summaryrefslogtreecommitdiffstats
path: root/security/nss/tests
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-06-06 21:27:04 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-06-06 21:27:04 +0200
commit4a71b30364a4b6d1eaf16fcfdc8e873e6697f293 (patch)
treea47014077c14579249859ad34afcc5a8f2f0730a /security/nss/tests
parentd7da72799521386c110dbba73b1e483b00a0a56a (diff)
parent2dad0ec41d0b69c0a815012e6ea4bdde81b2875b (diff)
downloadUXP-4a71b30364a4b6d1eaf16fcfdc8e873e6697f293.tar
UXP-4a71b30364a4b6d1eaf16fcfdc8e873e6697f293.tar.gz
UXP-4a71b30364a4b6d1eaf16fcfdc8e873e6697f293.tar.lz
UXP-4a71b30364a4b6d1eaf16fcfdc8e873e6697f293.tar.xz
UXP-4a71b30364a4b6d1eaf16fcfdc8e873e6697f293.zip
Merge branch 'NSS-335'
Diffstat (limited to 'security/nss/tests')
-rwxr-xr-xsecurity/nss/tests/all.sh64
-rw-r--r--security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt26
-rw-r--r--security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt24
-rwxr-xr-xsecurity/nss/tests/cert/cert.sh560
-rwxr-xr-xsecurity/nss/tests/cipher/cipher.sh16
-rw-r--r--security/nss/tests/common/init.sh14
-rwxr-xr-xsecurity/nss/tests/gtests/gtests.sh2
-rwxr-xr-xsecurity/nss/tests/merge/merge.sh2
-rwxr-xr-xsecurity/nss/tests/pkits/pkits.sh2
-rw-r--r--security/nss/tests/remote/Makefile1
-rwxr-xr-xsecurity/nss/tests/smime/smime.sh50
-rwxr-xr-xsecurity/nss/tests/ssl/ssl.sh344
-rw-r--r--security/nss/tests/ssl/sslstress.txt1
-rwxr-xr-xsecurity/nss/tests/ssl_gtests/ssl_gtests.sh14
-rw-r--r--security/nss/tests/tools/TestOldAES128CA.p12bin0 -> 2628 bytes
-rw-r--r--security/nss/tests/tools/TestOldCA.p12bin0 -> 2588 bytes
-rw-r--r--security/nss/tests/tools/tools.sh88
17 files changed, 980 insertions, 228 deletions
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh
index 833817f4a..8d5bd2dbb 100755
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -63,10 +63,6 @@
# BUILT_OPT - use optimized/debug build
# USE_64 - use 64bit/32bit build
#
-# Optional environment variables to enable specific NSS features:
-# ---------------------------------------------------------------
-# NSS_DISABLE_ECC - disable ECC
-#
# Optional environment variables to select which cycles/suites to test:
# ---------------------------------------------------------------------
# NSS_CYCLES - list of cycles to run (separated by space
@@ -107,12 +103,16 @@
#
########################################################################
+RUN_FIPS=""
+
############################## run_tests ###############################
# run test suites defined in TESTS variable, skip scripts defined in
# TESTS_SKIP variable
########################################################################
run_tests()
{
+ echo "Running test cycle: ${TEST_MODE} ----------------------"
+ echo "List of tests that will be executed: ${TESTS}"
for TEST in ${TESTS}
do
# NOTE: the spaces are important. If you don't include
@@ -132,14 +132,20 @@ run_tests()
}
########################## run_cycle_standard ##########################
-# run test suites with defaults settings (no PKIX, no sharedb)
+# run test suites with dbm database (no PKIX, no sharedb)
########################################################################
run_cycle_standard()
{
TEST_MODE=STANDARD
TESTS="${ALL_TESTS}"
- TESTS_SKIP=
+ TESTS_SKIP="cipher libpkix sdr ocsp pkits"
+
+ NSS_DEFAULT_DB_TYPE="dbm"
+ export NSS_DEFAULT_DB_TYPE
+
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+ NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
run_tests
}
@@ -164,7 +170,13 @@ run_cycle_pkix()
TESTS="${ALL_TESTS}"
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
+
NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+ export -n NSS_SSL_RUN
+
+ # use the default format. (unset for the shell, export -n for binaries)
+ export -n NSS_DEFAULT_DB_TYPE
+ unset NSS_DEFAULT_DB_TYPE
run_tests
}
@@ -187,7 +199,7 @@ run_cycle_upgrade_db()
init_directories
if [ -r "${OLDHOSTDIR}/cert.log" ]; then
- DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA stapling tools/copydir cert.log cert.done tests.*"
+ DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server $RUN_FIPS SDR server serverCA stapling tools/copydir cert.log cert.done tests.*"
for i in $DIRS
do
cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null
@@ -233,10 +245,10 @@ run_cycle_shared_db()
# run the tests for native sharedb support
TESTS="${ALL_TESTS}"
- TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits"
+ TESTS_SKIP="dbupgrade"
- NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
- NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
+ export -n NSS_SSL_TESTS
+ export -n NSS_SSL_RUN
run_tests
}
@@ -270,10 +282,25 @@ run_cycles()
############################## main code ###############################
+SCRIPTNAME=all.sh
+CLEANUP="${SCRIPTNAME}"
+cd `dirname $0`
+
+# all.sh should be the first one to try to source the init
+if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd common
+ . ./init.sh
+fi
+
cycles="standard pkix upgradedb sharedb"
CYCLES=${NSS_CYCLES:-$cycles}
-tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
+NO_INIT_SUPPORT=`certutil --build-flags |grep -cw NSS_NO_INIT_SUPPORT`
+if [ $NO_INIT_SUPPORT -eq 0 ]; then
+ RUN_FIPS="fips"
+fi
+
+tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
# Don't run chains tests when we have a gyp build.
if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
tests="$tests chains"
@@ -282,22 +309,15 @@ TESTS=${NSS_TESTS:-$tests}
ALL_TESTS=${TESTS}
-nss_ssl_tests="crl fips_normal normal_fips iopr policy"
+nss_ssl_tests="crl iopr policy"
+if [ $NO_INIT_SUPPORT -eq 0 ]; then
+ nss_ssl_tests="$nss_ssl_tests fips_normal normal_fips"
+fi
NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
nss_ssl_run="cov auth stapling stress"
NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
-SCRIPTNAME=all.sh
-CLEANUP="${SCRIPTNAME}"
