From 8701289f05f376f93bff35c6a8c606a3bcb08432 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Jan 11 2018 19:50:24 +0000
Subject: [PATCH 1/5] Perm issues in sqlite databases show up in slightly different ways
SQLite databases may return SEC_ERROR_READ_ONLY instead of SEC_ERROR_BAD_DATABASE. If a database is opened as read-write but it fails (e.g. in a read-only directory) it will try again to open it as read-only and potentially fail because it doesn't exist at all. This sets errno as ENOENT rather than the expected EACCES so treat that as a read failure as well.
Related: https://pagure.io/certmonger/issue/88
---
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 67deb88..a2c9700 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -128,10 +128,13 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 NSS_INIT_NOMODDB);
 ec = PORT_GetError();
 if (ctx == NULL) {
- if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
+ if ((ec == SEC_ERROR_READ_ONLY) && readwrite) {
+ ec = PR_NO_ACCESS_RIGHTS_ERROR;
+ } else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
 switch (errno) {
 case EACCES:
 case EPERM:
+ case ENOENT:
 ec = PR_NO_ACCESS_RIGHTS_ERROR;
 break;
 default:
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 08f0049..8078a52 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -169,10 +169,14 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 NSS_INIT_NOMODDB);
 ec = PORT_GetError();
 if (ctx == NULL) {
- if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
+ if ((ec == SEC_ERROR_READ_ONLY) && readwrite) {
+ ec = PR_NO_ACCESS_RIGHTS_ERROR;
+ }
+ else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
 switch (errno) {
 case EACCES:
 case EPERM:
+ case ENOENT:
 ec = PR_NO_ACCESS_RIGHTS_ERROR;
 break;
 default:
From aa1b511224277f377cb8aebf93a06dc25d993c18 Mon Sep 17 00:00:00 2001
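Review bot: The new `case ENOENT:` in the errno switch makes a database directory that simply does not exist report as PR_NO_ACCESS_RIGHTS_ERROR, and nothing in the code says why a "no such file" result is being treated as a permissions failure; the reasoning (NSS retries a failed read-write open as read-only, and that retry is what fails with ENOENT) lives only in the commit message. A comment above the new case would keep the next reader from reverting it: `/* NSS retries a failed RW open read-only; if that retry fails with ENOENT the original failure was the RW open, so report it as a permissions error. */`. The same addition appears in the keygen-n.c hunk, and the two hunks differ in brace style (`} else if` in certsave-n.c, `}` followed by `else if` on its own line in keygen-n.c); one form should be used in both. The bodies of cm_certsave_n_main and cm_keygen_n_main continue outside the hunks, so whether anything between NSS_InitContext and the errno read can clobber errno is not visible here.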
From: Rob Crittenden Date: Jan 11 2018 19:50:24 +0000 Subject: [PATCH 2/5] SQLite databases require a password to modify trust and to sign This affects certutil -M and cmsutil -S. Need to add -f pinfile. https://pagure.io/certmonger/issue/88 --- diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh index 9b50da4..07fea68 100755 --- a/tests/030-rekey/run.sh +++ b/tests/030-rekey/run.sh @@ -140,11 +140,11 @@ for preserve in 1 0 ; do echo "This is the plaintext." > plain.txt echo "NSS Signing:" - certutil -M -d $tmpdir -n i$size -t P,P,P - cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed + certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile + cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile echo "NSS Verify:" - cmsutil -D -d $tmpdir -f pinfile -i signed - certutil -M -d $tmpdir -n i$size -t ,, + cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile + certutil -M -d $tmpdir -n i$size -t ,, -f pinfile # Go and save the new certs and keys (NSS). echo '(saving)' @@ -163,11 +163,11 @@ for preserve in 1 0 ; do echo "This is the plaintext." > plain.txt echo "NSS Signing:" - certutil -M -d $tmpdir -n i$size -t P,P,P - cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed + certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile + cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile echo "NSS Verify:" - cmsutil -D -d $tmpdir -f pinfile -i signed - certutil -M -d $tmpdir -n i$size -t ,, + cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile + certutil -M -d $tmpdir -n i$size -t ,, -f pinfile # Now generate new keys, CSRs, and certificates (OpenSSL). echo "PEM keys before re-keygen (preserve=$preserve,pin=\"$pin\"):" From d78ad9271a520e57adce43c53aa47f529e25e6cf Mon Sep 17 00:00:00 2001 
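Review bot: The two cmsutil lines in the first hunk now pass `-f pinfile` twice, since the option was already present before `-N i$size` and `-i signed` and the commit appends a second copy at the end of each line; the second hunk (@@ -163) repeats the same duplication. Only the certutil -M lines lacked the pin file, so the cmsutil lines should stay as they were: `cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed` and `cmsutil -D -d $tmpdir -f pinfile -i signed`. Whether cmsutil tolerates a repeated -f is not visible here; even if it does, the duplicate reads as though the existing option was overlooked. The enclosing `for preserve in 1 0` loop starts and ends outside both hunks.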
From: Rob Crittenden Date: Jan 11 2018 19:50:24 +0000 Subject: [PATCH 3/5] NSS in rawhide (F28) was switched to sqlite, fix assumptions Previous releases of NSS had dbm as the default storage type. Certain assumptions were built into the tests. Make the default scheme more explicit, leaving it as dbm for now. https://pagure.io/certmonger/issue/88 --- diff --git a/tests/007-certsave-dbm/expected.out b/tests/007-certsave-dbm/expected.out index e0978c6..ed6b4ed 100644 --- a/tests/007-certsave-dbm/expected.out +++ b/tests/007-certsave-dbm/expected.out @@ -37,7 +37,7 @@ Testing setting trust to C,c,p: wrong nickname, right subject: cert ,, wrong subject, right nickname: cert ,, [nss:rosubdir] -Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error. +Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error. [nss:rwsubdir] -Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error. +Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error. Test complete. diff --git a/tests/007-certsave/expected.out b/tests/007-certsave/expected.out index e0978c6..ed6b4ed 100644 --- a/tests/007-certsave/expected.out +++ b/tests/007-certsave/expected.out @@ -37,7 +37,7 @@ Testing setting trust to C,c,p: wrong nickname, right subject: cert ,, wrong subject, right nickname: cert ,, [nss:rosubdir] -Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error. +Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error. [nss:rwsubdir] -Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error. +Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error. Test complete. diff --git a/tests/007-certsave/run.sh b/tests/007-certsave/run.sh index bea8341..29b0215 100755 --- a/tests/007-certsave/run.sh +++ b/tests/007-certsave/run.sh 
@@ -2,8 +2,9 @@ cd "$tmpdir" +scheme="${scheme:-dbm}" source "$srcdir"/functions -initnssdb ${scheme:+${scheme}:}$tmpdir +initnssdb $scheme:$tmpdir wrongcert='-----BEGIN CERTIFICATE----- MIIDQTCCAimgAwIBAgIBBTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdwaWxs @@ -50,7 +51,7 @@ echo "$wrongcert" | sed -e 's,^$,,g' -e 's,^ ,,g' > cert.wrong echo "[nss:wrongnick]" cat > entry.nss << EOF cert_storage_type=NSSDB -cert_storage_location=${scheme:+${scheme}:}$tmpdir +cert_storage_location=$scheme:$tmpdir cert_nickname=wrongnick cert=$cert EOF @@ -59,7 +60,7 @@ $toolsdir/certsave entry.nss echo "[nss:wrongcert]" cat > entry.nss << EOF cert_storage_type=NSSDB -cert_storage_location=${scheme:+${scheme}:}$tmpdir +cert_storage_location=$scheme:$tmpdir cert_nickname=cert cert=$wrongcert EOF @@ -68,13 +69,13 @@ $toolsdir/certsave entry.nss echo "[nss:right]" cat > entry.nss << EOF cert_storage_type=NSSDB -cert_storage_location=${scheme:+${scheme}:}$tmpdir +cert_storage_location=$scheme:$tmpdir cert_nickname=cert cert=$cert EOF $toolsdir/certsave entry.nss $toolsdir/listnicks entry.nss -certutil -d ${scheme:+${scheme}:}$tmpdir -L -n cert -a > cert.nss +certutil -d $scheme:$tmpdir -L -n cert -a > cert.nss # Save the wrong certificate to the PEM file. echo "[openssl:wrong]" cat > entry.openssl << EOF @@ -96,7 +97,7 @@ run_dos2unix cert.original run_dos2unix cert.nss run_dos2unix cert.openssl if ! cmp cert.original cert.nss ; then - echo Original and NSS disagree "(${scheme:+${scheme}:}$tmpdir)". + echo Original and NSS disagree "($scheme:$tmpdir)". cat cert.original cert.nss exit 1 fi 
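Review bot: `scheme="${scheme:-dbm}"` defines the scheme without a trailing colon and every use builds `$scheme:$tmpdir`, whereas 034-perms/run.sh and 002-keygen/run.sh in this same series default to `dbm:` and build `$scheme$tmpdir`, and the new 002-keygen-sql wrapper exports `scheme=sql:`; running this script under that wrapper's convention would yield `sql::$tmpdir`. One convention should be chosen for the whole series; if the colon-suffixed form wins, this file becomes `scheme="${scheme:-dbm:}"`, `initnssdb "$scheme$tmpdir"`, and the later `if test "$scheme" = sql` check becomes `if test "$scheme" = sql:`. The `$scheme:$tmpdir` expansions here are also unquoted, unlike `initnssdb "$scheme$tmpdir"` in 002-keygen/run.sh, which matters if $tmpdir ever contains whitespace.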
@@ -137,62 +138,62 @@ $toolsdir/certsave entry.openssl || true for trust in ,, P,, ,P, CT,C, C,c,p ; do echo Testing setting trust to "$trust": # Save the right certificate to NSS's database and read it back. - initnssdb ${scheme:+${scheme}:}$tmpdir + initnssdb $scheme:$tmpdir cat > entry.nss <<- EOF cert_storage_type=NSSDB - cert_storage_location=${scheme:+${scheme}:}$tmpdir + cert_storage_location=$scheme:$tmpdir cert_nickname=cert cert=$cert EOF $toolsdir/certsave entry.nss - certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust + certutil -d $scheme:$tmpdir -M -n cert -t $trust echo -n " baseline: " - certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' + certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' $toolsdir/certsave entry.nss echo -n " right nickname, right subject: " - certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' + certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' # Save the right certificate to NSS's database with the wrong nickname. - initnssdb ${scheme:+${scheme}:}$tmpdir + initnssdb $scheme:$tmpdir $toolsdir/certsave entry.nss cat > entry.nss <<- EOF cert_storage_type=NSSDB - cert_storage_location=${scheme:+${scheme}:}$tmpdir + cert_storage_location=$scheme:$tmpdir cert_nickname=wrongnick cert=$cert EOF $toolsdir/certsave entry.nss - certutil -d ${scheme:+${scheme}:}$tmpdir -M -n wrongnick -t $trust + certutil -d $scheme:$tmpdir -M -n wrongnick -t $trust # Save the right certificate to NSS's database and read it back. 
cat > entry.nss <<- EOF cert_storage_type=NSSDB - cert_storage_location=${scheme:+${scheme}:}$tmpdir + cert_storage_location=$scheme:$tmpdir cert_nickname=cert cert=$cert EOF $toolsdir/certsave entry.nss echo -n " wrong nickname, right subject: " - certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' + certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' # Save the wrong certificate to NSS's database with the right nickname. - initnssdb ${scheme:+${scheme}:}$tmpdir + initnssdb $scheme:$tmpdir $toolsdir/certsave entry.nss cat > entry.nss <<- EOF cert_storage_type=NSSDB - cert_storage_location=${scheme:+${scheme}:}$tmpdir + cert_storage_location=$scheme:$tmpdir cert_nickname=cert cert=$wrongcert EOF $toolsdir/certsave entry.nss - certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust + certutil -d $scheme:$tmpdir -M -n cert -t $trust # Save the right certificate to NSS's database and read it back. cat > entry.nss <<- EOF cert_storage_type=NSSDB - cert_storage_location=${scheme:+${scheme}:}$tmpdir + cert_storage_location=$scheme:$tmpdir cert_nickname=cert cert=$cert EOF $toolsdir/certsave entry.nss echo -n " wrong subject, right nickname: " - certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' + certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' done if test "$scheme" = sql ; then @@ -202,7 +203,7 @@ else echo "[nss:rosubdir]" cat > entry.nss <<- EOF cert_storage_type=NSSDB - cert_storage_location=$tmpdir/rosubdir + cert_storage_location=$scheme:$tmpdir/rosubdir cert_nickname=cert cert=$cert EOF @@ -216,7 +217,7 @@ else echo "[nss:rwsubdir]" cat > entry.nss <<- EOF cert_storage_type=NSSDB - cert_storage_location=$tmpdir/rwsubdir + cert_storage_location=$scheme:$tmpdir/rwsubdir cert_nickname=cert cert=$cert EOF diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh index 44a08b0..aff1e6d 100755 --- a/tests/025-casave/run.sh +++ b/tests/025-casave/run.sh 
@@ -196,7 +196,7 @@ id=EntryD1 root_cert_files= other_root_cert_files= other_cert_files= -root_cert_dbs=$tmpdir/db1,$tmpdir/dba +root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba other_root_cert_dbs= other_cert_dbs= cert_roots=Per-certificate Signing Authority D1 @@ -229,7 +229,7 @@ root_cert_files= other_root_cert_files= other_cert_files= root_cert_dbs= -other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba +other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba other_cert_dbs= EOF cat > $tmpdir/entryd3 <<- EOF @@ -239,7 +239,7 @@ other_root_cert_files= other_cert_files= root_cert_dbs= other_root_cert_dbs= -other_cert_dbs=$tmpdir/db3,$tmpdir/dba +other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba cert_chain=Per-certificate Signing Authority D3 -----BEGIN CERTIFICATE----- MIIDjjCCAnagAwIBAgIRALuVK2FuXklPuMP4qtRyQjUwDQYJKoZIhvcNAQELBQAw @@ -300,7 +300,7 @@ ca_name=CAD1 root_cert_files= other_root_cert_files= other_cert_files= -root_cert_dbs=$tmpdir/db1,$tmpdir/dba +root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba other_root_cert_dbs= other_cert_dbs= EOF @@ -311,7 +311,7 @@ root_cert_files= other_root_cert_files= other_cert_files= root_cert_dbs= -other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba +other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba other_cert_dbs= EOF cat > $tmpdir/entrycad3 <<- EOF @@ -322,7 +322,7 @@ other_root_cert_files= other_cert_files= root_cert_dbs= other_root_cert_dbs= -other_cert_dbs=$tmpdir/db3,$tmpdir/dba +other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba EOF cat > $tmpdir/cab1 <<- EOF @@ -564,9 +564,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh ca_root_cert_files= ca_other_root_cert_files= ca_other_cert_files= -ca_root_cert_dbs=$tmpdir/db1,$tmpdir/dba -ca_other_root_cert_dbs=$tmpdir/dba -ca_other_cert_dbs=$tmpdir/dba +ca_root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba +ca_other_root_cert_dbs=dbm:$tmpdir/dba +ca_other_cert_dbs=dbm:$tmpdir/dba ca_root_certs=Root Certificate D1 -----BEGIN CERTIFICATE----- MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ 
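Review bot: The `dbm:` prefix is hard-coded into every `*_cert_dbs=` line of 025-casave/run.sh rather than taken from a `scheme` variable as the other scripts in this series now do, so this test cannot be pointed at an sqlite database the way 002-keygen can. If that is intentional for now (the message says "leaving it as dbm"), a short comment at the first hard-coded use, `# NSS DB scheme is pinned to dbm here; 002-keygen shows the $scheme form`, would record the decision; otherwise `${scheme:-dbm:}` in place of `dbm:` keeps the default while allowing an override. The heredocs these lines sit in open and close outside the hunks.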
@@ -639,9 +639,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh ca_root_cert_files= ca_other_root_cert_files= ca_other_cert_files= -ca_root_cert_dbs=$tmpdir/dba -ca_other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba -ca_other_cert_dbs=$tmpdir/dba +ca_root_cert_dbs=dbm:$tmpdir/dba +ca_other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba +ca_other_cert_dbs=dbm:$tmpdir/dba ca_root_certs=Root Certificate D2 -----BEGIN CERTIFICATE----- MIIEDzCCAvegAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJTSzET @@ -722,9 +722,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh ca_root_cert_files= ca_other_root_cert_files= ca_other_cert_files= -ca_root_cert_dbs=,$tmpdir/dba -ca_other_root_cert_dbs=,$tmpdir/dba, -ca_other_cert_dbs=$tmpdir/db3,$tmpdir/dba +ca_root_cert_dbs=,dbm:$tmpdir/dba +ca_other_root_cert_dbs=,dbm:$tmpdir/dba, +ca_other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba ca_root_certs=Root Certificate D3 -----BEGIN CERTIFICATE----- MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL @@ -796,9 +796,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh ca_root_cert_files=$tmpdir/bundle-all ca_other_root_cert_files= ca_other_cert_files= -ca_root_cert_dbs=$tmpdir/dba -ca_other_root_cert_dbs=,$tmpdir/dba -ca_other_cert_dbs=,$tmpdir/dba +ca_root_cert_dbs=dbm:$tmpdir/dba +ca_other_root_cert_dbs=,dbm:$tmpdir/dba +ca_other_cert_dbs=,dbm:$tmpdir/dba ca_root_certs=Root Certificate DA -----BEGIN CERTIFICATE----- MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDEL diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out index 4e2fbd7..c062d40 100644 --- a/tests/034-perms/expected.out +++ b/tests/034-perms/expected.out 
@@ -41,54 +41,54 @@ $owner:$group|0755|ee.key.MARKER.key $owner:$group|0662|ee.crt $owner:$group|0620|ee.key -[start] -[keygen] +[dbm:start] +[dbm:keygen] $owner:$group|0600|cert8.db $owner:$group|0620|key3.db -[reset] +[dbm:reset] $owner:$group|0755|cert8.db $owner:$group|0755|key3.db -[csrgen] +[dbm:csrgen] $owner:$group|0755|cert8.db $owner:$group|0620|key3.db -[reset] +[dbm:reset] $owner:$group|0755|cert8.db $owner:$group|0755|key3.db -[submit] +[dbm:submit] $owner:$group|0755|cert8.db $owner:$group|0755|key3.db -[reset] +[dbm:reset] $owner:$group|0755|cert8.db $owner:$group|0755|key3.db -[save] +[dbm:save] $owner:$group|0662|cert8.db $owner:$group|0620|key3.db -[rekey:start] -[rekey:keygen] +[rekey:dbm:start] +[rekey:dbm:keygen] $owner:$group|0600|cert8.db $owner:$group|0620|key3.db -[rekey:reset] +[rekey:dbm:reset] $owner:$group|0755|cert8.db $owner:$group|0755|key3.db -[rekey:keygen] +[rekey:dbm:keygen] $owner:$group|0755|cert8.db $owner:$group|0620|key3.db -[rekey:reset] +[rekey:dbm:reset] $owner:$group|0755|cert8.db $owner:$group|0755|key3.db -[rekey:csrgen] +[rekey:dbm:csrgen] $owner:$group|0755|cert8.db $owner:$group|0620|key3.db -[rekey:reset] +[rekey:dbm:reset] $owner:$group|0755|cert8.db $owner:$group|0755|key3.db -[rekey:submit] +[rekey:dbm:submit] $owner:$group|0755|cert8.db $owner:$group|0755|key3.db -[rekey:reset] +[rekey:dbm:reset] $owner:$group|0755|cert8.db $owner:$group|0755|key3.db -[rekey:save] +[rekey:dbm:save] $owner:$group|0662|cert8.db $owner:$group|0620|key3.db OK diff --git a/tests/034-perms/run.sh b/tests/034-perms/run.sh index 7f349d3..88eae19 100755 --- a/tests/034-perms/run.sh +++ b/tests/034-perms/run.sh @@ -1,6 +1,8 @@ #!/bin/bash cd "$tmpdir" +scheme="${scheme:-dbm:}" + function list() { $toolsdir/ls *.* | sed -e "s~^$owner:$group|~\$owner:\$group|~g" } From fc60d968fb4a96d857de9cbba66493cecf793a61 Mon Sep 17 00:00:00 2001 
From: Rob Crittenden
Date: Jan 11 2018 19:50:24 +0000
Subject: [PATCH 4/5] Workaround NSS bug in associating private key to certificate
If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete internal state (the cert isn't associated with the private key, and calling PK11_FindKeyByAnyCert returns no result). As a workaround, we import the cert again using PK11_ImportCert which magically fixes the issue. See rhbz#1532188
Related: https://pagure.io/certmonger/issue/88
---
diff --git a/src/certsave-n.c b/src/certsave-n.c
index a2c9700..8e15a18 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -475,6 +475,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 entry->cm_cert_nickname);
 ec = PORT_GetError();
 if (error == SECSuccess) {
+ /* If NSS uses SQL DB storage, CERT_ImportCerts creates
+ * an incomplete internal state (the cert isn't
+ * associated with the private key, and calling
+ * PK11_FindKeyByAnyCert returns no result).
+ * As a workaround, we import the cert again using
+ * PK11_ImportCert, which magically fixes the issue.
+ * See rhbz#1532188 */
+ error = PK11_ImportCert(PK11_GetInternalKeySlot(),
+ returned[0],
+ CK_INVALID_HANDLE,
+ returned[0]->nickname,
+ PR_FALSE);
+ }
+ if (error == SECSuccess) {
 cm_log(1, "Imported certificate \"%s\", got "
 "nickname \"%s\".\n",
 entry->cm_cert_nickname,
From 7a3e74cf694018579c007689b83b911d8084f602 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Jan 11 2018 19:50:24 +0000
Subject: [PATCH 5/5] Run key generation tests against both dbm and sqlite databases
Related: https://pagure.io/certmonger/issue/88
---
diff --git a/tests/002-keygen-dbm/expected.out b/tests/002-keygen-dbm/expected.out
new file mode 100644
index 0000000..dcd1af0
--- /dev/null
+++ b/tests/002-keygen-dbm/expected.out
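Review bot: `PK11_GetInternalKeySlot()` returns a slot reference that the caller owns and must release with `PK11_FreeSlot()`; passing it inline to `PK11_ImportCert` drops the only handle, so each certificate save leaks a slot reference. `ec = PORT_GetError()` is also captured before the new import and never refreshed, so when `PK11_ImportCert` fails the error reporting further down (outside the hunk) will describe the earlier `CERT_ImportCerts` result rather than the call that actually failed. The workaround runs for dbm databases as well, although the comment scopes it to SQL storage; that looks harmless but deserves a clause in the comment. The body of cm_certsave_n_main continues outside the hunk, so the `PK11SlotInfo *` declaration below may belong with the function's other locals if the file keeps declarations at the top.
```c
	if (error == SECSuccess) {
		/* … unchanged: explanatory comment on the SQL DB workaround … */
		PK11SlotInfo *keyslot = PK11_GetInternalKeySlot();
		if (keyslot == NULL) {
			error = SECFailure;
		} else {
			error = PK11_ImportCert(keyslot, returned[0],
						CK_INVALID_HANDLE,
						returned[0]->nickname,
						PR_FALSE);
			/* Release the reference PK11_GetInternalKeySlot() handed us. */
			PK11_FreeSlot(keyslot);
		}
		/* Re-read the error code so a failure here, not the earlier
		 * CERT_ImportCerts, is what gets reported below. */
		ec = PORT_GetError();
	}
	if (error == SECSuccess) {
```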
@@ -0,0 +1,99 @@ +[nss:1024] +OK. +OK (RSA:1024). +OK. +OK (RSA:1024 after RSA:1024). +OK. +OK (RSA:1024 after RSA:1024). +keyi1024 +keyi1024 (candidate (next)) +[nss:1536] +OK. +OK (RSA:1536). +OK. +OK (RSA:1536 after RSA:1536). +OK. +OK (RSA:1536 after RSA:1536). +keyi1536 +keyi1536 (candidate (next)) +[nss:2048] +OK. +OK (RSA:2048). +OK. +OK (RSA:2048 after RSA:2048). +OK. +OK (RSA:2048 after RSA:2048). +keyi2048 +keyi2048 (candidate (next)) +[nss:3072] +OK. +OK (RSA:3072). +OK. +OK (RSA:3072 after RSA:3072). +OK. +OK (RSA:3072 after RSA:3072). +keyi3072 +keyi3072 (candidate (next)) +[nss:4096] +OK. +OK (RSA:4096). +OK. +OK (RSA:4096 after RSA:4096). +OK. +OK (RSA:4096 after RSA:4096). +keyi4096 +keyi4096 (candidate (next)) +[nss:rosubdir] +Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions. +[nss:rwsubdir] +Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions. +[openssl:1024] +OK. +OK (RSA:1024). +OK. +OK (RSA:1024 after RSA:1024). +OK. +OK (RSA:1024 after RSA:1024). +${tmpdir}/sample.1024 +${tmpdir}/sample.1024.(next).key +[openssl:1536] +OK. +OK (RSA:1536). +OK. +OK (RSA:1536 after RSA:1536). +OK. +OK (RSA:1536 after RSA:1536). +${tmpdir}/sample.1536 +${tmpdir}/sample.1536.(next).key +[openssl:2048] +OK. +OK (RSA:2048). +OK. +OK (RSA:2048 after RSA:2048). +OK. +OK (RSA:2048 after RSA:2048). +${tmpdir}/sample.2048 +${tmpdir}/sample.2048.(next).key +[openssl:3072] +OK. +OK (RSA:3072). +OK. +OK (RSA:3072 after RSA:3072). +OK. +OK (RSA:3072 after RSA:3072). +${tmpdir}/sample.3072 +${tmpdir}/sample.3072.(next).key +[openssl:4096] +OK. +OK (RSA:4096). +OK. +OK (RSA:4096 after RSA:4096). +OK. +OK (RSA:4096 after RSA:4096). +${tmpdir}/sample.4096 +${tmpdir}/sample.4096.(next).key +[openssl:rosubdir] +Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions. +[openssl:rwsubdir] +Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions. +Test complete. 
diff --git a/tests/002-keygen-dbm/run.sh b/tests/002-keygen-dbm/run.sh
new file mode 100755
index 0000000..3632394
--- /dev/null
+++ b/tests/002-keygen-dbm/run.sh
@@ -0,0 +1,2 @@
+#!/bin/bash -e
+exec env scheme=dbm: ../002-keygen/run.sh
diff --git a/tests/002-keygen-sql/expected.out b/tests/002-keygen-sql/expected.out
new file mode 100644
index 0000000..178f1b3
--- /dev/null
+++ b/tests/002-keygen-sql/expected.out
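Review bot: `exec env scheme=dbm: ../002-keygen/run.sh` resolves the target relative to the current working directory, so the wrapper only works if the harness has already changed into tests/002-keygen-dbm; `exec env scheme=dbm: "$(dirname "$0")/../002-keygen/run.sh"` removes that dependency, and the same applies to the 002-keygen-sql wrapper. Separately, tests/002-keygen-dbm/expected.out is byte-identical to the updated tests/002-keygen/expected.out (both are blob dcd1af0), so the two fixtures will have to be kept in sync by hand; a symlink, or making the dbm directory the canonical copy, would avoid the duplicate.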
@@ -0,0 +1,99 @@ +[nss:1024] +OK. +OK (RSA:1024). +OK. +OK (RSA:1024 after RSA:1024). +OK. +OK (RSA:1024 after RSA:1024). +keyi1024 +keyi1024 (candidate (next)) +[nss:1536] +OK. +OK (RSA:1536). +OK. +OK (RSA:1536 after RSA:1536). +OK. +OK (RSA:1536 after RSA:1536). +keyi1536 +keyi1536 (candidate (next)) +[nss:2048] +OK. +OK (RSA:2048). +OK. +OK (RSA:2048 after RSA:2048). +OK. +OK (RSA:2048 after RSA:2048). +keyi2048 +keyi2048 (candidate (next)) +[nss:3072] +OK. +OK (RSA:3072). +OK. +OK (RSA:3072 after RSA:3072). +OK. +OK (RSA:3072 after RSA:3072). +keyi3072 +keyi3072 (candidate (next)) +[nss:4096] +OK. +OK (RSA:4096). +OK. +OK (RSA:4096 after RSA:4096). +OK. +OK (RSA:4096 after RSA:4096). +keyi4096 +keyi4096 (candidate (next)) +[nss:rosubdir] +Failed to save NSS:sql:${tmpdir}/rosubdir: need fs permissions. +[nss:rwsubdir] +Failed to save NSS:sql:${tmpdir}/rwsubdir: need fs permissions. +[openssl:1024] +OK. +OK (RSA:1024). +OK. +OK (RSA:1024 after RSA:1024). +OK. +OK (RSA:1024 after RSA:1024). +${tmpdir}/sample.1024 +${tmpdir}/sample.1024.(next).key +[openssl:1536] +OK. +OK (RSA:1536). +OK. +OK (RSA:1536 after RSA:1536). +OK. +OK (RSA:1536 after RSA:1536). +${tmpdir}/sample.1536 +${tmpdir}/sample.1536.(next).key +[openssl:2048] +OK. +OK (RSA:2048). +OK. +OK (RSA:2048 after RSA:2048). +OK. +OK (RSA:2048 after RSA:2048). +${tmpdir}/sample.2048 +${tmpdir}/sample.2048.(next).key +[openssl:3072] +OK. +OK (RSA:3072). +OK. +OK (RSA:3072 after RSA:3072). +OK. +OK (RSA:3072 after RSA:3072). +${tmpdir}/sample.3072 +${tmpdir}/sample.3072.(next).key +[openssl:4096] +OK. +OK (RSA:4096). +OK. +OK (RSA:4096 after RSA:4096). +OK. +OK (RSA:4096 after RSA:4096). +${tmpdir}/sample.4096 +${tmpdir}/sample.4096.(next).key +[openssl:rosubdir] +Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions. +[openssl:rwsubdir] +Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions. +Test complete. 
diff --git a/tests/002-keygen-sql/run.sh b/tests/002-keygen-sql/run.sh new file mode 100755 index 0000000..cd5bc97 --- /dev/null +++ b/tests/002-keygen-sql/run.sh @@ -0,0 +1,2 @@ +#!/bin/bash -e +exec env scheme=sql: ../002-keygen/run.sh diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out index ff56372..dcd1af0 100644 --- a/tests/002-keygen/expected.out +++ b/tests/002-keygen/expected.out @@ -44,9 +44,9 @@ OK (RSA:4096 after RSA:4096). keyi4096 keyi4096 (candidate (next)) [nss:rosubdir] -Failed to save NSS:${tmpdir}/rosubdir: need fs permissions. +Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions. [nss:rwsubdir] -Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions. +Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions. [openssl:1024] OK. OK (RSA:1024). diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh index f550fee..08af152 100755 --- a/tests/002-keygen/run.sh +++ b/tests/002-keygen/run.sh @@ -2,15 +2,17 @@ cd "$tmpdir" +scheme="${scheme:-dbm:}" + source "$srcdir"/functions -initnssdb "$tmpdir" +initnssdb "$scheme$tmpdir" for size in 1024 1536 2048 3072 4096 ; do echo "[nss:$size]" # Generate a key. cat > entry.$size <<- EOF key_storage_type=NSSDB - key_storage_location=$tmpdir + key_storage_location=$scheme$tmpdir key_nickname=keyi$size key_gen_size=$size EOF @@ -28,13 +30,13 @@ for size in 1024 1536 2048 3072 4096 ; do # Extract the marker. marker=`grep ^key_next_marker= entry.$size | cut -f2- -d=` # Make sure we're clean. - run_certutil -K -d "$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort + run_certutil -K -d "$scheme$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort done echo "[nss:rosubdir]" cat > entry.$size <<- EOF key_storage_type=NSSDB -key_storage_location=$tmpdir/rosubdir +key_storage_location=$scheme$tmpdir/rosubdir key_nickname=keyi$size key_gen_size=$size EOF 
@@ -43,7 +45,7 @@ $toolsdir/keygen entry.$size || true echo "[nss:rwsubdir]" cat > entry.$size <<- EOF key_storage_type=NSSDB -key_storage_location=$tmpdir/rwsubdir +key_storage_location=$scheme$tmpdir/rwsubdir key_nickname=keyi$size key_gen_size=$size EOF