1348 lines
58 KiB
Diff
1348 lines
58 KiB
Diff
|
diff -up ./cmd/pk11mode/pk11mode.c.disable_dsa ./cmd/pk11mode/pk11mode.c
|
||
|
--- ./cmd/pk11mode/pk11mode.c.disable_dsa 2024-06-17 09:39:06.137190654 -0700
|
||
|
+++ ./cmd/pk11mode/pk11mode.c 2024-06-17 09:39:12.265257501 -0700
|
||
|
@@ -578,7 +578,7 @@ main(int argc, char **argv)
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
- * PKM_KeyTest creates RSA,DSA public keys
|
||
|
+ * PKM_KeyTest creates RSA,ECDSA public keys
|
||
|
* and AES, DES3 secret keys.
|
||
|
* then does digest, hmac, encrypt/decrypt, signing operations.
|
||
|
*/
|
||
|
@@ -793,19 +793,14 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
|
||
|
|
||
|
CK_RV crv = CKR_OK;
|
||
|
|
||
|
- /*** DSA Key ***/
|
||
|
- CK_MECHANISM dsaParamGenMech;
|
||
|
- CK_ULONG primeBits = 1024;
|
||
|
- CK_ATTRIBUTE dsaParamGenTemplate[1];
|
||
|
- CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE;
|
||
|
- CK_BYTE DSA_P[128];
|
||
|
- CK_BYTE DSA_Q[20];
|
||
|
- CK_BYTE DSA_G[128];
|
||
|
- CK_MECHANISM dsaKeyPairGenMech;
|
||
|
- CK_ATTRIBUTE dsaPubKeyTemplate[5];
|
||
|
- CK_ATTRIBUTE dsaPrivKeyTemplate[5];
|
||
|
- CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE;
|
||
|
- CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE;
|
||
|
+ /*** ECDSA Key ***/
|
||
|
+ CK_BYTE ECDSA_P256_PARAMS[] =
|
||
|
+ { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 };
|
||
|
+ CK_MECHANISM ecdsaKeyPairGenMech;
|
||
|
+ CK_ATTRIBUTE ecdsaPubKeyTemplate[3];
|
||
|
+ CK_ATTRIBUTE ecdsaPrivKeyTemplate[5];
|
||
|
+ CK_OBJECT_HANDLE hECDSApubKey = CK_INVALID_HANDLE;
|
||
|
+ CK_OBJECT_HANDLE hECDSAprivKey = CK_INVALID_HANDLE;
|
||
|
|
||
|
/**** RSA Key ***/
|
||
|
CK_KEY_TYPE rsatype = CKK_RSA;
|
||
|
@@ -840,8 +835,8 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
|
||
|
CK_ATTRIBUTE sDES3KeyTemplate[9];
|
||
|
CK_OBJECT_HANDLE hDES3SecKey;
|
||
|
|
||
|
- CK_MECHANISM dsaWithSha1Mech = {
|
||
|
- CKM_DSA_SHA1, NULL, 0
|
||
|
+ CK_MECHANISM ecdsaWithSha256Mech = {
|
||
|
+ CKM_ECDSA_SHA256, NULL, 0
|
||
|
};
|
||
|
|
||
|
CK_BYTE IV[16];
|
||
|
@@ -888,45 +883,33 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
|
||
|
NUMTESTS++; /* increment NUMTESTS */
|
||
|
|
||
|
/* DSA key init */
|
||
|
- dsaParamGenMech.mechanism = CKM_DSA_PARAMETER_GEN;
|
||
|
- dsaParamGenMech.pParameter = NULL_PTR;
|
||
|
- dsaParamGenMech.ulParameterLen = 0;
|
||
|
- dsaParamGenTemplate[0].type = CKA_PRIME_BITS;
|
||
|
- dsaParamGenTemplate[0].pValue = &primeBits;
|
||
|
- dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits);
|
||
|
- dsaPubKeyTemplate[0].type = CKA_PRIME;
|
||
|
- dsaPubKeyTemplate[0].pValue = DSA_P;
|
||
|
- dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P);
|
||
|
- dsaPubKeyTemplate[1].type = CKA_SUBPRIME;
|
||
|
- dsaPubKeyTemplate[1].pValue = DSA_Q;
|
||
|
- dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q);
|
||
|
- dsaPubKeyTemplate[2].type = CKA_BASE;
|
||
|
- dsaPubKeyTemplate[2].pValue = DSA_G;
|
||
|
- dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G);
|
||
|
- dsaPubKeyTemplate[3].type = CKA_TOKEN;
|
||
|
- dsaPubKeyTemplate[3].pValue = &true;
|
||
|
- dsaPubKeyTemplate[3].ulValueLen = sizeof(true);
|
||
|
- dsaPubKeyTemplate[4].type = CKA_VERIFY;
|
||
|
- dsaPubKeyTemplate[4].pValue = &true;
|
||
|
- dsaPubKeyTemplate[4].ulValueLen = sizeof(true);
|
||
|
- dsaKeyPairGenMech.mechanism = CKM_DSA_KEY_PAIR_GEN;
|
||
|
- dsaKeyPairGenMech.pParameter = NULL_PTR;
|
||
|
- dsaKeyPairGenMech.ulParameterLen = 0;
|
||
|
- dsaPrivKeyTemplate[0].type = CKA_TOKEN;
|
||
|
- dsaPrivKeyTemplate[0].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
|
||
|
- dsaPrivKeyTemplate[1].type = CKA_PRIVATE;
|
||
|
- dsaPrivKeyTemplate[1].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
|
||
|
- dsaPrivKeyTemplate[2].type = CKA_SENSITIVE;
|
||
|
- dsaPrivKeyTemplate[2].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
|
||
|
- dsaPrivKeyTemplate[3].type = CKA_SIGN,
|
||
|
- dsaPrivKeyTemplate[3].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
|
||
|
- dsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE;
|
||
|
- dsaPrivKeyTemplate[4].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPubKeyTemplate[0].type = CKA_EC_PARAMS;
|
||
|
+ ecdsaPubKeyTemplate[0].pValue = ECDSA_P256_PARAMS;
|
||
|
+ ecdsaPubKeyTemplate[0].ulValueLen = sizeof(ECDSA_P256_PARAMS);
|
||
|
+ ecdsaPubKeyTemplate[1].type = CKA_TOKEN;
|
||
|
+ ecdsaPubKeyTemplate[1].pValue = &true;
|
||
|
+ ecdsaPubKeyTemplate[1].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPubKeyTemplate[2].type = CKA_VERIFY;
|
||
|
+ ecdsaPubKeyTemplate[2].pValue = &true;
|
||
|
+ ecdsaPubKeyTemplate[2].ulValueLen = sizeof(true);
|
||
|
+ ecdsaKeyPairGenMech.mechanism = CKM_ECDSA_KEY_PAIR_GEN;
|
||
|
+ ecdsaKeyPairGenMech.pParameter = NULL_PTR;
|
||
|
+ ecdsaKeyPairGenMech.ulParameterLen = 0;
|
||
|
+ ecdsaPrivKeyTemplate[0].type = CKA_TOKEN;
|
||
|
+ ecdsaPrivKeyTemplate[0].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPrivKeyTemplate[1].type = CKA_PRIVATE;
|
||
|
+ ecdsaPrivKeyTemplate[1].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPrivKeyTemplate[2].type = CKA_SENSITIVE;
|
||
|
+ ecdsaPrivKeyTemplate[2].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPrivKeyTemplate[3].type = CKA_SIGN,
|
||
|
+ ecdsaPrivKeyTemplate[3].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE;
|
||
|
+ ecdsaPrivKeyTemplate[4].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
|
||
|
|
||
|
/* RSA key init */
|
||
|
rsaKeyPairGenMech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
|
||
|
@@ -1148,52 +1131,18 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
|
||
|
return crv;
|
||
|
}
|
||
|
|
||
|
- PKM_LogIt("Generate DSA PQG domain parameters ... \n");
|
||
|
- /* Generate DSA domain parameters PQG */
|
||
|
- crv = pFunctionList->C_GenerateKey(hRwSession, &dsaParamGenMech,
|
||
|
- dsaParamGenTemplate,
|
||
|
- 1,
|
||
|
- &hDsaParams);
|
||
|
+ PKM_LogIt("Generate a ECDSA key pair ... \n");
|
||
|
+ /* Generate a persistent ECDSA key pair */
|
||
|
+ crv = pFunctionList->C_GenerateKeyPair(hRwSession, &ecdsaKeyPairGenMech,
|
||
|
+ ecdsaPubKeyTemplate,
|
||
|
+ NUM_ELEM(ecdsaPubKeyTemplate),
|
||
|
+ ecdsaPrivKeyTemplate,
|
||
|
