Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 733 insertions, 0 deletions

diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh
new file mode 100755
index 0000000000..15a41e39cf
--- /dev/null
+++ b/security/nss/tests/tools/tools.sh
@@ -0,0 +1,733 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/tools/tools.sh
+#
+# Script to test basic functionality of NSS tools
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+#    pk12util
+#    signtool
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+########################################################################
+
+  export pkcs12v2pbeWithSha1And128BitRc4=\
+"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4"
+
+  export pkcs12v2pbeWithSha1And40BitRc4=\
+"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4"
+
+  export pkcs12v2pbeWithSha1AndTripleDESCBC=\
+"PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC"
+
+  export pkcs12v2pbeWithSha1And128BitRc2Cbc=\
+"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC"
+
+  export pkcs12v2pbeWithSha1And40BitRc2Cbc=\
+"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC"
+
+  export pkcs5pbeWithMD2AndDEScbc=\
+"PKCS #5 Password Based Encryption with MD2 and DES-CBC"
+
+  export pkcs5pbeWithMD5AndDEScbc=\
+"PKCS #5 Password Based Encryption with MD5 and DES-CBC"
+
+  export pkcs5pbeWithSha1AndDEScbc=\
+"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
+
+  # if we change the defaults in pk12util, update these variables
+  export CERT_ENCRYPTION_DEFAULT="AES-128-CBC"
+  export KEY_ENCRYPTION_DEFAULT="AES-256-CBC"
+  export HASH_DEFAULT="SHA-256"
+
+  export PKCS5v1_PBE_CIPHERS="${pkcs5pbeWithMD2AndDEScbc},\
+${pkcs5pbeWithMD5AndDEScbc},\
+${pkcs5pbeWithSha1AndDEScbc}"
+  export PKCS12_PBE_CIPHERS="${pkcs12v2pbeWithSha1And128BitRc4},\
+${pkcs12v2pbeWithSha1And40BitRc4},\
+${pkcs12v2pbeWithSha1AndTripleDESCBC},\
+${pkcs12v2pbeWithSha1And128BitRc2Cbc},\
+${pkcs12v2pbeWithSha1And40BitRc2Cbc}"
+  export PKCS5v2_PBE_CIPHERS="RC2-CBC,DES-EDE3-CBC,AES-128-CBC,AES-192-CBC,\
+AES-256-CBC,CAMELLIA-128-CBC,CAMELLIA-192-CBC,CAMELLIA-256-CBC"
+  export PBE_CIPHERS="${PKCS5v1_PBE_CIPHERS},${PKCS12_PBE_CIPHERS},${PKCS5v2_PBE_CIPHERS}"
+  export PBE_CIPHERS_CLASSES="${pkcs5pbeWithSha1AndDEScbc},\
+${pkcs12v2pbeWithSha1AndTripleDESCBC},AES-256-CBC,default"
+  export PBE_HASH="SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,default"
+
+############################## tools_init ##############################
+# local shell function to initialize this script
+########################################################################
+tools_init()
+{
+  SCRIPTNAME=tools.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  SCRIPTNAME=tools.sh
+
+  html_head "Tools Tests"
+
+  grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
+  }
+
+  TOOLSDIR=${HOSTDIR}/tools
+  COPYDIR=${TOOLSDIR}/copydir
+  SIGNDIR=${TOOLSDIR}/signdir
+
+  R_TOOLSDIR=../tools
+  R_COPYDIR=../tools/copydir
+  R_SIGNDIR=../tools/signdir
+  P_R_COPYDIR=${R_COPYDIR}
+  P_R_SIGNDIR=${R_SIGNDIR}
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+      P_R_COPYDIR="multiaccess:Tools.$version"
+      P_R_SIGNDIR="multiaccess:Tools.sign.$version"
+  fi
+
+  mkdir -p ${TOOLSDIR}
+  mkdir -p ${COPYDIR}
+  mkdir -p ${SIGNDIR}
+  cp ${ALICEDIR}/* ${SIGNDIR}/
+  mkdir -p ${TOOLSDIR}/html
+  cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
+  mkdir -p ${TOOLSDIR}/data
+  cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data
+  cp ${QADIR}/tools/TestOldAES128CA.p12 ${TOOLSDIR}/data
+  cp ${QADIR}/tools/TestRSAPSS.p12 ${TOOLSDIR}/data
+
+  cd ${TOOLSDIR}
+}
+
+########################## list_p12_file ###############################
+# List the key and cert in the specified p12 file
+########################################################################
+list_p12_file()
+{
+  echo "$SCRIPTNAME: Listing Alice's pk12 file"
+  echo "pk12util -l ${1} -w ${R_PWFILE}"
+
+  ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Listing ${1} (pk12util -l)"
+  check_tmpfile
+}
+
+########################################################################
