37cd032951
The updated NSS crypto-policy enables all tokens which broke requesting certificates due to the way that tokens were managed.
294 lines
8.8 KiB
Diff
294 lines
8.8 KiB
Diff
From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Fri, 23 Feb 2018 10:43:44 -0500
|
|
Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048
|
|
|
|
Remove keys < 2048 for the NSS tests. This affects some of the
|
|
OpenSSL tests as well where they run in a combined loop.
|
|
|
|
Where it was not invasive to do I left the 1024/1536 for OpenSSL.
|
|
---
|
|
tests/001-keyiread-dsa/expected.out | 6 +++---
|
|
tests/001-keyiread-dsa/run.sh | 2 +-
|
|
tests/001-keyiread-rsa/expected.out | 2 --
|
|
tests/001-keyiread-rsa/run.sh | 2 +-
|
|
tests/001-keyiread/expected.out | 2 --
|
|
tests/001-keyiread/run.sh | 2 +-
|
|
tests/002-keygen-rsa/expected.out | 6 ------
|
|
tests/002-keygen-rsa/run.sh | 2 +-
|
|
tests/002-keygen/expected.out | 18 ------------------
|
|
tests/002-keygen/run.sh | 2 +-
|
|
tests/003-csrgen-rsa/expected.out | 6 ------
|
|
tests/003-csrgen-rsa/run.sh | 4 ++--
|
|
tests/003-csrgen/expected.out | 8 --------
|
|
tests/003-csrgen/run.sh | 4 ++--
|
|
tests/004-selfsign-rsa/expected.out | 2 --
|
|
tests/004-selfsign-rsa/run.sh | 2 +-
|
|
tests/004-selfsign/expected.out | 2 --
|
|
tests/004-selfsign/run.sh | 2 +-
|
|
18 files changed, 14 insertions(+), 60 deletions(-)
|
|
|
|
diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out
|
|
index b09db0ae..50643176 100644
|
|
--- a/tests/001-keyiread-dsa/expected.out
|
|
+++ b/tests/001-keyiread-dsa/expected.out
|
|
@@ -1,4 +1,4 @@
|
|
-OK (DSA:1024).
|
|
-OK (DSA:1024).
|
|
-OK (DSA:1024).
|
|
+OK (DSA:2048).
|
|
+OK (DSA:2048).
|
|
+OK (DSA:2048).
|
|
Test complete.
|
|
diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh
|
|
index 9f96b3bc..68f6d1c3 100755
|
|
--- a/tests/001-keyiread-dsa/run.sh
|
|
+++ b/tests/001-keyiread-dsa/run.sh
|
|
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
source "$srcdir"/functions
|
|
initnssdb "$tmpdir"
|
|
|
|
-for size in 1024 ; do
|
|
+for size in 2048 ; do
|
|
# Generate a self-signed cert.
|
|
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
-s "cn=T$size" -c "cn=T$size" \
|
|
diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
|
|
index 727897d1..3daa51f2 100644
|
|
--- a/tests/001-keyiread-rsa/expected.out
|
|
+++ b/tests/001-keyiread-rsa/expected.out
|
|
@@ -1,5 +1,3 @@
|
|
-OK (RSA:1024).
|
|
-OK (RSA:1536).
|
|
OK (RSA:2048).
|
|
OK (RSA:3072).
|
|
OK (RSA:4096).
|
|
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
|
|
index c7b77686..ec31c7c7 100755
|
|
--- a/tests/001-keyiread-rsa/run.sh
|
|
+++ b/tests/001-keyiread-rsa/run.sh
|
|
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
source "$srcdir"/functions
|
|
initnssdb "$tmpdir"
|
|
|
|
-for size in 1024 1536 2048 3072 4096 ; do
|
|
+for size in 2048 3072 4096 ; do
|
|
# Generate a self-signed cert.
|
|
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
-s "cn=T$size" -c "cn=T$size" \
|
|
diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
|
|
index 727897d1..3daa51f2 100644
|
|
--- a/tests/001-keyiread/expected.out
|
|
+++ b/tests/001-keyiread/expected.out
|
|
@@ -1,5 +1,3 @@
|
|
-OK (RSA:1024).
