tools.sh (34006B)
1 #! /bin/bash 2 # 3 # This Source Code Form is subject to the terms of the Mozilla Public 4 # License, v. 2.0. If a copy of the MPL was not distributed with this 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/. 6 7 ######################################################################## 8 # 9 # mozilla/security/nss/tests/tools/tools.sh 10 # 11 # Script to test basic functionality of NSS tools 12 # 13 # needs to work on all Unix and Windows platforms 14 # 15 # tests implemented: 16 # pk12util 17 # signtool 18 # 19 # special strings 20 # --------------- 21 # FIXME ... known problems, search for this string 22 # NOTE .... unexpected behavior 23 ######################################################################## 24 25 export pkcs12v2pbeWithSha1And128BitRc4=\ 26 "PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4" 27 28 export pkcs12v2pbeWithSha1And40BitRc4=\ 29 "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4" 30 31 export pkcs12v2pbeWithSha1AndTripleDESCBC=\ 32 "PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC" 33 34 export pkcs12v2pbeWithSha1And128BitRc2Cbc=\ 35 "PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC" 36 37 export pkcs12v2pbeWithSha1And40BitRc2Cbc=\ 38 "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC" 39 40 export pkcs5pbeWithMD2AndDEScbc=\ 41 "PKCS #5 Password Based Encryption with MD2 and DES-CBC" 42 43 export pkcs5pbeWithMD5AndDEScbc=\ 44 "PKCS #5 Password Based Encryption with MD5 and DES-CBC" 45 46 export pkcs5pbeWithSha1AndDEScbc=\ 47 "PKCS #5 Password Based Encryption with SHA-1 and DES-CBC" 48 49 # if we change the defaults in pk12util, update these variables 50 export CERT_ENCRYPTION_DEFAULT="AES-128-CBC" 51 export KEY_ENCRYPTION_DEFAULT="AES-256-CBC" 52 export HASH_DEFAULT="SHA-256" 53 54 export PKCS5v1_PBE_CIPHERS="${pkcs5pbeWithMD2AndDEScbc},\ 55 ${pkcs5pbeWithMD5AndDEScbc},\ 56 ${pkcs5pbeWithSha1AndDEScbc}" 57 export PKCS12_PBE_CIPHERS="${pkcs12v2pbeWithSha1And128BitRc4},\ 58 ${pkcs12v2pbeWithSha1And40BitRc4},\ 59 ${pkcs12v2pbeWithSha1AndTripleDESCBC},\ 60 ${pkcs12v2pbeWithSha1And128BitRc2Cbc},\ 61 ${pkcs12v2pbeWithSha1And40BitRc2Cbc}" 62 export PKCS5v2_PBE_CIPHERS="RC2-CBC,DES-EDE3-CBC,AES-128-CBC,AES-192-CBC,\ 63 AES-256-CBC,CAMELLIA-128-CBC,CAMELLIA-192-CBC,CAMELLIA-256-CBC" 64 export PBE_CIPHERS="${PKCS5v1_PBE_CIPHERS},${PKCS12_PBE_CIPHERS},${PKCS5v2_PBE_CIPHERS}" 65 export PBE_CIPHERS_CLASSES="${pkcs5pbeWithSha1AndDEScbc},\ 66 ${pkcs12v2pbeWithSha1AndTripleDESCBC},AES-256-CBC,default" 67 export PBE_HASH="SHA-1,SHA-256,SHA-512,HMAC SHA-256,HMAC SHA-512,default" 68 export PBE_HASH_CLASSES="SHA-1,SHA-256,SHA-384,HMAC SHA-256,default" 69 70 ############################## tools_init ############################## 71 # local shell function to initialize this script 72 ######################################################################## 73 tools_init() 74 { 75 SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh 76 77 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for 78 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it 79 fi 80 81 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then 82 cd ../common 83 . ./init.sh 84 fi 85 if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here 86 cd ../cert 87 . ./cert.sh 88 fi 89 SCRIPTNAME=tools.sh 90 91 html_head "Tools Tests" 92 93 grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { 94 Exit 15 "Fatal - S/MIME of cert.sh needs to pass first" 95 } 96 97 TOOLSDIR=${HOSTDIR}/tools 98 COPYDIR=${TOOLSDIR}/copydir 99 SIGNDIR=${TOOLSDIR}/signdir 100 101 PKCS12POLICY=${QADIR}/tools/pkcs12policy.txt 102 103 R_TOOLSDIR=../tools 104 R_COPYDIR=../tools/copydir 105 R_SIGNDIR=../tools/signdir 106 P_R_COPYDIR=${R_COPYDIR} 107 P_R_SIGNDIR=${R_SIGNDIR} 108 if [ -n "${MULTIACCESS_DBM}" ]; then 109 P_R_COPYDIR="multiaccess:Tools.$version" 110 P_R_SIGNDIR="multiaccess:Tools.sign.