forked from os-autoinst/os-autoinst-distri-opensuse
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
44 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| #!/usr/bin/bash | ||
| OUTFILE=$1 | ||
| set -eux | ||
| # create NSS database | ||
| rm -rf nssdb && mkdir -p nssdb | ||
| certutil -N -d sql:./nssdb --empty-password | ||
| # generate an openssl keypair | ||
| # (size 2048 to cover also FUTURE cryptopolicy) | ||
| openssl req -new -newkey rsa:2048 -x509 -days 7 -nodes -subj "/CN=localhost" -out localhost.pem -keyout localhost.key | ||
| # import this certificate into the NSS database and mark it as trusted | ||
| certutil -d ./nssdb -A -a -i localhost.pem -t TCP -n localhost | ||
| # spin up a temp TLS server | ||
| openssl s_server -accept 4443 -cert localhost.pem -key localhost.key -www & | ||
| SERVER_PID=$! | ||
| # call the server with nss client | ||
| (echo "GET / HTTP/1.0" | /usr/lib/nss/tstclnt -d ./nssdb -h localhost -p 4443 2>&1 > $OUTFILE) & | ||
| sleep 5 | ||
| kill $SERVER_PID | ||
| killall tstclnt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,8 +5,11 @@ | |
| # Maintainer: QE Security <[email protected]> | ||
|
|
||
| use base 'opensusebasetest'; | ||
| use strict; | ||
| use warnings; | ||
| use strict; | ||
| use v5.20; | ||
| use feature qw(signatures); | ||
| no warnings qw(experimental::signatures); | ||
| use testapi; | ||
| use serial_terminal 'select_serial_terminal'; | ||
| use utils; | ||
|
|
@@ -20,6 +23,7 @@ sub run { | |
| select_serial_terminal; | ||
| setup_bind(); | ||
| setup_gnutls(); | ||
| setup_nss(); | ||
| foreach my $s (@services) { | ||
| systemctl "enable --now $s.service"; | ||
| } | ||
|
|
@@ -31,6 +35,7 @@ sub run { | |
| } | ||
| ensure_bind_is_working(); | ||
| ensure_gnutls_is_working(); | ||
| ensure_nss_is_working_with($policy); | ||
| } | ||
| } | ||
|
|
||
|
|
@@ -55,6 +60,25 @@ sub setup_gnutls { | |
| zypper_call 'in gnutls'; | ||
| } | ||
|
|
||
| sub setup_nss { | ||
| zypper_call 'in mozilla-nss mozilla-nss-tools'; | ||
| assert_script_run 'curl -O ' . data_url('security/crypto_policies/nss.sh'); | ||
| assert_script_run 'chmod +x nss.sh'; | ||
| } | ||
|
|
||
| sub ensure_nss_is_working_with($policy) { | ||
| # call the server with nss client | ||
| my $logfile = "nss_client_${policy}_policy.txt"; | ||
| assert_script_run("./nss.sh $logfile"); | ||
| # stop child processes | ||
| upload_logs $logfile; | ||
| # check if result is good | ||
| assert_script_run('grep "HTTP/1.0 200 ok" ' . $logfile); | ||
| assert_script_run('grep "1 server accepts (SSL_accept())" ' . $logfile); | ||
| # cleanup for next run | ||
| assert_script_run "rm -rf localhost.pem localhost.key nssdb"; | ||
| } | ||
|
|
||
| sub ensure_gnutls_is_working { | ||
| # generate a CA, and a server certificate | ||
| my $ca_key_file = 'x509-ca-key.pem'; | ||
|
|
||