|
 |
9e5f05 |
From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001
|
|
|
9e5f05 |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
9e5f05 |
Date: Fri, 23 Feb 2018 10:43:44 -0500
|
|
|
9e5f05 |
Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048
|
|
|
9e5f05 |
|
|
|
9e5f05 |
Remove keys < 2048 for the NSS tests. This affects some of the
|
|
|
9e5f05 |
OpenSSL tests as well where they run in a combined loop.
|
|
|
9e5f05 |
|
|
|
9e5f05 |
Where it was not invasive to do I left the 1024/1536 for OpenSSL.
|
|
|
9e5f05 |
---
|
|
|
9e5f05 |
tests/001-keyiread-dsa/expected.out | 6 +++---
|
|
|
9e5f05 |
tests/001-keyiread-dsa/run.sh | 2 +-
|
|
|
9e5f05 |
tests/001-keyiread-rsa/expected.out | 2 --
|
|
|
9e5f05 |
tests/001-keyiread-rsa/run.sh | 2 +-
|
|
|
9e5f05 |
tests/001-keyiread/expected.out | 2 --
|
|
|
9e5f05 |
tests/001-keyiread/run.sh | 2 +-
|
|
|
9e5f05 |
tests/002-keygen-rsa/expected.out | 6 ------
|
|
|
9e5f05 |
tests/002-keygen-rsa/run.sh | 2 +-
|
|
|
9e5f05 |
tests/002-keygen/expected.out | 18 ------------------
|
|
|
9e5f05 |
tests/002-keygen/run.sh | 2 +-
|
|
|
9e5f05 |
tests/003-csrgen-rsa/expected.out | 6 ------
|
|
|
9e5f05 |
tests/003-csrgen-rsa/run.sh | 4 ++--
|
|
|
9e5f05 |
tests/003-csrgen/expected.out | 8 --------
|
|
|
9e5f05 |
tests/003-csrgen/run.sh | 4 ++--
|
|
|
9e5f05 |
tests/004-selfsign-rsa/expected.out | 2 --
|
|
|
9e5f05 |
tests/004-selfsign-rsa/run.sh | 2 +-
|
|
|
9e5f05 |
tests/004-selfsign/expected.out | 2 --
|
|
|
9e5f05 |
tests/004-selfsign/run.sh | 2 +-
|
|
|
9e5f05 |
18 files changed, 14 insertions(+), 60 deletions(-)
|
|
|
9e5f05 |
|
|
|
9e5f05 |
diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out
|
|
|
9e5f05 |
index b09db0ae..50643176 100644
|
|
|
9e5f05 |
--- a/tests/001-keyiread-dsa/expected.out
|
|
|
9e5f05 |
+++ b/tests/001-keyiread-dsa/expected.out
|
|
|
9e5f05 |
@@ -1,4 +1,4 @@
|
|
|
9e5f05 |
-OK (DSA:1024).
|
|
|
9e5f05 |
-OK (DSA:1024).
|
|
|
9e5f05 |
-OK (DSA:1024).
|
|
|
9e5f05 |
+OK (DSA:2048).
|
|
|
9e5f05 |
+OK (DSA:2048).
|
|
|
9e5f05 |
+OK (DSA:2048).
|
|
|
9e5f05 |
Test complete.
|
|
|
9e5f05 |
diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh
|
|
|
9e5f05 |
index 9f96b3bc..68f6d1c3 100755
|
|
|
9e5f05 |
--- a/tests/001-keyiread-dsa/run.sh
|
|
|
9e5f05 |
+++ b/tests/001-keyiread-dsa/run.sh
|
|
|
9e5f05 |
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
|
9e5f05 |
source "$srcdir"/functions
|
|
|
9e5f05 |
initnssdb "$tmpdir"
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 ; do
|
|
|
9e5f05 |
+for size in 2048 ; do
|
|
|
9e5f05 |
# Generate a self-signed cert.
|
|
|
9e5f05 |
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
|
9e5f05 |
-s "cn=T$size" -c "cn=T$size" \
|
|
|
9e5f05 |
diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
|
|
|
9e5f05 |
index 727897d1..3daa51f2 100644
|
|
|
9e5f05 |
--- a/tests/001-keyiread-rsa/expected.out
|
|
|
9e5f05 |
+++ b/tests/001-keyiread-rsa/expected.out
|
|
|
9e5f05 |
@@ -1,5 +1,3 @@
|
|
|
9e5f05 |
-OK (RSA:1024).
|
|
|
9e5f05 |
-OK (RSA:1536).
|
|
|
9e5f05 |
OK (RSA:2048).