+ NUM_ELEM(ecdsaPrivKeyTemplate),
|
||
|
+ &hECDSApubKey, &hECDSAprivKey);
|
||
|
if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("DSA domain parameter generation succeeded\n");
|
||
|
+ PKM_LogIt("ECDSA key pair generation succeeded\n");
|
||
|
} else {
|
||
|
- PKM_Error("DSA domain parameter generation failed "
|
||
|
- "with 0x%08X, %-26s\n",
|
||
|
- crv, PKM_CK_RVtoStr(crv));
|
||
|
- return crv;
|
||
|
- }
|
||
|
- crv = pFunctionList->C_GetAttributeValue(hRwSession, hDsaParams,
|
||
|
- dsaPubKeyTemplate, 3);
|
||
|
- if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("Getting DSA domain parameters succeeded\n");
|
||
|
- } else {
|
||
|
- PKM_Error("Getting DSA domain parameters failed "
|
||
|
- "with 0x%08X, %-26s\n",
|
||
|
- crv, PKM_CK_RVtoStr(crv));
|
||
|
- return crv;
|
||
|
- }
|
||
|
- crv = pFunctionList->C_DestroyObject(hRwSession, hDsaParams);
|
||
|
- if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("Destroying DSA domain parameters succeeded\n");
|
||
|
- } else {
|
||
|
- PKM_Error("Destroying DSA domain parameters failed "
|
||
|
- "with 0x%08X, %-26s\n",
|
||
|
- crv, PKM_CK_RVtoStr(crv));
|
||
|
- return crv;
|
||
|
- }
|
||
|
-
|
||
|
- PKM_LogIt("Generate a DSA key pair ... \n");
|
||
|
- /* Generate a persistent DSA key pair */
|
||
|
- crv = pFunctionList->C_GenerateKeyPair(hRwSession, &dsaKeyPairGenMech,
|
||
|
- dsaPubKeyTemplate,
|
||
|
- NUM_ELEM(dsaPubKeyTemplate),
|
||
|
- dsaPrivKeyTemplate,
|
||
|
- NUM_ELEM(dsaPrivKeyTemplate),
|
||
|
- &hDSApubKey, &hDSAprivKey);
|
||
|
- if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("DSA key pair generation succeeded\n");
|
||
|
- } else {
|
||
|
- PKM_Error("DSA key pair generation failed "
|
||
|
+ PKM_Error("ECDSA key pair generation failed "
|
||
|
"with 0x%08X, %-26s\n",
|
||
|
crv, PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
@@ -1414,10 +1363,10 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
|
||
|
} /* end of RSA for loop */
|
||
|
|
||
|
crv = PKM_PubKeySign(pFunctionList, hRwSession,
|
||
|
- hDSApubKey, hDSAprivKey,
|
||
|
- &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT));
|
||
|
+ hECDSApubKey, hECDSAprivKey,
|
||
|
+ &ecdsaWithSha256Mech, PLAINTEXT, sizeof(PLAINTEXT));
|
||
|
if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("PKM_PubKeySign for DSAwithSHA1 succeeded \n\n");
|
||
|
+ PKM_LogIt("PKM_PubKeySign for ECDSAwithSHA256 succeeded \n\n");
|
||
|
} else {
|
||
|
PKM_Error("PKM_PubKeySign failed "
|
||
|
"with 0x%08X, %-26s\n",
|
||
|
@@ -1425,8 +1374,8 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
|
||
|
return crv;
|
||
|
}
|
||
|
crv = PKM_DualFuncSign(pFunctionList, hRwSession,
|
||
|
- hDSApubKey, hDSAprivKey,
|
||
|
- &dsaWithSha1Mech,
|
||
|
+ hECDSApubKey, hECDSAprivKey,
|
||
|
+ &ecdsaWithSha256Mech,
|
||
|
hAESSecKey, &mech_AES_CBC,
|
||
|
PLAINTEXT, sizeof(PLAINTEXT));
|
||
|
if (crv == CKR_OK) {
|
||
|
@@ -1439,44 +1388,44 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
|
||
|
return crv;
|
||
|
}
|
||
|
crv = PKM_DualFuncSign(pFunctionList, hRwSession,
|
||
|
- hDSApubKey, hDSAprivKey,
|
||
|
- &dsaWithSha1Mech,
|
||
|
+ hECDSApubKey, hECDSAprivKey,
|
||
|
+ &ecdsaWithSha256Mech,
|
||
|
hDES3SecKey, &mech_DES3_CBC,
|
||
|
PLAINTEXT, sizeof(PLAINTEXT));
|
||
|
if (crv == CKR_OK) {
|
||
|
PKM_LogIt("PKM_DualFuncSign with DES3 secret key succeeded "
|
||
|
- "for DSAWithSHA1\n\n");
|
||
|
+ "for ECDSAWithSHA256\n\n");
|
||
|
} else {
|
||
|
PKM_Error("PKM_DualFuncSign with DES3 secret key failed "
|
||
|
- "for DSAWithSHA1 with 0x%08X, %-26s\n",
|
||
|
+ "for ECDSAWithSHA256 with 0x%08X, %-26s\n",
|
||
|
crv, PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
crv = PKM_DualFuncSign(pFunctionList, hRwSession,
|
||
|
- hDSApubKey, hDSAprivKey,
|
||
|
- &dsaWithSha1Mech,
|
||
|
+ hECDSApubKey, hECDSAprivKey,
|
||
|
+ &ecdsaWithSha256Mech,
|
||
|
hAESSecKey, &mech_AES_CBC_PAD,
|
||
|
PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
|
||
|
if (crv == CKR_OK) {
|
||
|
PKM_LogIt("PKM_DualFuncSign with AES secret key CBC_PAD succeeded "
|
||
|
- "for DSAWithSHA1\n\n");
|
||
|
+ "for DSAWithSHA256\n\n");
|
||
|
} else {
|
||
|
PKM_Error("PKM_DualFuncSign with AES secret key CBC_PAD failed "
|
||
|
- "for DSAWithSHA1 with 0x%08X, %-26s\n",
|
||
|
+ "for DSAWithSHA256 with 0x%08X, %-26s\n",
|
||
|
crv, PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
crv = PKM_DualFuncSign(pFunctionList, hRwSession,
|
||
|
- hDSApubKey, hDSAprivKey,
|
||
|
- &dsaWithSha1Mech,
|
||
|
+ hECDSApubKey, hECDSAprivKey,
|
||
|
+ &ecdsaWithSha256Mech,
|
||
|
hDES3SecKey, &mech_DES3_CBC_PAD,
|
||
|
PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
|
||
|
if (crv == CKR_OK) {
|
||
|
PKM_LogIt("PKM_DualFuncSign with DES3 secret key CBC_PAD succeeded "
|
||
|
- "for DSAWithSHA1\n\n");
|
||
|
+ "for ECDSAWithSHA256\n\n");
|
||
|
} else {
|
||
|
PKM_Error("PKM_DualFuncSign with DES3 secret key CBC_PAD failed "
|
||
|
- "for DSAWithSHA1 with 0x%08X, %-26s\n",
|
||
|
+ "for ECDSAWithSHA256 with 0x%08X, %-26s\n",
|
||
|
crv, PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
@@ -3029,7 +2978,7 @@ PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFun
|
||
|
}
|
||
|
|
||
|
/* Check that the mechanism is Multi-part */
|
||
|
- if (signMech->mechanism == CKM_DSA ||
|
||
|
+ if (signMech->mechanism == CKM_ECDSA ||
|
||
|
signMech->mechanism == CKM_RSA_PKCS) {
|
||
|
return crv;
|
||
|
}
|
||
|
@@ -3083,6 +3032,7 @@ PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFun
|
||
|
return crv;
|
||
|
}
|
||
|
|
||
|
+#define SHA256_LENGTH 32
|
||
|
CK_RV
|
||
|
PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunctionList,
|
||
|
CK_SLOT_ID *pSlotList,
|
||
|
@@ -3092,19 +3042,14 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
CK_SESSION_HANDLE hSession;
|
||
|
CK_RV crv = CKR_OK;
|
||
|
|
||
|
- /*** DSA Key ***/
|
||
|
- CK_MECHANISM dsaParamGenMech;
|
||
|
- CK_ULONG primeBits = 1024;
|
||
|
- CK_ATTRIBUTE dsaParamGenTemplate[1];
|
||
|
- CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE;
|
||
|
- CK_BYTE DSA_P[128];
|
||
|
- CK_BYTE DSA_Q[20];
|
||
|
- CK_BYTE DSA_G[128];
|
||
|
- CK_MECHANISM dsaKeyPairGenMech;
|
||
|
- CK_ATTRIBUTE dsaPubKeyTemplate[5];
|
||
|
- CK_ATTRIBUTE dsaPrivKeyTemplate[5];
|
||
