diff --git a/0006-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch b/0006-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch new file mode 100644 index 0000000..8e19e28 --- /dev/null +++ b/0006-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch @@ -0,0 +1,293 @@ +From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 23 Feb 2018 10:43:44 -0500 +Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048 + +Remove keys < 2048 for the NSS tests. This affects some of the +OpenSSL tests as well where they run in a combined loop. + +Where it was not invasive to do I left the 1024/1536 for OpenSSL. +--- + tests/001-keyiread-dsa/expected.out | 6 +++--- + tests/001-keyiread-dsa/run.sh | 2 +- + tests/001-keyiread-rsa/expected.out | 2 -- + tests/001-keyiread-rsa/run.sh | 2 +- + tests/001-keyiread/expected.out | 2 -- + tests/001-keyiread/run.sh | 2 +- + tests/002-keygen-rsa/expected.out | 6 ------ + tests/002-keygen-rsa/run.sh | 2 +- + tests/002-keygen/expected.out | 18 ------------------ + tests/002-keygen/run.sh | 2 +- + tests/003-csrgen-rsa/expected.out | 6 ------ + tests/003-csrgen-rsa/run.sh | 4 ++-- + tests/003-csrgen/expected.out | 8 -------- + tests/003-csrgen/run.sh | 4 ++-- + tests/004-selfsign-rsa/expected.out | 2 -- + tests/004-selfsign-rsa/run.sh | 2 +- + tests/004-selfsign/expected.out | 2 -- + tests/004-selfsign/run.sh | 2 +- + 18 files changed, 14 insertions(+), 60 deletions(-) + +diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out +index b09db0ae..50643176 100644 +--- a/tests/001-keyiread-dsa/expected.out ++++ b/tests/001-keyiread-dsa/expected.out +@@ -1,4 +1,4 @@ +-OK (DSA:1024). +-OK (DSA:1024). +-OK (DSA:1024). ++OK (DSA:2048). ++OK (DSA:2048). ++OK (DSA:2048). + Test complete. +diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh +index 9f96b3bc..68f6d1c3 100755 +--- a/tests/001-keyiread-dsa/run.sh ++++ b/tests/001-keyiread-dsa/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 1024 ; do ++for size in 2048 ; do + # Generate a self-signed cert. + run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out +index 727897d1..3daa51f2 100644 +--- a/tests/001-keyiread-rsa/expected.out ++++ b/tests/001-keyiread-rsa/expected.out +@@ -1,5 +1,3 @@ +-OK (RSA:1024). +-OK (RSA:1536). + OK (RSA:2048). + OK (RSA:3072). + OK (RSA:4096). +diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh +index c7b77686..ec31c7c7 100755 +--- a/tests/001-keyiread-rsa/run.sh ++++ b/tests/001-keyiread-rsa/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 1024 1536 2048 3072 4096 ; do ++for size in 2048 3072 4096 ; do + # Generate a self-signed cert. + run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out +index 727897d1..3daa51f2 100644 +--- a/tests/001-keyiread/expected.out ++++ b/tests/001-keyiread/expected.out +@@ -1,5 +1,3 @@ +-OK (RSA:1024). +-OK (RSA:1536). + OK (RSA:2048). + OK (RSA:3072). + OK (RSA:4096). +diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh +index ce1428ed..0b31df95 100755 +--- a/tests/001-keyiread/run.sh ++++ b/tests/001-keyiread/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 1024 1536 2048 3072 4096 ; do ++for size in 2048 3072 4096 ; do + # Generate a self-signed cert. + run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out +index 3e6e9f3c..f7c146d0 100644 +--- a/tests/002-keygen-rsa/expected.out ++++ b/tests/002-keygen-rsa/expected.out +@@ -1,9 +1,3 @@ +-[nss:1024] +-OK. +-OK (RSA:1024). +-[nss:1536] +-OK. +-OK (RSA:1536). + [nss:2048] + OK. + OK (RSA:2048). +diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh +index 476f4127..c0c59249 100755 +--- a/tests/002-keygen-rsa/run.sh ++++ b/tests/002-keygen-rsa/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 1024 1536 2048 3072 4096 ; do ++for size in 2048 3072 4096 ; do + echo "[nss:$size]" + # Generate a key. + cat > entry.$size <<- EOF +diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out +index dcd1af06..b8fbea56 100644 +--- a/tests/002-keygen/expected.out ++++ b/tests/002-keygen/expected.out +@@ -1,21 +1,3 @@ +-[nss:1024] +-OK. +-OK (RSA:1024). +-OK. +-OK (RSA:1024 after RSA:1024). +-OK. +-OK (RSA:1024 after RSA:1024). +-keyi1024 +-keyi1024 (candidate (next)) +-[nss:1536] +-OK. +-OK (RSA:1536). +-OK. +-OK (RSA:1536 after RSA:1536). +-OK. +-OK (RSA:1536 after RSA:1536). +-keyi1536 +-keyi1536 (candidate (next)) + [nss:2048] + OK. + OK (RSA:2048). +diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh +index 08af1523..94230e6f 100755 +--- a/tests/002-keygen/run.sh ++++ b/tests/002-keygen/run.sh +@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}" + source "$srcdir"/functions + initnssdb "$scheme$tmpdir" + +-for size in 1024 1536 2048 3072 4096 ; do ++for size in 2048 3072 4096 ; do + echo "[nss:$size]" + # Generate a key. + cat > entry.