|
|
|
9e5f05 |
OK (RSA:3072).
|
|
|
9e5f05 |
OK (RSA:4096).
|
|
|
9e5f05 |
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
|
|
|
9e5f05 |
index c7b77686..ec31c7c7 100755
|
|
|
9e5f05 |
--- a/tests/001-keyiread-rsa/run.sh
|
|
|
9e5f05 |
+++ b/tests/001-keyiread-rsa/run.sh
|
|
|
9e5f05 |
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
|
9e5f05 |
source "$srcdir"/functions
|
|
|
9e5f05 |
initnssdb "$tmpdir"
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 1536 2048 3072 4096 ; do
|
|
|
9e5f05 |
+for size in 2048 3072 4096 ; do
|
|
|
9e5f05 |
# Generate a self-signed cert.
|
|
|
9e5f05 |
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
|
9e5f05 |
-s "cn=T$size" -c "cn=T$size" \
|
|
|
9e5f05 |
diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
|
|
|
9e5f05 |
index 727897d1..3daa51f2 100644
|
|
|
9e5f05 |
--- a/tests/001-keyiread/expected.out
|
|
|
9e5f05 |
+++ b/tests/001-keyiread/expected.out
|
|
|
9e5f05 |
@@ -1,5 +1,3 @@
|
|
|
9e5f05 |
-OK (RSA:1024).
|
|
|
9e5f05 |
-OK (RSA:1536).
|
|
|
9e5f05 |
OK (RSA:2048).
|
|
|
9e5f05 |
OK (RSA:3072).
|
|
|
9e5f05 |
OK (RSA:4096).
|
|
|
9e5f05 |
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
|
|
|
9e5f05 |
index ce1428ed..0b31df95 100755
|
|
|
9e5f05 |
--- a/tests/001-keyiread/run.sh
|
|
|
9e5f05 |
+++ b/tests/001-keyiread/run.sh
|
|
|
9e5f05 |
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
|
9e5f05 |
source "$srcdir"/functions
|
|
|
9e5f05 |
initnssdb "$tmpdir"
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 1536 2048 3072 4096 ; do
|
|
|
9e5f05 |
+for size in 2048 3072 4096 ; do
|
|
|
9e5f05 |
# Generate a self-signed cert.
|
|
|
9e5f05 |
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
|
9e5f05 |
-s "cn=T$size" -c "cn=T$size" \
|
|
|
9e5f05 |
diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
|
|
|
9e5f05 |
index 3e6e9f3c..f7c146d0 100644
|
|
|
9e5f05 |
--- a/tests/002-keygen-rsa/expected.out
|
|
|
9e5f05 |
+++ b/tests/002-keygen-rsa/expected.out
|
|
|
9e5f05 |
@@ -1,9 +1,3 @@
|
|
|
9e5f05 |
-[nss:1024]
|
|
|
9e5f05 |
-OK.
|
|
|
9e5f05 |
-OK (RSA:1024).
|
|
|
9e5f05 |
-[nss:1536]
|
|
|
9e5f05 |
-OK.
|
|
|
9e5f05 |
-OK (RSA:1536).
|
|
|
9e5f05 |
[nss:2048]
|
|
|
9e5f05 |
OK.
|
|
|
9e5f05 |
OK (RSA:2048).
|
|
|
9e5f05 |
diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
|
|
|
9e5f05 |
index 476f4127..c0c59249 100755
|
|
|
9e5f05 |
--- a/tests/002-keygen-rsa/run.sh
|
|
|
9e5f05 |
+++ b/tests/002-keygen-rsa/run.sh
|
|
|
9e5f05 |
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
|
9e5f05 |
source "$srcdir"/functions
|
|
|
9e5f05 |
initnssdb "$tmpdir"
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 1536 2048 3072 4096 ; do
|
|
|
9e5f05 |
+for size in 2048 3072 4096 ; do
|
|
|
9e5f05 |
echo "[nss:$size]"
|
|
|
9e5f05 |
# Generate a key.
|
|
|
9e5f05 |
cat > entry.$size <<- EOF
|
|
|
9e5f05 |
diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
|
|
|
9e5f05 |
index dcd1af06..b8fbea56 100644
|
|
|
9e5f05 |
--- a/tests/002-keygen/expected.out
|
|
|
9e5f05 |
+++ b/tests/002-keygen/expected.out
|
|
|
9e5f05 |
@@ -1,21 +1,3 @@
|
|
|
9e5f05 |
-[nss:1024]
|
|
|
9e5f05 |
-OK.
|
|
|
9e5f05 |
-OK (RSA:1024).
|
|
|
9e5f05 |
-OK.