|
|
-OK (RSA:1536).
|
|
OK (RSA:2048).
|
|
OK (RSA:3072).
|
|
OK (RSA:4096).
|
|
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
|
|
index ce1428ed..0b31df95 100755
|
|
--- a/tests/001-keyiread/run.sh
|
|
+++ b/tests/001-keyiread/run.sh
|
|
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
source "$srcdir"/functions
|
|
initnssdb "$tmpdir"
|
|
|
|
-for size in 1024 1536 2048 3072 4096 ; do
|
|
+for size in 2048 3072 4096 ; do
|
|
# Generate a self-signed cert.
|
|
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
-s "cn=T$size" -c "cn=T$size" \
|
|
diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
|
|
index 3e6e9f3c..f7c146d0 100644
|
|
--- a/tests/002-keygen-rsa/expected.out
|
|
+++ b/tests/002-keygen-rsa/expected.out
|
|
@@ -1,9 +1,3 @@
|
|
-[nss:1024]
|
|
-OK.
|
|
-OK (RSA:1024).
|
|
-[nss:1536]
|
|
-OK.
|
|
-OK (RSA:1536).
|
|
[nss:2048]
|
|
OK.
|
|
OK (RSA:2048).
|
|
diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
|
|
index 476f4127..c0c59249 100755
|
|
--- a/tests/002-keygen-rsa/run.sh
|
|
+++ b/tests/002-keygen-rsa/run.sh
|
|
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
source "$srcdir"/functions
|
|
initnssdb "$tmpdir"
|
|
|
|
-for size in 1024 1536 2048 3072 4096 ; do
|
|
+for size in 2048 3072 4096 ; do
|
|
echo "[nss:$size]"
|
|
# Generate a key.
|
|
cat > entry.$size <<- EOF
|
|
diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
|
|
index dcd1af06..b8fbea56 100644
|
|
--- a/tests/002-keygen/expected.out
|
|
+++ b/tests/002-keygen/expected.out
|
|
@@ -1,21 +1,3 @@
|
|
-[nss:1024]
|
|
-OK.
|
|
-OK (RSA:1024).
|
|
-OK.
|
|
-OK (RSA:1024 after RSA:1024).
|
|
-OK.
|
|
-OK (RSA:1024 after RSA:1024).
|
|
-keyi1024
|
|
-keyi1024 (candidate (next))
|
|
-[nss:1536]
|
|
-OK.
|
|
-OK (RSA:1536).
|
|
-OK.
|
|
-OK (RSA:1536 after RSA:1536).
|
|
-OK.
|
|
-OK (RSA:1536 after RSA:1536).
|
|
-keyi1536
|
|
-keyi1536 (candidate (next))
|
|
[nss:2048]
|
|
OK.
|
|
OK (RSA:2048).
|
|
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
|
|
index 08af1523..94230e6f 100755
|
|
--- a/tests/002-keygen/run.sh
|
|
+++ b/tests/002-keygen/run.sh
|
|
@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}"
|
|
source "$srcdir"/functions
|
|
initnssdb "$scheme$tmpdir"
|
|
|
|
-for size in 1024 1536 2048 3072 4096 ; do
|
|
+for size in 2048 3072 4096 ; do
|
|
echo "[nss:$size]"
|
|
# Generate a key.
|
|
cat > entry.$size <<- EOF
|
|
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
|
|
index c9dec729..def53fe4 100644
|
|
--- a/tests/003-csrgen-rsa/expected.out
|
|
+++ b/tests/003-csrgen-rsa/expected.out
|
|
@@ -1,10 +1,4 @@
|
|
pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
-1024 OK.
|
|
-Signature OK
|
|
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
-1536 OK.
