summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/cert/cert.sh
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-04-25 21:33:33 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-04-25 21:33:33 +0200
commitfba28f19754f62b5227650143d5441fc86d4c7d7 (patch)
tree26629d73f83543ff92a060fd7b310bb748b13173 /security/nss/tests/cert/cert.sh
parentb4154e043bfc0d2f301d88304efc896989d650bf (diff)
downloadUXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar
UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar.gz
UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar.lz
UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar.xz
UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.zip
Revert "Update NSS to 3.35-RTM"
This reverts commit f1a0f0a56fdd0fc39f255174ce08c06b91c66c94.
Diffstat (limited to 'security/nss/tests/cert/cert.sh')
-rwxr-xr-xsecurity/nss/tests/cert/cert.sh560
1 files changed, 49 insertions, 511 deletions
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index d1a9148a9..9b3455747 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -46,7 +46,11 @@ cert_init()
fi
SCRIPTNAME="cert.sh"
CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
- html_head "Certutil and Crlutil Tests"
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ html_head "Certutil and Crlutil Tests with ECC"
+ else
+ html_head "Certutil and Crlutil Tests"
+ fi
LIBDIR="${DIST}/${OBJDIR}/lib"
@@ -296,12 +300,14 @@ cert_create_cert()
fi
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Import EC Root CA for $CERTNAME"
certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
-d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
+ fi
cert_add_cert "$5"
return $?
@@ -396,6 +402,7 @@ cert_add_cert()
#
# Generate and add EC cert
#
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
CURVE="secp384r1"
CU_ACTION="Generate EC Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
@@ -447,6 +454,7 @@ cert_add_cert()
return $RET
fi
cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
+ fi
return 0
}
@@ -459,7 +467,6 @@ cert_add_cert()
cert_all_CA()
{
echo nss > ${PWFILE}
- echo > ${EMPTY_FILE}
ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
@@ -510,16 +517,10 @@ cert_all_CA()
# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
-#
-# Create RSA-PSS version of TestCA
- ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256
- rm $CADIR/rsapssroot.cert
- ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1
- rm $CADIR/rsapssroot.cert
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Create EC version of TestCA
CA_CURVE="secp521r1"
@@ -544,6 +545,8 @@ cert_all_CA()
rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
+
+ fi
}
################################# cert_CA ################################
@@ -634,7 +637,7 @@ CERTSCRIPT
################################ cert_dsa_CA #############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
-# This is the DSA version of cert_CA.
+# This is the ECC version of cert_CA.
##########################################################################
cert_dsa_CA()
{
@@ -645,7 +648,7 @@ cert_dsa_CA()
DOMAIN=$5
CERTSERIAL=$6
- echo "$SCRIPTNAME: Creating a DSA CA Certificate $NICKNAME =========================="
+ echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME =========================="
if [ ! -d "${CUR_CADIR}" ]; then
mkdir -p "${CUR_CADIR}"
@@ -658,7 +661,7 @@ cert_dsa_CA()
LPROFILE="multiaccess:${DOMAIN}"
fi
- ################# Creating a DSA CA Cert ###############################
+ ################# Creating an DSA CA Cert ###############################
#
CU_ACTION="Creating DSA CA Cert $NICKNAME "
CU_SUBJECT=$ALL_CU_SUBJECT
@@ -697,79 +700,6 @@ CERTSCRIPT
-
-################################ cert_rsa_pss_CA #############################
-# local shell function to build the Temp. Certificate Authority (CA)
-# used for testing purposes, creating a CA Certificate and a root cert
-# This is the RSA-PSS version of cert_CA.
-##########################################################################
-cert_rsa_pss_CA()
-{
- CUR_CADIR=$1
- NICKNAME=$2
- SIGNER=$3
- TRUSTARG=$4
- DOMAIN=$5
- CERTSERIAL=$6
- HASHALG=$7
-
- echo "$SCRIPTNAME: Creating an RSA-PSS CA Certificate $NICKNAME =========================="
-
- if [ ! -d "${CUR_CADIR}" ]; then
- mkdir -p "${CUR_CADIR}"
- fi
- cd ${CUR_CADIR}
- pwd
-
- LPROFILE=.
