diff options
Diffstat (limited to 'security/nss/tests/cert/cert.sh')
| -rwxr-xr-x | security/nss/tests/cert/cert.sh | 560 |
1 files changed, 511 insertions, 49 deletions
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh index 9b3455747..d1a9148a9 100755 --- a/security/nss/tests/cert/cert.sh +++ b/security/nss/tests/cert/cert.sh @@ -46,11 +46,7 @@ cert_init() fi SCRIPTNAME="cert.sh" CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` - if [ -z "$NSS_DISABLE_ECC" ] ; then - html_head "Certutil and Crlutil Tests with ECC" - else - html_head "Certutil and Crlutil Tests" - fi + html_head "Certutil and Crlutil Tests" LIBDIR="${DIST}/${OBJDIR}/lib" @@ -300,14 +296,12 @@ cert_create_cert() fi - if [ -z "$NSS_DISABLE_ECC" ] ; then CU_ACTION="Import EC Root CA for $CERTNAME" certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi - fi cert_add_cert "$5" return $? @@ -402,7 +396,6 @@ cert_add_cert() # # Generate and add EC cert # - if [ -z "$NSS_DISABLE_ECC" ] ; then CURVE="secp384r1" CU_ACTION="Generate EC Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" @@ -454,7 +447,6 @@ cert_add_cert() return $RET fi cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created" - fi return 0 } @@ -467,6 +459,7 @@ cert_add_cert() cert_all_CA() { echo nss > ${PWFILE} + echo > ${EMPTY_FILE} ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1" @@ -517,10 +510,16 @@ cert_all_CA() # dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last # in the chain +# +# Create RSA-PSS version of TestCA + ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS), O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256 + rm $CADIR/rsapssroot.cert + ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1 + rm $CADIR/rsapssroot.cert - - if [ -z "$NSS_DISABLE_ECC" ] ; then # # Create EC version of TestCA CA_CURVE="secp521r1" @@ -545,8 +544,6 @@ cert_all_CA() rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert # ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last # in the chain - - fi } ################################# cert_CA ################################ @@ -637,7 +634,7 @@ CERTSCRIPT ################################ cert_dsa_CA ############################# # local shell function to build the Temp. Certificate Authority (CA) # used for testing purposes, creating a CA Certificate and a root cert -# This is the ECC version of cert_CA. +# This is the DSA version of cert_CA. ########################################################################## cert_dsa_CA() { @@ -648,7 +645,7 @@ cert_dsa_CA() DOMAIN=$5 CERTSERIAL=$6 - echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME ==========================" + echo "$SCRIPTNAME: Creating a DSA CA Certificate $NICKNAME ==========================" if [ ! -d "${CUR_CADIR}" ]; then mkdir -p "${CUR_CADIR}" @@ -661,7 +658,7 @@ cert_dsa_CA() LPROFILE="multiaccess:${DOMAIN}" fi - ################# Creating an DSA CA Cert ############################### + ################# Creating a DSA CA Cert ############################### # CU_ACTION="Creating DSA CA Cert $NICKNAME " CU_SUBJECT=$ALL_CU_SUBJECT @@ -700,6 +697,79 @@ CERTSCRIPT + +################################ cert_rsa_pss_CA ############################# +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +# This is the RSA-PSS version of cert_CA. +########################################################################## +cert_rsa_pss_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + HASHALG=$7 + + echo "$SCRIPTNAME: Creating an RSA-PSS CA Certificate $NICKNAME ==========================" + + if [ ! -d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + HASHOPT= + if [ -n "$HASHALG" ]; then + HASHOPT="-Z $HASHALG" + fi + + ################# Creating an RSA-PSS CA Cert ############################### + # + CU_ACTION="Creating RSA-PSS CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -k rsa --pss $HASHOPT -t $TRUSTARG -v 600 $SIGNER \ + -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ + -m $CERTSERIAL 2>&1 <<CERTSCRIPT +5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +CERTSCRIPT + + if [ "$RET" -ne 0 ]; then + echo "return value is $RET" + Exit 6 "Fatal - failed to create RSA-PSS CA cert" + fi + + ################# Exporting RSA-PSS Root Cert ############################### + # + CU_ACTION="Exporting RSA-PSS Root Cert" + certu -L -n $NICKNAME -r -d ${LPROFILE} -o rsapssroot.