-cd `dirname $0`
-
-# all.sh should be the first one to try to source the init
-if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
- cd common
- . ./init.sh
-fi
-
# NOTE:
# Lists of enabled tests and other settings are stored to ${ENV_BACKUP}
# file and are are restored after every test cycle.
diff --git a/security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt b/security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt
new file mode 100644
index 000000000..e3c8fcdcf
--- /dev/null
+++ b/security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA
+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp
+biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB
+IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa
+GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
+Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO
+U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl
+ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG
+CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB
+AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX
+yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo
+SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK
+xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07
+/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK
+Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC
+BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow
+OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA
+ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8
+HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba
+nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh
+pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA
+hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh
+uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA=
+-----END CERTIFICATE-----
diff --git a/security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt b/security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt
new file mode 100644
index 000000000..d46442dc4
--- /dev/null
+++ b/security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh
+GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw
+EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT
+IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2
+NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
+Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T
+UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3
+DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6
+7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x
+Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj
+sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa
+eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu
+aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg
+hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN
+AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY
+fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D
+difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+
+4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2
+g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT
+0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ==
+-----END CERTIFICATE-----
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index 9b3455747..d1a9148a9 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -46,11 +46,7 @@ cert_init()
fi
SCRIPTNAME="cert.sh"
CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- html_head "Certutil and Crlutil Tests with ECC"
- else
- html_head "Certutil and Crlutil Tests"
- fi
+ html_head "Certutil and Crlutil Tests"
LIBDIR="${DIST}/${OBJDIR}/lib"
@@ -300,14 +296,12 @@ cert_create_cert()
fi
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Import EC Root CA for $CERTNAME"
certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
-d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
- fi
cert_add_cert "$5"
return $?
@@ -402,7 +396,6 @@ cert_add_cert()
#
# Generate and add EC cert
#
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CURVE="secp384r1"
CU_ACTION="Generate EC Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
@@ -454,7 +447,6 @@ cert_add_cert()
return $RET
fi
cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
- fi
return 0
}
@@ -467,6 +459,7 @@ cert_add_cert()
cert_all_CA()
{
echo nss > ${PWFILE}
+ echo > ${EMPTY_FILE}
ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
@@ -517,10 +510,16 @@ cert_all_CA()
# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
+#
+# Create RSA-PSS version of TestCA
+ ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256
+ rm $CADIR/rsapssroot.cert
+ ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1
+ rm $CADIR/rsapssroot.cert
-
- if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Create EC version of TestCA
CA_CURVE="secp521r1"
@@ -545,8 +544,6 @@ cert_all_CA()
rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
-
- fi
}
################################# cert_CA ################################
@@ -637,7 +634,7 @@ CERTSCRIPT
################################ cert_dsa_CA #############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
-# This is the ECC version of cert_CA.
+# This is the DSA version of cert_CA.
##########################################################################
cert_dsa_CA()
{
@@ -648,7 +645,7 @@ cert_dsa_CA()
DOMAIN=$5
CERTSERIAL=$6
- echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME =========================="
+ echo "$SCRIPTNAME: Creating a DSA CA Certificate $NICKNAME =========================="
if [ ! -d "${CUR_CADIR}" ]; then
mkdir -p "${CUR_CADIR}"
@@ -661,7 +658,7 @@ cert_dsa_CA()
LPROFILE="multiaccess:${DOMAIN}"
fi
- ################# Creating an DSA CA Cert ###############################
+ ################# Creating a DSA CA Cert ###############################
#
CU_ACTION="Creating DSA CA Cert $NICKNAME "
CU_SUBJECT=$ALL_CU_SUBJECT
@@ -700,6 +697,79 @@ CERTSCRIPT
+
+################################ cert_rsa_pss_CA #############################
+# local shell function to build the Temp. Certificate Authority (CA)
+# used for testing purposes, creating a CA Certificate and a root cert
+# This is the RSA-PSS version of cert_CA.
+##########################################################################
+cert_rsa_pss_CA()
+{
+ CUR_CADIR=$1
+ NICKNAME=$2
+ SIGNER=$3
+ TRUSTARG=$4
+ DOMAIN=$5
+ CERTSERIAL=$6
+ HASHALG=$7
+
+ echo "$SCRIPTNAME: Creating an RSA-PSS CA Certificate $NICKNAME =========================="
+
+ if [ ! -d "${CUR_CADIR}" ]; then
+ mkdir -p "${CUR_CADIR}"
+ fi
+ cd ${CUR_CADIR}
+ pwd
+
+ LPROFILE=.
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ LPROFILE="multiaccess:${DOMAIN}"
+ fi
+
+ HASHOPT=
+ if [ -n "$HASHALG" ]; then
+ HASHOPT="-Z $HASHALG"
+ fi
+
+ ################# Creating an RSA-PSS CA Cert ###############################
+ #
+ CU_ACTION="Creating RSA-PSS CA Cert $NICKNAME "
+ CU_SUBJECT=$ALL_CU_SUBJECT
+ certu -S -n $NICKNAME -k rsa --pss $HASHOPT -t $TRUSTARG -v 600 $SIGNER \
+ -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
+ -m $CERTSERIAL 2>&1 <<CERTSCRIPT
+5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+ if [ "$RET" -ne 0 ]; then
+ echo "return value is $RET"
+ Exit 6 "Fatal - failed to create RSA-PSS CA cert"
+ fi
+
+ ################# Exporting RSA-PSS Root Cert ###############################
+ #
+ CU_ACTION="Exporting RSA-PSS Root Cert"
+ certu -L -n $NICKNAME -r -d ${LPROFILE} -o rsapssroot.cert
+ if [ "$RET" -ne 0 ]; then
+ Exit 7 "Fatal - failed to export RSA-PSS root cert"
+ fi
+ cp rsapssroot.cert ${NICKNAME}.ca.cert
+}
+
+
+
+
################################ cert_ec_CA ##############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
@@ -831,7 +901,6 @@ cert_smime_client()
certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
-i ${R_EVEDIR}/Eve.cert 2>&1
- if [ -z "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: Importing EC Certificates =============================="
CU_ACTION="Import Bob's EC cert into Alice's db"
certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
@@ -855,7 +924,6 @@ cert_smime_client()
# CU_ACTION="Import Eve's EC cert into Bob's DB"
# certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
- fi
if [ "$CERTFAILED" != 0 ] ; then
cert_log "ERROR: SMIME failed $RET"
@@ -946,7 +1014,6 @@ cert_extended_ssl()
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
# 2>&1
- if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
@@ -992,7 +1059,6 @@ cert_extended_ssl()
# certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
# 2>&1
- fi
echo "Importing all the server's own CA chain into the servers DB"
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
@@ -1081,7 +1147,6 @@ cert_extended_ssl()
# done with mixed DSA certs
#
- if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
@@ -1128,7 +1193,6 @@ cert_extended_ssl()
#
# done with mixed EC certs
#
- fi
echo "Importing all the client's own CA chain into the servers DB"
for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
@@ -1175,10 +1239,8 @@ cert_ssl()
CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
- certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
- fi
+ CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
+ certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
# echo "************* Copying CA files to ${SERVERDIR}"
# cp ${CADIR}/*.db .
@@ -1199,6 +1261,12 @@ cert_ssl()
cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
+
+ echo "$SCRIPTNAME: Creating database for strsclnt no login tests ==============="
+ echo "cp -r ${CLIENTDIR} ${NOLOGINDIR}"
+ cp -r ${R_CLIENTDIR} ${R_NOLOGINDIR}
+ # change the password to empty
+ certu -W -d "${R_NOLOGINDIR}" -f "${R_PWFILE}" -@ "${R_EMPTY_FILE}" 2>&1
}
############################## cert_stresscerts ################################
@@ -1269,12 +1337,35 @@ MODSCRIPT
html_passed "${CU_ACTION}"
fi
+ CU_ACTION="Setting invalid database password in FIPS mode"
+ RETEXPECTED=255
+ certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1
+ CU_ACTION="Attempt to generate a key with exponent of 3 (too small)"
+ certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}"
+ CU_ACTION="Attempt to generate a key with exponent of 17 (too small)"
+ certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}"
+ RETEXPECTED=0
+
CU_ACTION="Generate Certificate for ${CERTNAME}"
CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
if [ "$RET" -eq 0 ]; then
cert_log "SUCCESS: FIPS passed"
fi
+
+}
+
+########################## cert_rsa_exponent #################################
+# local shell function to verify small rsa exponent can be used (only
+# run if FIPS has not been turned on in the build).
+##############################################################################
+cert_rsa_exponent_nonfips()
+{
+ echo "$SCRIPTNAME: Verify that small RSA exponents still work =============="
+ CU_ACTION="Attempt to generate a key with exponent of 3"
+ certu -G -k rsa -g 2048 -y 3 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}"
+ CU_ACTION="Attempt to generate a key with exponent of 17"
+ certu -G -k rsa -g 2048 -y 17 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}"
}
############################## cert_eccurves ###########################
@@ -1284,7 +1375,6 @@ cert_eccurves()
{
################# Creating Certs for EC curves test ########################
#
- if [ -z "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
echo " EC Curves Test Certificates ------------------------------------"
@@ -1325,8 +1415,6 @@ cert_eccurves()
-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
fi
done
-
- fi # $NSS_DISABLE_ECC
}
########################### cert_extensions_test #############################
@@ -1678,7 +1766,6 @@ EOF_CRLINI
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
# Until Bug 292285 is resolved, do not encode x400 Addresses. After
@@ -1693,7 +1780,6 @@ addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|director
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or-ec
- fi
echo test > file
############################# Modification ##################################
@@ -1724,7 +1810,6 @@ EOF_CRLINI
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by adding one more cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
-o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
@@ -1734,7 +1819,6 @@ EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or1-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
- fi
########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
@@ -1763,7 +1847,6 @@ EOF_CRLINI
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by removing one cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
-i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
@@ -1772,7 +1855,6 @@ rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
- fi
########### Creating second CRL which includes groups 1 and 2 ##############
CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
@@ -1792,7 +1874,6 @@ rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
-i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
@@ -1803,7 +1884,6 @@ rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}-ec
- fi
########### Creating second CRL which includes groups 1, 2 and 3 ##############
CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
@@ -1825,7 +1905,6 @@ addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
-i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
@@ -1836,7 +1915,6 @@ addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}-ec
- fi
############ Importing Server CA Issued CRL for certs of first group #######
@@ -1845,13 +1923,11 @@ EOF_CRLINI
crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Importing CRL (ECC) for groups 1"
crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
-d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
- fi
if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
@@ -1968,6 +2044,387 @@ cert_test_ocspresp()
ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
}
+cert_test_implicit_db_init()
+{
+ echo "$SCRIPTNAME: test implicit database init"
+
+ CU_ACTION="Add cert with trust flags to db with implicit init"
+ mkdir ${IMPLICIT_INIT_DIR}
+ certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
+}
+
+check_sign_algo()
+{
+ certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
+ sed -n '/^ *Data:/,/^$/{
+/^ Signature Algorithm/,/^ *Salt length/s/^ //p
+}' > ${TMP}/signalgo.txt
+
+ diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt
+ RET=$?