+# Import the key and cert from the specified p12 file
+########################################################################
+import_p12_file()
+{
+  echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file"
+  echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+
+  ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Importing ${1} (pk12util -i)"
+  check_tmpfile
+}
+
+
+########################################################################
+# Export the key and cert from the specified p12 file
+########################################################################
+export_p12_file()
+{
+  # $1 p12 file
+  # $2 cert to export
+  # $3 certdb
+  # $4 key encryption cipher or "default"
+  # $5 certificate encryption cipher or "default"
+  # $6 hash algorithm or "default"
+  KEY_CIPHER_OPT="-c"
+  KEY_CIPHER="${4}"
+  CERT_CIPHER_OPT="-C"
+  CERT_CIPHER="${5}"
+  HASH_ALG_OPT="-M"
+  HASH_ALG="${6}"
+
+  if [ "${KEY_CIPHER}" = "default" ]; then
+    KEY_CIPHER_OPT=""
+    KEY_CIPHER=""
+  fi
+  if [ "${CERT_CIPHER}" = "default" ]; then
+    CERT_CIPHER_OPT=""
+    CERT_CIPHER=""
+  fi
+  if [ "${HASH_ALG}" = "default" ]; then
+    HASH_ALG_OPT=""
+    HASH_ALG=""
+  fi
+
+  echo "pk12util -o \"${1}\" -n \"${2}\" -d \"${3}\" \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} \\"
+  echo "         ${KEY_CIPHER_OPT} \"${KEY_CIPHER}\" \\"
+  echo "         ${CERT_CIPHER_OPT} \"${CERT_CIPHER}\" \\"
+  echo "         ${HASH_ALG_OPT} \"${HASH_ALG}\""
+  ${BINDIR}/pk12util -o "${1}" -n "${2}" -d "${3}" \
+                       -k ${R_PWFILE} -w ${R_PWFILE} \
+                       ${KEY_CIPHER_OPT} "${KEY_CIPHER}" \
+                       ${CERT_CIPHER_OPT} "${CERT_CIPHER}" \
+                       ${HASH_ALG_OPT} "${HASH_ALG}" 2>&1
+  ret=$?
+  html_msg $ret 0 "Exporting with [${4}:${5}:${6}] (pk12util -o)"
+  check_tmpfile
+  verify_p12 "${1}" "${4}" "${5}" "${6}"
+  return $ret
+}
+
+########################################################################
+# Exports key and cert to a p12 file, the key encryption cipher,
+# the cert encryption cipher, and/or the hash algorithm are specified.
+# The key and cert are imported and the p12 file is listed
+########################################################################
+export_list_import()
+{
+  export_p12_file Alice.p12 Alice "${P_R_ALICEDIR}" "${@}"
+  list_p12_file Alice.p12
+  import_p12_file Alice.p12
+}
+
+########################################################################
+# Export using the pkcs5pbe ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs5pbe_ciphers()
+{
+  local saveIFS="${IFS}"
+  IFS=,
+  for key_cipher in ${PKCS5v1_PBE_CIPHERS} default; do
+      for cert_cipher in ${PKCS5v1_PBE_CIPHERS} default none; do
+          for hash in ${PBE_HASH}; do
+                  export_list_import "${key_cipher}" "${cert_cipher}" "${hash}"
+           done
+      done
+  done
+  IFS="${saveIFS}"
+}
+
+########################################################################
+# Export using the pkcs5v2 ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs5v2_ciphers()
+{
+  local saveIFS="${IFS}"
+  IFS=,
+  for key_cipher in ${PKCS5v2_PBE_CIPHERS} default; do
+      for cert_cipher in ${PKCS5v2_PBE_CIPHERS} default none; do
+          for hash in ${PBE_HASH}; do
+                  export_list_import "${key_cipher}" "${cert_cipher}" "${hash}"
+           done
+      done
+  done
+  IFS="${saveIFS}"
+}
+
+########################################################################
+# Export using the pkcs12v2pbe ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs12v2pbe_ciphers()
+{
+  local saveIFS="${IFS}"
+  IFS=,
+  for key_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default; do
+      for cert_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default none; do
+          for hash in ${PBE_HASH}; do
+                  export_list_import "${key_cipher}" "${cert_cipher}" "${hash}"
+           done
+      done
+  done
+  IFS="${saveIFS}"
+}
+
+########################################################################
+# Spot check all ciphers.
