Add new algorithms in nss's config file to support nss >= 3.59 (ECDSA RSA-PSS RSA-PKCS)

(cherry picked from commit a5fe243acd68b2053a3b5a7bb844c818378462c2)

backport-policygenerators-nss-output-sigalgs-nss-3-59.patch

@@ -0,0 +1,192 @@
+From b21c8114995e07965c2ccde5f5767d0618d854bf Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 18 Jan 2021 17:58:45 +0100
+Subject: [PATCH] policygenerators/nss: output sigalgs (nss >=3.59)
+
+Actually, checking for 3.60 because Fedora has reverted the change.
+---
+ python/policygenerators/nss.py        | 36 ++++++++++++++++++++++++++++++++---
+ tests/nss.py                          | 15 +++++++++++++++
+ tests/outputs/DEFAULT-nss.txt         |  2 +-
+ tests/outputs/FIPS-nss.txt            |  2 +-
+ tests/outputs/FIPS:ECDHE-ONLY-nss.txt |  2 +-
+ tests/outputs/FIPS:OSPP-nss.txt       |  2 +-
+ tests/outputs/FUTURE-nss.txt          |  2 +-
+ tests/outputs/LEGACY-nss.txt          |  2 +-
+ 9 files changed, 55 insertions(+), 10 deletions(-)
+
+diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
+index ee10025..00935a2 100644
+--- a/python/policygenerators/nss.py
++++ b/python/policygenerators/nss.py
+@@ -6,6 +6,8 @@
+ from subprocess import call, CalledProcessError
+ from tempfile import mkstemp
+ 
++import ctypes
++import ctypes.util
+ import os
+ 
+ from .configgenerator import ConfigGenerator
+@@ -86,6 +88,15 @@ class NSSGenerator(ConfigGenerator):
+ 		'DTLS1.2':'dtls1.2'
+ 	}
+ 
++	# Depends on a dict being ordered,
++	# impl. detail in CPython 3.6, guaranteed starting from Python 3.7.
++	sign_prefix_ordmap = {
++		'RSA-PSS-':'RSA-PSS',  # must come before RSA-
++		'RSA-':'RSA-PKCS',
++		'ECDSA-':'ECDSA',
++		'DSA-':'DSA',
++	}
++
+ 	@classmethod
+ 	def generate_config(cls, policy):
+ 		p = policy.props
+@@ -126,9 +137,14 @@ class NSSGenerator(ConfigGenerator):
+ 			except KeyError:
+ 				pass
+ 
+-		dsa = [i for i in p['sign'] if i.find('DSA-') == 0]
+-		if dsa:
+-			s = cls.append(s, 'DSA')
++		enabled_sigalgs = set()
++		for i in p['sign']:
++			for prefix, sigalg in cls.sign_prefix_ordmap.items():
++				if i.startswith(prefix):
++					if sigalg not in enabled_sigalgs:
++						enabled_sigalgs.add(sigalg)
++						s = cls.append(s, sigalg)
++					break  # limit to first match
+ 
+ 		try:
+ 			minver = cls.protocol_map[p['min_tls_version']]
+@@ -151,6 +167,20 @@ class NSSGenerator(ConfigGenerator):
+ 
+ 	@classmethod
+ 	def test_config(cls, config):
++		try:
++			nss_path = ctypes.util.find_library('nss3')
++			nss_lib = ctypes.CDLL(nss_path)
++			if not nss_lib.NSS_VersionCheck(b'3.60'):
++				# Cannot validate with pre-3.59 NSS
++				# that doesn't know ECDSA/RSA-PSS/RSA-PKCS
