author | Kai Engert <kaie@kuix.de> | 2017-10-12 18:22:33 +0200 |
---|---|---|
committer | Kai Engert <kaie@kuix.de> | 2017-10-12 18:22:33 +0200 |
commit | fb06d0195ec9fda90f0138eb452a68555bfe8093 (patch) | |
tree | f52253b1f897ee350a1e41bc676096bbcc44e5cf /tests/cert | |
parent | 1db9f64345a261984228029db5b9a47b4a80ead7 (diff) | |
download | nss-hg-fb06d0195ec9fda90f0138eb452a68555bfe8093.tar.gz |
Bug 1402410, Make nss-softokn verify that RSA exponent is not smaller than 0x10001, when NSS is built with full FIPS support; r=fkiefer, r=kaie
Diffstat (limited to 'tests/cert')
-rwxr-xr-x | tests/cert/cert.sh | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh index 1e7c091e5..ca0646055 100755 --- a/tests/cert/cert.sh +++ b/tests/cert/cert.sh @@ -1260,6 +1260,10 @@ MODSCRIPT CU_ACTION="Setting invalid database password in FIPS mode" RETEXPECTED=255 certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1 + CU_ACTION="Attempt to generate a key with exponent of 3 (too small)" + certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" + CU_ACTION="Attempt to generate a key with exponent of 17 (too small)" + certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" RETEXPECTED=0 CU_ACTION="Generate Certificate for ${CERTNAME}" @@ -1268,6 +1272,20 @@ MODSCRIPT if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: FIPS passed" fi + +} + +########################## cert_rsa_exponent ################################# +# local shell function to verify small rsa exponent can be used (only +# run if FIPS has not been turned on in the build). +############################################################################## +cert_rsa_exponent() +{ + echo "$SCRIPTNAME: Verify that small RSA exponents still work ==============" + CU_ACTION="Attempt to generate a key with exponent of 3" + certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" + CU_ACTION="Attempt to generate a key with exponent of 17" + certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" } ############################## cert_eccurves ########################### @@ -1977,6 +1995,8 @@ cert_ssl cert_smime_client if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then cert_fips +else + cert_rsa_exponent fi cert_eccurves cert_extensions |
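Review bot: The two new `-y 3` and `-y 17` cases in cert_fips pass on any certutil failure that returns 255, because they only inherit `RETEXPECTED=255` from the bad-password step above them. A wrong password file or a missing noise file would satisfy them just as well as the exponent check in softoken. A positive control at the boundary, placed after the existing `RETEXPECTED=0` line, would pin the behaviour: `certu -G -k rsa -g 2048 -y 65537 -d "${PROFILEDIR}" -z "${R_NOISE_FILE}" -f "${R_FIPSPWFILE}"`. Separately, `${R_NOISE_FILE}` is unquoted here and in both calls in cert_rsa_exponent, while every other path argument on the same lines is quoted. cert_fips begins outside this hunk, so the state of the FIPS database before these calls is not visible here.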
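Review bot: cert_rsa_exponent sets neither `RETEXPECTED` nor `PROFILEDIR`, so it depends on whatever the previous step (cert_smime_client, per the last hunk) left behind. If an earlier step ends with a non-zero `RETEXPECTED`, both key generations would be scored against the wrong status, so I would make `RETEXPECTED=0` the first statement of the function. It also passes `${R_FIPSPWFILE}` on the non-FIPS path. The header comment should name which database the keys are written to and state that this password file matches it, since that cannot be confirmed from the hunk. The two generated keys are left in that database, which presumably is harmless but worth a comment.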
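Review bot: The new `else` branch selects between the two expectations on the runtime variable `NSS_TEST_ENABLE_FIPS`, but the commit message and the cert_rsa_exponent header both tie the exponent check to how NSS was built. If those can differ (a test run with the variable set against a softoken built without full FIPS support, or the reverse), one of the two branches asserts the wrong outcome. The failure would then look like a regression in the exponent check rather than a configuration mismatch. At minimum I would add a comment above the `if`, such as `# cert_fips expects RSA exponents below 0x10001 to be rejected; requires a build with full FIPS support, not only NSS_TEST_ENABLE_FIPS`. If the build flag is visible to the test environment, gating on it would be the more reliable fix.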