|
- CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE;
|
||
|
- CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE;
|
||
|
+ /*** ECDSA Key ***/
|
||
|
+ CK_MECHANISM ecdsaKeyPairGenMech;
|
||
|
+ CK_ATTRIBUTE ecdsaPubKeyTemplate[3];
|
||
|
+ CK_ATTRIBUTE ecdsaPrivKeyTemplate[5];
|
||
|
+ CK_OBJECT_HANDLE hECDSApubKey = CK_INVALID_HANDLE;
|
||
|
+ CK_OBJECT_HANDLE hECDSAprivKey = CK_INVALID_HANDLE;
|
||
|
+ CK_BYTE ECDSA_P256_PARAMS[] =
|
||
|
+ { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 };
|
||
|
|
||
|
/* From SHA1ShortMsg.req, Len = 136 */
|
||
|
CK_BYTE MSG[] = {
|
||
|
@@ -3115,69 +3060,57 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
0x44
|
||
|
};
|
||
|
CK_BYTE MD[] = {
|
||
|
- 0xf7, 0x5d, 0x92, 0xa4,
|
||
|
- 0xbb, 0x4d, 0xec, 0xc3,
|
||
|
- 0x7c, 0x5c, 0x72, 0xfa,
|
||
|
- 0x04, 0x75, 0x71, 0x0a,
|
||
|
- 0x06, 0x75, 0x8c, 0x1d
|
||
|
+ 0x88, 0x78, 0xe1, 0x1e,
|
||
|
+ 0x63, 0x74, 0xa9, 0xd9,
|
||
|
+ 0x90, 0xd0, 0xeb, 0x2c,
|
||
|
+ 0xeb, 0x62, 0x2b, 0x04,
|
||
|
+ 0x53, 0x9f, 0xa0, 0xfc
|
||
|
};
|
||
|
|
||
|
- CK_BYTE sha1Digest[20];
|
||
|
- CK_ULONG sha1DigestLen;
|
||
|
- CK_BYTE dsaSig[40];
|
||
|
- CK_ULONG dsaSigLen;
|
||
|
- CK_MECHANISM sha1Mech = {
|
||
|
- CKM_SHA_1, NULL, 0
|
||
|
+ CK_BYTE sha256Digest[SHA256_LENGTH];
|
||
|
+ CK_ULONG sha256DigestLen;
|
||
|
+ CK_BYTE ecdsaSig[SHA256_LENGTH*2+1];
|
||
|
+ CK_ULONG ecdsaSigLen;
|
||
|
+ CK_MECHANISM sha256Mech = {
|
||
|
+ CKM_SHA256, NULL, 0
|
||
|
};
|
||
|
- CK_MECHANISM dsaMech = {
|
||
|
- CKM_DSA, NULL, 0
|
||
|
+ CK_MECHANISM ecdsaMech = {
|
||
|
+ CKM_ECDSA, NULL, 0
|
||
|
};
|
||
|
- CK_MECHANISM dsaWithSha1Mech = {
|
||
|
- CKM_DSA_SHA1, NULL, 0
|
||
|
+ CK_MECHANISM ecdsaWithSha256Mech = {
|
||
|
+ CKM_ECDSA_SHA256, NULL, 0
|
||
|
};
|
||
|
|
||
|
NUMTESTS++; /* increment NUMTESTS */
|
||
|
|
||
|
- /* DSA key init */
|
||
|
- dsaParamGenMech.mechanism = CKM_DSA_PARAMETER_GEN;
|
||
|
- dsaParamGenMech.pParameter = NULL_PTR;
|
||
|
- dsaParamGenMech.ulParameterLen = 0;
|
||
|
- dsaParamGenTemplate[0].type = CKA_PRIME_BITS;
|
||
|
- dsaParamGenTemplate[0].pValue = &primeBits;
|
||
|
- dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits);
|
||
|
- dsaPubKeyTemplate[0].type = CKA_PRIME;
|
||
|
- dsaPubKeyTemplate[0].pValue = DSA_P;
|
||
|
- dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P);
|
||
|
- dsaPubKeyTemplate[1].type = CKA_SUBPRIME;
|
||
|
- dsaPubKeyTemplate[1].pValue = DSA_Q;
|
||
|
- dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q);
|
||
|
- dsaPubKeyTemplate[2].type = CKA_BASE;
|
||
|
- dsaPubKeyTemplate[2].pValue = DSA_G;
|
||
|
- dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G);
|
||
|
- dsaPubKeyTemplate[3].type = CKA_TOKEN;
|
||
|
- dsaPubKeyTemplate[3].pValue = &true;
|
||
|
- dsaPubKeyTemplate[3].ulValueLen = sizeof(true);
|
||
|
- dsaPubKeyTemplate[4].type = CKA_VERIFY;
|
||
|
- dsaPubKeyTemplate[4].pValue = &true;
|
||
|
- dsaPubKeyTemplate[4].ulValueLen = sizeof(true);
|
||
|
- dsaKeyPairGenMech.mechanism = CKM_DSA_KEY_PAIR_GEN;
|
||
|
- dsaKeyPairGenMech.pParameter = NULL_PTR;
|
||
|
- dsaKeyPairGenMech.ulParameterLen = 0;
|
||
|
- dsaPrivKeyTemplate[0].type = CKA_TOKEN;
|
||
|
- dsaPrivKeyTemplate[0].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
|
||
|
- dsaPrivKeyTemplate[1].type = CKA_PRIVATE;
|
||
|
- dsaPrivKeyTemplate[1].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
|
||
|
- dsaPrivKeyTemplate[2].type = CKA_SENSITIVE;
|
||
|
- dsaPrivKeyTemplate[2].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
|
||
|
- dsaPrivKeyTemplate[3].type = CKA_SIGN,
|
||
|
- dsaPrivKeyTemplate[3].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
|
||
|
- dsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE;
|
||
|
- dsaPrivKeyTemplate[4].pValue = &true;
|
||
|
- dsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
|
||
|
+ /* ECDSA key init */
|
||
|
+ ecdsaPubKeyTemplate[0].type = CKA_EC_PARAMS;
|
||
|
+ ecdsaPubKeyTemplate[0].pValue = ECDSA_P256_PARAMS;
|
||
|
+ ecdsaPubKeyTemplate[0].ulValueLen = sizeof(ECDSA_P256_PARAMS);
|
||
|
+ ecdsaPubKeyTemplate[1].type = CKA_TOKEN;
|
||
|
+ ecdsaPubKeyTemplate[1].pValue = &true;
|
||
|
+ ecdsaPubKeyTemplate[1].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPubKeyTemplate[2].type = CKA_VERIFY;
|
||
|
+ ecdsaPubKeyTemplate[2].pValue = &true;
|
||
|
+ ecdsaPubKeyTemplate[2].ulValueLen = sizeof(true);
|
||
|
+ ecdsaKeyPairGenMech.mechanism = CKM_ECDSA_KEY_PAIR_GEN;
|
||
|
+ ecdsaKeyPairGenMech.pParameter = NULL_PTR;
|
||
|
+ ecdsaKeyPairGenMech.ulParameterLen = 0;
|
||
|
+ ecdsaPrivKeyTemplate[0].type = CKA_TOKEN;
|
||
|
+ ecdsaPrivKeyTemplate[0].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPrivKeyTemplate[1].type = CKA_PRIVATE;
|
||
|
+ ecdsaPrivKeyTemplate[1].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPrivKeyTemplate[2].type = CKA_SENSITIVE;
|
||
|
+ ecdsaPrivKeyTemplate[2].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPrivKeyTemplate[3].type = CKA_SIGN,
|
||
|
+ ecdsaPrivKeyTemplate[3].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
|
||
|
+ ecdsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE;
|
||
|
+ ecdsaPrivKeyTemplate[4].pValue = &true;
|
||
|
+ ecdsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
|
||
|
|
||
|
crv = pFunctionList->C_OpenSession(pSlotList[slotID],
|
||
|
CKF_RW_SESSION | CKF_SERIAL_SESSION,
|
||
|
@@ -3198,88 +3131,60 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
return crv;
|
||
|
}
|
||
|
|
||
|
- PKM_LogIt("Generate DSA PQG domain parameters ... \n");
|
||
|
- /* Generate DSA domain parameters PQG */
|
||
|
- crv = pFunctionList->C_GenerateKey(hSession, &dsaParamGenMech,
|
||
|
- dsaParamGenTemplate,
|
||
|
- 1,
|
||
|
- &hDsaParams);
|
||
|
- if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("DSA domain parameter generation succeeded\n");
|
||
|
- } else {
|
||
|
- PKM_Error("DSA domain parameter generation failed "
|
||
|
- "with 0x%08X, %-26s\n",
|
||
|
- crv, PKM_CK_RVtoStr(crv));
|
||
|
- return crv;
|
||
|
- }
|
||
|
- crv = pFunctionList->C_GetAttributeValue(hSession, hDsaParams,
|
||
|
- dsaPubKeyTemplate, 3);
|
||
|
- if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("Getting DSA domain parameters succeeded\n");
|
||
|
- } else {
|
||
|