+# using the traditional tests, we wind up running almost 1300 tests.
+# This isn't too bad for debug builds in which the interator is set to 1000.
+# for optimized builds, the iterator is set to 60000, which means a 30
+# minute test will  now take more than 2 hours. This tests most combinations
+# and results in only about 300 tests. We are stil testing all ciphers
+# for both key and cert encryption, and we are testing them against
+# one of each class of cipher (pkcs5v1, pkcs5v2, pkcs12).
+########################################################################
+tools_p12_export_list_import_most_ciphers()
+{
+  local saveIFS="${IFS}"
+  IFS=,
+  for cipher in ${PBE_CIPHERS}; do
+    for class in ${PBE_CIPHERS_CLASSES}; do
+      # we'll test the case of cipher == class below the for loop
+      if [ "${cipher}" != "${class}" ]; then
+          export_list_import "${class}" "${cipher}" "SHA-1"
+          export_list_import "${cipher}" "${class}" "SHA-256"
+      fi
+    done
+    export_list_import "${cipher}" "none" "SHA-224"
+    export_list_import "${cipher}" "${cipher}" "SHA-384"
+  done
+  for class in ${PBE_CIPHERS_CLASSES}; do
+    for hash in ${PBE_HASH}; do
+      export_list_import "${class}" "${class}" "${hash}"
+    done
+  done
+  IFS="${saveIFS}"
+}
+
+#########################################################################
+# Export with no encryption on key should fail but on cert should pass
+#########################################################################
+tools_p12_export_with_none_ciphers()
+{
+  # use none as the key encryption algorithm default for the cert one
+  # should fail
+
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -c none"
+  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+                       -k ${R_PWFILE} -w ${R_PWFILE} \
+                       -c none 2>&1
+  ret=$?
+  html_msg $ret 30 "Exporting with [none:default:default] (pk12util -o)"
+  check_tmpfile
+
+  # use default as the key encryption algorithm none for the cert one
+  # should pass
+
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -C none"
+  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+                       -k ${R_PWFILE} -w ${R_PWFILE} \
+                       -C none 2>&1
+  ret=$?
+  html_msg $ret 0 "Exporting with [default:none:default] (pk12util -o)"
+  check_tmpfile
+  verify_p12 Alice.p12 "default" "none" "default"
+}
+
+#########################################################################
+# Export with invalid cipher should fail
+#########################################################################
+tools_p12_export_with_invalid_ciphers()
+{
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -c INVALID_CIPHER"
+  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+                       -k ${R_PWFILE} -w ${R_PWFILE} \
+                       -c INVALID_CIPHER 2>&1
+  ret=$?
+  html_msg $ret 30 "Exporting with [INVALID_CIPHER:default] (pk12util -o)"
+  check_tmpfile
+
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -C INVALID_CIPHER"
+  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+                       -k ${R_PWFILE} -w ${R_PWFILE} \
+                       -C INVALID_CIPHER 2>&1
+  ret=$?
+  html_msg $ret 30 "Exporting with [default:INVALID_CIPHER] (pk12util -o)"
+  check_tmpfile
+
+}
+
+#########################################################################
+# Exports using the default key and certificate encryption ciphers.
+# Imports from  and lists the contents of the p12 file.
+# Repeats the test with ECC if enabled.
