From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 23 Feb 2018 10:43:44 -0500 Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048 Remove keys < 2048 for the NSS tests. This affects some of the OpenSSL tests as well where they run in a combined loop. Where it was not invasive to do I left the 1024/1536 for OpenSSL. --- tests/001-keyiread-dsa/expected.out | 6 +++--- tests/001-keyiread-dsa/run.sh | 2 +- tests/001-keyiread-rsa/expected.out | 2 -- tests/001-keyiread-rsa/run.sh | 2 +- tests/001-keyiread/expected.out | 2 -- tests/001-keyiread/run.sh | 2 +- tests/002-keygen-rsa/expected.out | 6 ------ tests/002-keygen-rsa/run.sh | 2 +- tests/002-keygen/expected.out | 18 ------------------ tests/002-keygen/run.sh | 2 +- tests/003-csrgen-rsa/expected.out | 6 ------ tests/003-csrgen-rsa/run.sh | 4 ++-- tests/003-csrgen/expected.out | 8 -------- tests/003-csrgen/run.sh | 4 ++-- tests/004-selfsign-rsa/expected.out | 2 -- tests/004-selfsign-rsa/run.sh | 2 +- tests/004-selfsign/expected.out | 2 -- tests/004-selfsign/run.sh | 2 +- 18 files changed, 14 insertions(+), 60 deletions(-) diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out index b09db0ae..50643176 100644 --- a/tests/001-keyiread-dsa/expected.out +++ b/tests/001-keyiread-dsa/expected.out @@ -1,4 +1,4 @@ -OK (DSA:1024). -OK (DSA:1024). -OK (DSA:1024). +OK (DSA:2048). +OK (DSA:2048). +OK (DSA:2048). Test complete. diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh index 9f96b3bc..68f6d1c3 100755 --- a/tests/001-keyiread-dsa/run.sh +++ b/tests/001-keyiread-dsa/run.sh @@ -5,7 +5,7 @@ cd "$tmpdir" source "$srcdir"/functions initnssdb "$tmpdir" -for size in 1024 ; do +for size in 2048 ; do # Generate a self-signed cert. run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ -s "cn=T$size" -c "cn=T$size" \ diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out index 727897d1..3daa51f2 100644 --- a/tests/001-keyiread-rsa/expected.out +++ b/tests/001-keyiread-rsa/expected.out @@ -1,5 +1,3 @@ -OK (RSA:1024). -OK (RSA:1536). OK (RSA:2048). OK (RSA:3072). OK (RSA:4096). diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh index c7b77686..ec31c7c7 100755 --- a/tests/001-keyiread-rsa/run.sh +++ b/tests/001-keyiread-rsa/run.sh @@ -5,7 +5,7 @@ cd "$tmpdir" source "$srcdir"/functions initnssdb "$tmpdir" -for size in 1024 1536 2048 3072 4096 ; do +for size in 2048 3072 4096 ; do # Generate a self-signed cert. run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ -s "cn=T$size" -c "cn=T$size" \ diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out index 727897d1..3daa51f2 100644 --- a/tests/001-keyiread/expected.out +++ b/tests/001-keyiread/expected.out @@ -1,5 +1,3 @@ -OK (RSA:1024). -OK (RSA:1536). OK (RSA:2048). OK (RSA:3072). OK (RSA:4096). diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh index ce1428ed..0b31df95 100755 --- a/tests/001-keyiread/run.sh +++ b/tests/001-keyiread/run.sh @@ -5,7 +5,7 @@ cd "$tmpdir" source "$srcdir"/functions initnssdb "$tmpdir" -for size in 1024 1536 2048 3072 4096 ; do +for size in 2048 3072 4096 ; do # Generate a self-signed cert. run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ -s "cn=T$size" -c "cn=T$size" \ diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out index 3e6e9f3c..f7c146d0 100644 --- a/tests/002-keygen-rsa/expected.out +++ b/tests/002-keygen-rsa/expected.out @@ -1,9 +1,3 @@ -[nss:1024] -OK. -OK (RSA:1024). -[nss:1536] -OK. -OK (RSA:1536). [nss:2048] OK. OK (RSA:2048). diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh index 476f4127..c0c59249 100755 --- a/tests/002-keygen-rsa/run.sh +++ b/tests/002-keygen-rsa/run.sh @@ -5,7 +5,7 @@ cd "$tmpdir" source "$srcdir"/functions initnssdb "$tmpdir" -for size in 1024 1536 2048 3072 4096 ; do +for size in 2048 3072 4096 ; do echo "[nss:$size]" # Generate a key. cat > entry.