++				# identifiers yet.
++				# 3.60 because Fedora's 3.59 has that reverted
++				cls.eprint('Skipping nss-policy-check due to '
++				           'nss being older than 3.60')
++				return True
++		except AttributeError:
++			cls.eprint('Cannot determine nss version with ctypes')
++
+ 		if not os.access('/usr/bin/nss-policy-check', os.X_OK):
+ 			return True
+ 
+diff --git a/tests/nss.py b/tests/nss.py
+index 4d2cee1..a16d984 100755
+--- a/tests/nss.py
++++ b/tests/nss.py
+@@ -1,5 +1,7 @@
+ #!/usr/bin/python3
+ 
++import ctypes
++import ctypes.util
+ import glob
+ import os
+ import shutil
+@@ -12,6 +14,19 @@ if shutil.which('nss-policy-check') is None:
+     sys.exit(0)
+ 
+ 
++# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS
++# identifiers yet. Checking for 3.60 because Fedora has reverted the change.
++try:
++    nss = ctypes.CDLL(ctypes.util.find_library('nss3'))
++    if not nss.NSS_VersionCheck(b'3.60'):
++        print('Skipping nss-policy-check verification '
++              'due to nss being older than 3.60', file=sys.stderr)
++        sys.exit(0)
++except AttributeError:
++    print('Cannot determine nss version with ctypes, hoping for >=3.59',
++          file=sys.stderr)
++
++
+ print('Checking the NSS configuration')
+ 
+ for policy_path in glob.glob('tests/outputs/*-nss.txt'):
+diff --git a/tests/outputs/DEFAULT-nss.txt b/tests/outputs/DEFAULT-nss.txt
+index 6a93308..500cd70 100644
+--- a/tests/outputs/DEFAULT-nss.txt
++++ b/tests/outputs/DEFAULT-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+diff --git a/tests/outputs/FIPS-nss.txt b/tests/outputs/FIPS-nss.txt
+index c9809b9..4fdf6bc 100644
+--- a/tests/outputs/FIPS-nss.txt
++++ b/tests/outputs/FIPS-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+diff --git a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
+index 78f4844..399bc5c 100644
+--- a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
++++ b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+diff --git a/tests/outputs/FIPS:OSPP-nss.txt b/tests/outputs/FIPS:OSPP-nss.txt
+index 0ca1ab0..d172a83 100644
+--- a/tests/outputs/FIPS:OSPP-nss.txt
++++ b/tests/outputs/FIPS:OSPP-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+diff --git a/tests/outputs/FUTURE-nss.txt b/tests/outputs/FUTURE-nss.txt
+index 23d1ce8..9cea0a4 100644
+--- a/tests/outputs/FUTURE-nss.txt
++++ b/tests/outputs/FUTURE-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
+ 
+ 
+diff --git a/tests/outputs/LEGACY-nss.txt b/tests/outputs/LEGACY-nss.txt
+index e16b6ce..8bf8bd1 100644
+--- a/tests/outputs/LEGACY-nss.txt
++++ b/tests/outputs/LEGACY-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
+ 
+ 
+-- 
+1.8.3.1
+