- PKM_Error("Getting DSA domain parameters failed "
|
||
|
- "with 0x%08X, %-26s\n",
|
||
|
- crv, PKM_CK_RVtoStr(crv));
|
||
|
- return crv;
|
||
|
- }
|
||
|
- crv = pFunctionList->C_DestroyObject(hSession, hDsaParams);
|
||
|
- if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("Destroying DSA domain parameters succeeded\n");
|
||
|
- } else {
|
||
|
- PKM_Error("Destroying DSA domain parameters failed "
|
||
|
- "with 0x%08X, %-26s\n",
|
||
|
- crv, PKM_CK_RVtoStr(crv));
|
||
|
- return crv;
|
||
|
- }
|
||
|
-
|
||
|
- PKM_LogIt("Generate a DSA key pair ... \n");
|
||
|
- /* Generate a persistent DSA key pair */
|
||
|
- crv = pFunctionList->C_GenerateKeyPair(hSession, &dsaKeyPairGenMech,
|
||
|
- dsaPubKeyTemplate,
|
||
|
- NUM_ELEM(dsaPubKeyTemplate),
|
||
|
- dsaPrivKeyTemplate,
|
||
|
- NUM_ELEM(dsaPrivKeyTemplate),
|
||
|
- &hDSApubKey, &hDSAprivKey);
|
||
|
+ PKM_LogIt("Generate a ECDSA key pair ... \n");
|
||
|
+ /* Generate a persistent ECDSA key pair */
|
||
|
+ crv = pFunctionList->C_GenerateKeyPair(hSession, &ecdsaKeyPairGenMech,
|
||
|
+ ecdsaPubKeyTemplate,
|
||
|
+ NUM_ELEM(ecdsaPubKeyTemplate),
|
||
|
+ ecdsaPrivKeyTemplate,
|
||
|
+ NUM_ELEM(ecdsaPrivKeyTemplate),
|
||
|
+ &hECDSApubKey, &hECDSAprivKey);
|
||
|
if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("DSA key pair generation succeeded\n");
|
||
|
+ PKM_LogIt("ECDSA key pair generation succeeded\n");
|
||
|
} else {
|
||
|
- PKM_Error("DSA key pair generation failed "
|
||
|
+ PKM_Error("ECDSA key pair generation failed "
|
||
|
"with 0x%08X, %-26s\n",
|
||
|
crv, PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
|
||
|
/* Compute SHA-1 digest */
|
||
|
- crv = pFunctionList->C_DigestInit(hSession, &sha1Mech);
|
||
|
+ crv = pFunctionList->C_DigestInit(hSession, &sha256Mech);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_DigestInit failed with 0x%08X, %-26s\n", crv,
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
- sha1DigestLen = sizeof(sha1Digest);
|
||
|
+ sha256DigestLen = sizeof(sha256Digest);
|
||
|
crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG),
|
||
|
- sha1Digest, &sha1DigestLen);
|
||
|
+ sha256Digest, &sha256DigestLen);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_Digest failed with 0x%08X, %-26s\n", crv,
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
- if (sha1DigestLen != sizeof(sha1Digest)) {
|
||
|
- PKM_Error("sha1DigestLen is %lu\n", sha1DigestLen);
|
||
|
+ if (sha256DigestLen != sizeof(sha256Digest)) {
|
||
|
+ PKM_Error("sha1DigestLen is %lu\n", sha256DigestLen);
|
||
|
return crv;
|
||
|
}
|
||
|
|
||
|
- if (memcmp(sha1Digest, MD, sizeof(MD)) == 0) {
|
||
|
- PKM_LogIt("SHA-1 SHA1ShortMsg test case Len = 136 passed\n");
|
||
|
+ if (memcmp(sha256Digest, MD, sizeof(MD)) == 0) {
|
||
|
+ PKM_LogIt("SHA-256 SHA256ShortMsg test case Len = 136 passed\n");
|
||
|
} else {
|
||
|
- PKM_Error("SHA-1 SHA1ShortMsg test case Len = 136 failed\n");
|
||
|
+ int i;
|
||
|
+ PKM_Error("SHA-256 SHA256ShortMsg test case Len = 136 failed\n");
|
||
|
+ fprintf(stderr, "sha256Digest: ");
|
||
|
+ for (i=0; i < sizeof(MD); i++) fprintf(stderr, " 0x%02x", sha256Digest[i]);
|
||
|
+ fprintf(stderr, "\nMD: ");
|
||
|
+ for (i=0; i < sizeof(MD); i++) fprintf(stderr, " 0x%02x", MD[i]);
|
||
|
+ fprintf(stderr, "\n");
|
||
|
}
|
||
|
|
||
|
crv = PKM_PubKeySign(pFunctionList, hSession,
|
||
|
- hDSApubKey, hDSAprivKey,
|
||
|
- &dsaMech, sha1Digest, sizeof(sha1Digest));
|
||
|
+ hECDSApubKey, hECDSAprivKey,
|
||
|
+ &ecdsaMech, sha256Digest, sizeof(sha256Digest));
|
||
|
if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("PKM_PubKeySign CKM_DSA succeeded \n");
|
||
|
+ PKM_LogIt("PKM_PubKeySign CKM_ECDSA succeeded \n");
|
||
|
} else {
|
||
|
PKM_Error("PKM_PubKeySign failed "
|
||
|
"with 0x%08X, %-26s\n",
|
||
|
@@ -3287,10 +3192,10 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
return crv;
|
||
|
}
|
||
|
crv = PKM_PubKeySign(pFunctionList, hSession,
|
||
|
- hDSApubKey, hDSAprivKey,
|
||
|
- &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT));
|
||
|
+ hECDSApubKey, hECDSAprivKey,
|
||
|
+ &ecdsaWithSha256Mech, PLAINTEXT, sizeof(PLAINTEXT));
|
||
|
if (crv == CKR_OK) {
|
||
|
- PKM_LogIt("PKM_PubKeySign CKM_DSA_SHA1 succeeded \n");
|
||
|
+ PKM_LogIt("PKM_PubKeySign CKM_DSA_SHA256 succeeded \n");
|
||
|
} else {
|
||
|
PKM_Error("PKM_PubKeySign failed "
|
||
|
"with 0x%08X, %-26s\n",
|
||
|
@@ -3298,16 +3203,16 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
return crv;
|
||
|
}
|
||
|
|
||
|
- /* Sign with DSA */
|
||
|
- crv = pFunctionList->C_SignInit(hSession, &dsaMech, hDSAprivKey);
|
||
|
+ /* Sign with ECDSA */
|
||
|
+ crv = pFunctionList->C_SignInit(hSession, &ecdsaMech, hECDSAprivKey);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_SignInit failed with 0x%08X, %-26s\n", crv,
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
- dsaSigLen = sizeof(dsaSig);
|
||
|
- crv = pFunctionList->C_Sign(hSession, sha1Digest, sha1DigestLen,
|
||
|
- dsaSig, &dsaSigLen);
|
||
|
+ ecdsaSigLen = sizeof(ecdsaSig);
|
||
|
+ crv = pFunctionList->C_Sign(hSession, sha256Digest, sha256DigestLen,
|
||
|
+ ecdsaSig, &ecdsaSigLen);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_Sign failed with 0x%08X, %-26s\n", crv,
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
@@ -3315,14 +3220,14 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
}
|
||
|
|
||
|
/* Verify the DSA signature */
|
||
|
- crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey);
|
||
|
+ crv = pFunctionList->C_VerifyInit(hSession, &ecdsaMech, hECDSApubKey);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv,
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
- crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen,
|
||
|
- dsaSig, dsaSigLen);
|
||
|
+ crv = pFunctionList->C_Verify(hSession, sha256Digest, sha256DigestLen,
|
||
|
+ ecdsaSig, ecdsaSigLen);
|
||
|
if (crv == CKR_OK) {
|
||
|
PKM_LogIt("C_Verify succeeded\n");
|
||
|
} else {
|
||
|
@@ -3332,8 +3237,8 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
}
|
||
|
|
||
|
/* Verify the signature in a different way */
|
||
|
- crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech,
|
||
|
- hDSApubKey);
|
||
|
+ crv = pFunctionList->C_VerifyInit(hSession, &ecdsaWithSha256Mech,
