diff options
Diffstat (limited to 'security/nss/tests/fips/fips.sh')
-rwxr-xr-x | security/nss/tests/fips/fips.sh | 323 |
1 files changed, 323 insertions, 0 deletions
diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh new file mode 100755 index 0000000000..364930494f --- /dev/null +++ b/security/nss/tests/fips/fips.sh @@ -0,0 +1,323 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# mozilla/security/nss/tests/fips/fips.sh +# +# Script to test basic functionallity of NSS in FIPS-compliant mode +# +# needs to work on all Unix and Windows platforms +# +# tests implemented: +# +# special strings +# --------------- +# +######################################################################## + +############################## fips_init ############################## +# local shell function to initialize this script +######################################################################## +fips_init() +{ + SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=fips.sh + html_head "FIPS 140 Compliance Tests" + + grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { + Exit 15 "Fatal - FIPS of cert.sh needs to pass first" + } + + COPYDIR=${FIPSDIR}/copydir + CAVSDIR=${FIPSDIR}/cavs/tests + CAVSRUNDIR=${FIPSDIR}/cavs/scripts + + R_FIPSDIR=../fips + P_R_FIPSDIR=../fips + R_COPYDIR=../fips/copydir + + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_FIPSDIR="multiaccess:${D_FIPS}" + fi + + mkdir -p ${FIPSDIR} + mkdir -p ${COPYDIR} + mkdir -p ${CAVSDIR} + mkdir -p ${CAVSRUNDIR} + + cd ${FIPSDIR} +} + +############################## fips_140 ############################## +# local shell function to test basic functionality of NSS while in +# FIPS 140 compliant mode +######################################################################## +fips_140() +{ + echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" + echo "modutil -dbdir ${P_R_FIPSDIR} -list" + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 + html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1 + html_msg $? 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys -------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 + RET=$? + html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "." + echo "certutil -K returned $RET" + + echo "$SCRIPTNAME: Validate the certificate --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} + html_msg $? 0 "Validate the certificate (certutil -V -e)" "." + + echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --" + echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "." + + echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" + echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 + html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + + echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" + echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + if [ $? -eq 0 ]; then + ret=255 + fi + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys." + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + # certutil -K now returns a failure if no keys are found. This verifies that + # our delete succeded. + html_msg $? 255 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" + echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Delete the certificate from the FIPS module" + echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 + html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + if [ $? -eq 0 ]; then + ret=255 + fi + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + + echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" + echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------" + echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}" + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "." + + echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------" + echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n" + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 + html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "." + + LIBDIR="${DIST}/${OBJDIR}/lib" + MANGLEDIR="${FIPSDIR}/mangle" + + # There are different versions of cp command on different systems, some of them + # copies only symlinks, others doesn't have option to disable links, so there + # is needed to copy files one by one. + echo "mkdir ${MANGLEDIR}" + mkdir ${MANGLEDIR} + for lib in `ls ${LIBDIR}`; do + echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}" + cp ${LIBDIR}/${lib} ${MANGLEDIR} + done + + echo "$SCRIPTNAME: Detect mangled softoken--------------------------" + SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} + + echo "mangling ${SOFTOKEN}" + echo "mangle -i ${SOFTOKEN} -o -8 -b 5" + # If nss was built without softoken use the system installed one. + # It's location must be specified by the package maintainer. + if [ ! -e ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then + echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}" + cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR} + fi + ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 + if [ $? -eq 0 ]; then + if [ "${OS_ARCH}" = "WINNT" ]; then + DBTEST=`which dbtest` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + DBTEST=`cygpath -m ${DBTEST}` + MANGLEDIR=`cygpath -u ${MANGLEDIR}` + fi + echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}" + PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "HP-UX" ]; then + echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "AIX" ]; then + echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "Darwin" ]; then + echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + else + echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + fi + + html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "." + else + html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}" + fi +} + +fips_cavs() +{ + if [ "${CAVS_VECTORS}" = "all" ]; then + VECTORS= + elif [ "${CAVS_VECTORS}" = "" ]; then + VECTORS="aesgcm ecdsa hmac kas tls ike rng sha" + else + VECTORS=${CAVS_VECTORS} + fi + echo "Copying CAVS vectors" + cp -r ${QADIR}/fips/cavs_samples/* ${CAVSDIR} +# we copy the scripts to the test directory because they are designed to run from their +# own directory and we want any resulting core dumps to wind up in the test_results directory. + echo "Copying CAVS scripts" + cp -r ${QADIR}/fips/cavs_scripts/* ${CAVSRUNDIR} + echo "cd ${CAVSRUNDIR}" + cd ${CAVSRUNDIR} + echo "Running CAVS tests in ${CAVSDIR}" + ./runtest.sh ${CAVSDIR} run ${VECTORS} + echo "Verifying CAVS results in ${CAVSDIR}" + ./runtest.sh ${CAVSDIR} verify ${VECTORS} + RESULT=$? + html_msg $RESULT 0 "NIST CAVS test" "${CAVSDIR}" +} + +############################## fips_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +fips_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +fips_init +fips_140 +fips_cavs +fips_cleanup +echo "fips.sh done" |