+########################################################################
+tools_p12_export_list_import_with_default_ciphers()
+{
+  echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
+
+  export_list_import "default" "default" "default"
+
+  echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
+  echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+  echo "         -w ${R_PWFILE}"
+  ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+       -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
+  check_tmpfile
+  verify_p12 Alice-ec.p12 "default" "default" "default"
+
+  echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
+  echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+  ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
+  check_tmpfile
+
+  echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+  echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+  ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+  check_tmpfile
+
+  echo "$SCRIPTNAME: Exporting Alice's email EC cert & key with long pw------"
+  echo "pk12util -o Alice-ec-long.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+  echo "         -w ${R_LONGPWFILE}"
+  ${BINDIR}/pk12util -o Alice-ec-long.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+       -w ${R_LONGPWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Exporting Alice's email EC cert & key with long pw (pk12util -o)"
+  check_tmpfile
+  verify_p12 Alice-ec-long.p12 "default" "default" "default"
+
+  echo "$SCRIPTNAME: Importing Alice's email EC cert & key with long pw-----"
+  echo "pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE}"
+  ${BINDIR}/pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Importing Alice's email EC cert & key with long pw (pk12util -i)"
+  check_tmpfile
+
+  echo "$SCRIPTNAME: Listing Alice's pk12 EC file with long pw ------------"
+  echo "pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE}"
+  ${BINDIR}/pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Listing Alice's pk12 EC file with long pw (pk12util -l)"
+  check_tmpfile
+}
+
+tools_p12_import_old_files()
+{
+  echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------"
+  echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+  ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.21 (PBES2 with BMPString password)"
+  check_tmpfile
+
+  echo "pk12util -i TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+  ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.29.5 (PBES2 with incorrect AES-128-CBC algorithm ID)"
+  check_tmpfile
+}
+
+tools_p12_import_rsa_pss_private_key()
+{
+  echo "$SCRIPTNAME: Importing RSA-PSS private key from PKCS#12 file --------------"
+  ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestRSAPSS.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '' 2>&1
+  ret=$?
+  html_msg $ret 0 "Importing RSA-PSS private key from PKCS#12 file"
+  check_tmpfile
+
+  # Check if RSA-PSS identifier is included in the key listing
+  ${BINDIR}/certutil -d ${P_R_COPYDIR} -K -f ${R_PWFILE} | grep '^<[0-9 ]*> *rsaPss'
+  ret=$?
+  html_msg $ret 0 "Listing RSA-PSS private key imported from PKCS#12 file"
+  check_tmpfile
+
+  return $ret
+}
+
+############################## tools_p12 ###############################
+# local shell function to test basic functionality of pk12util
+########################################################################
+tools_p12()
+{
+  tools_p12_export_list_import_with_default_ciphers
+  # optimized builds have a larger iterator, so they can't run as many
+  # pkcs12 tests and complete in a reasonable time. Use the iterateration
+  # count from the previous tests to determine how many tests
+  # we can run.
+  iteration_count=$(pp -t p12 -i Alice-ec.p12 | grep "Iterations: " | sed -e 's;.*Iterations: ;;' -e 's;(.*).*;;')
+  echo "Iteration count=${iteration_count}"
+  if [ -n "${iteration_count}" -a  ${iteration_count} -le 10000 ]; then
+      tools_p12_export_list_import_all_pkcs5v2_ciphers
+      tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
+  else
+      tools_p12_export_list_import_most_ciphers
+  fi
+  tools_p12_export_with_none_ciphers
+  tools_p12_export_with_invalid_ciphers
+  tools_p12_import_old_files
+  if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+    tools_p12_import_rsa_pss_private_key
+  fi
+}
+
+############################## tools_sign ##############################
+# local shell function pk12util uses a hardcoded tmp file, if this exists
+# and is owned by another user we don't get reasonable errormessages
+########################################################################
+check_tmpfile()
+{
+  if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then
+      echo "Error: pk12util temp file exists. Please remove this file and"
+      echo "       rerun the test (/tmp/Pk12uTemp) "
+  fi
+}
+
+############################## tools_sign ##############################
+# make sure the generated p12 file has the characteristics we expected
+########################################################################
+verify_p12()
+{
+  KEY_ENCRYPTION=$(map_cipher "${2}" "${KEY_ENCRYPTION_DEFAULT}")
+  CERT_ENCRYPTION=$(map_cipher "${3}" "${CERT_ENCRYPTION_DEFAULT}")
+  HASH=$(map_cipher "${4}" "${HASH_DEFAULT}")
+
+  STATE="NOBAGS"   # state records if we are in the key or cert bag
+  CERT_ENCRYPTION_NOT_FOUND=1
+  KEY_ENCRYPTION_NOT_FOUND=1
+  CERT_ENCRYPTION_FAIL=0
+  KEY_ENCRYPTION_FAIL=0
+  HASH_FAIL=0
+  TMP=$(mktemp /tmp/p12Verify.XXXXXX)
+  which pk12util
+  local saveIFS="${IFS}"
+  IFS=" 	\
+"
+  # use pp to dump the pkcs12 file, only the unencrypted portions are visible
+  # if there are multiple entries, we fail if any of those entries have the
+  # wrong encryption. We also fail if we can't find any encryption info.