$version" 111 fi 112 113 mkdir -p ${TOOLSDIR} 114 mkdir -p ${COPYDIR} 115 mkdir -p ${SIGNDIR} 116 cp ${ALICEDIR}/* ${SIGNDIR}/ 117 mkdir -p ${TOOLSDIR}/html 118 cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html 119 mkdir -p ${TOOLSDIR}/data 120 cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data 121 cp ${QADIR}/tools/TestOldAES128CA.p12 ${TOOLSDIR}/data 122 cp ${QADIR}/tools/TestRSAPSS.p12 ${TOOLSDIR}/data 123 cp ${QADIR}/tools/PKCS5WithImplicitKDF.p12 ${TOOLSDIR}/data 124 cp ${QADIR}/tools/pbmac1-valid-sha256.p12 ${TOOLSDIR}/data 125 cp ${QADIR}/tools/pbmac1-valid-sha256-sha512.p12 ${TOOLSDIR}/data 126 cp ${QADIR}/tools/pbmac1-valid-sha512.p12 ${TOOLSDIR}/data 127 cp ${QADIR}/tools/pbmac1-invalid-bad-iter.p12 ${TOOLSDIR}/data 128 cp ${QADIR}/tools/pbmac1-invalid-bad-salt.p12 ${TOOLSDIR}/data 129 cp ${QADIR}/tools/pbmac1-invalid-no-length.p12 ${TOOLSDIR}/data 130 cp ${QADIR}/tools/corrupted_cert_bag.p12 ${TOOLSDIR}/data 131 132 cd ${TOOLSDIR} 133 } 134 135 ########################## list_p12_file ############################### 136 # List the key and cert in the specified p12 file 137 ######################################################################## 138 list_p12_file() 139 { 140 echo "$SCRIPTNAME: Listing Alice's pk12 file" 141 echo "pk12util -l ${1} -w ${R_PWFILE}" 142 143 ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1 144 ret=$? 145 html_msg $ret 0 "Listing ${1} (pk12util -l)" 146 check_tmpfile 147 } 148 149 ######################################################################## 150 # Import the key and cert from the specified p12 file 151 ######################################################################## 152 import_p12_file() 153 { 154 echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file to ${3}" 155 # remove the previous key so we actually decrypt the new key 156 # without this, pkcs12 will skip the key import. 157 echo "certutil -F -d ${3} -n ${2} -f ${R_PWFILE}" 158 certutil -F -d ${3} -n ${2} -f ${R_PWFILE} 159 echo "pk12util -i ${1} -d ${3} -k ${R_PWFILE} -w ${R_PWFILE}" 160 161 ${BINDIR}/pk12util -i ${1} -d ${3} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 162 ret=$? 163 echo "return=$ret expect=${4}" 164 html_msg $ret ${4} "Importing ${1} (pk12util -i)" 165 check_tmpfile 166 } 167 168 169 ######################################################################## 170 # Export the key and cert from the specified p12 file 171 ######################################################################## 172 export_p12_file() 173 { 174 # $1 p12 file 175 # $2 cert to export 176 # $3 certdb 177 # $4 key encryption cipher or "default" 178 # $5 certificate encryption cipher or "default" 179 # $6 hash algorithm or "default" 180 # $7 expected return value 181 KEY_CIPHER_OPT="-c" 182 KEY_CIPHER="${4}" 183 CERT_CIPHER_OPT="-C" 184 CERT_CIPHER="${5}" 185 HASH_ALG_OPT="-M" 186 HASH_ALG="${6}" 187 188 if [ "${KEY_CIPHER}" = "default" ]; then 189 KEY_CIPHER_OPT="" 190 KEY_CIPHER="" 191 fi 192 if [ "${CERT_CIPHER}" = "default" ]; then 193 CERT_CIPHER_OPT="" 194 CERT_CIPHER="" 195 fi 196 if [ "${HASH_ALG}" = "default" ]; then 197 HASH_ALG_OPT="" 198 HASH_ALG="" 199 fi 200 201 echo "pk12util -o \"${1}\" -n \"${2}\" -d \"${3}\" \\" 202 echo " -k ${R_PWFILE} -w ${R_PWFILE} \\" 203 echo " ${KEY_CIPHER_OPT} \"${KEY_CIPHER}\" \\" 204 echo " ${CERT_CIPHER_OPT} \"${CERT_CIPHER}\" \\" 205 echo " ${HASH_ALG_OPT} \"${HASH_ALG}\"" 206 ${BINDIR}/pk12util -o "${1}" -n "${2}" -d "${3}" \ 207 -k ${R_PWFILE} -w ${R_PWFILE} \ 208 ${KEY_CIPHER_OPT} "${KEY_CIPHER}" \ 209 ${CERT_CIPHER_OPT} "${CERT_CIPHER}" \ 210 ${HASH_ALG_OPT} "${HASH_ALG}" 2>&1 211 ret=$? 212 echo "return=$ret expect=${7}" 213 html_msg $ret ${7} "Exporting with [${4}:${5}:${6}] (pk12util -o)" 214 check_tmpfile 215 if [ ${7} -eq 0 ]; then 216 verify_p12 "${1}" "${4}" "${5}" "${6}" 217 fi 218 return $ret 219 } 220 221 ######################################################################## 222 # Exports key and cert to a p12 file, the key encryption cipher, 223 # the cert encryption cipher, and/or the hash algorithm are specified. 224 # The key and cert are imported and the p12 file is listed 225 ######################################################################## 226 export_list_import() 227 { 228 export_p12_file Alice.p12 Alice "${P_R_ALICEDIR}" "${@}" 0 229 list_p12_file Alice.p12 230 import_p12_file Alice.p12 Alice "${P_R_COPYDIR}" 0 231 } 232 233 ######################################################################## 234 # Exports key and cert to a p12 file, the key encryption cipher, 235 # the cert encryption cipher, and/or the hash algorithm are specified. 