVE="secp521r1"
@@ -545,8 +544,6 @@ cert_all_CA()
rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
-
- fi
}
################################# cert_CA ################################
@@ -637,7 +634,7 @@ CERTSCRIPT
################################ cert_dsa_CA #############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
-# This is the ECC version of cert_CA.
+# This is the DSA version of cert_CA.
##########################################################################
cert_dsa_CA()
{
@@ -648,7 +645,7 @@ cert_dsa_CA()
DOMAIN=$5
CERTSERIAL=$6
- echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME =========================="
+ echo "$SCRIPTNAME: Creating a DSA CA Certificate $NICKNAME =========================="
if [ ! -d "${CUR_CADIR}" ]; then
mkdir -p "${CUR_CADIR}"
@@ -661,7 +658,7 @@ cert_dsa_CA()
LPROFILE="multiaccess:${DOMAIN}"
fi
- ################# Creating an DSA CA Cert ###############################
+ ################# Creating a DSA CA Cert ###############################
#
CU_ACTION="Creating DSA CA Cert $NICKNAME "
CU_SUBJECT=$ALL_CU_SUBJECT
@@ -700,6 +697,79 @@ CERTSCRIPT
+
+################################ cert_rsa_pss_CA #############################
+# local shell function to build the Temp. Certificate Authority (CA)
+# used for testing purposes, creating a CA Certificate and a root cert
+# This is the RSA-PSS version of cert_CA.
+##########################################################################
+cert_rsa_pss_CA()
+{
+ CUR_CADIR=$1
+ NICKNAME=$2
+ SIGNER=$3
+ TRUSTARG=$4
+ DOMAIN=$5
+ CERTSERIAL=$6
+ HASHALG=$7
+
+ echo "$SCRIPTNAME: Creating an RSA-PSS CA Certificate $NICKNAME =========================="
+
+ if [ ! -d "${CUR_CADIR}" ]; then
+ mkdir -p "${CUR_CADIR}"
+ fi
+ cd ${CUR_CADIR}
+ pwd
+
+ LPROFILE=.
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ LPROFILE="multiaccess:${DOMAIN}"
+ fi
+
+ HASHOPT=
+ if [ -n "$HASHALG" ]; then
+ HASHOPT="-Z $HASHALG"
+ fi
+
+ ################# Creating an RSA-PSS CA Cert ###############################
+ #
+ CU_ACTION="Creating RSA-PSS CA Cert $NICKNAME "
+ CU_SUBJECT=$ALL_CU_SUBJECT
+ certu -S -n $NICKNAME -k rsa --pss $HASHOPT -t $TRUSTARG -v 600 $SIGNER \
+ -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
+ -m $CERTSERIAL 2>&1 <<CERTSCRIPT
+5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+ if [ "$RET" -ne 0 ]; then
+ echo "return value is $RET"
+ Exit 6 "Fatal - failed to create RSA-PSS CA cert"
+ fi
+
+ ################# Exporting RSA-PSS Root Cert ###############################
+ #
+ CU_ACTION="Exporting RSA-PSS Root Cert"
+ certu -L -n $NICKNAME -r -d ${LPROFILE} -o rsapssroot.cert
+ if [ "$RET" -ne 0 ]; then
+ Exit 7 "Fatal - failed to export RSA-PSS root cert"
+ fi
+ cp rsapssroot.cert ${NICKNAME}.ca.cert
+}
+
+
+
+
################################ cert_ec_CA ##############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
@@ -831,7 +901,6 @@ cert_smime_client()
certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
-i ${R_EVEDIR}/Eve.cert 2>&1
- if [ -z "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: Importing EC Certificates =============================="
CU_ACTION="Import Bob's EC cert into Alice's db"
certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
@@ -855,7 +924,6 @@ cert_smime_client()
# CU_ACTION="Import Eve's EC cert into Bob's DB"
# certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
- fi
if [ "$CERTFAILED" != 0 ] ; then
cert_log "ERROR: SMIME failed $RET"
@@ -946,7 +1014,6 @@ cert_extended_ssl()
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
# 2>&1
- if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
@@ -992,7 +1059,6 @@ cert_extended_ssl()
# certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
# 2>&1
- fi
echo "Importing all the server's own CA chain into the servers DB"
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
@@ -1081,7 +1147,6 @@ cert_extended_ssl()
# done with mixed DSA certs
#
- if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
@@ -1128,7 +1193,6 @@ cert_extended_ssl()
#
# done with mixed EC certs
#
- fi
echo "Importing all the client's own CA chain into the servers DB"
for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
@@ -1175,10 +1239,8 @@ cert_ssl()
CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
- certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
- fi
+ CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
+ certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
# echo "************* Copying CA files to ${SERVERDIR}"
# cp ${CADIR}/*.db .
@@ -1199,6 +1261,12 @@ cert_ssl()
cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
+
+ echo "$SCRIPTNAME: Creating database for strsclnt no login tests ==============="
+ echo "cp -r ${CLIENTDIR} ${NOLOGINDIR}"
+ cp -r ${R_CLIENTDIR} ${R_NOLOGINDIR}
+ # change the password to empty
+ certu -W -d "${R_NOLOGINDIR}" -f "${R_PWFILE}" -@ "${R_EMPTY_FILE}" 2>&1
}
############################## cert_stresscerts ################################
@@ -1269,12 +1337,35 @@ MODSCRIPT
html_passed "${CU_ACTION}"
fi
+ CU_ACTION="Setting invalid database password in FIPS mode"
+ RETEXPECTED=255
+ certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1
+ CU_ACTION="Attempt to generate a key with exponent of 3 (too small)"
+ certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}"
+ CU_ACTION="Attempt to generate a key with exponent of 17 (too small)"
+ certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}"
+ RETEXPECTED=0
+
CU_ACTION="Generate Certificate for ${CERTNAME}"
CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
if [ "$RET" -eq 0 ]; then
cert_log "SUCCESS: FIPS passed"
fi
+
+}
+
+########################## cert_rsa_exponent #################################
+# local shell function to verify small rsa exponent can be used (only
+# run if FIPS has not been turned on in the build).
+##############################################################################
+cert_rsa_exponent_nonfips()
+{
+ echo "$SCRIPTNAME: Verify that small RSA exponents still work =============="
+ CU_ACTION="Attempt to generate a key with exponent of 3"
+ certu -G -k rsa -g 2048 -y 3 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}"
+ CU_ACTION="Attempt to generate a key with exponent of 17"
+ certu -G -k rsa -g 2048 -y 17 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}"
}
############################## cert_eccurves ###########################
@@ -1284,7 +1375,6 @@ cert_eccurves()
{
################# Creating Certs for EC curves test ########################
#
- if [ -z "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
echo " EC Curves Test Certificates ------------------------------------"
@@ -1325,8 +1415,6 @@ cert_eccurves()
-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
fi
done
-
- fi # $NSS_DISABLE_ECC
}
########################### cert_extensions_test #############################
@@ -1678,7 +1766,6 @@ EOF_CRLINI
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
# Until Bug 292285 is resolved, do not encode x400 Addresses. After
@@ -1693,7 +1780,6 @@ addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|director
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or-ec
- fi
echo test > file
############################# Modification ##################################
@@ -1724,7 +1810,6 @@ EOF_CRLINI
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by adding one more cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
-o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
@@ -1734,7 +1819,6 @@ EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or1-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
- fi
########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
@@ -1763,7 +1847,6 @@ EOF_CRLINI
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by removing one cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
-i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
@@ -1772,7 +1855,6 @@ rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
- fi
########### Creating second CRL which includes groups 1 and 2 ##############
CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
@@ -1792,7 +1874,6 @@ rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
-i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
@@ -1803,7 +1884,6 @@ rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}-ec
- fi
########### Creating second CRL which includes groups 1, 2 and 3 ##############
CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
@@ -1825,7 +1905,6 @@ addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
-i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
@@ -1836,7 +1915,6 @@ addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}-ec
- fi
############ Importing Server CA Issued CRL for certs of first group #######
@@ -1845,13 +1923,11 @@ EOF_CRLINI
crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Importing CRL (ECC) for groups 1"
crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
-d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
- fi
if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
@@ -1968,6 +2044,387 @@ cert_test_ocspresp()
ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
}
+cert_test_implicit_db_init()
+{
+ echo "$SCRIPTNAME: test implicit database init"
+
+ CU_ACTION="Add cert with trust flags to db with implicit init"
+ mkdir ${IMPLICIT_INIT_DIR}
+ certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
+}
+
+check_sign_algo()
+{
+ certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
+ sed -n '/^ *Data:/,/^$/{
+/^ Signature Algorithm/,/^ *Salt length/s/^ //p
+}' > ${TMP}/signalgo.txt
+
+ diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt
+ RET=$?