- if [ -n "${MULTIACCESS_DBM}" ]; then
- LPROFILE="multiaccess:${DOMAIN}"
- fi
-
- HASHOPT=
- if [ -n "$HASHALG" ]; then
- HASHOPT="-Z $HASHALG"
- fi
-
- ################# Creating an RSA-PSS CA Cert ###############################
- #
- CU_ACTION="Creating RSA-PSS CA Cert $NICKNAME "
- CU_SUBJECT=$ALL_CU_SUBJECT
- certu -S -n $NICKNAME -k rsa --pss $HASHOPT -t $TRUSTARG -v 600 $SIGNER \
- -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
- -m $CERTSERIAL 2>&1 <<CERTSCRIPT
-5
-6
-9
-n
-y
--1
-n
-5
-6
-7
-9
-n
-CERTSCRIPT
-
- if [ "$RET" -ne 0 ]; then
- echo "return value is $RET"
- Exit 6 "Fatal - failed to create RSA-PSS CA cert"
- fi
-
- ################# Exporting RSA-PSS Root Cert ###############################
- #
- CU_ACTION="Exporting RSA-PSS Root Cert"
- certu -L -n $NICKNAME -r -d ${LPROFILE} -o rsapssroot.cert
- if [ "$RET" -ne 0 ]; then
- Exit 7 "Fatal - failed to export RSA-PSS root cert"
- fi
- cp rsapssroot.cert ${NICKNAME}.ca.cert
-}
-
-
-
-
################################ cert_ec_CA ##############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
@@ -901,6 +831,7 @@ cert_smime_client()
certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
-i ${R_EVEDIR}/Eve.cert 2>&1
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: Importing EC Certificates =============================="
CU_ACTION="Import Bob's EC cert into Alice's db"
certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
@@ -924,6 +855,7 @@ cert_smime_client()
# CU_ACTION="Import Eve's EC cert into Bob's DB"
# certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
+ fi
if [ "$CERTFAILED" != 0 ] ; then
cert_log "ERROR: SMIME failed $RET"
@@ -1014,6 +946,7 @@ cert_extended_ssl()
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
# 2>&1
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
@@ -1059,6 +992,7 @@ cert_extended_ssl()
# certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
# 2>&1
+ fi
echo "Importing all the server's own CA chain into the servers DB"
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
@@ -1147,6 +1081,7 @@ cert_extended_ssl()
# done with mixed DSA certs
#
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
@@ -1193,6 +1128,7 @@ cert_extended_ssl()
#
# done with mixed EC certs
#
+ fi
echo "Importing all the client's own CA chain into the servers DB"
for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
@@ -1239,8 +1175,10 @@ cert_ssl()
CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
- CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
- certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
+ certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+ fi
# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
# echo "************* Copying CA files to ${SERVERDIR}"
# cp ${CADIR}/*.db .
@@ -1261,12 +1199,6 @@ cert_ssl()
cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
-
- echo "$SCRIPTNAME: Creating database for strsclnt no login tests ==============="
- echo "cp -r ${CLIENTDIR} ${NOLOGINDIR}"
- cp -r ${R_CLIENTDIR} ${R_NOLOGINDIR}
- # change the password to empty
- certu -W -d "${R_NOLOGINDIR}" -f "${R_PWFILE}" -@ "${R_EMPTY_FILE}" 2>&1
}
############################## cert_stresscerts ################################
@@ -1337,35 +1269,12 @@ MODSCRIPT
html_passed "${CU_ACTION}"
fi
- CU_ACTION="Setting invalid database password in FIPS mode"
- RETEXPECTED=255
- certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1
- CU_ACTION="Attempt to generate a key with exponent of 3 (too small)"
- certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}"
- CU_ACTION="Attempt to generate a key with exponent of 17 (too small)"
- certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}"
- RETEXPECTED=0
-
CU_ACTION="Generate Certificate for ${CERTNAME}"
CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
if [ "$RET" -eq 0 ]; then
cert_log "SUCCESS: FIPS passed"
fi
-
-}
-
-########################## cert_rsa_exponent #################################
-# local shell function to verify small rsa exponent can be used (only
-# run if FIPS has not been turned on in the build).