|
||
|
+ hECDSApubKey);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv,
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
@@ -3351,7 +3256,7 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
- crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen);
|
||
|
+ crv = pFunctionList->C_VerifyFinal(hSession, ecdsaSig, ecdsaSigLen);
|
||
|
if (crv == CKR_OK) {
|
||
|
PKM_LogIt("C_VerifyFinal succeeded\n");
|
||
|
} else {
|
||
|
@@ -3361,8 +3266,8 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
}
|
||
|
|
||
|
/* Verify the signature in a different way */
|
||
|
- crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech,
|
||
|
- hDSApubKey);
|
||
|
+ crv = pFunctionList->C_VerifyInit(hSession, &ecdsaWithSha256Mech,
|
||
|
+ hECDSApubKey);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n",
|
||
|
crv, PKM_CK_RVtoStr(crv));
|
||
|
@@ -3380,7 +3285,7 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
crv, PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
- crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen);
|
||
|
+ crv = pFunctionList->C_VerifyFinal(hSession, ecdsaSig, ecdsaSigLen);
|
||
|
if (crv == CKR_OK) {
|
||
|
PKM_LogIt("C_VerifyFinal of multi update succeeded.\n");
|
||
|
} else {
|
||
|
@@ -3391,28 +3296,28 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
|
||
|
/* Now modify the data */
|
||
|
MSG[0] += 1;
|
||
|
/* Compute SHA-1 digest */
|
||
|
- crv = pFunctionList->C_DigestInit(hSession, &sha1Mech);
|
||
|
+ crv = pFunctionList->C_DigestInit(hSession, &sha256Mech);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_DigestInit failed with 0x%08X, %-26s\n", crv,
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
- sha1DigestLen = sizeof(sha1Digest);
|
||
|
+ sha256DigestLen = sizeof(sha256Digest);
|
||
|
crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG),
|
||
|
- sha1Digest, &sha1DigestLen);
|
||
|
+ sha256Digest, &sha256DigestLen);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_Digest failed with 0x%08X, %-26s\n", crv,
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
- crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey);
|
||
|
+ crv = pFunctionList->C_VerifyInit(hSession, &ecdsaMech, hECDSApubKey);
|
||
|
if (crv != CKR_OK) {
|
||
|
PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv,
|
||
|
PKM_CK_RVtoStr(crv));
|
||
|
return crv;
|
||
|
}
|
||
|
- crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen,
|
||
|
- dsaSig, dsaSigLen);
|
||
|
+ crv = pFunctionList->C_Verify(hSession, sha256Digest, sha256DigestLen,
|
||
|
+ ecdsaSig, ecdsaSigLen);
|
||
|
if (crv != CKR_SIGNATURE_INVALID) {
|
||
|
PKM_Error("C_Verify of modified data succeeded\n");
|
||
|
return crv;
|
||
|
@@ -5020,7 +4925,7 @@ PKM_DualFuncSign(CK_FUNCTION_LIST_PTR pF
|
||
|
NUMTESTS++; /* increment NUMTESTS */
|
||
|
|
||
|
/* Check that the mechanism is Multi-part */
|
||
|
- if (sigMech->mechanism == CKM_DSA || sigMech->mechanism == CKM_RSA_PKCS) {
|
||
|
+ if (sigMech->mechanism == CKM_ECDSA || sigMech->mechanism == CKM_RSA_PKCS) {
|
||
|
PKM_Error("PKM_DualFuncSign must be called with a Multi-part "
|
||
|
"operation mechanism\n");
|
||
|
return CKR_DEVICE_ERROR;
|
||
|
diff -up ./coreconf/config.mk.disable_dsa ./coreconf/config.mk
|
||
|
--- ./coreconf/config.mk.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./coreconf/config.mk 2024-06-17 09:38:50.438019407 -0700
|
||
|
@@ -183,6 +183,10 @@ ifdef NSS_DISABLE_DBM
|
||
|
DEFINES += -DNSS_DISABLE_DBM
|
||
|
endif
|
||
|
|
||
|
+ifdef NSS_DISABLE_DSA
|
||
|
+DEFINES += -DNSS_DISABLE_DSA
|
||
|
+endif
|
||
|
+
|
||
|
ifdef NSS_DISABLE_AVX2
|
||
|
DEFINES += -DNSS_DISABLE_AVX2
|
||
|
endif
|
||
|
diff -up ./gtests/pk11_gtest/manifest.mn.disable_dsa ./gtests/pk11_gtest/manifest.mn
|
||
|
--- ./gtests/pk11_gtest/manifest.mn.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./gtests/pk11_gtest/manifest.mn 2024-06-17 09:38:50.438019407 -0700
|
||
|
@@ -6,6 +6,10 @@ CORE_DEPTH = ../..
|
||
|
DEPTH = ../..
|
||
|
MODULE = nss
|
||
|
|
||
|
+ifndef NSS_DISABLE_DSA
|
||
|
+ DSA_UNIT_TESTS=pk11_dsa_unittest.cc
|
||
|
+endif
|
||
|
+
|
||
|
CPPSRCS = \
|
||
|
json_reader.cc \
|
||
|
pk11_aes_gcm_unittest.cc \
|
||
|
@@ -17,7 +21,7 @@ CPPSRCS = \
|
||
|
pk11_curve25519_unittest.cc \
|
||
|
pk11_der_private_key_import_unittest.cc \
|
||
|
pk11_des_unittest.cc \
|
||
|
- pk11_dsa_unittest.cc \
|
||
|
+ ${DSA_UNIT_TESTS} \
|
||
|
pk11_ecdsa_unittest.cc \
|
||
|
pk11_eddsa_unittest.cc \
|
||
|
pk11_ecdh_unittest.cc \
|
||
|
diff -up ./gtests/pk11_gtest/pk11_import_unittest.cc.disable_dsa ./gtests/pk11_gtest/pk11_import_unittest.cc
|
||
|
--- ./gtests/pk11_gtest/pk11_import_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./gtests/pk11_gtest/pk11_import_unittest.cc 2024-06-17 09:38:50.438019407 -0700
|
||
|
@@ -261,7 +261,9 @@ TEST_P(Pk11KeyImportTest, GenerateExport
|
||
|
|
||
|
INSTANTIATE_TEST_SUITE_P(Pk11KeyImportTest, Pk11KeyImportTest,
|
||
|
::testing::Values(CKM_RSA_PKCS_KEY_PAIR_GEN,
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
CKM_DSA_KEY_PAIR_GEN,
|
||
|
+#endif
|
||
|
CKM_DH_PKCS_KEY_PAIR_GEN));
|
||
|
|
||
|
class Pk11KeyImportTestEC : public Pk11KeyImportTestBase,
|
||
|
diff -up ./gtests/ssl_gtest/ssl_auth_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_auth_unittest.cc
|
||
|
--- ./gtests/ssl_gtest/ssl_auth_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./gtests/ssl_gtest/ssl_auth_unittest.cc 2024-06-17 09:38:50.438019407 -0700
|
||
|
@@ -532,6 +532,7 @@ TEST_P(TlsConnectTls12, AutoClientSelect
|
||
|
EXPECT_TRUE(ecc.hookCalled);
|
||
|
}
|
||
|
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
TEST_P(TlsConnectTls12, AutoClientSelectDsa) {
|
||
|
AutoClientResults dsa = {{SECFailure, TlsAgent::kClient},
|
||
|
{SECFailure, TlsAgent::kClient},
|
||
|
@@ -548,6 +549,7 @@ TEST_P(TlsConnectTls12, AutoClientSelect
|
||
|
Connect();
|
||
|
EXPECT_TRUE(dsa.hookCalled);
|
||
|
}
|
||
|
+#endif
|
||
|
|
||
|
TEST_P(TlsConnectClientAuthStream13, PostHandshakeAuthMultiple) {
|
||
|
client_->SetupClientAuth(std::get<2>(GetParam()), true);
|
||
|
@@ -1841,7 +1843,7 @@ TEST_F(TlsAgentStreamTestServer, Configu
|
||
|
// A server should refuse to even start a handshake with
|
||
|
// misconfigured certificate and signature scheme.
