Open Bug 1930807 Opened 4 months ago Updated 2 days ago

NSS policy updates

Categories

(NSS :: Libraries, defect, P3)

Tracking

(Not tracked)

People

(Reporter: rrelyea, Assigned: rrelyea)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

Attachments

(3 files)

The following changes to our policy code from RHEL need to be picked up:

Various policy tests are failing because the test case is wrong, but the tests weren't run because the tests were triggered on SDB mode, which isn't used anymore upstream because we no longer test dbm code (disabled by default). dbm code is still enabled and tested in some versions of RHEL.

KeySize checks were missing in RSA-PSS.

CAVS tests were failing on rhel-10 because of changes to the output of sum.

Assignee: nobody → rrelyea
Blocks: 1930794
Depends on: 1930809
Severity: -- → S3
Priority: -- → P3
  1. The policy tests aren't running in the CI; update the way we determine that we are using sql db.
    1a. Add a new utility to get NSS default values to support getting sqldb state.
  2. Turn off key size policy for the weak key tests.
  3. Make SECKEY_PrivateKeyStrengthInBits more accurate in the normal case.
  4. Add key length policy enforcements to RSAPss on SSL.
  5. Fix problem where ASN1 decoder is clobbering the error message, leading to DER errors when the real reason is policy issues.
  6. Fix errors in the policy tests that were masked by the fact they weren't being run in the CI.

sum has changed formats on newer versions of Linux; change the awk to fetch the correct value.

  1. Make SECKEY_PrivateKeyStrengthInBits more accurate in the normal case.
  2. Add key length policy enforcements to RSAPss on SSL.
See Also: → 1950617