-##############################################################################
-cert_rsa_exponent_nonfips()
-{
- echo "$SCRIPTNAME: Verify that small RSA exponents still work =============="
- CU_ACTION="Attempt to generate a key with exponent of 3"
- certu -G -k rsa -g 2048 -y 3 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}"
- CU_ACTION="Attempt to generate a key with exponent of 17"
- certu -G -k rsa -g 2048 -y 17 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}"
}
############################## cert_eccurves ###########################
@@ -1375,6 +1284,7 @@ cert_eccurves()
{
################# Creating Certs for EC curves test ########################
#
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
echo " EC Curves Test Certificates ------------------------------------"
@@ -1415,6 +1325,8 @@ cert_eccurves()
-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
fi
done
+
+ fi # $NSS_DISABLE_ECC
}
########################### cert_extensions_test #############################
@@ -1766,6 +1678,7 @@ EOF_CRLINI
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
# Until Bug 292285 is resolved, do not encode x400 Addresses. After
@@ -1780,6 +1693,7 @@ addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|director
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or-ec
+ fi
echo test > file
############################# Modification ##################################
@@ -1810,6 +1724,7 @@ EOF_CRLINI
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa"
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by adding one more cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
-o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
@@ -1819,6 +1734,7 @@ EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or1-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
+ fi
########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
@@ -1847,6 +1763,7 @@ EOF_CRLINI
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by removing one cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
-i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
@@ -1855,6 +1772,7 @@ rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
+ fi
########### Creating second CRL which includes groups 1 and 2 ##############
CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
@@ -1874,6 +1792,7 @@ rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
-i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
@@ -1884,6 +1803,7 @@ rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}-ec
+ fi
########### Creating second CRL which includes groups 1, 2 and 3 ##############
CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
@@ -1905,6 +1825,7 @@ addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
-i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
@@ -1915,6 +1836,7 @@ addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}-ec
+ fi
############ Importing Server CA Issued CRL for certs of first group #######
@@ -1923,11 +1845,13 @@ EOF_CRLINI
crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Importing CRL (ECC) for groups 1"
crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
-d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ fi
if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
@@ -2044,387 +1968,6 @@ cert_test_ocspresp()
ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
}
-cert_test_implicit_db_init()
-{
- echo "$SCRIPTNAME: test implicit database init"
-
- CU_ACTION="Add cert with trust flags to db with implicit init"
- mkdir ${IMPLICIT_INIT_DIR}
- certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
-}
-
-check_sign_algo()
-{
- certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
- sed -n '/^ *Data:/,/^$/{
-/^ Signature Algorithm/,/^ *Salt length/s/^ //p
-}' > ${TMP}/signalgo.txt
-
- diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt
- RET=$?
- if [ "$RET" -ne 0 ]; then
- CERTFAILED=$RET
- html_failed "${CU_ACTION} ($RET) "
- cert_log "ERROR: ${CU_ACTION} failed $RET"
- else
- html_passed "${CU_ACTION}"
- fi
-}
-
-cert_test_rsapss()
-{
- TEMPFILES="$TEMPFILES ${TMP}/signalgo.exp ${TMP}/signalgo.txt"
-
- cert_init_cert "${RSAPSSDIR}" "RSA-PSS Test Cert" 1000 "${D_RSAPSS}"
-
- CU_ACTION="Initialize Cert DB"
- certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
-
- CU_ACTION="Import RSA CA Cert"
- certu -A -n "TestCA" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${R_CADIR}/TestCA.ca.cert" 2>&1
-
- CU_ACTION="Import RSA-PSS CA Cert"
- certu -A -n "TestCA-rsa-pss" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${R_CADIR}/TestCA-rsa-pss.ca.cert" 2>&1
