diff options
Diffstat (limited to 'tests/dogtag/acceptance/bugzilla/tomcatjss-bugs/bug-1084224.sh')
-rwxr-xr-x | tests/dogtag/acceptance/bugzilla/tomcatjss-bugs/bug-1084224.sh | 233 |
1 files changed, 233 insertions, 0 deletions
diff --git a/tests/dogtag/acceptance/bugzilla/tomcatjss-bugs/bug-1084224.sh b/tests/dogtag/acceptance/bugzilla/tomcatjss-bugs/bug-1084224.sh new file mode 100755 index 000000000..782404c49 --- /dev/null +++ b/tests/dogtag/acceptance/bugzilla/tomcatjss-bugs/bug-1084224.sh @@ -0,0 +1,233 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/dogtag/acceptance/bugzilla/ +# Description: tomcatjss bug verification +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Authors: Roshni Pattath <rpattath@redhat.com> +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. /opt/rhqa_pki/pki-cert-cli-lib.sh +. /opt/rhqa_pki/env.sh + +######################################################################## +#pki-user-cli-user-ca.sh should be first executed prior to bug verification +######################################################################## + +######################################################################## +# Test Suite Globals +######################################################################## +run_tomcatjss-bug-verification(){ + + rlPhaseStartTest "bug_1084224: Tomcatjss missing strictCiphers implementation" + CA_HOST=$MASTER + CA_PORT=$(cat /tmp/bugca_instance.inf | grep pki_https_port | cut -d "=" -f2) + test1="test_screen" + ca_server_xml_file="/var/lib/pki/pki-ca-bug/conf/server.xml" + temp_file="$ca_server_xml_file.temp" + rlLog "https://bugzilla.redhat.com/show_bug.cgi?id=1084224" + rlRun "ssltap -sfx $CA_HOST:$CA_PORT > /tmp/original_cipher.out &" + rlRun "sleep 10" + rlLog "Executing: wget https://$CA_HOST:1924 --no-check-certificate" + rlRun "wget https://$CA_HOST:1924 --no-check-certificate" + cat /tmp/original_cipher.out | grep "cipher_suite = (0x0035) TLS/RSA/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0x0035) TLS/RSA/AES256-CBC/SHA" + search_string3="+TLS_RSA_WITH_AES_256_CBC_SHA" + replace_string3="-TLS_RSA_WITH_AES_256_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0x002f) TLS/RSA/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0x002f) TLS/RSA/AES128-CBC/SHA" + search_string3="+TLS_RSA_WITH_AES_128_CBC_SHA" + replace_string3="-TLS_RSA_WITH_AES_128_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA" + search_string3="+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + replace_string3="-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA" + search_string3="+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" + replace_string3="-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0xc012) TLS/ECDHE-RSA/3DES-EDE-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0xc012) TLS/ECDHE-RSA/3DES-EDE-CBC/SHA" + search_string3="+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" + replace_string3="-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA" + search_string3="+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" + replace_string3="-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA" + search_string3="+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" + replace_string3="-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0x0032) TLS/DHE-DSS/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0x0032) TLS/DHE-DSS/AES128-CBC/SHA" + search_string3="+TLS_DHE_DSS_WITH_AES_128_CBC_SHA" + replace_string3="-TLS_DHE_DSS_WITH_AES_128_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0x0038) TLS/DHE-DSS/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0x0038) TLS/DHE-DSS/AES256-CBC/SHA" + search_string3="+TLS_DHE_DSS_WITH_AES_256_CBC_SHA" + replace_string3="-TLS_DHE_DSS_WITH_AES_256_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0x0033) TLS/DHE-RSA/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0x0033) TLS/DHE-RSA/AES128-CBC/SHA" + search_string3="+TLS_DHE_RSA_WITH_AES_128_CBC_SHA" + replace_string3="-TLS_DHE_RSA_WITH_AES_128_CBC_SHA" + fi + cat /tmp/original_cipher.out | grep "cipher_suite = (0x0039) TLS/DHE-RSA/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + original_cipher="cipher_suite = (0x0039) TLS/DHE-RSA/AES256-CBC/SHA" + search_string3="+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + replace_string3="-TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + fi + rlRun "systemctl stop pki-tomcatd@pki-ca-bug.service" + search_string1="strictCiphers=\"false\"" + replace_string1="strictCiphers=\"true\"" + search_string2="sslOptions=\"ssl2=true,ssl3=true,tls=true\"" + replace_string2="sslOptions=\"ssl2=false,ssl3=false,tls=true\"" + #search_string4="clientAuth=\"want\"" + #replace_string4="clientauth=\"want\"" + rlRun "sed 's/$search_string1/$replace_string1/g' $ca_server_xml_file > $temp_file" + cp $temp_file $ca_server_xml_file + rlRun "sed 's/$search_string2/$replace_string2/g' $ca_server_xml_file > $temp_file" + cp $temp_file $ca_server_xml_file + rlRun "sed 's/$search_string3/$replace_string3/g' $ca_server_xml_file > $temp_file" + cp $temp_file $ca_server_xml_file + #rlRun "sed 's/$search_string4/$replace_string4/g' $ca_server_xml_file > $temp_file" + #cp $temp_file $ca_server_xml_file + chown pkiuser:pkiuser $ca_server_xml_file + cat $ca_server_xml_file | grep $replace_string1 + if [ $? -eq 0 ] ; then + rlRun "modutil -dbdir /var/lib/pki/pki-ca-bug/ca/alias -fips true &" + rlRun "sleep 5" + rlRun "modutil -dbdir /var/lib/pki/pki-ca-bug/ca/alias -chkfips true > /tmp/chkfips.out" + rlAssertGrep "FIPS mode enabled." "/tmp/chkfips.out" + rlRun "systemctl start pki-tomcatd@pki-ca-bug.service" + rlRun "ssltap -sfx $CA_HOST:$CA_PORT > /tmp/new_cipher.out &" + rlRun "sleep 10" + rlLog "Executing: wget https://$CA_HOST:1924 --no-check-certificate" + rlRun "wget https://$CA_HOST:1924 --no-check-certificate" + cat $ca_server_xml_file | grep "+TLS_RSA_WITH_AES_256_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0x0035) TLS/RSA/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_RSA_WITH_AES_128_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0x002f) TLS/RSA/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0xc012) TLS/ECDHE-RSA/3DES-EDE-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0x0032) TLS/DHE-DSS/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0x0038) TLS/DHE-DSS/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0x0033) TLS/DHE-RSA/AES128-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + cat $ca_server_xml_file | grep "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + if [ $? -eq 0 ]; then + cat /tmp/new_cipher.out | grep "cipher_suite = (0x0039) TLS/DHE-RSA/AES256-CBC/SHA" + if [ $? -eq 0 ]; then + rlPass "Bug Verified" + fi + fi + rlAssertNotGrep "$original_cipher" "/tmp/new_cipher.out" + else + rlLog "Config file modification failed" + fi + rlPhaseEnd + +} |