236 # expected results as well. These may purposefully fail for unallowed 237 # policies 238 ######################################################################## 239 export_import_policy() 240 { 241 export_ret=${1} 242 import_ret=${2} 243 export_dir=${3} 244 import_dir=${4} 245 shift 4 246 export_p12_file Alice.p12 Alice "${export_dir}" "${@}" ${export_ret} 247 if [ ${export_ret} -eq 0 ]; then 248 import_p12_file Alice.p12 Alice "${import_dir}" ${import_ret} 249 fi 250 } 251 252 tools_p12_policy() 253 { 254 export_dir=${P_R_ALICEDIR} 255 import_dir=${P_R_COPYDIR} 256 # make sure we are using generic default policy. 257 unset NSS_ALLOW_WEAK_SIGNATURE_ALG 258 259 save_pkcs11 ${export_dir} 260 save_pkcs11 ${import_dir} 261 ignore_blank_lines ${PKCS12POLICY} | \ 262 while read export_ret import_ret export_policy import_policy key_cipher cert_cipher hash testname 263 do 264 echo "$SCRIPTNAME: PKCS12 Policy Test {${testname}} ---------------" 265 export_policy=`echo ${export_policy} | sed -e 's;_; ;g'` 266 import_policy=`echo ${import_policy} | sed -e 's;_; ;g'` 267 key_cipher=`echo ${key_cipher} | sed -e 's;_; ;g'` 268 cert_cipher=`echo ${cert_cipher} | sed -e 's;_; ;g'` 269 hash=`echo ${hash} | sed -e 's;_; ;g'` 270 setup_policy "${export_policy}" ${export_dir} 271 setup_policy "${import_policy}" ${import_dir} 272 273 export_import_policy ${export_ret} ${import_ret} ${export_dir} ${import_dir} "${key_cipher}" "${cert_cipher}" "${hash}" 274 done 275 restore_pkcs11 ${export_dir} 276 restore_pkcs11 ${import_dir} 277 } 278 279 ######################################################################## 280 # Export using the pkcs5pbe ciphers for key and certificate encryption. 281 # List the contents of and import from the p12 file. 282 ######################################################################## 283 tools_p12_export_list_import_all_pkcs5pbe_ciphers() 284 { 285 local saveIFS="${IFS}" 286 export NSS_ALLOW_WEAK_SIGNATURE_ALG=1 287 IFS=, 288 for key_cipher in ${PKCS5v1_PBE_CIPHERS} default; do 289 for cert_cipher in ${PKCS5v1_PBE_CIPHERS} default none; do 290 for hash in ${PBE_HASH}; do 291 export_list_import "${key_cipher}" "${cert_cipher}" "${hash}" 292 done 293 done 294 done 295 IFS="${saveIFS}" 296 } 297 298 ######################################################################## 299 # Export using the pkcs5v2 ciphers for key and certificate encryption. 300 # List the contents of and import from the p12 file. 301 ######################################################################## 302 tools_p12_export_list_import_all_pkcs5v2_ciphers() 303 { 304 local saveIFS="${IFS}" 305 export NSS_ALLOW_WEAK_SIGNATURE_ALG=1 306 IFS=, 307 for key_cipher in ${PKCS5v2_PBE_CIPHERS} default; do 308 for cert_cipher in ${PKCS5v2_PBE_CIPHERS} default none; do 309 for hash in ${PBE_HASH}; do 310 export_list_import "${key_cipher}" "${cert_cipher}" "${hash}" 311 done 312 done 313 done 314 IFS="${saveIFS}" 315 } 316 317 ######################################################################## 318 # Export using the pkcs12v2pbe ciphers for key and certificate encryption. 319 # List the contents of and import from the p12 file. 320 ######################################################################## 321 tools_p12_export_list_import_all_pkcs12v2pbe_ciphers() 322 { 323 local saveIFS="${IFS}" 324 IFS=, 325 export NSS_ALLOW_WEAK_SIGNATURE_ALG=1 326 for key_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default; do 327 for cert_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default none; do 328 for hash in ${PBE_HASH}; do 329 export_list_import "${key_cipher}" "${cert_cipher}" "${hash}" 330 done 331 done 332 done 333 IFS="${saveIFS}" 334 } 335 336 ######################################################################## 337 # Spot check all ciphers. 338 # using the traditional tests, we wind up running almost 1300 tests. 339 # This isn't too bad for debug builds in which the interator is set to 1000. 340 # for optimized builds, the iterator is set to 60000, which means a 30 341 # minute test will now take more than 2 hours. This tests most combinations 342 # and results in only about 300 tests. We are stil testing all ciphers 343 # for both key and cert encryption, and we are testing them against 344 # one of each class of cipher (pkcs5v1, pkcs5v2, pkcs12). 