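#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

########################################################################
#
# mozilla/security/nss/tests/tools/tools.sh
#
# Script to test basic functionality of NSS tools
#
# needs to work on all Unix and Windows platforms
#
# tests implemented:
#    pk12util
#    signtool
#
# special strings
# ---------------
#   FIXME ... known problems, search for this string
#   NOTE .... unexpected behavior
#
########################################################################

# PBE algorithm names spelled exactly as pk12util expects them for its
# -c (key) and -C (certificate) cipher options.  `export` makes them
# visible to every child process the tests spawn.  Note that the three
# pkcs12v2pbeWith{Md2,Md5,Sha1}AndDESCBC names carry the same "PKCS #5"
# strings as the pkcs5pbeWith* names below, so they select the same
# algorithms.  All of these are the older RC4 / RC2 / DES / 3DES based
# schemes, as opposed to the PKCS #5 v2 cipher names used further down.
export pkcs12v2pbeWithSha1And128BitRc4=\
"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC4"
export pkcs12v2pbeWithSha1And40BitRc4=\
"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC4"
export pkcs12v2pbeWithSha1AndTripleDESCBC=\
"PKCS #12 V2 PBE With SHA-1 and 3KEY Triple DES-CBC"
export pkcs12v2pbeWithSha1And128BitRc2Cbc=\
"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC2 CBC"
export pkcs12v2pbeWithSha1And40BitRc2Cbc=\
"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC2 CBC"
export pkcs12v2pbeWithMd2AndDESCBC=\
"PKCS #5 Password Based Encryption with MD2 and DES-CBC"
export pkcs12v2pbeWithMd5AndDESCBC=\
"PKCS #5 Password Based Encryption with MD5 and DES-CBC"
export pkcs12v2pbeWithSha1AndDESCBC=\
"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
export pkcs5pbeWithMD2AndDEScbc=\
"PKCS #5 Password Based Encryption with MD2 and DES-CBC"
export pkcs5pbeWithMD5AndDEScbc=\
"PKCS #5 Password Based Encryption with MD5 and DES-CBC"
export pkcs5pbeWithSha1AndDEScbc=\
"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"

############################## tools_init ##############################
# local shell function to initialize this script
#
# Globals (read):    CLEANUP, INIT_SOURCED, CERT_LOG_FILE, HOSTDIR, QADIR,
#                    ALICEDIR, MULTIACCESS_DBM, version
# Globals (written): SCRIPTNAME, CLEANUP, TOOLSDIR, COPYDIR, SIGNDIR,
#                    R_TOOLSDIR, R_COPYDIR, R_SIGNDIR, P_R_COPYDIR,
#                    P_R_SIGNDIR
# Side effects:      sources ../common/init.sh and ../cert/cert.sh when
#                    needed, creates the tools work tree under HOSTDIR,
#                    copies the test fixtures into it and cd's into it.
#                    Calls Exit 15 when cert.sh's S/MIME run did not pass.
# html_head and Exit come from the sourced common helpers.
########################################################################
tools_init()
{
  SCRIPTNAME=tools.sh      # sourced - $0 would point to all.sh
  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
  fi

  # An unset or empty INIT_SOURCED is already covered by "!= TRUE", so
  # the separate -z test is not needed.
  if [ "${INIT_SOURCED}" != "TRUE" ]; then
      cd ../common
      . ./init.sh
  fi
  if [ ! -r "${CERT_LOG_FILE}" ]; then  # we need certificates here
      cd ../cert
      . ./cert.sh
  fi
  SCRIPTNAME=tools.sh
  html_head "Tools Tests"

  # The pk12util tests below export Alice's key/cert, which cert.sh
  # creates in its S/MIME run; bail out if that did not succeed.
  grep "SUCCESS: SMIME passed" "${CERT_LOG_FILE}" >/dev/null || {
      Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
  }

  TOOLSDIR=${HOSTDIR}/tools
  COPYDIR=${TOOLSDIR}/copydir
  SIGNDIR=${TOOLSDIR}/signdir
  R_TOOLSDIR=../tools
  R_COPYDIR=../tools/copydir
  R_SIGNDIR=../tools/signdir
  P_R_COPYDIR=${R_COPYDIR}
  P_R_SIGNDIR=${R_SIGNDIR}
  # With MULTIACCESS_DBM the tools address the databases through the
  # multiaccess: prefix instead of a directory path.
  if [ -n "${MULTIACCESS_DBM}" ]; then
      P_R_COPYDIR="multiaccess:Tools.$version"
      P_R_SIGNDIR="multiaccess:Tools.sign.$version"
  fi

  mkdir -p "${TOOLSDIR}"
  mkdir -p "${COPYDIR}"
  mkdir -p "${SIGNDIR}"
  cp "${ALICEDIR}"/* "${SIGNDIR}/"
  mkdir -p "${TOOLSDIR}/html"
  cp "${QADIR}"/tools/sign*.html "${TOOLSDIR}/html"
  mkdir -p "${TOOLSDIR}/data"
  cp "${QADIR}/tools/TestOldCA.p12" "${TOOLSDIR}/data"
  cp "${QADIR}/tools/TestOldAES128CA.p12" "${TOOLSDIR}/data"
  cp "${QADIR}/tools/TestRSAPSS.p12" "${TOOLSDIR}/data"

  # The export/import functions below refer to Alice.p12 by a relative
  # name, so the rest of the script runs from TOOLSDIR.
  cd "${TOOLSDIR}"
}

########################## list_p12_file ###############################
# List the key and cert in the specified p12 file
# Arguments: $1 - p12 file to list
# Globals:   BINDIR, R_PWFILE, SCRIPTNAME (read);
#            ret (written; check_tmpfile reads it)
# Returns:   pk12util's exit status
# -w takes the path of the password file, so the echoed command line
# shows a file name, not the password.
########################################################################
list_p12_file()
{
  echo "$SCRIPTNAME: Listing Alice's pk12 file"
  echo "pk12util -l ${1} -w ${R_PWFILE}"
  "${BINDIR}/pk12util" -l "${1}" -w "${R_PWFILE}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Listing ${1} (pk12util -l)"
  check_tmpfile
  return $ret
}

########################################################################
# Import the key and cert from the specified p12 file
# Arguments: $1 - p12 file to import into the copy database
# Globals:   BINDIR, P_R_COPYDIR, R_PWFILE, SCRIPTNAME (read);
#            ret (written; check_tmpfile reads it)
# Returns:   pk12util's exit status
########################################################################
import_p12_file()
{
  echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file"
  echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
  "${BINDIR}/pk12util" -i "${1}" -d "${P_R_COPYDIR}" -k "${R_PWFILE}" -w "${R_PWFILE}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Importing ${1} (pk12util -i)"
  check_tmpfile
  return $ret
}

########################################################################
# Export the key and cert to a p12 file using default ciphers
# Globals:   BINDIR, P_R_ALICEDIR, R_PWFILE, SCRIPTNAME (read);
#            ret (written; check_tmpfile reads it)
# Outputs:   writes Alice.p12 into the current directory
# Returns:   pk12util's exit status
########################################################################
export_with_default_ciphers()
{
  echo "$SCRIPTNAME: Exporting Alice's key & cert with [default:default] (pk12util -o)"
  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
  echo " -k ${R_PWFILE} -w ${R_PWFILE}"
  "${BINDIR}/pk12util" -o Alice.p12 -n "Alice" -d "${P_R_ALICEDIR}" \
      -k "${R_PWFILE}" -w "${R_PWFILE}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Exporting Alices's key & cert with [default:default] (pk12util -o)"
  check_tmpfile
  return $ret
}

########################################################################
# Exports key/cert to a p12 file, the key encryption cipher is specified
# and the cert encryption cipher is blank for default.
# Arguments: $1 - key encryption cipher (pk12util -c)
# Globals:   BINDIR, P_R_ALICEDIR, R_PWFILE, SCRIPTNAME (read);
#            ret (written; check_tmpfile reads it)
# Outputs:   writes Alice.p12 into the current directory
# Returns:   pk12util's exit status
########################################################################
export_with_key_cipher()
{
  echo "$SCRIPTNAME: Exporting with [${1}:default]"
  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
  echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1}"
  "${BINDIR}/pk12util" -o Alice.p12 -n "Alice" -d "${P_R_ALICEDIR}" \
      -k "${R_PWFILE}" -w "${R_PWFILE}" -c "${1}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Exporting with [${1}:default] (pk12util -o)"
  check_tmpfile
  return $ret
}

########################################################################
# Exports key/cert to a p12 file, the key encryption cipher is left
# empty for default and the cert encryption cipher is specified.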
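########################################################################
# Arguments: $1 - certificate encryption cipher (pk12util -C)
# Globals:   BINDIR, P_R_ALICEDIR, R_PWFILE, SCRIPTNAME (read);
#            ret (written; check_tmpfile reads it)
# Outputs:   writes Alice.p12 into the current directory
# Returns:   pk12util's exit status
export_with_cert_cipher()
{
  echo "$SCRIPTNAME: Exporting with [default:${1}]"
  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
  echo " -k ${R_PWFILE} -w ${R_PWFILE} -C ${1}"
  "${BINDIR}/pk12util" -o Alice.p12 -n "Alice" -d "${P_R_ALICEDIR}" \
      -k "${R_PWFILE}" -w "${R_PWFILE}" -C "${1}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Exporting with [default:${1}] (pk12util -o)"
  check_tmpfile
  return $ret
}

########################################################################
# Exports key/cert to a p12 file, both the key encryption cipher and
# the cert encryption cipher are specified.
# Arguments: $1 - key encryption cipher or ""  (pk12util -c)
#            $2 - certificate encryption cipher or ""  (pk12util -C)
# Globals:   BINDIR, P_R_ALICEDIR, R_PWFILE (read);
#            ret (written; check_tmpfile reads it)
# Outputs:   writes Alice.p12 into the current directory
# Returns:   pk12util's exit status
########################################################################
export_with_both_key_and_cert_cipher()
{
  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
  echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1} -C ${2}"
  "${BINDIR}/pk12util" -o Alice.p12 -n "Alice" -d "${P_R_ALICEDIR}" \
      -k "${R_PWFILE}" -w "${R_PWFILE}" \
      -c "${1}" -C "${2}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Exporting with [${1}:${2}] (pk12util -o)"
  check_tmpfile
  return $ret
}

########################################################################
# Exports key and cert to a p12 file, both the key encryption cipher
# and the cert encryption cipher are specified. The key and cert are
# imported and the p12 file is listed
# Arguments: $1 - key encryption cipher, or "DEFAULT" to omit -c
#            $2 - certificate encryption cipher, or "DEFAULT" to omit -C
#            (any other value, including "none", is passed through)
# Returns:   status of the final import_p12_file call
########################################################################
export_list_import()
{
  # Dispatch on which of the two ciphers is left at its default; the
  # branch order makes the elif tests simpler than the full pairs.
  if [ "${1}" != "DEFAULT" ] && [ "${2}" != "DEFAULT" ]; then
      export_with_both_key_and_cert_cipher "${1}" "${2}"
  elif [ "${1}" != "DEFAULT" ]; then
      export_with_key_cipher "${1}"
  elif [ "${2}" != "DEFAULT" ]; then
      export_with_cert_cipher "${2}"
  else
      export_with_default_ciphers
  fi

  list_p12_file Alice.p12
  import_p12_file Alice.p12
}

########################################################################
# Export using the pkcs5pbe ciphers for key and certificate encryption.
# List the contents of and import from the p12 file.
# Every key cipher (plus DEFAULT) is combined with every cert cipher
# (plus DEFAULT and none), 4 x 5 = 20 export/list/import rounds.
########################################################################
tools_p12_export_list_import_all_pkcs5pbe_ciphers()
{
  # specify each on key and cert cipher
  for key_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \
                    "${pkcs5pbeWithMD5AndDEScbc}" \
                    "${pkcs5pbeWithSha1AndDEScbc}" \
                    "DEFAULT"; do
      for cert_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \
                         "${pkcs5pbeWithMD5AndDEScbc}" \
                         "${pkcs5pbeWithSha1AndDEScbc}" \
                         "DEFAULT" \
                         "none"; do
          export_list_import "${key_cipher}" "${cert_cipher}"
      done
  done
}

########################################################################
# Export using the pkcs5v2 ciphers for key and certificate encryption.
# List the contents of and import from the p12 file.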
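########################################################################
# Every key cipher is combined with every cert cipher plus none,
# 8 x 6 = 48 export/list/import rounds.
tools_p12_export_list_import_all_pkcs5v2_ciphers()
{
  # These should pass
  for key_cipher in \
      RC2-CBC \
      DES-EDE3-CBC \
      AES-128-CBC \
      AES-192-CBC \
      AES-256-CBC \
      CAMELLIA-128-CBC \
      CAMELLIA-192-CBC \
      CAMELLIA-256-CBC; do

      #---------------------------------------------------------------
      # Bug 452464 - pk12util -o fails when -C option specifies
      # Camellia ciphers
      # FIXME Restore these to the list
      #  CAMELLIA-128-CBC, \
      #  CAMELLIA-192-CBC, \
      #  CAMELLIA-256-CBC, \
      # when 452464 is fixed
      #---------------------------------------------------------------
      for cert_cipher in \
          RC2-CBC \
          DES-EDE3-CBC \
          AES-128-CBC \
          AES-192-CBC \
          AES-256-CBC \
          none; do
          # quoted like the other cipher loops, so a name is always one arg
          export_list_import "${key_cipher}" "${cert_cipher}"
      done
  done
}

########################################################################
# Export using the pkcs12v2pbe ciphers for key and certificate encryption.
# List the contents of and import from the p12 file.
# Only the cert cipher is varied (10 rounds); see the FIXME below for
# why the key cipher loop is disabled.
########################################################################
tools_p12_export_list_import_all_pkcs12v2pbe_ciphers()
{
  #---------------------------------------------------------------
  # Bug 452471 - pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers
  # FIXME - Restore these to the list
  #      "${pkcs12v2pbeWithSha1And128BitRc4}" \
  #      "${pkcs12v2pbeWithSha1And40BitRc4}" \
  #      "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \
  #      "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \
  #      "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \
  #      "${pkcs12v2pbeWithMd2AndDESCBC}" \
  #      "${pkcs12v2pbeWithMd5AndDESCBC}" \
  #      "${pkcs12v2pbeWithSha1AndDESCBC}" \
  #      "DEFAULT"; do
  # when 452471 is fixed
  #---------------------------------------------------------------
  # for key_cipher in \
  key_cipher="DEFAULT"
      for cert_cipher in "${pkcs12v2pbeWithSha1And128BitRc4}" \
                         "${pkcs12v2pbeWithSha1And40BitRc4}" \
                         "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \
                         "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \
                         "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \
                         "${pkcs12v2pbeWithMd2AndDESCBC}" \
                         "${pkcs12v2pbeWithMd5AndDESCBC}" \
                         "${pkcs12v2pbeWithSha1AndDESCBC}" \
                         "DEFAULT" \
                         "none"; do
          export_list_import "${key_cipher}" "${cert_cipher}"
      done
  #done
}

#########################################################################
# Export with no encryption on key should fail but on cert should pass
# Globals:   BINDIR, P_R_ALICEDIR, R_PWFILE (read);
#            ret (written; check_tmpfile reads it)
#########################################################################
tools_p12_export_with_none_ciphers()
{
  # use none as the key encryption algorithm default for the cert one
  # should fail: an unencrypted private key is rejected, expected status 30
  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
  echo " -k ${R_PWFILE} -w ${R_PWFILE} -c none"
  "${BINDIR}/pk12util" -o Alice.p12 -n "Alice" -d "${P_R_ALICEDIR}" \
      -k "${R_PWFILE}" -w "${R_PWFILE}" \
      -c none 2>&1
  ret=$?
  html_msg "$ret" 30 "Exporting with [none:default] (pk12util -o)"
  check_tmpfile

  # use default as the key encryption algorithm none for the cert one
  # should pass: the certificate may be stored unencrypted
  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
  echo " -k ${R_PWFILE} -w ${R_PWFILE} -C none"
  "${BINDIR}/pk12util" -o Alice.p12 -n "Alice" -d "${P_R_ALICEDIR}" \
      -k "${R_PWFILE}" -w "${R_PWFILE}" \
      -C none 2>&1
  ret=$?
  html_msg "$ret" 0 "Exporting with [default:none] (pk12util -o)"
  check_tmpfile
}

#########################################################################
# Export with invalid cipher should fail
# An unknown name for either -c or -C must be rejected with status 30,
# not silently replaced by some default.
# Globals:   BINDIR, P_R_ALICEDIR, R_PWFILE (read);
#            ret (written; check_tmpfile reads it)
#########################################################################
tools_p12_export_with_invalid_ciphers()
{
  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
  echo " -k ${R_PWFILE} -w ${R_PWFILE} -c INVALID_CIPHER"
  "${BINDIR}/pk12util" -o Alice.p12 -n "Alice" -d "${P_R_ALICEDIR}" \
      -k "${R_PWFILE}" -w "${R_PWFILE}" \
      -c INVALID_CIPHER 2>&1
  ret=$?
  html_msg "$ret" 30 "Exporting with [INVALID_CIPHER:default] (pk12util -o)"
  check_tmpfile

  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
  echo " -k ${R_PWFILE} -w ${R_PWFILE} -C INVALID_CIPHER"
  "${BINDIR}/pk12util" -o Alice.p12 -n "Alice" -d "${P_R_ALICEDIR}" \
      -k "${R_PWFILE}" -w "${R_PWFILE}" \
      -C INVALID_CIPHER 2>&1
  ret=$?
  html_msg "$ret" 30 "Exporting with [default:INVALID_CIPHER] (pk12util -o)"
  check_tmpfile
}

#########################################################################
# Exports using the default key and certificate encryption ciphers.
# Imports from and lists the contents of the p12 file.
# Repeats the test with ECC if enabled.
# Globals:   BINDIR, P_R_ALICEDIR, P_R_COPYDIR, R_PWFILE, SCRIPTNAME
#            (read); ret (written; check_tmpfile reads it)
########################################################################
tools_p12_export_list_import_with_default_ciphers()
{
  echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
  export_list_import "DEFAULT" "DEFAULT"

  echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
  echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
  echo " -w ${R_PWFILE}"
  "${BINDIR}/pk12util" -o Alice-ec.p12 -n "Alice-ec" -d "${P_R_ALICEDIR}" -k "${R_PWFILE}" \
      -w "${R_PWFILE}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Exporting Alice's email EC cert & key (pk12util -o)"
  check_tmpfile

  echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
  echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
  "${BINDIR}/pk12util" -i Alice-ec.p12 -d "${P_R_COPYDIR}" -k "${R_PWFILE}" -w "${R_PWFILE}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Importing Alice's email EC cert & key (pk12util -i)"
  check_tmpfile

  echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
  echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
  "${BINDIR}/pk12util" -l Alice-ec.p12 -w "${R_PWFILE}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Listing Alice's pk12 EC file (pk12util -l)"
  check_tmpfile
}

########################################################################
# Import PKCS#12 fixtures written by older NSS releases (copied into
# TOOLSDIR/data by tools_init) to make sure the current pk12util still
# reads them.  The echoed command lines show the bare file names; the
# real invocations use the full data path.
# Globals:   BINDIR, TOOLSDIR, P_R_COPYDIR, R_PWFILE, SCRIPTNAME (read);
#            ret (written; check_tmpfile reads it)
########################################################################
tools_p12_import_old_files()
{
  echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------"
  echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
  "${BINDIR}/pk12util" -i "${TOOLSDIR}/data/TestOldCA.p12" -d "${P_R_COPYDIR}" -k "${R_PWFILE}" -w "${R_PWFILE}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Importing PKCS#12 file created with NSS 3.21 (PBES2 with BMPString password)"
  check_tmpfile

  echo "pk12util -i TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
  "${BINDIR}/pk12util" -i "${TOOLSDIR}/data/TestOldAES128CA.p12" -d "${P_R_COPYDIR}" -k "${R_PWFILE}" -w "${R_PWFILE}" 2>&1
  ret=$?
  html_msg "$ret" 0 "Importing PKCS#12 file created with NSS 3.29.5 (PBES2 with incorrect AES-128-CBC algorithm ID)"
  check_tmpfile
}

########################################################################
# Import an RSA-PSS private key from a PKCS#12 fixture and verify that
# the key listing shows it as rsaPss.
# The fixture is protected with an empty password (-W '').
# Globals:   BINDIR, TOOLSDIR, P_R_COPYDIR, R_PWFILE, SCRIPTNAME (read);
#            ret (written; check_tmpfile reads it)
# Returns:   status of the listing check
########################################################################
tools_p12_import_rsa_pss_private_key()
{
  echo "$SCRIPTNAME: Importing RSA-PSS private key from PKCS#12 file --------------"
  "${BINDIR}/pk12util" -i "${TOOLSDIR}/data/TestRSAPSS.p12" -d "${P_R_COPYDIR}" -k "${R_PWFILE}" -W '' 2>&1
  ret=$?
  html_msg "$ret" 0 "Importing RSA-PSS private key from PKCS#12 file"
  check_tmpfile

  # Check if RSA-PSS identifier is included in the key listing.
  # $? here is grep's status (pipefail is not set anywhere in this file),
  # so a certutil failure only shows up as "pattern not found".
  "${BINDIR}/certutil" -d "${P_R_COPYDIR}" -K -f "${R_PWFILE}" | grep '^<[0-9 ]*> *rsaPss'
  ret=$?
  html_msg "$ret" 0 "Listing RSA-PSS private key imported from PKCS#12 file"
  check_tmpfile
  return $ret
}

############################## tools_p12 ###############################
# local shell function to test basic functionality of pk12util
# The RSA-PSS import is only exercised when TEST_MODE is SHARED_DB.
########################################################################
tools_p12()
{
  tools_p12_export_list_import_with_default_ciphers
  tools_p12_export_list_import_all_pkcs5v2_ciphers
  tools_p12_export_list_import_all_pkcs5pbe_ciphers
  tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
  tools_p12_export_with_none_ciphers
  tools_p12_export_with_invalid_ciphers
  tools_p12_import_old_files

  if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
      tools_p12_import_rsa_pss_private_key
  fi
}

############################## check_tmpfile ###########################
# local shell function pk12util uses a hardcoded tmp file, if this exists
# and is owned by another user we don't get reasonable errormessages
# Globals:   ret (read) - exit status of the preceding pk12util call;
#            an unset ret is treated as success so nothing is reported
# Outputs:   hint on stdout when pk12util failed and the fixed-name
#            file /tmp/Pk12uTemp is present (shared /tmp, predictable
#            name, so it may have been left behind by another user)
########################################################################
check_tmpfile()
{
  if [ "${ret:-0}" != "0" ] && [ -f /tmp/Pk12uTemp ] ; then
      echo "Error: pk12util temp file exists. Please remove this file and"
      echo "       rerun the test (/tmp/Pk12uTemp) "
  fi
}

############################## tools_sign ##############################
# local shell function to test basic functionality of signtool
#
# NOTE(review): in this copy the body jumps from the "signtool -G" step
# straight to a certutil -S check whose html_msg text refers to
# "modutil -create", and main below calls a tools_modutil that is not
# defined anywhere in this copy.  The text in between looks truncated;
# confirm against the upstream tools.sh before relying on it.  Also
# note the echoed nickname ("objectsigner") differs from the one
# actually passed ("objsigner").
########################################################################
tools_sign()
{
  echo "$SCRIPTNAME: Create objsign cert -------------------------------"
  echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\""
  "${BINDIR}/signtool" -G "objsigner" -d "${P_R_SIGNDIR}" -p "nss" 2>&1 <&1
  ret=$?

  "${BINDIR}/certutil" -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \
      -x -t ',,' -z "${R_NOISE_FILE}"
  ret=$?
  html_msg "$ret" 0 "Test if DB created by modutil -create is initialized"
  check_tmpfile
}

############################## tools_cleanup ###########################
# local shell function to finish this script (no exit since it might be
# sourced)
# NOTE(review): the argument to html below is a bare newline in this
# copy; it looks like markup was stripped from it, so it is left as is.
########################################################################
tools_cleanup()
{
  html "
"
  cd "${QADIR}"
  . common/cleanup.sh
}

################## main #################################################
# tools_modutil is not defined in this copy of the file (see the note
# on tools_sign).
tools_init
tools_p12
tools_sign
tools_modutil
tools_cleanup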