|
|
-Signature OK
|
|
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
2048 OK.
|
|
Signature OK
|
|
pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
|
|
index 4cd84084..bb8ebecb 100755
|
|
--- a/tests/003-csrgen-rsa/run.sh
|
|
+++ b/tests/003-csrgen-rsa/run.sh
|
|
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
source "$srcdir"/functions
|
|
initnssdb "$tmpdir"
|
|
|
|
-for size in 1024 1536 2048 3072 4096 ; do
|
|
+for size in 2048 3072 4096 ; do
|
|
# Build a self-signed certificate.
|
|
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
-s "cn=T$size" -c "cn=T$size" \
|
|
@@ -147,7 +147,7 @@ iterate() {
|
|
|
|
iteration=1
|
|
|
|
-for size in 1024 ; do
|
|
+for size in 2048 ; do
|
|
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment"
|
|
done
|
|
|
|
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
|
|
index 8e6cac6e..04342c0f 100644
|
|
--- a/tests/003-csrgen/expected.out
|
|
+++ b/tests/003-csrgen/expected.out
|
|
@@ -1,13 +1,5 @@
|
|
pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
Signature OK
|
|
-minicert.openssl.1024.pem: OK
|
|
-1024 OK.
|
|
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
-Signature OK
|
|
-minicert.openssl.1536.pem: OK
|
|
-1536 OK.
|
|
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
-Signature OK
|
|
minicert.openssl.2048.pem: OK
|
|
2048 OK.
|
|
pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
|
|
index 7c169ed9..31466b5c 100755
|
|
--- a/tests/003-csrgen/run.sh
|
|
+++ b/tests/003-csrgen/run.sh
|
|
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
source "$srcdir"/functions
|
|
initnssdb "$tmpdir"
|
|
|
|
-for size in 1024 1536 2048 3072 4096 ; do
|
|
+for size in 2048 3072 4096 ; do
|
|
# Build a self-signed certificate.
|
|
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
-s "cn=T$size" -c "cn=T$size" \
|
|
@@ -199,7 +199,7 @@ iterate() {
|
|
|
|
iteration=1
|
|
|
|
-for size in 1024 ; do
|
|
+for size in 2048 ; do
|
|
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype"
|
|
done
|
|
|
|
diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
|
|
index dd5029ec..0eb84ef1 100644
|
|
--- a/tests/004-selfsign-rsa/expected.out
|
|
+++ b/tests/004-selfsign-rsa/expected.out
|
|
@@ -1,5 +1,3 @@
|
|
-1024 OK.
|
|
-1536 OK.
|
|
2048 OK.
|
|
3072 OK.
|
|
4096 OK.
|
|
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
|
|
index 6f9285b6..c1dd4c80 100755
|
|
--- a/tests/004-selfsign-rsa/run.sh
|
|
+++ b/tests/004-selfsign-rsa/run.sh
|
|
@@ -33,7 +33,7 @@ function setupca() {
|
|
EOF
|
|
}
|
|
|
|
-for size in 1024 1536 2048 3072 4096 ; do
|
|
+for size in 2048 3072 4096 ; do
|
|
# Build a self-signed certificate.
|
|
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
-s "cn=T$size" -c "cn=T$size" \
|
|
diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
|
|
index dd5029ec..0eb84ef1 100644
|
|
--- a/tests/004-selfsign/expected.out
|
|
+++ b/tests/004-selfsign/expected.out
|
|
@@ -1,5 +1,3 @@
|
|
-1024 OK.
|
|
-1536 OK.
|
|
2048 OK.
|
|
3072 OK.
|
|
4096 OK.
|
|
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
|
|
index 7bb368ec..eb1df4ee 100755
|
|
--- a/tests/004-selfsign/run.sh
|
|
+++ b/tests/004-selfsign/run.sh
|
|
@@ -43,7 +43,7 @@ function setupca() {
|
|
EOF
|
|
}
|
|
|
|
-for size in 1024 1536 2048 3072 4096 ; do
|
|
+for size in 2048 3072 4096 ; do
|
|
# Build a self-signed certificate.
|
|
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
-s "cn=T$size" -c "cn=T$size" \
|
|
--
|
|
2.16.2
|
|
|