|
|
|
9e5f05 |
-OK (RSA:1024 after RSA:1024).
|
|
|
9e5f05 |
-OK.
|
|
|
9e5f05 |
-OK (RSA:1024 after RSA:1024).
|
|
|
9e5f05 |
-keyi1024
|
|
|
9e5f05 |
-keyi1024 (candidate (next))
|
|
|
9e5f05 |
-[nss:1536]
|
|
|
9e5f05 |
-OK.
|
|
|
9e5f05 |
-OK (RSA:1536).
|
|
|
9e5f05 |
-OK.
|
|
|
9e5f05 |
-OK (RSA:1536 after RSA:1536).
|
|
|
9e5f05 |
-OK.
|
|
|
9e5f05 |
-OK (RSA:1536 after RSA:1536).
|
|
|
9e5f05 |
-keyi1536
|
|
|
9e5f05 |
-keyi1536 (candidate (next))
|
|
|
9e5f05 |
[nss:2048]
|
|
|
9e5f05 |
OK.
|
|
|
9e5f05 |
OK (RSA:2048).
|
|
|
9e5f05 |
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
|
|
|
9e5f05 |
index 08af1523..94230e6f 100755
|
|
|
9e5f05 |
--- a/tests/002-keygen/run.sh
|
|
|
9e5f05 |
+++ b/tests/002-keygen/run.sh
|
|
|
9e5f05 |
@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}"
|
|
|
9e5f05 |
source "$srcdir"/functions
|
|
|
9e5f05 |
initnssdb "$scheme$tmpdir"
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 1536 2048 3072 4096 ; do
|
|
|
9e5f05 |
+for size in 2048 3072 4096 ; do
|
|
|
9e5f05 |
echo "[nss:$size]"
|
|
|
9e5f05 |
# Generate a key.
|
|
|
9e5f05 |
cat > entry.$size <<- EOF
|
|
|
9e5f05 |
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
|
|
|
9e5f05 |
index c9dec729..def53fe4 100644
|
|
|
9e5f05 |
--- a/tests/003-csrgen-rsa/expected.out
|
|
|
9e5f05 |
+++ b/tests/003-csrgen-rsa/expected.out
|
|
|
9e5f05 |
@@ -1,10 +1,4 @@
|
|
|
9e5f05 |
pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
|
9e5f05 |
-1024 OK.
|
|
|
9e5f05 |
-Signature OK
|
|
|
9e5f05 |
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
|
9e5f05 |
-1536 OK.
|
|
|
9e5f05 |
-Signature OK
|
|
|
9e5f05 |
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
|
9e5f05 |
2048 OK.
|
|
|
9e5f05 |
Signature OK
|
|
|
9e5f05 |
pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
|
9e5f05 |
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
|
|
|
9e5f05 |
index 4cd84084..bb8ebecb 100755
|
|
|
9e5f05 |
--- a/tests/003-csrgen-rsa/run.sh
|
|
|
9e5f05 |
+++ b/tests/003-csrgen-rsa/run.sh
|
|
|
9e5f05 |
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
|
9e5f05 |
source "$srcdir"/functions
|
|
|
9e5f05 |
initnssdb "$tmpdir"
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 1536 2048 3072 4096 ; do
|
|
|
9e5f05 |
+for size in 2048 3072 4096 ; do
|
|
|
9e5f05 |
# Build a self-signed certificate.
|
|
|
9e5f05 |
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
|
9e5f05 |
-s "cn=T$size" -c "cn=T$size" \
|
|
|
9e5f05 |
@@ -147,7 +147,7 @@ iterate() {
|
|
|
9e5f05 |
|
|
|
9e5f05 |
iteration=1
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 ; do
|
|
|
9e5f05 |
+for size in 2048 ; do
|
|
|
9e5f05 |
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment"
|
|
|
9e5f05 |
done
|
|
|
9e5f05 |
|
|
|
9e5f05 |
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
|
|
|
9e5f05 |
index 8e6cac6e..04342c0f 100644
|
|
|
9e5f05 |
--- a/tests/003-csrgen/expected.out
|
|
|
9e5f05 |
+++ b/tests/003-csrgen/expected.out
|
|
|
9e5f05 |
@@ -1,13 +1,5 @@
|
|
|
9e5f05 |
pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
|
9e5f05 |
Signature OK
|
|
|
9e5f05 |
-minicert.openssl.1024.pem: OK
|
|
|
9e5f05 |
-1024 OK.
|
|
|
9e5f05 |
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
|
9e5f05 |
-Signature OK
|
|
|
9e5f05 |
-minicert.openssl.1536.pem: OK
|
|
|
9e5f05 |
-1536 OK.