+ if [ "$RET" -ne 0 ]; then
+ CERTFAILED=$RET
+ html_failed "${CU_ACTION} ($RET) "
+ cert_log "ERROR: ${CU_ACTION} failed $RET"
+ else
+ html_passed "${CU_ACTION}"
+ fi
+}
+
+cert_test_rsapss()
+{
+ TEMPFILES="$TEMPFILES ${TMP}/signalgo.exp ${TMP}/signalgo.txt"
+
+ cert_init_cert "${RSAPSSDIR}" "RSA-PSS Test Cert" 1000 "${D_RSAPSS}"
+
+ CU_ACTION="Initialize Cert DB"
+ certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import RSA CA Cert"
+ certu -A -n "TestCA" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${R_CADIR}/TestCA.ca.cert" 2>&1
+
+ CU_ACTION="Import RSA-PSS CA Cert"
+ certu -A -n "TestCA-rsa-pss" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${R_CADIR}/TestCA-rsa-pss.ca.cert" 2>&1
+
+ CU_ACTION="Verify RSA-PSS CA Cert"
+ certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+
+ CU_ACTION="Import RSA-PSS CA Cert (SHA1)"
+ certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
+
+ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)"
+ certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1
+ RETEXPECTED=255
+ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ RETEXPECTED=0
+
+ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)"
+ certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1
+ RETEXPECTED=255
+ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ RETEXPECTED=0
+
+ CERTSERIAL=200
+
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explicit, with --pss-sign)
+ CERTNAME="TestUser-rsa-pss1"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512)
+ CERTNAME="TestUser-rsa-pss2"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-512
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-512
+ Salt length: 64 (0x40)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS
+ CERTNAME="TestUser-rsa-pss3"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explicit, with --pss-sign)
+ CERTNAME="TestUser-rsa-pss4"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (explicit, with --pss-sign)
+ CERTNAME="TestUser-rsa-pss5"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (implicit, without --pss-sign)
+ CERTNAME="TestUser-rsa-pss6"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ # Sign without --pss-sign nor -Z option
+ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (with conflicting hash algorithm)
+ CERTNAME="TestUser-rsa-pss7"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ RETEXPECTED=255
+ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+ RETEXPECTED=0
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (with compatible hash algorithm)
+ CERTNAME="TestUser-rsa-pss8"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+ Salt length: 32 (0x20)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1)
+ CERTNAME="TestUser-rsa-pss9"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: default, SHA-1
+ Mask algorithm: default, MGF1
+ Mask hash algorithm: default, SHA-1
+ Salt length: default, 20 (0x14)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (implicit, without --pss-sign, default parameters)
+ CERTNAME="TestUser-rsa-pss10"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ # Sign without --pss-sign nor -Z option
+ certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+ Hash algorithm: default, SHA-1
+ Mask algorithm: default, MGF1
+ Mask hash algorithm: default, SHA-1
+ Salt length: default, 20 (0x14)
+EOF
+ check_sign_algo
+
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS (with conflicting hash algorithm, default parameters)
+ CERTNAME="TestUser-rsa-pss11"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ RETEXPECTED=255
+ certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+ RETEXPECTED=0
+}
+
############################## cert_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
@@ -1975,20 +2432,24 @@ cert_test_ocspresp()
cert_cleanup()
{
cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
- html "</TABLE><BR>"
+ html "</TABLE><BR>"
cd ${QADIR}
. common/cleanup.sh
}
################## main #################################################
-cert_init
+cert_init
cert_all_CA
-cert_extended_ssl
-cert_ssl
-cert_smime_client
-if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
- cert_fips
+cert_test_implicit_db_init
+cert_extended_ssl
+cert_ssl
+cert_smime_client
+IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
+if [ $IS_FIPS_DISABLED -ne 0 ]; then
+ cert_rsa_exponent_nonfips
+else
+ cert_fips
fi
cert_eccurves
cert_extensions
@@ -1996,6 +2457,7 @@ cert_san_and_generic_extensions
cert_test_password
cert_test_distrust
cert_test_ocspresp
+cert_test_rsapss
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
cert_crl_ssl
@@ -2004,7 +2466,7 @@ else
fi
if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
- cert_stresscerts
+ cert_stresscerts
fi
cert_iopr_setup
diff --git a/security/nss/tests/cipher/cipher.sh b/security/nss/tests/cipher/cipher.sh
index 1d2561d9c..11a621815 100755
--- a/security/nss/tests/cipher/cipher.sh
+++ b/security/nss/tests/cipher/cipher.sh
@@ -107,6 +107,21 @@ cipher_gcm()
done < ${GCM_TXT}
}
+###################### cipher_rsa_populate ############################
+# Test the ability to reconstruct rsa private key reconstruction
+# also test the PK11GenericObject interface
+###################################################################
+cipher_rsa_populate()
+{
+ TESTNAME="RSA Reconstruct Private Keys Test"
+ echo "$SCRIPTNAME: $TESTNAME --------------------------------"
+ echo "rsapoptst -t all -r 10"
+# skip e_d_q. It isn't reliable, and can return incorrect data. e_d_q should
+# be turned off.
+ ${PROFTOOL} ${BINDIR}/rsapoptst -t e_n_p,d_n_q,d_p_q,e_d_n -r 10
+ html_msg $? 0 "$TESTNAME"
+}
+
############################## cipher_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
@@ -136,5 +151,6 @@ fi
# Skip cipher_gcm if this is a softoken only build.
if [ "${NSS_BUILD_SOFTOKEN_ONLY}" != "1" ]; then
cipher_gcm
+ cipher_rsa_populate
fi
cipher_cleanup
diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh
index caf3013e6..933551e83 100644
--- a/security/nss/tests/common/init.sh
+++ b/security/nss/tests/common/init.sh
@@ -63,11 +63,13 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
DBPASSDIR=${HOSTDIR}/dbpass
ECCURVES_DIR=${HOSTDIR}/eccurves
DISTRUSTDIR=${HOSTDIR}/distrust
+ RSAPSSDIR=${HOSTDIR}/rsapss
SERVER_CADIR=${HOSTDIR}/serverCA
CLIENT_CADIR=${HOSTDIR}/clientCA
EXT_SERVERDIR=${HOSTDIR}/ext_server
EXT_CLIENTDIR=${HOSTDIR}/ext_client
+ IMPLICIT_INIT_DIR=${HOSTDIR}/implicit_init
IOPR_CADIR=${HOSTDIR}/CA_iopr
IOPR_SSL_SERVERDIR=${HOSTDIR}/server_ssl_iopr
@@ -76,10 +78,12 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
STAPLINGDIR=${HOSTDIR}/stapling
+ NOLOGINDIR=${HOSTDIR}/nologin
SSLGTESTDIR=${HOSTDIR}/ssl_gtests
GTESTDIR=${HOSTDIR}/gtests