+  # Use a file rather than a pipe so that while do can modify our variables.
+  # We're only interested in extracting the encryption algorithms are here,
+  # p12util -l will verify that decryption works properly.
+  pp -t pkcs12 -i ${1} -o ${TMP}
+  while read line ; do
+     # first up: if we see an unencrypted key bag, then we know that the key
+     # was unencrypted (NOTE: pk12util currently can't generate these kinds of
+     # files).
+     if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Key Bag" ]]; then
+        KEY_ENCRYPTION_NOT_FOUND=0
+        if [ "${KEY_ENCRYPTION}" != "none" ]; then
+            KEY_ENCRYPTION_FAIL=1
+            echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"none\""
+        fi
+       continue
+     fi
+     # if we find the the Cert Bag, then we know that the certificate was not
+     # encrypted
+     if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Cert Bag" ]]; then
+        CERT_ENCRYPTION_NOT_FOUND=0
+        if [ "${CERT_ENCRYPTION}" != "none" ]; then
+            CERT_ENCRYPTION_FAIL=1
+           echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"none\""
+        fi
+        continue
+     fi
+     # we found the shrouded key bag, the next encryption informtion should be
+     # for the key.
+     if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 PKCS8 Shrouded Key Bag" ]]; then
+        STATE="KEY"
+        continue
+     fi
+     # If we found PKCS #7 Encrypted Data, it must be the encrypted certificate
+     # (well it could be any encrypted certificate, or a crl, but in p12util
+     # they will all have the same encryption value
+     if [[ "${line}" =  "PKCS #7 Encrypted Data:" ]]; then
+        STATE="CERT"
+        continue
+     fi
+     # check the Mac
+     if [[ "${line}" =~ "Mac Digest Algorithm ID: ".* ]]; then
+        MAC="${line##Mac Digest Algorithm ID: }"
+        if [ "${MAC}" != "${HASH}" ]; then
+            HASH_FAIL=1
+            echo "--Mac Hash mismatch: expected \"${HASH}\" found \"${MAC}\""
+        fi
+     fi
+     # check the KDF
+     if [[ "${line}" =~ "KDF algorithm: ".* ]]; then
+        KDF="${line##KDF algorithm: }"
+        if [ "${KDF}" != "HMAC ${HASH}" ]; then
+            HASH_FAIL=1
+            echo "--KDF Hash mismatch: expected \"HMAC ${HASH}\" found \"${KDF}\""
+        fi
+     fi
+     # Content Encryption Algorithm is the PKCS #5 algorithm ID.
+     if [[  "${line}" =~ .*"Encryption Algorithm: ".* ]]; then
+        # Strip the [Content ]EncryptionAlgorithm
+        ENCRYPTION="${line##Content }"
+        ENCRYPTION="${ENCRYPTION##Encryption Algorithm: }"
+        # If that algorithm id is PKCS #5 V2, then skip forward looking
+        # for the Cipher: field.
+        if [[ "${ENCRYPTION}" =~ "PKCS #5 Password Based Encryption v2"\ * ]]; then
+            continue;
+        fi
+        case ${STATE} in
+        "KEY")
+            KEY_ENCRYPTION_NOT_FOUND=0
+            if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then
+                KEY_ENCRYPTION_FAIL=1
+                echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\""
+            fi
+            ;;
+        "CERT")
+            CERT_ENCRYPTION_NOT_FOUND=0
+            if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then
+                CERT_ENCRYPTION_FAIL=1
+                echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\""
+            fi
+            ;;
+        esac
+     fi
+     # handle the PKCS 5 case
+     if [[ "${line}" =~ "Cipher: ".* ]]; then
+        ENCRYPTION="${line#Cipher: }"
+        case ${STATE} in
+        "KEY")
+            KEY_ENCRYPTION_NOT_FOUND=0
+            if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then
+                KEY_ENCRYPTION_FAIL=1
+                echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\""
+            fi
+            ;;
+        "CERT")
+            CERT_ENCRYPTION_NOT_FOUND=0
+            if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then
+                CERT_ENCRYPTION_FAIL=1
+                echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\""
+            fi
+            ;;
+        esac
+     fi
+  done < ${TMP}
+  IFS="${saveIFS}"
+  # we've scanned the file, set the return value to a combination of
+  # KEY and CERT state variables. If everything is as expected, they should
+  # add up to 0.
