Fix unit tests. NSS crypto policy disallows keys < 1024

2018-02-23 13:41:55 -05:00 · 2018-02-23 13:41:55 -05:00 · c5174122f5
commit c5174122f5
parent 21cdfd73c3
2 changed files with 299 additions and 1 deletions
--- a/0006-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
+++ b/0006-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
@ -0,0 +1,293 @@
+From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 23 Feb 2018 10:43:44 -0500
+Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048
+
+Remove keys < 2048 for the NSS tests. This affects some of the
+OpenSSL tests as well where they run in a combined loop.
+
+Where it was not invasive to do I left the 1024/1536 for OpenSSL.
+---
+ tests/001-keyiread-dsa/expected.out |  6 +++---
+ tests/001-keyiread-dsa/run.sh       |  2 +-
+ tests/001-keyiread-rsa/expected.out |  2 --
+ tests/001-keyiread-rsa/run.sh       |  2 +-
+ tests/001-keyiread/expected.out     |  2 --
+ tests/001-keyiread/run.sh           |  2 +-
+ tests/002-keygen-rsa/expected.out   |  6 ------
+ tests/002-keygen-rsa/run.sh         |  2 +-
+ tests/002-keygen/expected.out       | 18 ------------------
+ tests/002-keygen/run.sh             |  2 +-
+ tests/003-csrgen-rsa/expected.out   |  6 ------
+ tests/003-csrgen-rsa/run.sh         |  4 ++--
+ tests/003-csrgen/expected.out       |  8 --------
+ tests/003-csrgen/run.sh             |  4 ++--
+ tests/004-selfsign-rsa/expected.out |  2 --
+ tests/004-selfsign-rsa/run.sh       |  2 +-
+ tests/004-selfsign/expected.out     |  2 --
+ tests/004-selfsign/run.sh           |  2 +-
+ 18 files changed, 14 insertions(+), 60 deletions(-)
+
+diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out
+index b09db0ae..50643176 100644
+--- a/tests/001-keyiread-dsa/expected.out
+++ b/tests/001-keyiread-dsa/expected.out
+@@ -1,4 +1,4 @@
+-OK (DSA:1024).
+-OK (DSA:1024).
+-OK (DSA:1024).
+OK (DSA:2048).
+OK (DSA:2048).
+OK (DSA:2048).
+ Test complete.
+diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh
+index 9f96b3bc..68f6d1c3 100755
+--- a/tests/001-keyiread-dsa/run.sh
+++ b/tests/001-keyiread-dsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 1024 ; do
+for size in 2048 ; do
+ 	# Generate a self-signed cert.
+ 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ 		-s "cn=T$size" -c "cn=T$size" \
+diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
+index 727897d1..3daa51f2 100644
+--- a/tests/001-keyiread-rsa/expected.out
+++ b/tests/001-keyiread-rsa/expected.out
+@@ -1,5 +1,3 @@
+-OK (RSA:1024).
+-OK (RSA:1536).
+ OK (RSA:2048).
+ OK (RSA:3072).
+ OK (RSA:4096).
+diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
+index c7b77686..ec31c7c7 100755
+--- a/tests/001-keyiread-rsa/run.sh
+++ b/tests/001-keyiread-rsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
+ 	# Generate a self-signed cert.
+ 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ 		-s "cn=T$size" -c "cn=T$size" \
+diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
+index 727897d1..3daa51f2 100644
+--- a/tests/001-keyiread/expected.out
+++ b/tests/001-keyiread/expected.out
+@@ -1,5 +1,3 @@
+-OK (RSA:1024).
+-OK (RSA:1536).
+ OK (RSA:2048).
+ OK (RSA:3072).
+ OK (RSA:4096).
+diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
+index ce1428ed..0b31df95 100755
+--- a/tests/001-keyiread/run.sh
+++ b/tests/001-keyiread/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
+ 	# Generate a self-signed cert.
+ 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ 		-s "cn=T$size" -c "cn=T$size" \
+diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
+index 3e6e9f3c..f7c146d0 100644
+--- a/tests/002-keygen-rsa/expected.out
+++ b/tests/002-keygen-rsa/expected.out
+@@ -1,9 +1,3 @@
+-[nss:1024]
+-OK.
+-OK (RSA:1024).
+-[nss:1536]
+-OK.
+-OK (RSA:1536).
+ [nss:2048]
+ OK.
+ OK (RSA:2048).
+diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
+index 476f4127..c0c59249 100755
+--- a/tests/002-keygen-rsa/run.sh
+++ b/tests/002-keygen-rsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
+ 	echo "[nss:$size]"
+ 	# Generate a key.
+ 	cat > entry.$size <<- EOF
+diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
+index dcd1af06..b8fbea56 100644
+--- a/tests/002-keygen/expected.out
+++ b/tests/002-keygen/expected.out
+@@ -1,21 +1,3 @@
+-[nss:1024]
+-OK.
+-OK (RSA:1024).
+-OK.
+-OK (RSA:1024 after RSA:1024).
+-OK.
+-OK (RSA:1024 after RSA:1024).
+-keyi1024
+-keyi1024 (candidate (next))
+-[nss:1536]
+-OK.
+-OK (RSA:1536).
+-OK.
+-OK (RSA:1536 after RSA:1536).
+-OK.
+-OK (RSA:1536 after RSA:1536).
+-keyi1536
+-keyi1536 (candidate (next))
+ [nss:2048]
+ OK.
+ OK (RSA:2048).
+diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
+index 08af1523..94230e6f 100755