-
- CU_ACTION="Verify RSA-PSS CA Cert"
- certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}"
-
- CU_ACTION="Import RSA-PSS CA Cert (SHA1)"
- certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
-
- CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)"
- certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1
- RETEXPECTED=255
- certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
- RETEXPECTED=0
-
- CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)"
- certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1
- RETEXPECTED=255
- certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
- RETEXPECTED=0
-
- CERTSERIAL=200
-
- # Subject certificate: RSA
- # Issuer certificate: RSA
- # Signature: RSA-PSS (explicit, with --pss-sign)
- CERTNAME="TestUser-rsa-pss1"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-
- CU_ACTION="Import $CERTNAME's Cert"
- certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${CERTNAME}.cert" 2>&1
-
- CU_ACTION="Verify $CERTNAME's Cert"
- certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
- cat > ${TMP}/signalgo.exp <<EOF
-Signature Algorithm: PKCS #1 RSA-PSS Signature
- Parameters:
- Hash algorithm: SHA-256
- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
- Mask hash algorithm: SHA-256
- Salt length: 32 (0x20)
-EOF
- check_sign_algo
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA
- # Issuer certificate: RSA
- # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512)
- CERTNAME="TestUser-rsa-pss2"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-
- CU_ACTION="Import $CERTNAME's Cert"
- certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${CERTNAME}.cert" 2>&1
-
- CU_ACTION="Verify $CERTNAME's Cert"
- certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
- cat > ${TMP}/signalgo.exp <<EOF
-Signature Algorithm: PKCS #1 RSA-PSS Signature
- Parameters:
- Hash algorithm: SHA-512
- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
- Mask hash algorithm: SHA-512
- Salt length: 64 (0x40)
-EOF
- check_sign_algo
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA
- # Issuer certificate: RSA-PSS
- # Signature: RSA-PSS
- CERTNAME="TestUser-rsa-pss3"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-
- CU_ACTION="Import $CERTNAME's Cert"
- certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${CERTNAME}.cert" 2>&1
-
- CU_ACTION="Verify $CERTNAME's Cert"
- certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
- cat > ${TMP}/signalgo.exp <<EOF
-Signature Algorithm: PKCS #1 RSA-PSS Signature
- Parameters:
- Hash algorithm: SHA-256
- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
- Mask hash algorithm: SHA-256
- Salt length: 32 (0x20)
-EOF
- check_sign_algo
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA-PSS
- # Issuer certificate: RSA
- # Signature: RSA-PSS (explicit, with --pss-sign)
- CERTNAME="TestUser-rsa-pss4"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-
- CU_ACTION="Import $CERTNAME's Cert"
- certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${CERTNAME}.cert" 2>&1
-
- CU_ACTION="Verify $CERTNAME's Cert"
- certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
- cat > ${TMP}/signalgo.exp <<EOF
-Signature Algorithm: PKCS #1 RSA-PSS Signature
- Parameters:
- Hash algorithm: SHA-256
- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
- Mask hash algorithm: SHA-256
- Salt length: 32 (0x20)
-EOF
- check_sign_algo
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA-PSS
- # Issuer certificate: RSA-PSS
- # Signature: RSA-PSS (explicit, with --pss-sign)
- CERTNAME="TestUser-rsa-pss5"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-
- CU_ACTION="Import $CERTNAME's Cert"
- certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${CERTNAME}.cert" 2>&1
-
- CU_ACTION="Verify $CERTNAME's Cert"
- certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
- cat > ${TMP}/signalgo.exp <<EOF
-Signature Algorithm: PKCS #1 RSA-PSS Signature
- Parameters:
- Hash algorithm: SHA-256
- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
- Mask hash algorithm: SHA-256
- Salt length: 32 (0x20)
-EOF
- check_sign_algo
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA-PSS
- # Issuer certificate: RSA-PSS
- # Signature: RSA-PSS (implicit, without --pss-sign)
- CERTNAME="TestUser-rsa-pss6"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- # Sign without --pss-sign nor -Z option
- certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-
- CU_ACTION="Import $CERTNAME's Cert"
- certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${CERTNAME}.cert" 2>&1
-
- CU_ACTION="Verify $CERTNAME's Cert"
- certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
- cat > ${TMP}/signalgo.exp <<EOF
-Signature Algorithm: PKCS #1 RSA-PSS Signature
- Parameters:
- Hash algorithm: SHA-256
- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
- Mask hash algorithm: SHA-256
- Salt length: 32 (0x20)
-EOF
- check_sign_algo
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA-PSS
- # Issuer certificate: RSA-PSS
- # Signature: RSA-PSS (with conflicting hash algorithm)
- CERTNAME="TestUser-rsa-pss7"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- RETEXPECTED=255
- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
- RETEXPECTED=0
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA-PSS
- # Issuer certificate: RSA-PSS
- # Signature: RSA-PSS (with compatible hash algorithm)
- CERTNAME="TestUser-rsa-pss8"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-
- CU_ACTION="Import $CERTNAME's Cert"
- certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${CERTNAME}.cert" 2>&1
-
- CU_ACTION="Verify $CERTNAME's Cert"
- certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
- cat > ${TMP}/signalgo.exp <<EOF
-Signature Algorithm: PKCS #1 RSA-PSS Signature
- Parameters:
- Hash algorithm: SHA-256
- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
- Mask hash algorithm: SHA-256
- Salt length: 32 (0x20)
-EOF
- check_sign_algo
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA
- # Issuer certificate: RSA
- # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1)
- CERTNAME="TestUser-rsa-pss9"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-
- CU_ACTION="Import $CERTNAME's Cert"
- certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${CERTNAME}.cert" 2>&1
-
- CU_ACTION="Verify $CERTNAME's Cert"
- certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
- cat > ${TMP}/signalgo.exp <<EOF
-Signature Algorithm: PKCS #1 RSA-PSS Signature
- Parameters:
- Hash algorithm: default, SHA-1
- Mask algorithm: default, MGF1
- Mask hash algorithm: default, SHA-1
- Salt length: default, 20 (0x14)
-EOF
- check_sign_algo
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA-PSS
- # Issuer certificate: RSA-PSS
- # Signature: RSA-PSS (implicit, without --pss-sign, default parameters)
- CERTNAME="TestUser-rsa-pss10"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- # Sign without --pss-sign nor -Z option
- certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-
- CU_ACTION="Import $CERTNAME's Cert"
- certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
- -i "${CERTNAME}.cert" 2>&1
-
- CU_ACTION="Verify $CERTNAME's Cert"
- certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
- cat > ${TMP}/signalgo.exp <<EOF
-Signature Algorithm: PKCS #1 RSA-PSS Signature
- Parameters:
- Hash algorithm: default, SHA-1
- Mask algorithm: default, MGF1
- Mask hash algorithm: default, SHA-1
- Salt length: default, 20 (0x14)
-EOF
- check_sign_algo
-
- CERTSERIAL=`expr $CERTSERIAL + 1`
-
- # Subject certificate: RSA-PSS
- # Issuer certificate: RSA-PSS
- # Signature: RSA-PSS (with conflicting hash algorithm, default parameters)
- CERTNAME="TestUser-rsa-pss11"
-
- CU_ACTION="Generate Cert Request for $CERTNAME"
- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
-
- CU_ACTION="Sign ${CERTNAME}'s Request"
- RETEXPECTED=255
- certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
- RETEXPECTED=0
-}
-
############################## cert_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
@@ -2432,24 +1975,20 @@ EOF
cert_cleanup()
{
cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
- html "</TABLE><BR>"
+ html "</TABLE><BR>"
cd ${QADIR}
. common/cleanup.sh
}
################## main #################################################
-cert_init
+cert_init
cert_all_CA
-cert_test_implicit_db_init
-cert_extended_ssl
-cert_ssl
-cert_smime_client
-IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
-if [ $IS_FIPS_DISABLED -ne 0 ]; then
- cert_rsa_exponent_nonfips
-else
- cert_fips
+cert_extended_ssl
+cert_ssl
+cert_smime_client
+if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
+ cert_fips
fi
cert_eccurves
cert_extensions
@@ -2457,7 +1996,6 @@ cert_san_and_generic_extensions
cert_test_password
cert_test_distrust
cert_test_ocspresp
-cert_test_rsapss
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
cert_crl_ssl
@@ -2466,7 +2004,7 @@ else
fi
if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
- cert_stresscerts
+ cert_stresscerts
fi
cert_iopr_setup