345 ######################################################################## 346 tools_p12_export_list_import_most_ciphers() 347 { 348 local saveIFS="${IFS}" 349 IFS=, 350 export NSS_ALLOW_WEAK_SIGNATURE_ALG=1 351 for cipher in ${PBE_CIPHERS}; do 352 for class in ${PBE_CIPHERS_CLASSES}; do 353 # we'll test the case of cipher == class below the for loop 354 if [ "${cipher}" != "${class}" ]; then 355 export_list_import "${class}" "${cipher}" "SHA-1" 356 export_list_import "${cipher}" "${class}" "SHA-256" 357 fi 358 done 359 export_list_import "${cipher}" "none" "SHA-224" 360 export_list_import "${cipher}" "${cipher}" "HMAC SHA-512" 361 done 362 for class in ${PBE_CIPHERS_CLASSES}; do 363 for hash in ${PBE_HASH_CLASSES}; do 364 export_list_import "${class}" "${class}" "${hash}" 365 done 366 done 367 IFS="${saveIFS}" 368 } 369 370 ######################################################################### 371 # Export with no encryption on key should fail but on cert should pass 372 ######################################################################### 373 tools_p12_export_with_none_ciphers() 374 { 375 # use none as the key encryption algorithm default for the cert one 376 # should fail 377 378 echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" 379 echo " -k ${R_PWFILE} -w ${R_PWFILE} -c none" 380 ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ 381 -k ${R_PWFILE} -w ${R_PWFILE} \ 382 -c none 2>&1 383 ret=$? 384 html_msg $ret 30 "Exporting with [none:default:default] (pk12util -o)" 385 check_tmpfile 386 387 # use default as the key encryption algorithm none for the cert one 388 # should pass 389 390 echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" 391 echo " -k ${R_PWFILE} -w ${R_PWFILE} -C none" 392 ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ 393 -k ${R_PWFILE} -w ${R_PWFILE} \ 394 -C none 2>&1 395 ret=$? 396 html_msg $ret 0 "Exporting with [default:none:default] (pk12util -o)" 397 check_tmpfile 398 verify_p12 Alice.p12 "default" "none" "default" 399 } 400 401 ######################################################################### 402 # Export with invalid cipher should fail 403 ######################################################################### 404 tools_p12_export_with_invalid_ciphers() 405 { 406 echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" 407 echo " -k ${R_PWFILE} -w ${R_PWFILE} -c INVALID_CIPHER" 408 ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ 409 -k ${R_PWFILE} -w ${R_PWFILE} \ 410 -c INVALID_CIPHER 2>&1 411 ret=$? 412 html_msg $ret 30 "Exporting with [INVALID_CIPHER:default] (pk12util -o)" 413 check_tmpfile 414 415 echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" 416 echo " -k ${R_PWFILE} -w ${R_PWFILE} -C INVALID_CIPHER" 417 ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ 418 -k ${R_PWFILE} -w ${R_PWFILE} \ 419 -C INVALID_CIPHER 2>&1 420 ret=$? 421 html_msg $ret 30 "Exporting with [default:INVALID_CIPHER] (pk12util -o)" 422 check_tmpfile 423 424 } 425 426 ######################################################################### 427 # Exports using the default key and certificate encryption ciphers. 428 # Imports from and lists the contents of the p12 file. 429 # Repeats the test with ECC if enabled. 430 ######################################################################## 431 tools_p12_export_list_import_with_default_ciphers() 432 { 433 echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers" 434 435 export_list_import "default" "default" "default" 436 437 echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------" 438 echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" 439 echo " -w ${R_PWFILE}" 440 ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ 441 -w ${R_PWFILE} 2>&1 442 ret=$? 443 html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)" 444 check_tmpfile 445 verify_p12 Alice-ec.p12 "default" "default" "default" 446 447 echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------" 448 echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" 449 ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 450 ret=$? 