backport-rewrite-test-nss-pl-in-python.patch

@@ -0,0 +1,115 @@
+From 4fb6cdf626ee35623400ca557198cecb4efd4e88 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 18 Jan 2021 17:43:53 +0100
+Subject: [PATCH] tests/nss.pl: rewrite in Python
+
+---
+ Makefile     |  2 +-
+ tests/nss.pl | 41 -----------------------------------------
+ tests/nss.py | 33 +++++++++++++++++++++++++++++++++
+ 3 files changed, 34 insertions(+), 42 deletions(-)
+ delete mode 100755 tests/nss.pl
+ create mode 100755 tests/nss.py
+
+diff --git a/Makefile b/Makefile
+index 2699ac6..a50408e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -43,7 +43,7 @@ check:
+ 	python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies tests/outputs
+ 	tests/openssl.pl
+ 	tests/gnutls.pl
+-	tests/nss.pl
++	tests/nss.py
+ 	tests/java.pl
+ 	tests/krb5.py
+ 	top_srcdir=. tests/update-crypto-policies.sh
+diff --git a/tests/nss.pl b/tests/nss.pl
+deleted file mode 100755
+index e021ffd..0000000
+--- a/tests/nss.pl
++++ /dev/null
+@@ -1,41 +0,0 @@
+-#!/usr/bin/perl
+-
+-my $RESULTFILE="result-nss.tmp";
+-
+-use File::Which qw(which);
+-
+-print "Checking the NSS configuration\n";
+-
+-my $dir = 'tests/outputs';
+-
+-opendir(DIR, $dir) or die $!;
+-
+-my @nsspolicies
+-    = grep {
+-        /-nss/             # has -nss in name
+-        && -f "$dir/$_"   # and is a file
+-    } readdir(DIR);
+-
+-foreach my $policyfile (@nsspolicies) {
+-	my $policy = $policyfile;
+-	$policy =~ s/-[^-]+$//;
+-
+-	print "Checking policy $policy\n";
+-	my $tool = which "nss-policy-check";
+-
+-	if ($policy ne 'EMPTY' and $tool ne undef) {
+-
+-		system("nss-policy-check $dir/$policyfile >$RESULTFILE 2>&1") ;
+-		if ($? != 0) {
+-			print "Error in NSS policy for $policy\n";
+-			print STDERR "NSS policy for $policy:\n";
+-			system("cat $dir/$policyfile 1>&2");
+-			print STDERR "\nnss-policy-check error:\n";
+-			system("cat $RESULTFILE 1>&2");
+-			exit 1;
+-		}
+-		unlink($RESULTFILE);
+-	}
+-}
+-
+-exit 0;
+diff --git a/tests/nss.py b/tests/nss.py
+new file mode 100755
+index 0000000..4d2cee1
+--- /dev/null
++++ b/tests/nss.py
+@@ -0,0 +1,33 @@
++#!/usr/bin/python3
++
++import glob
++import os
++import shutil
++import subprocess
++import sys
++
++
++if shutil.which('nss-policy-check') is None:
++    print('nss-policy-check not found, skipping check', file=sys.stderr)
++    sys.exit(0)
++
++
++print('Checking the NSS configuration')
++
++for policy_path in glob.glob('tests/outputs/*-nss.txt'):
++    policy = os.path.basename(policy_path)[:-len('-nss.txt')]
++    print(f'Checking policy {policy}')
++    if policy not in ('EMPTY', 'GOST-ONLY'):
++        p = subprocess.Popen(['nss-policy-check', policy_path],
++                             stdout=subprocess.PIPE,
++                             stderr=subprocess.STDOUT)
++        output, _ = p.communicate()
++        if p.wait():
++            print(f'Error in NSS policy for {policy}')
++            print(f'NSS policy for {policy}:', file=sys.stderr)
++            with open(policy_path) as policy_file:
++                shutil.copyfileobj(policy_file, sys.stderr)
++                sys.stderr.write('\n')
++            print('nss-policy-check error:', file=sys.stderr)
++            print(output.decode(), file=sys.stderr)
++            sys.exit(1)
+-- 
+1.8.3.1
+

crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch

@@ -0,0 +1,24 @@
+From 79b03b7a6ea10c8ed2a4a35d5daa8842922641f4 Mon Sep 17 00:00:00 2001
+From: yixiangzhike <yixiangzhike007@163.com>
+Date: Fri, 7 Jan 2022 15:12:26 +0800
+Subject: [PATCH] tests outputs NEXT-nss: output sigalgs (nss >=3.59)
+
+---
+ tests/outputs/NEXT-nss.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/outputs/NEXT-nss.txt b/tests/outputs/NEXT-nss.txt
+index 1c2e182..846beb2 100644
+--- a/tests/outputs/NEXT-nss.txt
++++ b/tests/outputs/NEXT-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+-- 
+1.8.3.1
+

crypto-policies.spec

@@ -4,7 +4,7 @@
 
 Name:           crypto-policies
 Version:        %{git_date}
-Release:        1.git%{git_commit_hash}
+Release:        2.git%{git_commit_hash}
 Summary:        Crypto policies package for Fedora
 
 License:        LGPLv2+
@@ -14,6 +14,10 @@ URL:            https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # directory.
 Source0:        https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
 
+Patch0:         backport-rewrite-test-nss-pl-in-python.patch
+Patch1:         backport-policygenerators-nss-output-sigalgs-nss-3-59.patch
+Patch2:         crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch
+
 BuildArch: noarch
 BuildRequires: asciidoc
 BuildRequires: libxslt
@@ -63,7 +67,7 @@ The package also provides a tool fips-mode-setup, which can be used
 to enable or disable the system FIPS mode.
 
 %prep
-%setup -q -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
+%autosetup -p1 -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
 
 %build
 make %{?_smp_mflags}
@@ -144,6 +148,9 @@ make check %{?_smp_mflags}
 %license COPYING.LESSER
 
 %changelog
+* Fri Jan 7 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-2.git781bbd4
+- add new algorithms in nss's config file to support nss >= 3.59 (ECDSA RSA-PSS RSA-PKCS)
+
 * Tue Aug 11 2020 yang_zhuang_zhuang <yangzhuangzhuang1@huawei.com> - 20200619-1.git781bbd4
 - downgrade version to 20200619