+--- a/tests/002-keygen/run.sh
+++ b/tests/002-keygen/run.sh
+@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}"
+ source "$srcdir"/functions
+ initnssdb "$scheme$tmpdir"
+ 
+-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
+ 	echo "[nss:$size]"
+ 	# Generate a key.
+ 	cat > entry.$size <<- EOF
+diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
+index c9dec729..def53fe4 100644
+--- a/tests/003-csrgen-rsa/expected.out
+++ b/tests/003-csrgen-rsa/expected.out
+@@ -1,10 +1,4 @@
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+-1024 OK.
+-Signature OK
+-pk12util: PKCS12 EXPORT SUCCESSFUL
+-1536 OK.
+-Signature OK
+-pk12util: PKCS12 EXPORT SUCCESSFUL
+ 2048 OK.
+ Signature OK
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
+index 4cd84084..bb8ebecb 100755
+--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
+ 	# Build a self-signed certificate.
+ 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ 		-s "cn=T$size" -c "cn=T$size" \
+@@ -147,7 +147,7 @@ iterate() {
+ 
+ iteration=1
+ 
+-for size in 1024 ; do
+for size in 2048 ; do
+ 	iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment"
+ done
+ 
+diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
+index 8e6cac6e..04342c0f 100644
+--- a/tests/003-csrgen/expected.out
+++ b/tests/003-csrgen/expected.out
+@@ -1,13 +1,5 @@
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+ Signature OK
+-minicert.openssl.1024.pem: OK
+-1024 OK.
+-pk12util: PKCS12 EXPORT SUCCESSFUL
+-Signature OK
+-minicert.openssl.1536.pem: OK
+-1536 OK.
+-pk12util: PKCS12 EXPORT SUCCESSFUL
+-Signature OK
+ minicert.openssl.2048.pem: OK
+ 2048 OK.
+ pk12util: PKCS12 EXPORT SUCCESSFUL
+diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
+index 7c169ed9..31466b5c 100755
+--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
+@@ -5,7 +5,7 @@ cd "$tmpdir"
+ source "$srcdir"/functions
+ initnssdb "$tmpdir"
+ 
+-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
+ 	# Build a self-signed certificate.
+ 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ 		-s "cn=T$size" -c "cn=T$size" \
+@@ -199,7 +199,7 @@ iterate() {
+ 
+ iteration=1
+ 
+-for size in 1024 ; do
+for size in 2048 ; do
+ 	iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype"
+ done
+ 
+diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
+index dd5029ec..0eb84ef1 100644
+--- a/tests/004-selfsign-rsa/expected.out
+++ b/tests/004-selfsign-rsa/expected.out
+@@ -1,5 +1,3 @@
+-1024 OK.
+-1536 OK.
+ 2048 OK.
+ 3072 OK.
+ 4096 OK.
+diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
+index 6f9285b6..c1dd4c80 100755
+--- a/tests/004-selfsign-rsa/run.sh
+++ b/tests/004-selfsign-rsa/run.sh
+@@ -33,7 +33,7 @@ function setupca() {
+ 	EOF
+ }
+ 
+-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
+ 	# Build a self-signed certificate.
+ 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ 		-s "cn=T$size" -c "cn=T$size" \
+diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
+index dd5029ec..0eb84ef1 100644
+--- a/tests/004-selfsign/expected.out
+++ b/tests/004-selfsign/expected.out
+@@ -1,5 +1,3 @@
+-1024 OK.
+-1536 OK.
+ 2048 OK.
+ 3072 OK.
+ 4096 OK.
+diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
+index 7bb368ec..eb1df4ee 100755
+--- a/tests/004-selfsign/run.sh
+++ b/tests/004-selfsign/run.sh
+@@ -43,7 +43,7 @@ function setupca() {
+ 	EOF
+ }
+ 
+-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
+ 	# Build a self-signed certificate.
+ 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
+ 		-s "cn=T$size" -c "cn=T$size" \
+-- 
+2.16.2
+
--- a/certmonger.spec
+++ b/certmonger.spec
@ -26,7 +26,7 @@

 Name:		certmonger
 Version:	0.79.5
-Release:	5%{?dist}
+Release:	6%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client

 Group:		System Environment/Daemons
@ -112,6 +112,7 @@ Patch2:	0002-SQLite-databases-require-a-password-to-modify-trust-.patch
 Patch3:	0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch
 Patch4:	0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch
 Patch5:	0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
+Patch6:	0006-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch

 %description
 Certmonger is a service which is primarily concerned with getting your
@ -124,6 +125,7 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1

 %if 0%{?rhel} > 0
 # Enabled by default for RHEL for bug #765600, still disabled by default for
@ -251,6 +253,9 @@ exit 0
 %endif

 %changelog
+* Fri Feb 23 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-6
+- Fix unit tests. NSS crypto policy disallows keys < 1024
+
 * Wed Feb 21 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-5
 - Add BuildRequires on gcc