451 html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)" 452 check_tmpfile 453 454 echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------" 455 echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}" 456 ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1 457 ret=$? 458 html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)" 459 check_tmpfile 460 461 echo "$SCRIPTNAME: Exporting Alice's email EC cert & key with long pw------" 462 echo "pk12util -o Alice-ec-long.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" 463 echo " -w ${R_LONGPWFILE}" 464 ${BINDIR}/pk12util -o Alice-ec-long.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ 465 -w ${R_LONGPWFILE} 2>&1 466 ret=$? 467 html_msg $ret 0 "Exporting Alice's email EC cert & key with long pw (pk12util -o)" 468 check_tmpfile 469 verify_p12 Alice-ec-long.p12 "default" "default" "default" 470 471 echo "$SCRIPTNAME: Importing Alice's email EC cert & key with long pw-----" 472 echo "pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE}" 473 ${BINDIR}/pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE} 2>&1 474 ret=$? 475 html_msg $ret 0 "Importing Alice's email EC cert & key with long pw (pk12util -i)" 476 check_tmpfile 477 478 echo "$SCRIPTNAME: Listing Alice's pk12 EC file with long pw ------------" 479 echo "pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE}" 480 ${BINDIR}/pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE} 2>&1 481 ret=$? 482 html_msg $ret 0 "Listing Alice's pk12 EC file with long pw (pk12util -l)" 483 check_tmpfile 484 } 485 486 tools_p12_import_old_files() 487 { 488 echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------" 489 echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" 490 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 491 ret=$? 492 html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.21 (PBES2 with BMPString password)" 493 check_tmpfile 494 495 echo "pk12util -i TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" 496 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 497 ret=$? 498 html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.29.5 (PBES2 with incorrect AES-128-CBC algorithm ID)" 499 check_tmpfile 500 501 echo "pk12util -i PKCS5WithImplicitKDF.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W pasword" 502 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/PKCS5WithImplicitKDF.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W password 2>&1 503 ret=$? 504 html_msg $ret 0 "Importing PKCS#12 file with and implicit KDF value" 505 check_tmpfile 506 507 echo "pk12util -I -l corrupted_cert_bag.p12 -W start" 508 ${BINDIR}/pk12util -I -l ${TOOLSDIR}/data/corrupted_cert_bag.p12 -W start 2>&1 509 ret=$? 510 html_msg $ret 17 "Listing a PKCS#12 file with corrupted certificate bag" 511 check_tmpfile 512 513 } 514 515 tools_p12_import_rsa_pss_private_key() 516 { 517 echo "$SCRIPTNAME: Importing RSA-PSS private key from PKCS#12 file --------------" 518 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestRSAPSS.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '' 2>&1 519 ret=$? 520 html_msg $ret 0 "Importing RSA-PSS private key from PKCS#12 file" 521 check_tmpfile 522 523 # Check if RSA-PSS identifier is included in the key listing 524 ${BINDIR}/certutil -d ${P_R_COPYDIR} -K -f ${R_PWFILE} | grep '^<[0-9 ]*> *rsaPss' 525 ret=$? 526 html_msg $ret 0 "Listing RSA-PSS private key imported from PKCS#12 file" 527 check_tmpfile 528 529 return $ret 530 } 531 532 tools_p12_import_pbmac1_samples() 533 { 534 echo "$SCRIPTNAME: Importing private key pbmac1 PKCS#12 file --------------" 535 echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha256.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" 536 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha256.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 537 ret=$? 538 html_msg $ret 0 "Importing private key pbmac1 hmac-sha-256 from PKCS#12 file" 539 check_tmpfile 540 541 echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha256-sha512.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" 542 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha256-sha512.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 543 ret=$? 