+  ret=$((${HASH_FAIL} * 10000 + ${KEY_ENCRYPTION_FAIL} * 1000 + ${KEY_ENCRYPTION_NOT_FOUND} * 100 + ${CERT_ENCRYPTION_FAIL} * 10 + ${CERT_ENCRYPTION_NOT_FOUND}))
+  rm -r ${TMP}
+  html_msg $ret 0 "Verifying p12 file generated with [${2}:${3}:${4}]"
+}
+
+#
+# this handles any mapping we need from requested cipher to
+# actual cipher. For instance ciphers which already have
+# PKCS 5 v1 PBE will be mapped to those pbes by pk12util.
+map_cipher()
+{
+   if [ "${1}" = "default" ]; then
+      echo "${2}"
+      return
+   fi
+   case "${1}" in
+   # these get mapped to the PKCS5 v1 or PKCS 12 attributes, not PKCS 5v2
+   RC2-CBC)
+      echo "${pkcs12v2pbeWithSha1And128BitRc2Cbc}"
+      return ;;
+   DES-EDE3-CBC)
+      echo "${pkcs12v2pbeWithSha1AndTripleDESCBC}"
+      return;;
+   esac
+   echo "${1}"
+}
+
+############################## tools_sign ##############################
+# local shell function to test basic functionality of signtool
+########################################################################
+tools_sign()
+{
+  echo "$SCRIPTNAME: Create objsign cert -------------------------------"
+  echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\""
+  ${BINDIR}/signtool -G "objsigner" -d ${P_R_SIGNDIR} -p "nss" 2>&1 <<SIGNSCRIPT
+y
+TEST
+MOZ
+NSS
+NY
+US
+liz
+liz@moz.org
+SIGNSCRIPT
+  html_msg $? 0 "Create objsign cert (signtool -G)"
+
+  echo "$SCRIPTNAME: Signing a jar of files ----------------------------"
+  echo "signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
+  echo "         ${R_TOOLSDIR}/html"
+  ${BINDIR}/signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
+           ${R_TOOLSDIR}/html
+  html_msg $? 0 "Signing a jar of files (signtool -Z)"
+
+  echo "$SCRIPTNAME: Listing signed files in jar ----------------------"
+  echo "signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner"
+  ${BINDIR}/signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner
+  html_msg $? 0 "Listing signed files in jar (signtool -v)"
+
+  echo "$SCRIPTNAME: Show who signed jar ------------------------------"
+  echo "signtool -w nojs.jar -d ${P_R_SIGNDIR}"
+  ${BINDIR}/signtool -w nojs.jar -d ${P_R_SIGNDIR}
+  html_msg $? 0 "Show who signed jar (signtool -w)"
+
+  echo "$SCRIPTNAME: Signing a xpi of files ----------------------------"
+  echo "signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
+  echo "         ${R_TOOLSDIR}/html"
+  ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
+           ${R_TOOLSDIR}/html
+  html_msg $? 0 "Signing a xpi of files (signtool -Z -X)"
+
+  echo "$SCRIPTNAME: Listing signed files in xpi ----------------------"
+  echo "signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner"
+  ${BINDIR}/signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner
+  html_msg $? 0 "Listing signed files in xpi (signtool -v)"
+
+  echo "$SCRIPTNAME: Show who signed xpi ------------------------------"
+  echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}"
+  ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR}
+  html_msg $? 0 "Show who signed xpi (signtool -w)"
+
+}
+
+tools_modutil()
+{
+  echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized"
+  mkdir -p ${R_TOOLSDIR}/moddir
+  # copied from modu function in cert.sh
+  # echo is used to press Enter expected by modutil
+  echo | ${BINDIR}/modutil -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1
+  ret=$?
+  ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \
+	   -x -t ',,' -z "${R_NOISE_FILE}"
+  ret=$?
+  html_msg $ret 0 "Test if DB created by modutil -create is initialized"
+  check_tmpfile
+}
+
+############################## tools_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+tools_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+tools_init
+tools_p12
+tools_sign
+tools_modutil
+tools_cleanup
+
+