$size <<- EOF diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out index dcd1af06..b8fbea56 100644 --- a/tests/002-keygen/expected.out +++ b/tests/002-keygen/expected.out @@ -1,21 +1,3 @@ -[nss:1024] -OK. -OK (RSA:1024). -OK. -OK (RSA:1024 after RSA:1024). -OK. -OK (RSA:1024 after RSA:1024). -keyi1024 -keyi1024 (candidate (next)) -[nss:1536] -OK. -OK (RSA:1536). -OK. -OK (RSA:1536 after RSA:1536). -OK. -OK (RSA:1536 after RSA:1536). -keyi1536 -keyi1536 (candidate (next)) [nss:2048] OK. OK (RSA:2048). diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh index 08af1523..94230e6f 100755 --- a/tests/002-keygen/run.sh +++ b/tests/002-keygen/run.sh @@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}" source "$srcdir"/functions initnssdb "$scheme$tmpdir" -for size in 1024 1536 2048 3072 4096 ; do +for size in 2048 3072 4096 ; do echo "[nss:$size]" # Generate a key. cat > entry.$size <<- EOF diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out index c9dec729..def53fe4 100644 --- a/tests/003-csrgen-rsa/expected.out +++ b/tests/003-csrgen-rsa/expected.out @@ -1,10 +1,4 @@ pk12util: PKCS12 EXPORT SUCCESSFUL -1024 OK. -Signature OK -pk12util: PKCS12 EXPORT SUCCESSFUL -1536 OK. -Signature OK -pk12util: PKCS12 EXPORT SUCCESSFUL 2048 OK. Signature OK pk12util: PKCS12 EXPORT SUCCESSFUL diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh index 4cd84084..bb8ebecb 100755 --- a/tests/003-csrgen-rsa/run.sh +++ b/tests/003-csrgen-rsa/run.sh @@ -5,7 +5,7 @@ cd "$tmpdir" source "$srcdir"/functions initnssdb "$tmpdir" -for size in 1024 1536 2048 3072 4096 ; do +for size in 2048 3072 4096 ; do # Build a self-signed certificate. run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ -s "cn=T$size" -c "cn=T$size" \ @@ -147,7 +147,7 @@ iterate() { iteration=1 -for size in 1024 ; do +for size in 2048 ; do iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" done diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out index 8e6cac6e..04342c0f 100644 --- a/tests/003-csrgen/expected.out +++ b/tests/003-csrgen/expected.out @@ -1,13 +1,5 @@ pk12util: PKCS12 EXPORT SUCCESSFUL Signature OK -minicert.openssl.1024.pem: OK -1024 OK. -pk12util: PKCS12 EXPORT SUCCESSFUL -Signature OK -minicert.openssl.1536.pem: OK -1536 OK. -pk12util: PKCS12 EXPORT SUCCESSFUL -Signature OK minicert.openssl.2048.pem: OK 2048 OK. pk12util: PKCS12 EXPORT SUCCESSFUL diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh index 7c169ed9..31466b5c 100755 --- a/tests/003-csrgen/run.sh +++ b/tests/003-csrgen/run.sh @@ -5,7 +5,7 @@ cd "$tmpdir" source "$srcdir"/functions initnssdb "$tmpdir" -for size in 1024 1536 2048 3072 4096 ; do +for size in 2048 3072 4096 ; do # Build a self-signed certificate. run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ -s "cn=T$size" -c "cn=T$size" \ @@ -199,7 +199,7 @@ iterate() { iteration=1 -for size in 1024 ; do +for size in 2048 ; do iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" done diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out index dd5029ec..0eb84ef1 100644 --- a/tests/004-selfsign-rsa/expected.out +++ b/tests/004-selfsign-rsa/expected.out @@ -1,5 +1,3 @@ -1024 OK. -1536 OK. 2048 OK. 3072 OK. 4096 OK. diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh index 6f9285b6..c1dd4c80 100755 --- a/tests/004-selfsign-rsa/run.sh +++ b/tests/004-selfsign-rsa/run.sh @@ -33,7 +33,7 @@ function setupca() { EOF } -for size in 1024 1536 2048 3072 4096 ; do +for size in 2048 3072 4096 ; do # Build a self-signed certificate. run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ -s "cn=T$size" -c "cn=T$size" \ diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out index dd5029ec..0eb84ef1 100644 --- a/tests/004-selfsign/expected.out +++ b/tests/004-selfsign/expected.out @@ -1,5 +1,3 @@ -1024 OK. -1536 OK. 2048 OK. 3072 OK. 4096 OK. diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh index 7bb368ec..eb1df4ee 100755 --- a/tests/004-selfsign/run.sh +++ b/tests/004-selfsign/run.sh @@ -43,7 +43,7 @@ function setupca() { EOF } -for size in 1024 1536 2048 3072 4096 ; do +for size in 2048 3072 4096 ; do # Build a self-signed certificate. run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ -s "cn=T$size" -c "cn=T$size" \ -- 2.16.2