|
||
|
TEST_P(TlsConnectTls12Plus, MisconfiguredCertScheme) {
|
||
|
- Reset(TlsAgent::kServerDsa);
|
||
|
+ Reset(TlsAgent::kServerRsaSign);
|
||
|
static const SSLSignatureScheme kScheme[] = {ssl_sig_ecdsa_secp256r1_sha256};
|
||
|
server_->SetSignatureSchemes(kScheme, PR_ARRAY_SIZE(kScheme));
|
||
|
ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
|
||
|
@@ -1882,6 +1884,9 @@ TEST_P(TlsConnectTls13, Tls13DsaOnlyClie
|
||
|
client_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||
|
}
|
||
|
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
+// can't test a dsa only server becasue we can't generate a server
|
||
|
+// DSA certificate
|
||
|
TEST_P(TlsConnectTls13, Tls13DsaOnlyServer) {
|
||
|
Reset(TlsAgent::kServerDsa);
|
||
|
static const SSLSignatureScheme kDsa[] = {ssl_sig_dsa_sha256};
|
||
|
@@ -1890,6 +1895,7 @@ TEST_P(TlsConnectTls13, Tls13DsaOnlyServ
|
||
|
server_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||
|
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||
|
}
|
||
|
+#endif
|
||
|
|
||
|
TEST_P(TlsConnectTls13, Tls13Pkcs1OnlyClient) {
|
||
|
static const SSLSignatureScheme kPkcs1[] = {ssl_sig_rsa_pkcs1_sha256};
|
||
|
diff -up ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
|
||
|
--- ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc 2024-06-17 09:38:50.438019407 -0700
|
||
|
@@ -383,8 +383,10 @@ INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V
|
||
|
kDummySignatureSchemesParams,
|
||
|
TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||
|
TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
|
||
|
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
|
||
|
+#endif
|
||
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
|
||
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
|
||
|
INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12, kDummyNamedGroupParams,
|
||
|
@@ -395,16 +397,20 @@ INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12
|
||
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||
|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
|
||
|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
|
||
|
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
||
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||
|
- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
|
||
|
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
|
||
|
INSTANTIATE_CIPHER_TEST_P(
|
||
|
CBC12, All, V12, kDummyNamedGroupParams, kDummySignatureSchemesParams,
|
||
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
|
||
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
|
||
|
- TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
|
||
|
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
|
||
|
+ TLS_RSA_WITH_AES_128_CBC_SHA256
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
+ , TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
|
||
|
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
|
||
|
+#endif
|
||
|
+ );
|
||
|
INSTANTIATE_CIPHER_TEST_P(
|
||
|
CBCStream, Stream, V10ToV12, kDummyNamedGroupParams,
|
||
|
kDummySignatureSchemesParams, TLS_ECDH_ECDSA_WITH_NULL_SHA,
|
||
|
@@ -431,8 +437,12 @@ INSTANTIATE_CIPHER_TEST_P(
|
||
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
|
||
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
|
||
|
- TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
|
||
|
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
|
||
|
+ TLS_RSA_WITH_AES_128_CBC_SHA256
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
+ , TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
|
||
|
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
|
||
|
+#endif
|
||
|
+ );
|
||
|
#ifndef NSS_DISABLE_TLS_1_3
|
||
|
INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
|
||
|
::testing::ValuesIn(kFasterDHEGroups),
|
||
|
diff -up ./gtests/ssl_gtest/ssl_dhe_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_dhe_unittest.cc
|
||
|
--- ./gtests/ssl_gtest/ssl_dhe_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./gtests/ssl_gtest/ssl_dhe_unittest.cc 2024-06-17 09:45:33.575416837 -0700
|
||
|
@@ -622,6 +622,7 @@ class TlsDheSkeChangeSignature : public
|
||
|
size_t len_;
|
||
|
};
|
||
|
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
TEST_P(TlsConnectGenericPre13, InvalidDERSignatureFfdhe) {
|
||
|
const uint8_t kBogusDheSignature[] = {
|
||
|
0x30, 0x69, 0x3c, 0x02, 0x1c, 0x7d, 0x0b, 0x2f, 0x64, 0x00, 0x27,
|
||
|
@@ -642,6 +643,7 @@ TEST_P(TlsConnectGenericPre13, InvalidDE
|
||
|
ConnectExpectAlert(client_, kTlsAlertDecryptError);
|
||
|
client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
|
||
|
}
|
||
|
+#endif
|
||
|
|
||
|
TEST_P(TlsConnectTls12, ConnectInconsistentSigAlgDHE) {
|
||
|
EnableOnlyDheCiphers();
|
||
|
diff -up ./gtests/ssl_gtest/ssl_extension_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_extension_unittest.cc
|
||
|
--- ./gtests/ssl_gtest/ssl_extension_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./gtests/ssl_gtest/ssl_extension_unittest.cc 2024-06-17 09:38:50.438019407 -0700
|
||
|
@@ -651,7 +651,10 @@ TEST_P(TlsExtensionTest12, SignatureAlgo
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
// This only works on TLS 1.2, since it relies on DSA.
|
||
|
+// and doesn't work if we've disabled DSA (Reset(TlsAgent:kServerDSA) fail
|
||
|
+// because we don't have a DSA certificate)
|
||
|
TEST_P(TlsExtensionTest12, SignatureAlgorithmDisableDSA) {
|
||
|
const std::vector<SSLSignatureScheme> schemes = {
|
||
|
ssl_sig_dsa_sha1, ssl_sig_dsa_sha256, ssl_sig_dsa_sha384,
|
||
|
@@ -700,6 +703,7 @@ TEST_P(TlsExtensionTest12, SignatureAlgo
|
||
|
EXPECT_TRUE(ext2.Read(2, 2, &v));
|
||
|
EXPECT_EQ(ssl_sig_rsa_pss_rsae_sha256, v);
|
||
|
}
|
||
|
+#endif
|
||
|
|
||
|
// Temporary test to verify that we choke on an empty ClientKeyShare.
|
||
|
// This test will fail when we implement HelloRetryRequest.
|
||
|
diff -up ./lib/softoken/pkcs11c.c.disable_dsa ./lib/softoken/pkcs11c.c
|
||
|
--- ./lib/softoken/pkcs11c.c.disable_dsa 2024-06-17 09:38:50.434019363 -0700
|
||
|
+++ ./lib/softoken/pkcs11c.c 2024-06-17 09:38:50.439019418 -0700
|
||
|
@@ -2665,6 +2665,7 @@ sftk_RSASignPSS(SFTKPSSSignInfo *info, u
|
||
|
return rv;
|
||
|
}
|
||
|
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
static SECStatus
|
||
|
nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
|
||
|
void *dataBuf, unsigned int dataLen)
|
||
|
@@ -2690,6 +2691,7 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
|
||
|
*sigLen = signature.len;
|
||
|
return rv;
|
||
|
}
|
||
|
+#endif
|
||
|
|
||
|
static SECStatus
|
||
|
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
|
||
|
@@ -2905,6 +2907,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
|
||
|
context->maxLen = nsslowkey_PrivateModulusLen(pinfo->key);
|
||
|
break;
|
||
|
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
#define INIT_DSA_SIG_MECH(mmm) \
|
||
|
case CKM_DSA_##mmm: \
|
||
|
context->multi = PR_TRUE; \
|
||
|
@@ -2933,6 +2936,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
|
||
|
context->maxLen = DSA_MAX_SIGNATURE_LEN;
|
||
|
|
||
|
break;
|
||
|
+#endif
|
||
|
|
||
|
#define INIT_ECDSA_SIG_MECH(mmm) \
|
||
|
case CKM_ECDSA_##mmm: \
|
||
|
@@ -3717,6 +3721,7 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
|
||
|
context->verify = (SFTKVerify)sftk_RSACheckSignPSS;
|
||
|
break;
|
||
|
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
INIT_DSA_SIG_MECH(SHA1)
|
||
|
INIT_DSA_SIG_MECH(SHA224)
|
||
|
INIT_DSA_SIG_MECH(SHA256)
|
||
|
@@ -3736,6 +3741,7 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
|
||
|
context->verify = (SFTKVerify)nsc_DSA_Verify_Stub;
|
||
|
context->destroy = sftk_Null;
|
||
|
break;
|
||
|
+#endif
|
||
|
|
||
|
INIT_ECDSA_SIG_MECH(SHA1)
|
||
|
INIT_ECDSA_SIG_MECH(SHA224)
|
||
|
@@ -4753,12 +4759,16 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||
|
key_gen_type = nsc_pbe;
|
||
|
crv = nsc_SetupPBEKeyGen(pMechanism, &pbe_param, &key_type, &key_length);
|
||
|
break;
|
||
|
+/*#ifndef NSS_DISABLE_DSA */
|
||
|
+/* some applications use CKM_DSA_PARAMTER_GEN for week DH keys...