$size <<- EOF +diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out +index c9dec729..def53fe4 100644 +--- a/tests/003-csrgen-rsa/expected.out ++++ b/tests/003-csrgen-rsa/expected.out +@@ -1,10 +1,4 @@ + pk12util: PKCS12 EXPORT SUCCESSFUL +-1024 OK. +-Signature OK +-pk12util: PKCS12 EXPORT SUCCESSFUL +-1536 OK. +-Signature OK +-pk12util: PKCS12 EXPORT SUCCESSFUL + 2048 OK. + Signature OK + pk12util: PKCS12 EXPORT SUCCESSFUL +diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh +index 4cd84084..bb8ebecb 100755 +--- a/tests/003-csrgen-rsa/run.sh ++++ b/tests/003-csrgen-rsa/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 1024 1536 2048 3072 4096 ; do ++for size in 2048 3072 4096 ; do + # Build a self-signed certificate. + run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +@@ -147,7 +147,7 @@ iterate() { + + iteration=1 + +-for size in 1024 ; do ++for size in 2048 ; do + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" + done + +diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out +index 8e6cac6e..04342c0f 100644 +--- a/tests/003-csrgen/expected.out ++++ b/tests/003-csrgen/expected.out +@@ -1,13 +1,5 @@ + pk12util: PKCS12 EXPORT SUCCESSFUL + Signature OK +-minicert.openssl.1024.pem: OK +-1024 OK. +-pk12util: PKCS12 EXPORT SUCCESSFUL +-Signature OK +-minicert.openssl.1536.pem: OK +-1536 OK. +-pk12util: PKCS12 EXPORT SUCCESSFUL +-Signature OK + minicert.openssl.2048.pem: OK + 2048 OK. + pk12util: PKCS12 EXPORT SUCCESSFUL +diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh +index 7c169ed9..31466b5c 100755 +--- a/tests/003-csrgen/run.sh ++++ b/tests/003-csrgen/run.sh +@@ -5,7 +5,7 @@ cd "$tmpdir" + source "$srcdir"/functions + initnssdb "$tmpdir" + +-for size in 1024 1536 2048 3072 4096 ; do ++for size in 2048 3072 4096 ; do + # Build a self-signed certificate. + run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +@@ -199,7 +199,7 @@ iterate() { + + iteration=1 + +-for size in 1024 ; do ++for size in 2048 ; do + iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" + done + +diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out +index dd5029ec..0eb84ef1 100644 +--- a/tests/004-selfsign-rsa/expected.out ++++ b/tests/004-selfsign-rsa/expected.out +@@ -1,5 +1,3 @@ +-1024 OK. +-1536 OK. + 2048 OK. + 3072 OK. + 4096 OK. +diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh +index 6f9285b6..c1dd4c80 100755 +--- a/tests/004-selfsign-rsa/run.sh ++++ b/tests/004-selfsign-rsa/run.sh +@@ -33,7 +33,7 @@ function setupca() { + EOF + } + +-for size in 1024 1536 2048 3072 4096 ; do ++for size in 2048 3072 4096 ; do + # Build a self-signed certificate. + run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out +index dd5029ec..0eb84ef1 100644 +--- a/tests/004-selfsign/expected.out ++++ b/tests/004-selfsign/expected.out +@@ -1,5 +1,3 @@ +-1024 OK. +-1536 OK. + 2048 OK. + 3072 OK. + 4096 OK. +diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh +index 7bb368ec..eb1df4ee 100755 +--- a/tests/004-selfsign/run.sh ++++ b/tests/004-selfsign/run.sh +@@ -43,7 +43,7 @@ function setupca() { + EOF + } + +-for size in 1024 1536 2048 3072 4096 ; do ++for size in 2048 3072 4096 ; do + # Build a self-signed certificate. + run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ + -s "cn=T$size" -c "cn=T$size" \ +-- +2.16.2 + diff --git a/certmonger.spec b/certmonger.spec index 269b5f3..7d8571a 100644 --- a/certmonger.spec +++ b/certmonger.spec @@ -26,7 +26,7 @@ Name: certmonger Version: 0.79.5 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons @@ -112,6 +112,7 @@ Patch2: 0002-SQLite-databases-require-a-password-to-modify-trust-.patch Patch3: 0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch Patch4: 0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch Patch5: 0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch +Patch6: 0006-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch %description Certmonger is a service which is primarily concerned with getting your @@ -124,6 +125,7 @@ system enrolled with a certificate authority (CA) and keeping it enrolled. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %if 0%{?rhel} > 0 # Enabled by default for RHEL for bug #765600, still disabled by default for @@ -251,6 +253,9 @@ exit 0 %endif %changelog +* Fri Feb 23 2018 Rob Crittenden 0.79.5-6 +- Fix unit tests. NSS crypto policy disallows keys < 1024 + * Wed Feb 21 2018 Rob Crittenden 0.79.5-5 - Add BuildRequires on gcc