From 5553980fbb4e8f2000d702093eeb1927a7d0a0e9 Mon Sep 17 00:00:00 2001
From: Andrea Manzini
Date: Wed, 15 Jan 2025 14:42:17 +0100
Subject: [PATCH] New test for nss crypto policies

---
 data/security/crypto_policies/nss.sh | 19 ++++++++++++++
 .../crypto_policies/crypto_policies_tests.pm | 26 ++++++++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 data/security/crypto_policies/nss.sh

diff --git a/data/security/crypto_policies/nss.sh b/data/security/crypto_policies/nss.sh
new file mode 100644
index 000000000000..1eecd1f1541d
--- /dev/null
+++ b/data/security/crypto_policies/nss.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/bash
+OUTFILE=$1
+set -eux
+# create NSS database
+rm -rf nssdb && mkdir -p nssdb
+certutil -N -d sql:./nssdb --empty-password
+# generate an openssl keypair
+# (size 2048 to cover also FUTURE cryptopolicy)
+openssl req -new -newkey rsa:2048 -x509 -days 7 -nodes -subj "/CN=localhost" -out localhost.pem -keyout localhost.key
+# import this certificate into the NSS database and mark it as trusted
+certutil -d ./nssdb -A -a -i localhost.pem -t TCP -n localhost
+# spin up a temp TLS server
+openssl s_server -accept 4443 -cert localhost.pem -key localhost.key -www &
+SERVER_PID=$!
+# call the server with nss client
+(echo "GET / HTTP/1.0" | /usr/lib/nss/tstclnt -d ./nssdb -h localhost -p 4443 2>&1 > $OUTFILE) &
+sleep 5
+kill $SERVER_PID
+killall tstclnt
\ No newline at end of file
diff --git a/tests/security/crypto_policies/crypto_policies_tests.pm b/tests/security/crypto_policies/crypto_policies_tests.pm
index 2635adbb1470..50232c91f4ef 100644
--- a/tests/security/crypto_policies/crypto_policies_tests.pm
+++ b/tests/security/crypto_policies/crypto_policies_tests.pm
@@ -5,8 +5,11 @@
 # Maintainer: QE Security
 
 use base 'opensusebasetest';
-use strict;
 use warnings;
+use strict;
+use v5.20;
+use feature qw(signatures);
+no warnings qw(experimental::signatures);
 use testapi;
 use serial_terminal 'select_serial_terminal';
 use utils;
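Review bot: The final `killall tstclnt` runs under `set -eux` and returns non-zero when no tstclnt process is left, which is the normal case once s_server has answered and closed the connection, so the script's exit status (and with it the caller's assert_script_run) can fail even though the log is good; the same applies to `kill $SERVER_PID` if the server has already exited. The client is also started before anything guarantees that s_server is listening, so the `sleep 5` placed after it does not remove the race. A bounded foreground client avoids both problems: after a short sleep placed before the client rather than after it, run `echo "GET / HTTP/1.0" | timeout 10 /usr/lib/nss/tstclnt -d ./nssdb -h localhost -p 4443 > "$OUTFILE" 2>&1` and then `kill "$SERVER_PID"`; note the redirection order, since `2>&1 > $OUTFILE` as written sends tstclnt's stderr to the console instead of the uploaded log. `-accept 4443` binds all interfaces, so if the installed openssl accepts the `[host:]port` form, `-accept localhost:4443` keeps this throwaway self-signed server on loopback. The comment on the key size should be checked against the policy list: upstream crypto-policies FUTURE requires RSA keys of at least 3072 bits, so a 2048-bit key would be rejected under that policy if it is exercised, and `rsa:3072` would cover it.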
@@ -20,6 +23,7 @@ sub run {
 select_serial_terminal;
 setup_bind();
 setup_gnutls();
+ setup_nss();
 foreach my $s (@services) {
 systemctl "enable --now $s.service";
 }
@@ -31,6 +35,7 @@ sub run {
 }
 ensure_bind_is_working();
 ensure_gnutls_is_working();
+ ensure_nss_is_working_with($policy);
 }
 }
 
@@ -55,6 +60,25 @@ sub setup_gnutls {
 zypper_call 'in gnutls';
 }
 
+sub setup_nss {
+ zypper_call 'in mozilla-nss mozilla-nss-tools';
+ assert_script_run 'curl -O ' . data_url('security/crypto_policies/nss.sh');
+ assert_script_run 'chmod +x nss.sh';
+}
+
+sub ensure_nss_is_working_with($policy) {
+ # call the server with nss client
+ my $logfile = "nss_client_${policy}_policy.txt";
+ assert_script_run("./nss.sh $logfile");
+ # stop child processes
+ upload_logs $logfile;
+ # check if result is good
+ assert_script_run('grep "HTTP/1.0 200 ok" ' . $logfile);
+ assert_script_run('grep "1 server accepts (SSL_accept())" ' . $logfile);
+ # cleanup for next run
+ assert_script_run "rm -rf localhost.pem localhost.key nssdb";
+}
+
 sub ensure_gnutls_is_working {
 # generate a CA, and a server certificate
 my $ca_key_file = 'x509-ca-key.pem';
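Review bot: The comment `# stop child processes` above `upload_logs $logfile;` in ensure_nss_is_working_with is misleading, since upload_logs only uploads the file and the server and client processes are stopped inside nss.sh; replace it with `# nss.sh has already stopped the server and client; keep the log for debugging`. setup_nss installs only the NSS packages, but nss.sh also calls `openssl` and `killall` (psmisc), so the zypper call should cover those on a minimal image, e.g. `zypper_call 'in mozilla-nss mozilla-nss-tools openssl psmisc';`. The two grep assertions show that a handshake succeeded under the active policy but not which protocol or cipher was negotiated, so a policy that silently allows more than intended would still pass; that limitation is worth stating in a comment on the sub, e.g. `# Verifies only that an NSS client can complete a TLS handshake under $policy; negotiated parameters are not checked`. The `$policy`-derived file name is passed unquoted to the shell in three places, which is fine for the fixed policy names from the loop but should be kept in mind if that list ever becomes configurable.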