+ if [ "$RET" -ne 0 ]; then
+ CERTFAILED=$RET
+ html_failed "${CU_ACTION} ($RET) "
+ cert_log "ERROR: ${CU_ACTION} failed $RET"
+ else
+ html_passed "${CU_ACTION}"
+ fi
+}
+
+cert_test_rsapss()
+{
+ TEMPFILES="$TEMPFILES ${TMP}/signalgo.exp ${TMP}/signalgo.txt"
+
+ cert_init_cert "${RSAPSSDIR}" "RSA-PSS Test Cert" 1000 "${D_RSAPSS}"
+
+ CU_ACTION="Initialize Cert DB"
+ certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import RSA CA Cert"
+ certu -A -n "TestCA" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${R_CADIR}/TestCA.ca.cert" 2>&1
+
+ CU_ACTION="Import RSA-PSS CA Cert"
+ certu -A -n "TestCA-rsa-pss" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${R_CADIR}/TestCA-rsa-pss.ca.cert" 2>&1
+
+ CU_ACTION="Verify RSA-PSS CA Cert"
+ certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+
+ CU_ACTION="Import RSA-PSS CA Cert (SHA1)"
+ certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
+
+ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)"
+ certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1
+ RETEXPECTED=255
+ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ RETEXPECTED=0
+
+ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)"
+ certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1
+ RETEXPECTED=255
+ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ RETEXPECTED=0
+
+ CERTSERIAL=200
+
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explicit, with --pss-sign)
+ CERTNAME="TestUser-rsa-pss1"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512)
+ CERTNAME="TestUser-rsa-pss2"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-512
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-512
+ Salt length: 64 (0x40)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS
+ CERTNAME="TestUser-rsa-pss3"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explicit, with --pss-sign)
+ CERTNAME="TestUser-rsa-pss4"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (explicit, with --pss-sign)
+ CERTNAME="TestUser-rsa-pss5"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (implicit, without --pss-sign)
+ CERTNAME="TestUser-rsa-pss6"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ # Sign without --pss-sign nor -Z option
+ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (with conflicting hash algorithm)
+ CERTNAME="TestUser-rsa-pss7"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ RETEXPECTED=255
+ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+ RETEXPECTED=0
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (with compatible hash algorithm)
+ CERTNAME="TestUser-rsa-pss8"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1)
+ CERTNAME="TestUser-rsa-pss9"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: default, SHA-1
+ Mask algorithm: default, MGF1
+ Mask hash algorithm: default, SHA-1
+ Salt length: default, 20 (0x14)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (implicit, without --pss-sign, default parameters)
+ CERTNAME="TestUser-rsa-pss10"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ # Sign without --pss-sign nor -Z option
+ certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: default, SHA-1
+ Mask algorithm: default, MGF1
+ Mask hash algorithm: default, SHA-1
+ Salt length: default, 20 (0x14)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (with conflicting hash algorithm, default parameters)
+ CERTNAME="TestUser-rsa-pss11"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ RETEXPECTED=255
+ certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+ RETEXPECTED=0
+}
+
############################## cert_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
@@ -1975,20 +2432,24 @@ cert_test_ocspresp()
cert_cleanup()
{
cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
- html "</TABLE><BR>"
+ html "</TABLE><BR>"
cd ${QADIR}
. common/cleanup.sh
}
################## main #################################################
-cert_init
+cert_init
cert_all_CA
-cert_extended_ssl
-cert_ssl
-cert_smime_client
-if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
- cert_fips
+cert_test_implicit_db_init
+cert_extended_ssl
+cert_ssl
+cert_smime_client
+IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
+if [ $IS_FIPS_DISABLED -ne 0 ]; then
+ cert_rsa_exponent_nonfips
+else
+ cert_fips
fi
cert_eccurves
cert_extensions
@@ -1996,6 +2457,7 @@ cert_san_and_generic_extensions
cert_test_password
cert_test_distrust
cert_test_ocspresp
+cert_test_rsapss
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
cert_crl_ssl
@@ -2004,7 +2466,7 @@ else
fi
if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
- cert_stresscerts
+ cert_stresscerts
fi
cert_iopr_setup