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export RSA-PSS root cert" + fi + cp rsapssroot.cert ${NICKNAME}.ca.cert +} + + + + ################################ cert_ec_CA ############################## # local shell function to build the Temp. Certificate Authority (CA) # used for testing purposes, creating a CA Certificate and a root cert @@ -831,7 +901,6 @@ cert_smime_client() certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ -i ${R_EVEDIR}/Eve.cert 2>&1 - if [ -z "$NSS_DISABLE_ECC" ] ; then echo "$SCRIPTNAME: Importing EC Certificates ==============================" CU_ACTION="Import Bob's EC cert into Alice's db" certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ @@ -855,7 +924,6 @@ cert_smime_client() # CU_ACTION="Import Eve's EC cert into Bob's DB" # certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ # -i ${R_EVEDIR}/Eve-ec.cert 2>&1 - fi if [ "$CERTFAILED" != 0 ] ; then cert_log "ERROR: SMIME failed $RET" @@ -946,7 +1014,6 @@ cert_extended_ssl() # -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \ # 2>&1 - if [ -z "$NSS_DISABLE_ECC" ] ; then # # Repeat the above for EC certs # @@ -992,7 +1059,6 @@ cert_extended_ssl() # certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \ # -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \ # 2>&1 - fi echo "Importing all the server's own CA chain into the servers DB" for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; @@ -1081,7 +1147,6 @@ cert_extended_ssl() # done with mixed DSA certs # - if [ -z "$NSS_DISABLE_ECC" ] ; then # # Repeat the above for EC certs # @@ -1128,7 +1193,6 @@ cert_extended_ssl() # # done with mixed EC certs # - fi echo "Importing all the client's own CA chain into the servers DB" for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; @@ -1175,10 +1239,8 @@ cert_ssl() CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC" certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" - if [ -z "$NSS_DISABLE_ECC" ] ; then - CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC" - certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" - fi + CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC" + certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" # cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER} # echo "************* Copying CA files to ${SERVERDIR}" # cp ${CADIR}/*.db . @@ -1199,6 +1261,12 @@ cert_ssl() cp -r ${R_SERVERDIR} ${R_STAPLINGDIR} pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR} pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR} + + echo "$SCRIPTNAME: Creating database for strsclnt no login tests ===============" + echo "cp -r ${CLIENTDIR} ${NOLOGINDIR}" + cp -r ${R_CLIENTDIR} ${R_NOLOGINDIR} + # change the password to empty + certu -W -d "${R_NOLOGINDIR}" -f "${R_PWFILE}" -@ "${R_EMPTY_FILE}" 2>&1 } ############################## cert_stresscerts ################################ @@ -1269,12 +1337,35 @@ MODSCRIPT html_passed "${CU_ACTION}" fi + CU_ACTION="Setting invalid database password in FIPS mode" + RETEXPECTED=255 + certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1 + CU_ACTION="Attempt to generate a key with exponent of 3 (too small)" + certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" + CU_ACTION="Attempt to generate a key with exponent of 17 (too small)" + certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" + RETEXPECTED=0 + CU_ACTION="Generate Certificate for ${CERTNAME}" CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: FIPS passed" fi + +} + +########################## cert_rsa_exponent ################################# +# local shell function to verify small rsa exponent can be used (only +# run if FIPS has not been turned on in the build). +############################################################################## +cert_rsa_exponent_nonfips() +{ + echo "$SCRIPTNAME: Verify that small RSA exponents still work ==============" + CU_ACTION="Attempt to generate a key with exponent of 3" + certu -G -k rsa -g 2048 -y 3 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" + CU_ACTION="Attempt to generate a key with exponent of 17" + certu -G -k rsa -g 2048 -y 17 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" } ############################## cert_eccurves ########################### @@ -1284,7 +1375,6 @@ cert_eccurves() { ################# Creating Certs for EC curves test ######################## # - if [ -z "$NSS_DISABLE_ECC" ] ; then echo "$SCRIPTNAME: Creating Server CA Issued Certificate for " echo " EC Curves Test Certificates ------------------------------------" @@ -1325,8 +1415,6 @@ cert_eccurves() -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 fi done - - fi # $NSS_DISABLE_ECC } ########################### cert_extensions_test ############################# @@ -1678,7 +1766,6 @@ EOF_CRLINI - if [ -z "$NSS_DISABLE_ECC" ] ; then CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority" # Until Bug 292285 is resolved, do not encode x400 Addresses. After @@ -1693,7 +1780,6 @@ addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|director EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_1}_or-ec - fi echo test > file ############################# Modification ################################## @@ -1724,7 +1810,6 @@ EOF_CRLINI TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa" - if [ -z "$NSS_DISABLE_ECC" ] ; then CU_ACTION="Modify CRL (ECC) by adding one more cert" crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \ -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI @@ -1734,7 +1819,6 @@ EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_1}_or1-ec TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec" - fi ########### Removing one cert ${UNREVOKED_CERT_GRP_1} ####################### echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ===============" @@ -1763,7 +1847,6 @@ EOF_CRLINI - if [ -z "$NSS_DISABLE_ECC" ] ; then CU_ACTION="Modify CRL (ECC) by removing one cert" crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \ -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI @@ -1772,7 +1855,6 @@ rmcert ${UNREVOKED_CERT_GRP_1} EOF_CRLINI chmod 600 ${CRL_FILE_GRP_1}-ec TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec" - fi ########### Creating second CRL which includes groups 1 and 2 ############## CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1` @@ -1792,7 +1874,6 @@ rmcert ${UNREVOKED_CERT_GRP_2} EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_2} - if [ -z "$NSS_DISABLE_ECC" ] ; then CU_ACTION="Creating CRL (ECC) for groups 1 and 2" crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \ -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI @@ -1803,7 +1884,6 @@ rmcert ${UNREVOKED_CERT_GRP_2} EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_2}-ec - fi ########### Creating second CRL which includes groups 1, 2 and 3 ############## CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1` @@ -1825,7 +1905,6 @@ addext crlNumber 0 2 EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_3} - if [ -z "$NSS_DISABLE_ECC" ] ; then CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3" crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \ -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI @@ -1836,7 +1915,6 @@ addext crlNumber 0 2 EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_3}-ec - fi ############ Importing Server CA Issued CRL for certs of first group ####### @@ -1845,13 +1923,11 @@ EOF_CRLINI crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}" crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}" CRL_GEN_RES=`expr $? + $CRL_GEN_RES` - if [ -z "$NSS_DISABLE_ECC" ] ; then CU_ACTION="Importing CRL (ECC) for groups 1" crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}" crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \ -d "${R_SERVERDIR}" CRL_GEN_RES=`expr $? + $CRL_GEN_RES` - fi if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES" @@ -1968,6 +2044,387 @@ cert_test_ocspresp() ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1 } +cert_test_implicit_db_init() +{ + echo "$SCRIPTNAME: test implicit database init" + + CU_ACTION="Add cert with trust flags to db with implicit init" + mkdir ${IMPLICIT_INIT_DIR} + certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert" +} + +check_sign_algo() +{ + certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ + sed -n '/^ *Data:/,/^$/{ +/^ Signature Algorithm/,/^ *Salt length/s/^ //p +}' > ${TMP}/signalgo.txt + + diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt + RET=$? + if [ "$RET" -ne 0 ]; then + CERTFAILED=$RET + html_failed "${CU_ACTION} ($RET) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi +} + +cert_test_rsapss() +{ + TEMPFILES="$TEMPFILES ${TMP}/signalgo.exp ${TMP}/signalgo.txt" + + cert_init_cert "${RSAPSSDIR}" "RSA-PSS Test Cert" 1000 "${D_RSAPSS}" + + CU_ACTION="Initialize Cert DB" + certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import RSA CA Cert" + certu -A -n "TestCA" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${R_CADIR}/TestCA.ca.cert" 2>&1 + + CU_ACTION="Import RSA-PSS CA Cert" + certu -A -n "TestCA-rsa-pss" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${R_CADIR}/TestCA-rsa-pss.ca.cert" 2>&1 + + CU_ACTION="Verify RSA-PSS CA Cert" + certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}" + + CU_ACTION="Import RSA-PSS CA Cert (SHA1)" + certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 + + CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)" + certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1 + RETEXPECTED=255 + certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + RETEXPECTED=0 + + CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)" + certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1 + RETEXPECTED=255 + certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + RETEXPECTED=0 + + CERTSERIAL=200 + + # Subject certificate: RSA + # Issuer certificate: RSA + # Signature: RSA-PSS (explicit, with --pss-sign) + CERTNAME="TestUser-rsa-pss1" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <<EOF +Signature Algorithm: PKCS #1 RSA-PSS Signature + Parameters: + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 + Salt length: 32 (0x20) +EOF + check_sign_algo + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA + # Issuer certificate: RSA + # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512) + CERTNAME="TestUser-rsa-pss2" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <<EOF +Signature Algorithm: PKCS #1 RSA-PSS Signature + Parameters: + Hash algorithm: SHA-512 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-512 + Salt length: 64 (0x40) +EOF + check_sign_algo + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS + CERTNAME="TestUser-rsa-pss3" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <<EOF +Signature Algorithm: PKCS #1 RSA-PSS Signature + Parameters: + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 + Salt length: 32 (0x20) +EOF + check_sign_algo + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA + # Signature: RSA-PSS (explicit, with --pss-sign) + CERTNAME="TestUser-rsa-pss4" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <<EOF +Signature Algorithm: PKCS #1 RSA-PSS Signature + Parameters: + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 + Salt length: 32 (0x20) +EOF + check_sign_algo + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS (explicit, with --pss-sign) + CERTNAME="TestUser-rsa-pss5" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <<EOF +Signature Algorithm: PKCS #1 RSA-PSS Signature + Parameters: + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 + Salt length: 32 (0x20) +EOF + check_sign_algo + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS (implicit, without --pss-sign) + CERTNAME="TestUser-rsa-pss6" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + # Sign without --pss-sign nor -Z option + certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <<EOF +Signature Algorithm: PKCS #1 RSA-PSS Signature + Parameters: + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 + Salt length: 32 (0x20) +EOF + check_sign_algo + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS (with conflicting hash algorithm) + CERTNAME="TestUser-rsa-pss7" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + RETEXPECTED=255 + certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + RETEXPECTED=0 + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS (with compatible hash algorithm) + CERTNAME="TestUser-rsa-pss8" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <<EOF +Signature Algorithm: PKCS #1 RSA-PSS Signature + Parameters: + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 + Salt length: 32 (0x20) +EOF + check_sign_algo + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA + # Issuer certificate: RSA + # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1) + CERTNAME="TestUser-rsa-pss9" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <<EOF +Signature Algorithm: PKCS #1 RSA-PSS Signature + Parameters: + Hash algorithm: default, SHA-1 + Mask algorithm: default, MGF1 + Mask hash algorithm: default, SHA-1 + Salt length: default, 20 (0x14) +EOF + check_sign_algo + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS (implicit, without --pss-sign, default parameters) + CERTNAME="TestUser-rsa-pss10" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + # Sign without --pss-sign nor -Z option + certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Verify $CERTNAME's Cert" + certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" + cat > ${TMP}/signalgo.exp <<EOF +Signature Algorithm: PKCS #1 RSA-PSS Signature + Parameters: + Hash algorithm: default, SHA-1 + Mask algorithm: default, MGF1 + Mask hash algorithm: default, SHA-1 + Salt length: default, 20 (0x14) +EOF + check_sign_algo + + CERTSERIAL=`expr $CERTSERIAL + 1` + + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS (with conflicting hash algorithm, default parameters) + CERTNAME="TestUser-rsa-pss11" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + RETEXPECTED=255 + certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + RETEXPECTED=0 +} + ############################## cert_cleanup ############################ # local shell function to finish this script (no exit since it might be # sourced) @@ -1975,20 +2432,24 @@ cert_test_ocspresp() cert_cleanup() { cert_log "$SCRIPTNAME: finished $SCRIPTNAME" - html "</TABLE><BR>" + html "</TABLE><BR>" cd ${QADIR} . common/cleanup.sh } ################## main ################################################# -cert_init +cert_init cert_all_CA -cert_extended_ssl -cert_ssl -cert_smime_client -if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then - cert_fips +cert_test_implicit_db_init +cert_extended_ssl +cert_ssl +cert_smime_client +IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED` +if [ $IS_FIPS_DISABLED -ne 0 ]; then + cert_rsa_exponent_nonfips +else + cert_fips fi cert_eccurves cert_extensions @@ -1996,6 +2457,7 @@ cert_san_and_generic_extensions cert_test_password cert_test_distrust cert_test_ocspresp +cert_test_rsapss if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then cert_crl_ssl @@ -2004,7 +2466,7 @@ else fi if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then - cert_stresscerts + cert_stresscerts fi cert_iopr_setup |