Diffstat (limited to 'security/nss/tests')
-rwxr-xr-xsecurity/nss/tests/all.sh2
-rwxr-xr-xsecurity/nss/tests/bogo/bogo.sh9
-rwxr-xr-xsecurity/nss/tests/cert/cert.sh76
-rw-r--r--security/nss/tests/common/init.sh7
-rw-r--r--security/nss/tests/interop/interop.sh2
-rwxr-xr-xsecurity/nss/tests/ssl/ssl.sh122
-rwxr-xr-xsecurity/nss/tests/ssl_gtests/ssl_gtests.sh2
-rw-r--r--security/nss/tests/tools/TestRSAPSS.p12bin0 -> 2554 bytes
-rw-r--r--security/nss/tests/tools/tools.sh21
9 files changed, 164 insertions, 77 deletions
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh
index 3a02debef..f8a777fb3 100755
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -309,7 +309,7 @@ TESTS=${NSS_TESTS:-$tests}
ALL_TESTS=${TESTS}
-nss_ssl_tests="crl iopr policy"
+nss_ssl_tests="crl iopr policy normal_normal"
if [ $NO_INIT_SUPPORT -eq 0 ]; then
nss_ssl_tests="$nss_ssl_tests fips_normal normal_fips"
fi
diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh
index d1a93bf9b..4fccb845b 100755
--- a/security/nss/tests/bogo/bogo.sh
+++ b/security/nss/tests/bogo/bogo.sh
@@ -25,7 +25,7 @@ bogo_init()
BORING=${BORING:=boringssl}
if [ ! -d "$BORING" ]; then
git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
- git -C "$BORING" checkout -q a513e86c1ebb1383930c9e504bdabcc302a85f30
+ git -C "$BORING" checkout -q ec55dc15d3a39e5f1a58bfd79148729f38f6acb4
fi
SCRIPTNAME="bogo.sh"
@@ -39,11 +39,12 @@ bogo_cleanup()
. common/cleanup.sh
}
-cd "$(dirname "$0")"
-SOURCE_DIR="$PWD"/../..
+cd ../
+cwd=$(cd $(dirname $0); pwd -P)
+SOURCE_DIR="$cwd"/..
bogo_init
(cd "$BORING"/ssl/test/runner;
- GOPATH="$PWD" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \
+ GOPATH="$cwd" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \
-loose-errors -allow-unimplemented \
-shim-config "${SOURCE_DIR}/gtests/nss_bogo_shim/config.json") \
2>bogo.errors | tee bogo.log
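Review bot: The new directory handling at `cd ../` and `cwd=$(cd $(dirname $0); pwd -P)` is both unquoted and unchecked: `$(dirname $0)` word-splits on a path containing spaces, and if `cd ../` fails the script carries on in the wrong directory, so SOURCE_DIR and the GOPATH handed to `go test` point somewhere unexpected. Because `dirname $0` is now resolved after the directory change, a relative `$0` (say `bogo/bogo.sh` launched from `tests/`) would presumably no longer resolve, whereas the replaced `cd "$(dirname "$0")"` was invocation-independent; worth confirming against how all.sh runs this script. Deriving the target from the script's own location keeps the `tests/` working directory that `. common/cleanup.sh` and the BORING path rely on: `cwd=$(cd "$(dirname "$0")/.." && pwd -P) || exit 1` followed by `cd "$cwd" || exit 1`. The `bogo_cleanup` function that the hunk opens on starts outside the hunk.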
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index d1a9148a9..34006efd1 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -1060,6 +1060,25 @@ cert_extended_ssl()
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
# 2>&1
+ # Check that a repeated import with a different nickname doesn't change the
+ # nickname of the existing cert (bug 1458518).
+ # We want to search for the results using grep, to avoid subset matches,
+ # we'll use one of the longer nicknames for testing.
+ # (Because "grep -w hostname" matches "grep -w hostname-dsamixed")
+ MYDBPASS="-d ${PROFILEDIR} -f ${R_PWFILE}"
+ TESTNAME="Ensure there's exactly one match for ${CERTNAME}-dsamixed"
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}"
+
+ CU_ACTION="Repeated import of $CERTNAME's mixed DSA Cert with different nickname"
+ certu -A -n "${CERTNAME}-repeated-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
+
+ TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-dsamixed"
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}"
+
+ TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-dsamixed"
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-dsamixed" 0 0 "${TESTNAME}"
+
echo "Importing all the server's own CA chain into the servers DB"
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
do
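Review bot: The regression check for the repeated import proves only that the DB did not change; if `certu -A -n "${CERTNAME}-repeated-dsamixed" ...` fails outright (for example because `${CERTNAME}-dsamixed.cert` is not where the earlier steps left it) the two following `cert_check_nickname_exists` calls still pass and the bug-1458518 path is never exercised. `certu` presumably records its own result through the RETEXPECTED mechanism visible further down the file, but that is not shown here, so it is worth confirming that an import failure is reported rather than letting the test pass vacuously. A one-line comment such as `# certu reports the import result itself; the two checks below only verify that the DB is unchanged` would make that dependency explicit. Note also that `MYDBPASS` is a single string that the callee must word-split, so paths with spaces in PROFILEDIR or R_PWFILE will break it.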
@@ -1532,6 +1551,37 @@ cert_make_with_param()
return 0
}
+cert_check_nickname_exists()
+{
+ MYDIRPASS="$1"
+ MYCERTNAME="$2"
+ EXPECT="$3"
+ EXPECTCOUNT="$4"
+ MYTESTNAME="$5"
+
+ echo certutil ${MYDIRPASS} -L
+ ${BINDIR}/certutil ${MYDIRPASS} -L
+
+ RET=$?
+ if [ "${RET}" -ne "${EXPECT}" ]; then
+ CERTFAILED=1
+ html_failed "${MYTESTNAME} - list"
+ cert_log "ERROR: ${MYTESTNAME} - list"
+ return 1
+ fi
+
+ LISTCOUNT=`${BINDIR}/certutil ${MYDIRPASS} -L | grep -wc ${MYCERTNAME}`
+ if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then
+ CERTFAILED=1
+ html_failed "${MYTESTNAME} - list and count"
+ cert_log "ERROR: ${MYTESTNAME} - list and count failed"
+ return 1
+ fi
+
+ html_passed "${MYTESTNAME}"
+ return 0
+}
+
cert_list_and_count_dns()
{
DIRPASS="$1"
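Review bot: The second `certutil -L` run in `LISTCOUNT=\`${BINDIR}/certutil ${MYDIRPASS} -L | grep -wc ${MYCERTNAME}\`` is unchecked: if certutil fails on that run (locked DB, bad password file) grep sees empty input and LISTCOUNT becomes 0, so a caller expecting zero matches — which cert_extended_ssl does for the repeated nickname — passes on a failure. `${MYCERTNAME}` is also unquoted and interpreted as a basic regex, so a nickname containing `.` or `*` matches more than intended. Listing once and counting on the captured output fixes both: `LISTOUT=$(${BINDIR}/certutil ${MYDIRPASS} -L); RET=$?`, `printf '%s\n' "$LISTOUT"` in place of the first listing, and `LISTCOUNT=$(printf '%s\n' "$LISTOUT" | grep -wcF -- "${MYCERTNAME}")`. `MYDIRPASS` must stay unquoted since it deliberately carries two options.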
@@ -2425,6 +2475,31 @@ EOF
RETEXPECTED=0
}
+cert_test_orphan_key_reuse()
+{
+ CU_ACTION="Create orphan key in serverdir"
+ certu -G -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
+ # Let's get the key ID of the first orphan key.
+ # The output of certutil -K (list keys) isn't well formatted.
+ # The initial <key-number> part may or may not contain white space, which
+ # makes the use of awk to filter the column unreliable.
+ # To fix that, we remove the initial <number> field using sed, then select the
+ # column that contains the key ID.
+ ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+ sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
+ CU_ACTION="Create cert request for orphan key"
+ certu -R -f "${R_PWFILE}" -k ${ORPHAN} -s "CN=orphan" -d ${PROFILEDIR} \
+ -o ${SERVERDIR}/orphan.req
+ # Ensure that creating the request really works by listing it, and check
+ # if listing was successful.
+ ${BINDIR}/pp -t certificate-request -i ${SERVERDIR}/orphan.req
+ RET=$?
+ if [ "$RET" -ne 0 ]; then
+ html_failed "Listing cert request for orphan key ($RET)"
+ cert_log "ERROR: Listing cert request for orphan key failed $RET"
+ fi
+}
+
############################## cert_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
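Review bot: `ORPHAN`, produced by the `certutil -K | sed | grep -w orphan | head -1 | awk` pipeline, is used without a check: if nothing matches (no orphan key listed, or the `-K` output format changes) the next `certu -R ... -k ${ORPHAN}` expands to `-k -s`, and the failure surfaces as a confusing certutil error rather than a clear test failure. Add a guard right after the assignment: `if [ -z "${ORPHAN}" ]; then html_failed "No orphan key found in ${PROFILEDIR}"; cert_log "ERROR: no orphan key found"; return 1; fi`. The `pp -t certificate-request` listing also only ever records a failure — a successful run writes nothing to the report, unlike the neighbouring tests that use html_msg — so `html_msg $RET 0 "Listing cert request for orphan key"` would record both outcomes.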
@@ -2444,6 +2519,7 @@ cert_all_CA
cert_test_implicit_db_init
cert_extended_ssl
cert_ssl
+cert_test_orphan_key_reuse
cert_smime_client
IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
if [ $IS_FIPS_DISABLED -ne 0 ]; then
diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh
index 933551e83..6aa22af8d 100644
--- a/security/nss/tests/common/init.sh
+++ b/security/nss/tests/common/init.sh
@@ -543,8 +543,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
D_DISTRUST="Distrust.$version"
D_RSAPSS="RSAPSS.$version"
- # we need relative pathnames of these files abd directories, since our
- # tools can't handle the unix style absolut pathnames on cygnus
+ # we need relative pathnames of these files and directories, since our
+ # tools can't handle the unix style absolute pathnames on cygnus
R_CADIR=../CA
R_SERVERDIR=../server
@@ -565,6 +565,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
R_NOLOGINDIR=../nologin
R_SSLGTESTDIR=../ssl_gtests
R_GTESTDIR=../gtests
+ R_RSAPSSDIR=../rsapss
#
# profiles are either paths or domains depending on the setting of
@@ -581,6 +582,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
P_R_EXT_SERVERDIR=${R_EXT_SERVERDIR}
P_R_EXT_CLIENTDIR=${R_EXT_CLIENTDIR}
P_R_IMPLICIT_INIT_DIR=${R_IMPLICIT_INIT_DIR}
+ P_R_RSAPSSDIR=${R_RSAPSSDIR}
if [ -n "${MULTIACCESS_DBM}" ]; then
P_R_CADIR="multiaccess:${D_CA}"
P_R_ALICEDIR="multiaccess:${D_ALICE}"
@@ -593,6 +595,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
+ P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
fi
R_PWFILE=../tests.pw
diff --git a/security/nss/tests/interop/interop.sh b/security/nss/tests/interop/interop.sh
index 97c82e0ca..50c8bb3c1 100644
--- a/security/nss/tests/interop/interop.sh
+++ b/security/nss/tests/interop/interop.sh
@@ -25,7 +25,7 @@ interop_init()
INTEROP=${INTEROP:=tls_interop}
if [ ! -d "$INTEROP" ]; then
git clone -q https://github.com/ttaubert/tls-interop "$INTEROP"
- git -C "$INTEROP" checkout -q 07930b791827c1bdb6f4c19ca0aa63850fd59e22
+ git -C "$INTEROP" checkout -q d07b28ac32b390dea1c9bcca5c56716247d23e5e
fi
INTEROP=$(cd "$INTEROP";pwd -P)
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
index de867a4bd..9a63bd997 100755
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -283,34 +283,30 @@ ssl_cov()
echo "${testname}" | grep "EXPORT" > /dev/null
EXP=$?
- if [ "$ectype" = "ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
- else
- echo "$SCRIPTNAME: running $testname ----------------------------"
- VMAX="ssl3"
- if [ "$testmax" = "TLS10" ]; then
- VMAX="tls1.0"
- fi
- if [ "$testmax" = "TLS11" ]; then
- VMAX="tls1.1"
- fi
- if [ "$testmax" = "TLS12" ]; then
- VMAX="tls1.2"
- fi
-
- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
- echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
-
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
- -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
- >${TMP}/$HOST.tmp.$$ 2>&1
- ret=$?
- cat ${TMP}/$HOST.tmp.$$
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- html_msg $ret 0 "${testname}" \
- "produced a returncode of $ret, expected is 0"
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ html_msg $ret 0 "${testname}" \
+ "produced a returncode of $ret, expected is 0"
done
kill_selfserv
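Review bot: The VMAX selection this hunk un-nests (`VMAX="ssl3"` followed by three `if [ "$testmax" = ... ]` tests) silently falls back to SSL 3.0 for any unrecognized `testmax` token, so a typo in the cipher table runs that row against ssl3 and, as long as the handshake succeeds, reports a pass for a version the row never meant to test. Now that the ECC rows are no longer skipped, more table rows pass through this path. A `case` with an explicit failing default turns a bad token into a reported failure; which token the table uses for SSL 3.0 rows is not visible here, so that arm below is a guess to be confirmed. The `while read` loop header and the `ssl_cov` function signature sit outside the hunk.
```shell
# … unchanged: loop header and EXPORT detection …
echo "$SCRIPTNAME: running $testname ----------------------------"
case "$testmax" in
  TLS10) VMAX="tls1.0" ;;
  TLS11) VMAX="tls1.1" ;;
  TLS12) VMAX="tls1.2" ;;
  SSL3)  VMAX="ssl3" ;;   # confirm: the token the cipher table uses for SSL 3.0 rows
  *)
    html_failed "${testname}: unrecognized max version '${testmax}'"
    continue
    ;;
esac
# … unchanged: tstclnt invocation, output capture and html_msg …
```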
@@ -335,8 +331,6 @@ ssl_auth()
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
else
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
if [ "$ectype" = "SNI" ]; then
@@ -550,8 +544,6 @@ ssl_stress()
if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "${NOLOGIN}" -eq 0 ] && \
@@ -615,9 +607,7 @@ ssl_crl_ssl()
ignore_blank_lines ${SSLAUTH} | \
while read ectype value sparam cparam testname
do
- if [ "$ectype" = "ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "$ectype" = "SNI" ]; then
+ if [ "$ectype" = "SNI" ]; then
continue
else
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
@@ -729,43 +719,39 @@ ssl_policy()
do
VMIN="ssl3"
- if [ "$ectype" = "ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
- else
- echo "$SCRIPTNAME: running $testname ----------------------------"
- VMAX="ssl3"
- if [ "$testmax" = "TLS10" ]; then
- VMAX="tls1.0"
- fi
- if [ "$testmax" = "TLS11" ]; then
- VMAX="tls1.1"
- fi
- if [ "$testmax" = "TLS12" ]; then
- VMAX="tls1.2"
- fi
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
+ fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
- # load the policy
- policy=`echo ${policy} | sed -e 's;_; ;g'`
- setup_policy "$policy" ${P_R_CLIENTDIR}
+ # load the policy
+ policy=`echo ${policy} | sed -e 's;_; ;g'`
+ setup_policy "$policy" ${P_R_CLIENTDIR}
- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
- echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
- -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
- >${TMP}/$HOST.tmp.$$ 2>&1
- ret=$?
- cat ${TMP}/$HOST.tmp.$$
- rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- #workaround for bug #402058
- [ $ret -ne 0 ] && ret=1
- [ ${value} -ne 0 ] && value=1
+ #workaround for bug #402058
+ [ $ret -ne 0 ] && ret=1
+ [ ${value} -ne 0 ] && value=1
- html_msg $ret ${value} "${testname}" \
- "produced a returncode of $ret, expected is ${value}"
- fi
+ html_msg $ret ${value} "${testname}" \
+ "produced a returncode of $ret, expected is ${value}"
done
cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt
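Review bot: With the ECC branch gone, the `VMAX="ssl3"` plus three-`if` version chain and the `tstclnt` invocation in this loop are now a verbatim copy of the same lines in `ssl_cov` earlier in the file, differing only in the `setup_policy` call and the bug-402058 normalisation. Extracting the chain into one helper, e.g. `ssl_vmax_for "$testmax"` that echoes the `-V` upper bound, would keep the two loops from drifting apart the next time a TLS version is added. The `while read` loop header and the `ssl_policy` signature sit outside the hunk, as does the `pkcs11.txt.sav` restore that follows it.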
@@ -1004,9 +990,7 @@ ssl_crl_cache()
while read ectype value sparam cparam testname
do
[ "$ectype" = "" ] && continue
- if [ "$ectype" = "ECC" ] ; then
- echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "$ectype" = "SNI" ]; then
+ if [ "$ectype" = "SNI" ]; then
continue
else
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh
index fd678bf59..eef77f16f 100755
--- a/security/nss/tests/ssl_gtests/ssl_gtests.sh
+++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh
@@ -47,6 +47,7 @@ make_cert() {
dsa) type_args='-g 1024' ;;
rsa) type_args='-g 1024' ;;
rsa2048) type_args='-g 2048';type=rsa ;;
+ rsa8192) type_args='-g 8192';type=rsa ;;
rsapss) type_args='-g 1024 --pss';type=rsa ;;
p256) type_args='-q nistp256';type=ec ;;
p384) type_args='-q secp384r1';type=ec ;;
@@ -83,6 +84,7 @@ ssl_gtest_certs() {
make_cert client rsa sign
make_cert rsa rsa sign kex
make_cert rsa2048 rsa2048 sign kex
+ make_cert rsa8192 rsa8192 sign kex
make_cert rsa_sign rsa sign
make_cert rsa_pss rsapss sign
make_cert rsa_decrypt rsa kex
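Review bot: The new `make_cert rsa8192 rsa8192 sign kex` line carries no comment saying which gtest needs an 8192-bit key, and every run of `ssl_gtest_certs` now pays for generating one (RSA key generation cost grows steeply with modulus size, so this is likely the slowest entry in the list). A one-line comment such as `# 8192-bit key: exercises the large-signature / large-certificate paths (confirm which gtests rely on it)` would tell the next maintainer whether it can be dropped or moved behind a flag. It is also worth confirming that `-g 8192` is within the key-size limit certutil accepts on every platform the suite runs on.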
diff --git a/security/nss/tests/tools/TestRSAPSS.p12 b/security/nss/tests/tools/TestRSAPSS.p12
new file mode 100644
index 000000000..91473891c
--- /dev/null
+++ b/security/nss/tests/tools/TestRSAPSS.p12
Binary files differ
diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh
index 11be23e05..7cf1ef73f 100644
--- a/security/nss/tests/tools/tools.sh
+++ b/security/nss/tests/tools/tools.sh
@@ -105,6 +105,7 @@ tools_init()
mkdir -p ${TOOLSDIR}/data
cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/TestOldAES128CA.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/TestRSAPSS.p12 ${TOOLSDIR}/data
cd ${TOOLSDIR}
}
@@ -436,6 +437,23 @@ tools_p12_import_old_files()
check_tmpfile
}
+tools_p12_import_rsa_pss_private_key()
+{
+ echo "$SCRIPTNAME: Importing RSA-PSS private key from PKCS#12 file --------------"
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestRSAPSS.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '' 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing RSA-PSS private key from PKCS#12 file"
+ check_tmpfile
+
+ # Check if RSA-PSS identifier is included in the key listing
+ ${BINDIR}/certutil -d ${P_R_COPYDIR} -K -f ${R_PWFILE} | grep '^<[0-9 ]*> *rsaPss'
+ ret=$?
+ html_msg $ret 0 "Listing RSA-PSS private key imported from PKCS#12 file"
+ check_tmpfile
+
+ return $ret
+}
+
############################## tools_p12 ###############################
# local shell function to test basic functionality of pk12util
########################################################################
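Review bot: The listing check `${BINDIR}/certutil -d ${P_R_COPYDIR} -K ... | grep '^<[0-9 ]*> *rsaPss'` only proves that some RSA-PSS key is present in `${P_R_COPYDIR}`, not the one this function just imported; if an earlier step had already placed such a key there the grep passes regardless of the import, although the `html_msg` on the import's own exit status still catches an outright failure. `grep -q` would keep the key listing out of the log, and `return $ret` returns only the listing result, so a failed import followed by a successful listing is invisible to the caller — `tools_p12` ignores the return value today, but a comment such as `# return value reflects the listing check only; the import is reported via html_msg above` would make that explicit. The empty `-W ''` PKCS#12 password is fine for a checked-in fixture but deserves a comment saying the file is deliberately unprotected.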
@@ -448,6 +466,9 @@ tools_p12()
tools_p12_export_with_none_ciphers
tools_p12_export_with_invalid_ciphers
tools_p12_import_old_files
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+ tools_p12_import_rsa_pss_private_key
+ fi
}
############################## tools_sign ##############################
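Review bot: The new `if [ "${TEST_MODE}" = "SHARED_DB" ]` gate around `tools_p12_import_rsa_pss_private_key` has no comment explaining why the RSA-PSS import is skipped in the other mode; presumably the legacy DBM key store cannot represent RSA-PSS private keys and only the SQLite (shared) DB can, but that is inferred, not visible here. A one-line comment such as `# RSA-PSS private keys are only supported by the shared (SQLite) DB format` (adjusted to the real reason) would stop a future reader from treating the skip as a missing test. The `tools_p12` function opens outside the hunk.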