PWFILE=${HOSTDIR}/tests.pw
+ EMPTY_FILE=${HOSTDIR}/tests_empty
NOISE_FILE=${HOSTDIR}/tests_noise
CORELIST_FILE=${HOSTDIR}/clist
@@ -528,13 +532,16 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
D_CLIENT_CA="ClientCA.$version"
D_SERVER="Server.$version"
D_CLIENT="Client.$version"
+ D_NOLOGIN="NoLogin.$version"
D_FIPS="FIPS.$version"
D_DBPASS="DBPASS.$version"
D_ECCURVES="ECCURVES.$version"
D_EXT_SERVER="ExtendedServer.$version"
D_EXT_CLIENT="ExtendedClient.$version"
+ D_IMPLICIT_INIT="ImplicitInit.$version"
D_CERT_EXTENSTIONS="CertExtensions.$version"
D_DISTRUST="Distrust.$version"
+ D_RSAPSS="RSAPSS.$version"
# we need relative pathnames of these files abd directories, since our
# tools can't handle the unix style absolut pathnames on cygnus
@@ -552,8 +559,10 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
R_EVEDIR=../eve
R_EXT_SERVERDIR=../ext_server
R_EXT_CLIENTDIR=../ext_client
+ R_IMPLICIT_INIT_DIR=../implicit_init
R_CERT_EXT=../cert_extensions
R_STAPLINGDIR=../stapling
+ R_NOLOGINDIR=../nologin
R_SSLGTESTDIR=../ssl_gtests
R_GTESTDIR=../gtests
@@ -568,8 +577,10 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
P_R_EVEDIR=${R_EVEDIR}
P_R_SERVERDIR=${R_SERVERDIR}
P_R_CLIENTDIR=${R_CLIENTDIR}
+ P_R_NOLOGINDIR=${R_NOLOGINDIR}
P_R_EXT_SERVERDIR=${R_EXT_SERVERDIR}
P_R_EXT_CLIENTDIR=${R_EXT_CLIENTDIR}
+ P_R_IMPLICIT_INIT_DIR=${R_IMPLICIT_INIT_DIR}
if [ -n "${MULTIACCESS_DBM}" ]; then
P_R_CADIR="multiaccess:${D_CA}"
P_R_ALICEDIR="multiaccess:${D_ALICE}"
@@ -578,11 +589,14 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
P_R_EVEDIR="multiaccess:${D_EVE}"
P_R_SERVERDIR="multiaccess:${D_SERVER}"
P_R_CLIENTDIR="multiaccess:${D_CLIENT}"
+ P_R_NOLOGINDIR="multiaccess:${D_NOLOGIN}"
P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
+ P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
fi
R_PWFILE=../tests.pw
+ R_EMPTY_FILE=../tests_empty
R_NOISE_FILE=../tests_noise
R_FIPSPWFILE=../tests.fipspw
diff --git a/security/nss/tests/gtests/gtests.sh b/security/nss/tests/gtests/gtests.sh
index c785241c4..6606b59e7 100755
--- a/security/nss/tests/gtests/gtests.sh
+++ b/security/nss/tests/gtests/gtests.sh
@@ -83,7 +83,7 @@ gtest_cleanup()
}
################## main #################################################
-GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest"
+GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest blake2b_gtest"
SOURCE_DIR="$PWD"/../..
gtest_init $0
gtest_start
diff --git a/security/nss/tests/merge/merge.sh b/security/nss/tests/merge/merge.sh
index 1929b12c8..d17a8c4ef 100755
--- a/security/nss/tests/merge/merge.sh
+++ b/security/nss/tests/merge/merge.sh
@@ -98,7 +98,7 @@ merge_init()
# are dbm databases.
if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
save=${NSS_DEFAULT_DB_TYPE}
- NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
+ NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
fi
certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}
diff --git a/security/nss/tests/pkits/pkits.sh b/security/nss/tests/pkits/pkits.sh
index ecf007736..e79fdd382 100755
--- a/security/nss/tests/pkits/pkits.sh
+++ b/security/nss/tests/pkits/pkits.sh
@@ -93,7 +93,7 @@ pkits_init()
${BINDIR}/certutil -N -d ${PKITSdb} -f ${PKITSdb}/pw
${BINDIR}/certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \
- $certs/TrustAnchorRootCertificate.crt -d $PKITSdb
+ $certs/TrustAnchorRootCertificate.crt -d $PKITSdb -f ${PKITSdb}/pw
if [ -z "$NSS_NO_PKITS_CRLS" ]; then
${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb} -f ${PKITSdb}/pw
else
diff --git a/security/nss/tests/remote/Makefile b/security/nss/tests/remote/Makefile
index 6c6e5bd55..4635bccc5 100644
--- a/security/nss/tests/remote/Makefile
+++ b/security/nss/tests/remote/Makefile
@@ -80,7 +80,6 @@ package_for_testing:
echo 'export USE_64=$(USE_64)' >> $(RTSH)
echo 'export BUILD_OPT=$(BUILD_OPT)' >> $(RTSH)
echo 'export PKITS_DATA=$(PKITS_DATA)' >> $(RTSH)
- echo 'export NSS_DISABLE_ECC=$(NSS_DISABLE_ECC)' >> $(RTSH)
echo 'export NSPR_LOG_MODULES=$(NSPR_LOG_MODULES)' >> $(RTSH)
ifeq ($(OS_TARGET),Android)
# Android doesn't support FIPS tests, because
diff --git a/security/nss/tests/smime/smime.sh b/security/nss/tests/smime/smime.sh
index 2360100de..9cdc0875b 100755
--- a/security/nss/tests/smime/smime.sh
+++ b/security/nss/tests/smime/smime.sh
@@ -40,11 +40,7 @@ smime_init()
fi
SCRIPTNAME=smime.sh
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- html_head "S/MIME Tests with ECC"
- else
- html_head "S/MIME Tests"
- fi
+ html_head "S/MIME Tests"
grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
@@ -85,29 +81,27 @@ smime_sign()
html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "."
# Test ECDSA signing for all hash algorithms.
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
- echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
- ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
- html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
-
- echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
- ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
- html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
-
- echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
- echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
- ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
- html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
-
- echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
- ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
- html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
-
- echo "diff alice.txt alice-ec.data.${HASH}"
- diff alice.txt alice-ec.data.${HASH}
- html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
- fi
+ echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
+ echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
+ html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
+
+ echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
+ html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
+
+ echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
+ echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
+ html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
+
+ echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
+ html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
+
+ echo "diff alice.txt alice-ec.data.${HASH}"
+ diff alice.txt alice-ec.data.${HASH}
+ html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
}
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
index 944849ad3..de867a4bd 100755
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -57,10 +57,16 @@ ssl_init()
fi
PORT=${PORT-8443}
+ # Avoid port conflicts when multiple tests are running on the same machine.