544 html_msg $ret 0 "Importing private key pbmac1 hmac-sha-256 and hmac-sha-512 prf from PKCS#12 file" 545 check_tmpfile 546 547 echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha512.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" 548 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/pbmac1-valid-sha512.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 549 ret=$? 550 html_msg $ret 0 "Importing private key pbmac1 hmac-sha-512 from PKCS#12 file" 551 check_tmpfile 552 553 echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I" 554 ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1 555 ret=$? 556 html_msg $ret 19 "Fail to list private key with bad iterator" 557 check_tmpfile 558 559 echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I" 560 ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1 561 ret=$? 562 echo "Fail to list private key with bad salt val=$ret" 563 html_msg $ret 19 "Fail to import private key with bad salt" 564 check_tmpfile 565 566 echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I " 567 ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1 568 ret=$? 569 echo "Fail to import private key with no length val=$ret" 570 html_msg $ret 19 "Fail to import private key with no length" 571 check_tmpfile 572 } 573 574 ############################## tools_p12 ############################### 575 # local shell function to test basic functionality of pk12util 576 ######################################################################## 577 tools_p12() 578 { 579 tools_p12_export_list_import_with_default_ciphers 580 # optimized builds have a larger iterator, so they can't run as many 581 # pkcs12 tests and complete in a reasonable time. Use the iterateration 582 # count from the previous tests to determine how many tests 583 # we can run. 584 iteration_count=$(pp -t p12 -i Alice-ec.p12 | grep "Iterations: " | sed -e 's;.*Iterations: ;;' -e 's;(.*).*;;') 585 echo "Iteration count=${iteration_count}" 586 if [ -n "${iteration_count}" -a ${iteration_count} -le 10000 ]; then 587 tools_p12_export_list_import_all_pkcs5v2_ciphers 588 tools_p12_export_list_import_all_pkcs12v2pbe_ciphers 589 else 590 tools_p12_export_list_import_most_ciphers 591 fi 592 tools_p12_export_with_none_ciphers 593 tools_p12_export_with_invalid_ciphers 594 tools_p12_import_old_files 595 tools_p12_import_pbmac1_samples 596 if using_sql; then 597 tools_p12_import_rsa_pss_private_key 598 tools_p12_policy 599 fi 600 } 601 602 ############################## tools_sign ############################## 603 # local shell function pk12util uses a hardcoded tmp file, if this exists 604 # and is owned by another user we don't get reasonable errormessages 605 ######################################################################## 606 check_tmpfile() 607 { 608 if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then 609 echo "Error: pk12util temp file exists. Please remove this file and" 610 echo " rerun the test (/tmp/Pk12uTemp) " 611 fi 612 } 613 614 ############################## tools_sign ############################## 615 # make sure the generated p12 file has the characteristics we expected 616 ######################################################################## 617 verify_p12() 618 { 619 KEY_ENCRYPTION=$(map_cipher "${2}" "${KEY_ENCRYPTION_DEFAULT}") 620 CERT_ENCRYPTION=$(map_cipher "${3}" "${CERT_ENCRYPTION_DEFAULT}") 621 HASH=$(map_cipher "${4}" "${HASH_DEFAULT}") 622 623 STATE="NOBAGS" # state records if we are in the key or cert bag 624 CERT_ENCRYPTION_NOT_FOUND=1 625 KEY_ENCRYPTION_NOT_FOUND=1 626 CERT_ENCRYPTION_FAIL=0 627 KEY_ENCRYPTION_FAIL=0 628 HASH_FAIL=0 629 TMP=$(mktemp /tmp/p12Verify.XXXXXX) 630 which pk12util 631 local saveIFS="${IFS}" 632 IFS=" \ 633 " 634 # use pp to dump the pkcs12 file, only the unencrypted portions are visible 635 # if there are multiple entries, we fail if any of those entries have the 636 # wrong encryption. We also fail if we can't find any encryption info. 637 # Use a file rather than a pipe so that while do can modify our variables. 638 # We're only interested in extracting the encryption algorithms are here, 639 # p12util -l will verify that decryption works properly. 