|
||
|
+ * most notably tests... continue to allow it for now */
|
||
|
case CKM_DSA_PARAMETER_GEN:
|
||
|
key_gen_type = nsc_param;
|
||
|
key_type = CKK_DSA;
|
||
|
objclass = CKO_DOMAIN_PARAMETERS;
|
||
|
crv = CKR_OK;
|
||
|
break;
|
||
|
+/* #endif */
|
||
|
case CKM_NSS_JPAKE_ROUND1_SHA1:
|
||
|
hashType = HASH_AlgSHA1;
|
||
|
goto jpake1;
|
||
|
@@ -5121,11 +5131,13 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||
|
signature_length = modulusLen;
|
||
|
mech.mechanism = CKM_RSA_PKCS;
|
||
|
break;
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
case CKK_DSA:
|
||
|
signature_length = DSA_MAX_SIGNATURE_LEN;
|
||
|
pairwise_digest_length = subPrimeLen;
|
||
|
mech.mechanism = CKM_DSA;
|
||
|
break;
|
||
|
+#endif
|
||
|
case CKK_EC:
|
||
|
signature_length = MAX_ECKEY_LEN * 2;
|
||
|
mech.mechanism = CKM_ECDSA;
|
||
|
@@ -5373,10 +5385,12 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||
|
SECItem pubExp;
|
||
|
RSAPrivateKey *rsaPriv;
|
||
|
|
||
|
+ DHParams dhParam;
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
/* DSA */
|
||
|
PQGParams pqgParam;
|
||
|
- DHParams dhParam;
|
||
|
DSAPrivateKey *dsaPriv;
|
||
|
+#endif
|
||
|
|
||
|
/* Diffie Hellman */
|
||
|
DHPrivateKey *dhPriv;
|
||
|
@@ -5552,6 +5566,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||
|
/* Should zeroize the contents first, since this func doesn't. */
|
||
|
PORT_FreeArena(rsaPriv->arena, PR_TRUE);
|
||
|
break;
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
case CKM_DSA_KEY_PAIR_GEN:
|
||
|
sftk_DeleteAttributeType(publicKey, CKA_VALUE);
|
||
|
sftk_DeleteAttributeType(privateKey, CKA_NSS_DB);
|
||
|
@@ -5663,6 +5678,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||
|
/* should zeroize, since this function doesn't. */
|
||
|
PORT_FreeArena(dsaPriv->params.arena, PR_TRUE);
|
||
|
break;
|
||
|
+#endif
|
||
|
|
||
|
case CKM_DH_PKCS_KEY_PAIR_GEN:
|
||
|
sftk_DeleteAttributeType(privateKey, CKA_PRIME);
|
||
|
diff -up ./lib/softoken/pkcs11.c.disable_dsa ./lib/softoken/pkcs11.c
|
||
|
--- ./lib/softoken/pkcs11.c.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./lib/softoken/pkcs11.c 2024-06-17 09:38:50.439019418 -0700
|
||
|
@@ -359,6 +359,7 @@ static const struct mechanismList mechan
|
||
|
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
|
||
|
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
|
||
|
/* ------------------------- DSA Operations --------------------------- */
|
||
|
+#ifndef NSS_DISABLE_DSA
|
||
|
{ CKM_DSA_KEY_PAIR_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
|
||
|
{ CKM_DSA, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
|
||
|
{ CKM_DSA_PARAMETER_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE }, PR_TRUE },
|
||
|
@@ -367,6 +368,7 @@ static const struct mechanismList mechan
|
||
|
{ CKM_DSA_SHA256, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
|
||
|
{ CKM_DSA_SHA384, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
|
||
|
{ CKM_DSA_SHA512, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
|
||
|
+#endif
|
||
|
/* -------------------- Diffie Hellman Operations --------------------- */
|
||
|
/* no diffie hellman yet */
|
||
|
{ CKM_DH_PKCS_KEY_PAIR_GEN, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
|
||
|
diff -up ./tests/cert/cert.sh.disable_dsa ./tests/cert/cert.sh
|
||
|
--- ./tests/cert/cert.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./tests/cert/cert.sh 2024-06-17 09:38:50.440019429 -0700
|
||
|
@@ -288,12 +288,14 @@ cert_create_cert()
|
||
|
return $RET
|
||
|
fi
|
||
|
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
CU_ACTION="Import DSA Root CA for $CERTNAME"
|
||
|
certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \
|
||
|
-d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1
|
||
|
if [ "$RET" -ne 0 ]; then
|
||
|
return $RET
|
||
|
fi
|
||
|
+ fi
|
||
|
|
||
|
|
||
|
CU_ACTION="Import EC Root CA for $CERTNAME"
|
||
|
@@ -342,6 +344,7 @@ cert_add_cert()
|
||
|
#
|
||
|
# Generate and add DSA cert
|
||
|
#
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
CU_ACTION="Generate DSA Cert Request for $CERTNAME"
|
||
|
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||
|
certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||
|
@@ -392,6 +395,7 @@ cert_add_cert()
|
||
|
return $RET
|
||
|
fi
|
||
|
cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created"
|
||
|
+ fi
|
||
|
|
||
|
#
|
||
|
# Generate and add EC cert
|
||
|
@@ -504,6 +508,7 @@ cert_all_CA()
|
||
|
# in the chain
|
||
|
|
||
|
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
#
|
||
|
# Create DSA version of TestCA
|
||
|
ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||
|
@@ -527,6 +532,7 @@ cert_all_CA()
|
||
|
rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert
|
||
|
# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
|
||
|
# in the chain
|
||
|
+ fi
|
||
|
|
||
|
#
|
||
|
# Create RSA-PSS version of TestCA
|
||
|
@@ -988,6 +994,7 @@ cert_extended_ssl()
|
||
|
certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
|
||
|
-i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
|
||
|
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
#
|
||
|
# Repeat the above for DSA certs
|
||
|
#
|
||
|
@@ -1031,6 +1038,7 @@ cert_extended_ssl()
|
||
|
# certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \
|
||
|
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
|
||
|
# 2>&1
|
||
|
+ fi
|
||
|
|
||
|
#
|
||
|
# Repeat the above for EC certs
|
||
|
@@ -1084,18 +1092,18 @@ cert_extended_ssl()
|
||
|
# we'll use one of the longer nicknames for testing.
|
||
|
# (Because "grep -w hostname" matches "grep -w hostname-dsamixed")
|
||
|
MYDBPASS="-d ${PROFILEDIR} -f ${R_PWFILE}"
|
||
|
- TESTNAME="Ensure there's exactly one match for ${CERTNAME}-dsamixed"
|
||
|
- cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}"
|
||
|
+ TESTNAME="Ensure there's exactly one match for ${CERTNAME}-ecmixed"
|
||
|
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-ecmixed" 0 1 "${TESTNAME}"
|
||
|
|
||
|
- CU_ACTION="Repeated import of $CERTNAME's mixed DSA Cert with different nickname"
|
||
|
- certu -A -n "${CERTNAME}-repeated-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
|
||
|
- -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
|
||
|
+ CU_ACTION="Repeated import of $CERTNAME's mixed EC Cert with different nickname"
|
||
|
+ certu -A -n "${CERTNAME}-repeated-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
|
||
|
+ -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
|
||
|
|
||
|
- TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-dsamixed"
|
||
|
- cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}"
|
||
|
+ TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-ecmixed"
|
||
|
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-ecmixed" 0 1 "${TESTNAME}"
|
||
|
|
||
|
- TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-dsamixed"
|
||
|
- cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-dsamixed" 0 0 "${TESTNAME}"
|
||
|
+ TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-ecmixed"
|
||
|
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-ecmixed" 0 0 "${TESTNAME}"
|
||
|
|
||
|
echo "Importing all the server's own CA chain into the servers DB"
|
||
|
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
|
||
|
@@ -1140,6 +1148,7 @@ cert_extended_ssl()
|
||
|
#
|
||
|
# Repeat the above for DSA certs
|
||
|
#
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
|
||
|
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||
|
certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
|
||
|
@@ -1183,6 +1192,7 @@ cert_extended_ssl()
|
||
|
#
|
||
|
# done with mixed DSA certs
|
||
|
#
|
||
|
+ fi
|
||
|
|
||
|
#
|
||
|
# Repeat the above for EC certs
|
||
|
@@ -1273,8 +1283,10 @@ cert_ssl()
|
||
|
CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
|
||
|
certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
|
||
|
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
|
||
|
certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
|
||
|
+ fi
|
||
|
|
||
|
CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
|
||
|
certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
|
||
|
@@ -1383,9 +1395,14 @@ MODSCRIPT
|
||
|
certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}"
|
||
|
RETEXPECTED=0
|
||
|
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
+ FIPS_KEY="-k dsa"
|
||
|
+ else
|
||
|
+ FIPS_KEY="-k ec -q nistp256"
|
||
|
+ fi
|
||
|
CU_ACTION="Generate Certificate for ${CERTNAME}"
|
||
|
CU_SUBJECT="CN=${CERTNAME}, E=fips@example.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
|
||
|
- certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
|
||
|
+ certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" ${FIPS_KEY} -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
|
||
|
if [ "$RET" -eq 0 ]; then
|
||
|
cert_log "SUCCESS: FIPS passed"
|
||
|
fi
|
||
|
@@ -1817,6 +1834,7 @@ EOF_CRLINI
|
||
|
chmod 600 ${CRL_FILE_GRP_1}_or
|
||
|
|
||
|
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
CU_ACTION="Generating CRL (DSA) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-dsa authority"
|
||
|
|
||
|
# Until Bug 292285 is resolved, do not encode x400 Addresses. After
|
||
|
@@ -1831,6 +1849,7 @@ addext issuerAltNames 0 "rfc822Name:ca-d
|
||
|
EOF_CRLINI
|
||
|
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
|
||
|
chmod 600 ${CRL_FILE_GRP_1}_or-dsa