+ if [ -n "$NSS_TASKCLUSTER_MAC" ]; then
+ cwd=$(cd $(dirname $0); pwd -P)
+ padd=$(echo $cwd | cut -d "/" -f4 | sed 's/[^0-9]//g')
+ PORT=$(($PORT + $padd))
+ fi
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
- nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
+ nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls"
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
-
+
# Test case files
SSLCOV=${QADIR}/ssl/sslcov.txt
SSLAUTH=${QADIR}/ssl/sslauth.txt
@@ -90,15 +96,8 @@ ssl_init()
NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B"
NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- ECC_STRING=" - with ECC"
- # List of cipher suites to test, including ECC cipher suites.
- CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
- else
- ECC_STRING=""
- # List of cipher suites to test, excluding ECC cipher suites.
- CIPHER_SUITES="-c ${NON_EC_SUITES}"
- fi
+ # List of cipher suites to test, including ECC cipher suites.
+ CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
if [ "${OS_ARCH}" != "WINNT" ]; then
ulimit -n 1000 # make sure we have enough file descriptors
@@ -141,16 +140,16 @@ wait_for_selfserv()
{
#verbose="-v"
echo "trying to connect to selfserv at `date`"
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
- ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
if [ $? -ne 0 ]; then
sleep 5
echo "retrying to connect to selfserv at `date`"
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
- ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
if [ $? -ne 0 ]; then
html_failed "Waiting for Server"
@@ -212,8 +211,7 @@ start_selfserv()
echo "$SCRIPTNAME: $testname ----"
fi
sparam=`echo $sparam | sed -e 's;_; ;g'`
- if [ -z "$NSS_DISABLE_ECC" ] && \
- [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
+ if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
else
ECC_OPTIONS=""
@@ -258,13 +256,18 @@ start_selfserv()
echo "selfserv with PID ${PID} started at `date`"
}
+ignore_blank_lines()
+{
+ LC_ALL=C grep -v '^[[:space:]]*\(#\|$\)' "$1"
+}
+
############################## ssl_cov #################################
# local shell function to perform SSL Cipher Coverage tests
########################################################################
ssl_cov()
{
#verbose="-v"
- html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname=""
sparam="$CIPHER_SUITES"
@@ -274,15 +277,15 @@ ssl_cov()
VMIN="ssl3"
VMAX="tls1.1"
- exec < ${SSLCOV}
+ ignore_blank_lines ${SSLCOV} | \
while read ectype testmax param testname
do
echo "${testname}" | grep "EXPORT" > /dev/null
EXP=$?
- if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
+ else
echo "$SCRIPTNAME: running $testname ----------------------------"
VMAX="ssl3"
if [ "$testmax" = "TLS10" ]; then
@@ -295,11 +298,11 @@ ssl_cov()
VMAX="tls1.2"
fi
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
-d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
@@ -320,12 +323,11 @@ ssl_cov()
ssl_auth()
{
#verbose="-v"
- html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
- exec < ${SSLAUTH}
+ ignore_blank_lines ${SSLAUTH} | \
while read ectype value sparam cparam testname
do
- [ -z "$ectype" ] && continue
echo "${testname}" | grep "don't require client auth" > /dev/null
CAUTH=$?
@@ -333,9 +335,9 @@ ssl_auth()
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ elif [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ else
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
if [ "$ectype" = "SNI" ]; then
cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
@@ -343,10 +345,10 @@ ssl_auth()
fi
start_selfserv
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
echo " ${cparam} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
-d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
@@ -395,10 +397,10 @@ ssl_stapling_sub()
start_selfserv
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
-d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
@@ -465,7 +467,7 @@ ssl_stapling_stress()
########################################################################
ssl_stapling()
{
- html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
# tstclnt Exit code:
# 0: have fresh and valid revocation data, status good
@@ -498,7 +500,7 @@ ssl_stapling()
ssl_signed_cert_timestamps()
{
#verbose="-v"
- html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname="ssl_signed_cert_timestamps"
value=0
@@ -514,10 +516,10 @@ ssl_signed_cert_timestamps()
# Since we don't have server-side support, this test only covers advertising the
# extension in the client hello.
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
echo " -U -V tls1.0:tls1.2 < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
-d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
@@ -536,26 +538,26 @@ ssl_signed_cert_timestamps()
########################################################################
ssl_stress()
{
- html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
- exec < ${SSLSTRESS}
+ ignore_blank_lines ${SSLSTRESS} | \
while read ectype value sparam cparam testname
do
- if [ -z "$ectype" ]; then
- # silently ignore blank lines
- continue
- fi
-
echo "${testname}" | grep "client auth" > /dev/null
CAUTH=$?
+ echo "${testname}" | grep "no login" > /dev/null
+ NOLOGIN=$?
if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ elif [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
- elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ elif [ "${NOLOGIN}" -eq 0 ] && \
+ [ "${CLIENT_MODE}" = "fips" -o "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ else
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
if [ "$ectype" = "SNI" ]; then
cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
@@ -569,10 +571,16 @@ ssl_stress()
ps -ef | grep selfserv
fi
- echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
+ if [ "${NOLOGIN}" -eq 0 ] ; then
+ dbdir=${P_R_NOLOGINDIR}
+ else
+ dbdir=${P_R_CLIENTDIR}
+ fi
+
+ echo "strsclnt -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\"
echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}"
echo "strsclnt started at `date`"
- ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
+ ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \
-V ssl3:tls1.2 $verbose ${HOSTADDR}
ret=$?