640 pp -t pkcs12 -i ${1} -o ${TMP} 641 while read line ; do 642 # strip trailing carriage return 643 line="${line%$'\r'}" 644 # first up: if we see an unencrypted key bag, then we know that the key 645 # was unencrypted (NOTE: pk12util currently can't generate these kinds of 646 # files). 647 if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Key Bag" ]]; then 648 KEY_ENCRYPTION_NOT_FOUND=0 649 if [ "${KEY_ENCRYPTION}" != "none" ]; then 650 KEY_ENCRYPTION_FAIL=1 651 echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"none\"" 652 fi 653 continue 654 fi 655 # if we find the the Cert Bag, then we know that the certificate was not 656 # encrypted 657 if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Cert Bag" ]]; then 658 CERT_ENCRYPTION_NOT_FOUND=0 659 if [ "${CERT_ENCRYPTION}" != "none" ]; then 660 CERT_ENCRYPTION_FAIL=1 661 echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"none\"" 662 fi 663 continue 664 fi 665 # we found the shrouded key bag, the next encryption informtion should be 666 # for the key. 667 if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 PKCS8 Shrouded Key Bag" ]]; then 668 STATE="KEY" 669 continue 670 fi 671 # If we found PKCS #7 Encrypted Data, it must be the encrypted certificate 672 # (well it could be any encrypted certificate, or a crl, but in p12util 673 # they will all have the same encryption value 674 if [[ "${line}" = "PKCS #7 Encrypted Data:" ]]; then 675 STATE="CERT" 676 continue 677 fi 678 # check the Mac 679 if [[ "${line}" =~ "Mac Digest Algorithm ID: ".* ]]; then 680 STATE="MAC" 681 MAC="${line##Mac Digest Algorithm ID: }" 682 if [[ "${HASH}" =~ "HMAC ".* ]]; then 683 if [[ ! "${MAC}" =~ "PKCS #5 Password Based Authentication v1"\ * ]]; then 684 HASH_FAIL=1 685 echo "--MAC mismatch: expected \"PKCS #5 Password Based Authentication v1\" found \"${MAC}\"" 686 fi 687 elif [ "${MAC}" != "${HASH}" ]; then 688 HASH_FAIL=1 689 echo "--Mac Hash mismatch: expected \"${HASH}\" found \"${MAC}\"" 690 fi 691 fi 692 # check the KDF 693 if [[ "${line}" =~ "KDF algorithm: ".* ]]; then 694 KDF="${line##KDF algorithm: }" 695 if [ "${KDF}" != "HMAC ${HASH}" -a "${KDF}" != "${HASH}" ]; then 696 HASH_FAIL=1 697 echo "--KDF Hash mismatch: expected \"HMAC ${HASH}\" found \"${KDF}\"" 698 fi 699 fi 700 # Content Encryption Algorithm is the PKCS #5 algorithm ID. 701 if [[ "${line}" =~ .*"Encryption Algorithm: ".* ]]; then 702 # Strip the [Content ]EncryptionAlgorithm 703 ENCRYPTION="${line##Content }" 704 ENCRYPTION="${ENCRYPTION##Encryption Algorithm: }" 705 # If that algorithm id is PKCS #5 v2, then skip forward looking 706 # for the Cipher: field. 707 if [[ "${ENCRYPTION}" =~ "PKCS #5 Password Based Encryption v2"\ * ]]; then 708 continue; 709 fi 710 case ${STATE} in 711 "KEY") 712 KEY_ENCRYPTION_NOT_FOUND=0 713 if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then 714 KEY_ENCRYPTION_FAIL=1 715 echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\"" 716 fi 717 ;; 718 "CERT") 719 CERT_ENCRYPTION_NOT_FOUND=0 720 if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then 721 CERT_ENCRYPTION_FAIL=1 722 echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\"" 723 fi 724 ;; 725 "MAC") 726 HASH_FAIL=1 727 echo "--unexpected encryption algorithm in MAC found \"${ENCRYPTION}\"" 728 ;; 729 esac 730 fi 731 # handle the PKCS 5 v2 case 732 if [[ "${line}" =~ "Cipher: ".* ]]; then 733 ENCRYPTION="${line#Cipher: }" 734 case ${STATE} in 735 "KEY") 736 KEY_ENCRYPTION_NOT_FOUND=0 737 if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then 738 KEY_ENCRYPTION_FAIL=1 739 echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\"" 740 fi 741 ;; 742 "CERT") 743 CERT_ENCRYPTION_NOT_FOUND=0 744 if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then 745 CERT_ENCRYPTION_FAIL=1 746 echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\"" 747 fi 748 ;; 749 "MAC") 750 # handle the PKCS 5 v2 MAC case 751 if [ "${HASH}" != "${ENCRYPTION}" ]; then 752 HASH_FAIL=1 753 echo "--MAC HMAC mismatch: expected \"${HASH}\" found \"${ENCRYPTION}\"" 754 fi 755 ;; 756 esac 757 fi 758 done < ${TMP} 759 IFS="${saveIFS}" 760 # we've scanned the file, set the return value to a combination of 761 # KEY and CERT state variables. If everything is as expected, they should 762 # add up to 0. 