|
||
|
+ fi
|
||
|
|
||
|
|
||
|
|
||
|
@@ -1867,6 +1886,7 @@ EOF_CRLINI
|
||
|
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
|
||
|
|
||
|
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
CU_ACTION="Modify CRL (DSA) by adding one more cert"
|
||
|
crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1-dsa \
|
||
|
-i ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI
|
||
|
@@ -1876,6 +1896,7 @@ EOF_CRLINI
|
||
|
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
|
||
|
chmod 600 ${CRL_FILE_GRP_1}_or1-dsa
|
||
|
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa"
|
||
|
+ fi
|
||
|
|
||
|
|
||
|
CU_ACTION="Modify CRL (ECC) by adding one more cert"
|
||
|
@@ -1902,6 +1923,7 @@ EOF_CRLINI
|
||
|
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
|
||
|
|
||
|
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
CU_ACTION="Modify CRL (DSA) by removing one cert"
|
||
|
sleep 2
|
||
|
CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
|
||
|
@@ -1912,6 +1934,7 @@ rmcert ${UNREVOKED_CERT_GRP_1}
|
||
|
EOF_CRLINI
|
||
|
chmod 600 ${CRL_FILE_GRP_1}
|
||
|
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-dsa"
|
||
|
+ fi
|
||
|
|
||
|
|
||
|
|
||
|
diff -up ./tests/chains/scenarios/scenarios.disable_dsa ./tests/chains/scenarios/scenarios
|
||
|
--- ./tests/chains/scenarios/scenarios.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./tests/chains/scenarios/scenarios 2024-06-17 09:38:50.440019429 -0700
|
||
|
@@ -16,7 +16,7 @@ bridgewithaia.cfg
|
||
|
bridgewithhalfaia.cfg
|
||
|
bridgewithpolicyextensionandmapping.cfg
|
||
|
realcerts.cfg
|
||
|
-dsa.cfg
|
||
|
+#dsa.cfg
|
||
|
revoc.cfg
|
||
|
ocsp.cfg
|
||
|
crldp.cfg
|
||
|
diff -up ./tests/cipher/performance.sh.disable_dsa ./tests/cipher/performance.sh
|
||
|
--- ./tests/cipher/performance.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./tests/cipher/performance.sh 2024-06-17 09:38:50.440019429 -0700
|
||
|
@@ -95,6 +95,7 @@ done < ${RSAPERFOUT}
|
||
|
echo "</TABLE><BR>" >> ${PERFRESULTS}
|
||
|
fi
|
||
|
|
||
|
+if [ -z "${NSS_DISABLE_DSA}" ]; then
|
||
|
if [ $TESTSET = "all" -o $TESTSET = "dsa" ]; then
|
||
|
|
||
|
while read mode keysize bufsize reps cxreps
|
||
|
@@ -124,6 +125,7 @@ done < ${DSAPERFOUT}
|
||
|
|
||
|
echo "</TABLE><BR>" >> ${PERFRESULTS}
|
||
|
fi
|
||
|
+fi
|
||
|
|
||
|
if [ $TESTSET = "all" -o $TESTSET = "hash" ]; then
|
||
|
while read mode bufsize reps
|
||
|
diff -up ./tests/dbtests/dbtests.sh.disable_dsa ./tests/dbtests/dbtests.sh
|
||
|
--- ./tests/dbtests/dbtests.sh.disable_dsa 2024-06-17 09:38:50.412019123 -0700
|
||
|
+++ ./tests/dbtests/dbtests.sh 2024-06-17 09:38:50.440019429 -0700
|
||
|
@@ -257,7 +257,13 @@ dbtest_main()
|
||
|
fi
|
||
|
# import a token private key and make sure the corresponding public key is
|
||
|
# created
|
||
|
- ${BINDIR}/pk11importtest -d ${CONFLICT_DIR} -f ${R_PWFILE}
|
||
|
+ IMPORT_OPTIONS=""
|
||
|
+ if [ -n "$NSS_DISABLE_DSA" ]; then
|
||
|
+ IMPORT_OPTIONS="-D noDSA"
|
||
|
+ fi
|
||
|
+ Echo "Importing Token Private Key"
|
||
|
+ echo "pk11importtest ${IMPORT_OPTIONS} -d ${CONFLICT_DIR} -f ${R_PWFILE}"
|
||
|
+ ${BINDIR}/pk11importtest ${IMPORT_OPTIONS} -d ${CONFLICT_DIR} -f ${R_PWFILE}
|
||
|
ret=$?
|
||
|
if [ $ret -ne 0 ]; then
|
||
|
html_failed "Importing Token Private Key does not create the corrresponding Public Key"
|
||
|
diff -up ./tests/ssl_gtests/ssl_gtests.sh.disable_dsa ./tests/ssl_gtests/ssl_gtests.sh
|
||
|
--- ./tests/ssl_gtests/ssl_gtests.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./tests/ssl_gtests/ssl_gtests.sh 2024-06-17 09:38:50.440019429 -0700
|
||
|
@@ -56,7 +56,9 @@ ssl_gtest_certs() {
|
||
|
make_cert rsa_pss_chain rsapss_chain sign
|
||
|
make_cert rsa_ca_rsa_pss_chain rsa_ca_rsapss_chain sign
|
||
|
make_cert ecdh_rsa ecdh_rsa kex
|
||
|
- make_cert dsa dsa sign
|
||
|
+ if [ -z "${NSS_DISABLE_DSA}" ]; then
|
||
|
+ make_cert dsa dsa sign
|
||
|
+ fi
|
||
|
make_cert delegator_ecdsa256 delegator_p256 sign
|
||
|
make_cert delegator_rsae2048 delegator_rsae2048 sign
|
||
|
make_cert delegator_rsa_pss2048 delegator_rsa_pss2048 sign
|
||
|
diff -up ./tests/ssl/sslcov.txt.disable_dsa ./tests/ssl/sslcov.txt
|
||
|
--- ./tests/ssl/sslcov.txt.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./tests/ssl/sslcov.txt 2024-06-17 09:38:50.440019429 -0700
|
||
|
@@ -16,7 +16,6 @@
|
||
|
noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
|
||
|
noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
|
||
|
noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|
||
|
- noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
|
||
|
noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384
|
||
|
# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||
|
# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||
|
@@ -51,20 +50,15 @@
|
||
|
noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
|
||
|
noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
|
||
|
noECC TLS12 :0016 TLS12_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||
|
- noECC TLS12 :0032 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA
|
||
|
noECC TLS12 :0033 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA
|
||
|
- noECC TLS12 :0038 TLS12_DHE_DSS_WITH_AES_256_CBC_SHA
|
||
|
noECC TLS12 :0039 TLS12_DHE_RSA_WITH_AES_256_CBC_SHA
|
||
|
noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
|
||
|
noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
|
||
|
noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
|
||
|
- noECC TLS12 :0040 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA256
|
||
|
noECC TLS12 :0067 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||
|
- noECC TLS12 :006A TLS12_DHE_DSS_WITH_AES_256_CBC_SHA256
|
||
|
noECC TLS12 :006B TLS12_DHE_RSA_WITH_AES_256_CBC_SHA256
|
||
|
noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
|
||
|
noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
|
||
|
- noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
|
||
|
noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||
|
noECC TLS13 :1301 TLS13_DHE_WITH_AES_128_GCM_SHA256
|
||
|
noECC TLS13 :1302 TLS13_DHE_WITH_AES_256_GCM_SHA384
|
||
|
diff -up ./tests/ssl/ssl.sh.disable_dsa ./tests/ssl/ssl.sh
|
||
|
--- ./tests/ssl/ssl.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./tests/ssl/ssl.sh 2024-06-17 09:38:50.440019429 -0700
|
||
|
@@ -251,20 +251,26 @@ start_selfserv()
|
||
|
else
|
||
|
RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss"
|
||
|
fi
|
||
|
+ if [ -z "$NSS_DISABLE_DSA" ]; then
|
||
|
+ DSA_OPTIONS="-S ${HOSTADDR}-dsa"
|
||
|
+ else
|
||
|
+ DSA_OPTIONS=""
|
||
|
+ fi
|
||
|
+
|
||
|
SERVER_VMIN=${SERVER_VMIN-ssl3}
|
||
|
SERVER_VMAX=${SERVER_VMAX-tls1.2}
|
||
|
echo "selfserv starting at `date`"
|
||
|
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\"
|
||
|
- echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\"
|
||
|
+ echo " ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID}\\"
|
||
|
echo " -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &"
|
||
|
if [ ${fileout} -eq 1 ]; then
|
||
|
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
|
||
|
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \
|
||
|
+ ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \
|
||
|
> ${SERVEROUTFILE} 2>&1 &
|
||
|
RET=$?
|
||
|
else
|
||
|
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
|
||
|
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &
|
||
|
+ ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &
|
||
|
RET=$?
|
||
|
fi
|
||
|
|
||
|
diff -up ./tests/ssl/sslstress.txt.disable_dsa ./tests/ssl/sslstress.txt
|
||
|
--- ./tests/ssl/sslstress.txt.disable_dsa 2024-06-07 09:26:03.000000000 -0700
|
||
|
+++ ./tests/ssl/sslstress.txt 2024-06-17 09:38:50.440019429 -0700
|
||
|
@@ -55,15 +55,6 @@
|
||
|
|
||
|
|
||
|
noECC 0 -c_:0039 -V_ssl3:tls1.2_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse)
|
||
|
- noECC 0 -c_:0040 -V_ssl3:tls1.2_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse)
|
||
|
-
|
||
|
-# noECC 0 -c_:0038_-u -V_ssl3:tls1.2_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket)
|
||
|
-# use the above session ticket test, once session tickets with DHE_DSS are working
|
||
|
- noECC 0 -c_:0038 -V_ssl3:tls1.2_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse)
|
||
|
-
|
||
|
-# noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256
|
||
|
-# use the above reuse test, once the session cache with DHE_DSS is working
|
||
|
- noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse
|
||
|
|
||
|
noECC 0 -c_:006B -V_ssl3:tls1.2_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse)
|
||
|
noECC 0 -c_:009E -V_ssl3:tls1.2_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse)
|
||
|
@@ -71,11 +62,3 @@
|
||
|
#
|
||
|
# add client auth versions here...
|
||
|
#
|
||
|
- noECC 0 -r_-r_-c_:0032 -V_ssl3:tls1.2_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth)
|
||
|
- noECC 0 -r_-r_-c_:0067 -V_ssl3:tls1.2_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth)
|
||
|
-
|
||
|
-# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth)
|
||
|
-# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth)
|
||
|
-# use the above session ticket test, once session tickets with DHE_DSS are working
|
||
|
- noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth)
|
||
|
- noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (no reuse, client auth)
|