|
|
|
9e5f05 |
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
|
9e5f05 |
-Signature OK
|
|
|
9e5f05 |
minicert.openssl.2048.pem: OK
|
|
|
9e5f05 |
2048 OK.
|
|
|
9e5f05 |
pk12util: PKCS12 EXPORT SUCCESSFUL
|
|
|
9e5f05 |
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
|
|
|
9e5f05 |
index 7c169ed9..31466b5c 100755
|
|
|
9e5f05 |
--- a/tests/003-csrgen/run.sh
|
|
|
9e5f05 |
+++ b/tests/003-csrgen/run.sh
|
|
|
9e5f05 |
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
|
|
9e5f05 |
source "$srcdir"/functions
|
|
|
9e5f05 |
initnssdb "$tmpdir"
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 1536 2048 3072 4096 ; do
|
|
|
9e5f05 |
+for size in 2048 3072 4096 ; do
|
|
|
9e5f05 |
# Build a self-signed certificate.
|
|
|
9e5f05 |
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
|
9e5f05 |
-s "cn=T$size" -c "cn=T$size" \
|
|
|
9e5f05 |
@@ -199,7 +199,7 @@ iterate() {
|
|
|
9e5f05 |
|
|
|
9e5f05 |
iteration=1
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 ; do
|
|
|
9e5f05 |
+for size in 2048 ; do
|
|
|
9e5f05 |
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype"
|
|
|
9e5f05 |
done
|
|
|
9e5f05 |
|
|
|
9e5f05 |
diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
|
|
|
9e5f05 |
index dd5029ec..0eb84ef1 100644
|
|
|
9e5f05 |
--- a/tests/004-selfsign-rsa/expected.out
|
|
|
9e5f05 |
+++ b/tests/004-selfsign-rsa/expected.out
|
|
|
9e5f05 |
@@ -1,5 +1,3 @@
|
|
|
9e5f05 |
-1024 OK.
|
|
|
9e5f05 |
-1536 OK.
|
|
|
9e5f05 |
2048 OK.
|
|
|
9e5f05 |
3072 OK.
|
|
|
9e5f05 |
4096 OK.
|
|
|
9e5f05 |
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
|
|
|
9e5f05 |
index 6f9285b6..c1dd4c80 100755
|
|
|
9e5f05 |
--- a/tests/004-selfsign-rsa/run.sh
|
|
|
9e5f05 |
+++ b/tests/004-selfsign-rsa/run.sh
|
|
|
9e5f05 |
@@ -33,7 +33,7 @@ function setupca() {
|
|
|
9e5f05 |
EOF
|
|
|
9e5f05 |
}
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 1536 2048 3072 4096 ; do
|
|
|
9e5f05 |
+for size in 2048 3072 4096 ; do
|
|
|
9e5f05 |
# Build a self-signed certificate.
|
|
|
9e5f05 |
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
|
9e5f05 |
-s "cn=T$size" -c "cn=T$size" \
|
|
|
9e5f05 |
diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
|
|
|
9e5f05 |
index dd5029ec..0eb84ef1 100644
|
|
|
9e5f05 |
--- a/tests/004-selfsign/expected.out
|
|
|
9e5f05 |
+++ b/tests/004-selfsign/expected.out
|
|
|
9e5f05 |
@@ -1,5 +1,3 @@
|
|
|
9e5f05 |
-1024 OK.
|
|
|
9e5f05 |
-1536 OK.
|
|
|
9e5f05 |
2048 OK.
|
|
|
9e5f05 |
3072 OK.
|
|
|
9e5f05 |
4096 OK.
|
|
|
9e5f05 |
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
|
|
|
9e5f05 |
index 7bb368ec..eb1df4ee 100755
|
|
|
9e5f05 |
--- a/tests/004-selfsign/run.sh
|
|
|
9e5f05 |
+++ b/tests/004-selfsign/run.sh
|
|
|
9e5f05 |
@@ -43,7 +43,7 @@ function setupca() {
|
|
|
9e5f05 |
EOF
|
|
|
9e5f05 |
}
|
|
|
9e5f05 |
|
|
|
9e5f05 |
-for size in 1024 1536 2048 3072 4096 ; do
|
|
|
9e5f05 |
+for size in 2048 3072 4096 ; do
|
|
|
9e5f05 |
# Build a self-signed certificate.
|
|
|
9e5f05 |
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
|
|
9e5f05 |
-s "cn=T$size" -c "cn=T$size" \
|
|
|
9e5f05 |
--
|
|
|
9e5f05 |
2.16.2
|
|
|
9e5f05 |
|