763 ret=$((${HASH_FAIL} * 10000 + ${KEY_ENCRYPTION_FAIL} * 1000 + ${KEY_ENCRYPTION_NOT_FOUND} * 100 + ${CERT_ENCRYPTION_FAIL} * 10 + ${CERT_ENCRYPTION_NOT_FOUND})) 764 rm -r ${TMP} 765 html_msg $ret 0 "Verifying p12 file generated with [${2}:${3}:${4}]" 766 } 767 768 # 769 # this handles any mapping we need from requested cipher to 770 # actual cipher. For instance ciphers which already have 771 # PKCS 5 v1 PBE will be mapped to those pbes by pk12util. 772 map_cipher() 773 { 774 if [ "${1}" = "default" ]; then 775 echo "${2}" 776 return 777 fi 778 case "${1}" in 779 # these get mapped to the PKCS5 v1 or PKCS 12 attributes, not PKCS 5v2 780 RC2-CBC) 781 echo "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" 782 return ;; 783 DES-EDE3-CBC) 784 echo "${pkcs12v2pbeWithSha1AndTripleDESCBC}" 785 return;; 786 esac 787 echo "${1}" 788 } 789 790 ############################## tools_sign ############################## 791 # local shell function to test basic functionality of signtool 792 ######################################################################## 793 tools_sign() 794 { 795 echo "$SCRIPTNAME: Create objsign cert -------------------------------" 796 echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\"" 797 ${BINDIR}/signtool -G "objsigner" -d ${P_R_SIGNDIR} -p "nss" 2>&1 <<SIGNSCRIPT 798 y 799 TEST 800 MOZ 801 NSS 802 NY 803 US 804 liz 805 liz@moz.org 806 SIGNSCRIPT 807 html_msg $? 0 "Create objsign cert (signtool -G)" 808 809 echo "$SCRIPTNAME: Signing a jar of files ----------------------------" 810 echo "signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\" 811 echo " ${R_TOOLSDIR}/html" 812 ${BINDIR}/signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p "nss" -k objsigner \ 813 ${R_TOOLSDIR}/html 814 html_msg $? 0 "Signing a jar of files (signtool -Z)" 815 816 echo "$SCRIPTNAME: Listing signed files in jar ----------------------" 817 echo "signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner" 818 ${BINDIR}/signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner 819 html_msg $? 0 "Listing signed files in jar (signtool -v)" 820 821 echo "$SCRIPTNAME: Show who signed jar ------------------------------" 822 echo "signtool -w nojs.jar -d ${P_R_SIGNDIR}" 823 ${BINDIR}/signtool -w nojs.jar -d ${P_R_SIGNDIR} 824 html_msg $? 0 "Show who signed jar (signtool -w)" 825 826 echo "$SCRIPTNAME: Signing a xpi of files ----------------------------" 827 echo "signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\" 828 echo " ${R_TOOLSDIR}/html" 829 ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p "nss" -k objsigner \ 830 ${R_TOOLSDIR}/html 831 html_msg $? 0 "Signing a xpi of files (signtool -Z -X)" 832 833 echo "$SCRIPTNAME: Listing signed files in xpi ----------------------" 834 echo "signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner" 835 ${BINDIR}/signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner 836 html_msg $? 0 "Listing signed files in xpi (signtool -v)" 837 838 echo "$SCRIPTNAME: Show who signed xpi ------------------------------" 839 echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}" 840 ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR} 841 html_msg $? 0 "Show who signed xpi (signtool -w)" 842 843 } 844 845 tools_modutil() 846 { 847 echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized" 848 mkdir -p ${R_TOOLSDIR}/moddir 849 # copied from modu function in cert.sh 850 # echo is used to press Enter expected by modutil 851 echo | ${BINDIR}/modutil -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1 852 ret=$? 853 ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \ 854 -x -t ',,' -z "${R_NOISE_FILE}" 855 ret=$? 856 html_msg $ret 0 "Test if DB created by modutil -create is initialized" 857 check_tmpfile 858 } 859 860 ############################## tools_cleanup ########################### 861 # local shell function to finish this script (no exit since it might be 862 # sourced) 863 ######################################################################## 864 tools_cleanup() 865 { 866 html "</TABLE><BR>" 867 cd ${QADIR} 868 . common/cleanup.sh 869 } 870 871 ################## main ################################################# 872 873 tools_init 874 tools_p12 875 tools_sign 876 tools_modutil 877 tools_cleanup