echo "strsclnt completed at `date`"
@@ -596,7 +604,7 @@ ssl_stress()
ssl_crl_ssl()
{
#verbose="-v"
- html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+ html_head "CRL SSL Client Tests $NORM_EXT"
# Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
# Cert number $UNREVOKED_CERT_GRP_1 was not revoked
@@ -604,15 +612,14 @@ ssl_crl_ssl()
CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
- exec < ${SSLAUTH}
+ ignore_blank_lines ${SSLAUTH} | \
while read ectype value sparam cparam testname
do
- [ "$ectype" = "" ] && continue
- if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "$ectype" = "SNI" ]; then
continue
- elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ else
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
pwd=`echo $cparam | grep nss`
user=`echo $cparam | grep TestUser`
@@ -642,10 +649,10 @@ ssl_crl_ssl()
cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
start_selfserv
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
echo " ${cparam} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
-d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
@@ -669,19 +676,47 @@ ssl_crl_ssl()
html "</TABLE><BR>"
}
-############################## ssl_cov #################################
+############################# setup_policy #############################
+# local shell function to create policy configuration
+########################################################################
+setup_policy()
+{
+ policy="$1"
+ outdir="$2"
+ OUTFILE="${outdir}/pkcs11.txt"
+ cat > "$OUTFILE" << ++EOF++
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+++EOF++
+ echo "config=${policy}" >> "$OUTFILE"
+ echo "" >> "$OUTFILE"
+ echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> "$OUTFILE"
+ cat >> "$OUTFILE" << ++EOF++
+name=RootCerts
+NSS=trustOrder=100
+++EOF++
+
+ echo "******************************Testing with: "
+ cat "$OUTFILE"
+ echo "******************************"
+}
+
+############################## ssl_policy ##############################
# local shell function to perform SSL Policy tests
########################################################################
ssl_policy()
{
#verbose="-v"
- html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname=""
sparam="$CIPHER_SUITES"
if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
- return;
+ html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
+ return 1;
fi
echo "Saving pkcs11.txt"
@@ -689,17 +724,14 @@ ssl_policy()
start_selfserv # Launch the server
- VMIN="ssl3"
- VMAX="tls1.2"
-
- exec < ${SSLPOLICY}
+ ignore_blank_lines ${SSLPOLICY} | \
while read value ectype testmax param policy testname
do
VMIN="ssl3"
- if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "`echo $value | cut -b 1`" != "#" ] ; then
+ else
echo "$SCRIPTNAME: running $testname ----------------------------"
VMAX="ssl3"
if [ "$testmax" = "TLS10" ]; then
@@ -714,30 +746,13 @@ ssl_policy()
# load the policy
policy=`echo ${policy} | sed -e 's;_; ;g'`
+ setup_policy "$policy" ${P_R_CLIENTDIR}
- cat > ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++
-library=
-name=NSS Internal PKCS #11 Module
-parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-++EOF++
- echo "config=${policy}" >> ${P_R_CLIENTDIR}/pkcs11.txt
- echo "" >> ${P_R_CLIENTDIR}/pkcs11.txt
- echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> ${P_R_CLIENTDIR}/pkcs11.txt >> ${P_R_CLIENTDIR}/pkcs11.txt
- cat >> ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++
-name=RootCerts
-NSS=trustOrder=100
-++EOF++
-
- echo "******************************Testing with: "
- cat ${P_R_CLIENTDIR}/pkcs11.txt
- echo "******************************"
-
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
-d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
@@ -757,6 +772,103 @@ NSS=trustOrder=100
kill_selfserv
html "</TABLE><BR>"
}
+
+list_enabled_suites()
+{
+ echo "SSL_DIR=${P_R_CLIENTDIR} ${BINDIR}/listsuites"
+ SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites | tail -n+3 | \
+ sed -n -e '/^TLS_/h' -e '/^ .*Enabled.*/{g;p}' | sed 's/:$//'
+}
+
+############################## ssl_policy_listsuites ###################
+# local shell function to perform SSL Policy tests, using listsuites
+########################################################################
+ssl_policy_listsuites()
+{
+ #verbose="-v"
+ html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname=""
+ sparam="$CIPHER_SUITES"
+
+ if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
+ html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
+ return 1;
+ fi
+
+ echo "Saving pkcs11.txt"
+ cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
+
+ # Disallow all explicitly
+ setup_policy "disallow=all" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ list_enabled_suites | grep '^TLS_'
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ # Disallow RSA in key exchange explicitly
+ setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ list_enabled_suites | grep '^TLS_RSA_'
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt
+
+ html "</TABLE><BR>"
+}
+
+############################## ssl_policy_selfserv #####################
+# local shell function to perform SSL Policy tests, using selfserv
+########################################################################
+ssl_policy_selfserv()
+{
+ #verbose="-v"
+ html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname=""
+ sparam="$CIPHER_SUITES"
+
+ if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
+ html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
+ return 1;
+ fi
+
+ echo "Saving pkcs11.txt"
+ cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav
+
+ # Disallow RSA in key exchange explicitly
+ setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR}
+
+ start_selfserv # Launch the server
+
+ VMIN="ssl3"
+ VMAX="tls1.2"
+
+ # Try to connect to the server with a ciphersuite using RSA in key exchange
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ RET_EXP=254
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ RET=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
############################# is_revoked ###############################
# local shell function to check if certificate is revoked
########################################################################
@@ -826,7 +938,7 @@ load_group_crl() {
fi
echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
echo "Request:"
echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
@@ -839,7 +951,7 @@ GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
_EOF_REQUEST_
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f \
-d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
>${OUTFILE_TMP} 2>&1 < ${REQF}
@@ -876,7 +988,7 @@ _EOF_REQUEST_
ssl_crl_cache()
{
#verbose="-v"
- html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+ html_head "Cache CRL SSL Client Tests $NORM_EXT"
SSLAUTH_TMP=${TMP}/authin.tl.tmp
SERV_ARG=-r_-r
rm -f ${SSLAUTH_TMP}
@@ -892,7 +1004,7 @@ ssl_crl_cache()
while read ectype value sparam cparam testname
do
[ "$ectype" = "" ] && continue
- if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "$ectype" = "SNI" ]; then
continue
@@ -930,10 +1042,10 @@ ssl_crl_cache()
cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
echo "Server Args: $SERV_ARG"
- echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
echo " ${cparam} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
- ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
-d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
@@ -985,6 +1097,47 @@ ssl_crl_cache()
html "</TABLE><BR>"
}
+############################ ssl_dtls ###################################
+# local shell function to test tstclnt acting as client and server for DTLS
+#########################################################################
+ssl_dtls()
+{
+ #verbose="-v"
+ html_head "SSL DTLS $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+ testname="ssl_dtls"
+ value=0
+
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ echo "${testname}"
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_SERVERDIR} $verbose ${SERVER_OPTIONS} \\"
+ echo " -U -V tls1.1:tls1.2 -P server -Q < ${REQUEST_FILE} &"
+
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \
+ -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} 2>&1 &
+
+ PID=$!
+
+ sleep 1
+
+ echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE}"
+ ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1
+ ret=$?
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+
+ kill ${PID}
+
+ html "</TABLE><BR>"
+}
+
############################## ssl_cleanup #############################
# local shell function to finish this script (no exit since it might be
@@ -1022,6 +1175,9 @@ ssl_run()
"stress")
ssl_stress
;;
+ "dtls")
+ ssl_dtls
+ ;;
esac
done
}
@@ -1143,7 +1299,9 @@ ssl_run_tests()
case "${SSL_TEST}" in
"policy")
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
- ssl_policy
+ ssl_policy_listsuites
+ ssl_policy_selfserv
+ ssl_policy
fi
;;
"crl")
@@ -1166,8 +1324,8 @@ ssl_run_tests()
ssl_set_fips server on
;;
*)
- echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
- continue
+ html_failed "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
+ return 1
;;
esac
@@ -1180,8 +1338,8 @@ ssl_run_tests()
ssl_set_fips client on
;;
*)
- echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
- continue
+ html_failed "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
+ return 1
;;
esac
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
index e9defc502..a87eedad7 100644
--- a/security/nss/tests/ssl/sslstress.txt
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -21,6 +21,7 @@
# add client auth versions here...
#
noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
+ noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth, no login)
noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
noECC 0 -r_-r_-u -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh
index ac39f212c..fd678bf59 100755
--- a/security/nss/tests/ssl_gtests/ssl_gtests.sh
+++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh
@@ -21,16 +21,17 @@
# Generate input to certutil
certscript() {
+ ca=n
while [ $# -gt 0 ]; do
case $1 in
sign) echo 0 ;;
kex) echo 2 ;;
- ca) echo 5;echo 6 ;;
+ ca) echo 5;echo 6;ca=y ;;
esac; shift
done;
echo 9
echo n
- echo ${ca:-n}
+ echo $ca
echo
echo n
}
@@ -41,6 +42,7 @@ certscript() {
make_cert() {
name=$1
type=$2
+ unset type_args trust sign
case $type in
dsa) type_args='-g 1024' ;;
rsa) type_args='-g 1024' ;;
@@ -49,8 +51,11 @@ make_cert() {
p256) type_args='-q nistp256';type=ec ;;
p384) type_args='-q secp384r1';type=ec ;;
p521) type_args='-q secp521r1';type=ec ;;
- rsa_ca) type_args='-g 1024';trust='CT,CT,CT';ca=y;type=rsa ;;
+ rsa_ca) type_args='-g 1024';trust='CT,CT,CT';type=rsa ;;
rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;;
+ rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';type=rsa ;;
+ rsapss_chain) type_args='-g 1024';sign='-c rsa_pss_ca';type=rsa;;
+ rsa_ca_rsapss_chain) type_args='-g 1024 --pss-sign';sign='-c rsa_ca';type=rsa;;
ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;;
esac
shift 2
@@ -87,6 +92,9 @@ ssl_gtest_certs() {
make_cert ecdh_ecdsa p256 kex
make_cert rsa_ca rsa_ca ca
make_cert rsa_chain rsa_chain sign
+ make_cert rsa_pss_ca rsapss_ca ca
+ make_cert rsa_pss_chain rsapss_chain sign
+ make_cert rsa_ca_rsa_pss_chain rsa_ca_rsapss_chain sign
make_cert ecdh_rsa ecdh_rsa kex
make_cert dsa dsa sign
}
diff --git a/security/nss/tests/tools/TestOldAES128CA.p12 b/security/nss/tests/tools/TestOldAES128CA.p12
new file mode 100644
index 000000000..a05be8bde
--- /dev/null
+++ b/security/nss/tests/tools/TestOldAES128CA.p12
Binary files differ
diff --git a/security/nss/tests/tools/TestOldCA.p12 b/security/nss/tests/tools/TestOldCA.p12
new file mode 100644
index 000000000..40d5671b9
--- /dev/null
+++ b/security/nss/tests/tools/TestOldCA.p12
Binary files differ
diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh
index 769bafa00..11be23e05 100644
--- a/security/nss/tests/tools/tools.sh
+++ b/security/nss/tests/tools/tools.sh
@@ -76,11 +76,7 @@ tools_init()
fi
SCRIPTNAME=tools.sh
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- html_head "Tools Tests with ECC"
- else
- html_head "Tools Tests"
- fi
+ html_head "Tools Tests"
grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
@@ -106,6 +102,9 @@ tools_init()
cp ${ALICEDIR}/* ${SIGNDIR}/
mkdir -p ${TOOLSDIR}/html
cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
+ mkdir -p ${TOOLSDIR}/data
+ cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/TestOldAES128CA.p12 ${TOOLSDIR}/data
cd ${TOOLSDIR}
}
@@ -397,30 +396,44 @@ tools_p12_export_list_import_with_default_ciphers()
export_list_import "DEFAULT" "DEFAULT"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
- echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
- echo " -w ${R_PWFILE}"
- ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
- -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
- check_tmpfile
-
- echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
- echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
- ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
- check_tmpfile
-
- echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
- echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
- ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
- check_tmpfile
- fi
+ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
+ echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+ echo " -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+ -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
+ echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+ echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+ check_tmpfile
+}
+
+tools_p12_import_old_files()
+{
+ echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------"
+ echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.21 (PBES2 with BMPString password)"
+ check_tmpfile
+
+ echo "pk12util -i TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.29.5 (PBES2 with incorrect AES-128-CBC algorithm ID)"
+ check_tmpfile
}
############################## tools_p12 ###############################
@@ -434,6 +447,7 @@ tools_p12()
tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
tools_p12_export_with_none_ciphers
tools_p12_export_with_invalid_ciphers
+ tools_p12_import_old_files
}
############################## tools_sign ##############################
@@ -503,6 +517,21 @@ SIGNSCRIPT
}
+tools_modutil()
+{
+ echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized"
+ mkdir -p ${R_TOOLSDIR}/moddir
+ # copied from modu function in cert.sh
+ # echo is used to press Enter expected by modutil
+ echo | ${BINDIR}/modutil -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1
+ ret=$?
+ ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \
+ -x -t ',,' -z "${R_NOISE_FILE}"
+ ret=$?
+ html_msg $ret 0 "Test if DB created by modutil -create is initialized"
+ check_tmpfile
+}
+
############################## tools_cleanup ###########################
# local shell function to finish this script (no exit since it might be
# sourced)
@@ -519,6 +548,7 @@ tools_cleanup()
tools_init
tools_p12
tools_sign
+tools_modutil
tools_cleanup