diff options
Diffstat (limited to '')
| -rw-r--r-- | security/nss/tests/tools/TestOldAES128CA.p12 | bin | 0 -> 2628 bytes | |||
| -rw-r--r-- | security/nss/tests/tools/TestOldCA.p12 | bin | 0 -> 2588 bytes | |||
| -rw-r--r-- | security/nss/tests/tools/TestRSAPSS.p12 | bin | 0 -> 2554 bytes | |||
| -rw-r--r-- | security/nss/tests/tools/sign.html | 8 | ||||
| -rw-r--r-- | security/nss/tests/tools/signjs.html | 11 | ||||
| -rwxr-xr-x | security/nss/tests/tools/tools.sh | 733 |
6 files changed, 752 insertions, 0 deletions
diff --git a/security/nss/tests/tools/TestOldAES128CA.p12 b/security/nss/tests/tools/TestOldAES128CA.p12 Binary files differnew file mode 100644 index 0000000000..a05be8bdeb --- /dev/null +++ b/security/nss/tests/tools/TestOldAES128CA.p12 diff --git a/security/nss/tests/tools/TestOldCA.p12 b/security/nss/tests/tools/TestOldCA.p12 Binary files differnew file mode 100644 index 0000000000..40d5671b9d --- /dev/null +++ b/security/nss/tests/tools/TestOldCA.p12 diff --git a/security/nss/tests/tools/TestRSAPSS.p12 b/security/nss/tests/tools/TestRSAPSS.p12 Binary files differnew file mode 100644 index 0000000000..91473891c8 --- /dev/null +++ b/security/nss/tests/tools/TestRSAPSS.p12 diff --git a/security/nss/tests/tools/sign.html b/security/nss/tests/tools/sign.html new file mode 100644 index 0000000000..1ec9f7b79e --- /dev/null +++ b/security/nss/tests/tools/sign.html @@ -0,0 +1,8 @@ +<html> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> +<body> +Sign this javascriptless page. +</body> +</html> diff --git a/security/nss/tests/tools/signjs.html b/security/nss/tests/tools/signjs.html new file mode 100644 index 0000000000..ba22925bd4 --- /dev/null +++ b/security/nss/tests/tools/signjs.html @@ -0,0 +1,11 @@ +<html> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> +<body> +<script language="JavaScript"> +document.write("<h3>Sign this javascript</h3>"); +</script> +Here's some plain content. +</body> +</html> diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh new file mode 100755 index 0000000000..15a41e39cf --- /dev/null +++ b/security/nss/tests/tools/tools.sh @@ -0,0 +1,733 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/tools/tools.sh +# +# Script to test basic functionality of NSS tools +# +# needs to work on all Unix and Windows platforms +# +# tests implemented: +# pk12util +# signtool +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## + + export pkcs12v2pbeWithSha1And128BitRc4=\ +"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4" + + export pkcs12v2pbeWithSha1And40BitRc4=\ +"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4" + + export pkcs12v2pbeWithSha1AndTripleDESCBC=\ +"PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC" + + export pkcs12v2pbeWithSha1And128BitRc2Cbc=\ +"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC" + + export pkcs12v2pbeWithSha1And40BitRc2Cbc=\ +"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC" + + export pkcs5pbeWithMD2AndDEScbc=\ +"PKCS #5 Password Based Encryption with MD2 and DES-CBC" + + export pkcs5pbeWithMD5AndDEScbc=\ +"PKCS #5 Password Based Encryption with MD5 and DES-CBC" + + export pkcs5pbeWithSha1AndDEScbc=\ +"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC" + + # if we change the defaults in pk12util, update these variables + export CERT_ENCRYPTION_DEFAULT="AES-128-CBC" + export KEY_ENCRYPTION_DEFAULT="AES-256-CBC" + export HASH_DEFAULT="SHA-256" + + export PKCS5v1_PBE_CIPHERS="${pkcs5pbeWithMD2AndDEScbc},\ +${pkcs5pbeWithMD5AndDEScbc},\ +${pkcs5pbeWithSha1AndDEScbc}" + export PKCS12_PBE_CIPHERS="${pkcs12v2pbeWithSha1And128BitRc4},\ +${pkcs12v2pbeWithSha1And40BitRc4},\ +${pkcs12v2pbeWithSha1AndTripleDESCBC},\ +${pkcs12v2pbeWithSha1And128BitRc2Cbc},\ +${pkcs12v2pbeWithSha1And40BitRc2Cbc}" + export PKCS5v2_PBE_CIPHERS="RC2-CBC,DES-EDE3-CBC,AES-128-CBC,AES-192-CBC,\ +AES-256-CBC,CAMELLIA-128-CBC,CAMELLIA-192-CBC,CAMELLIA-256-CBC" + export PBE_CIPHERS="${PKCS5v1_PBE_CIPHERS},${PKCS12_PBE_CIPHERS},${PKCS5v2_PBE_CIPHERS}" + export PBE_CIPHERS_CLASSES="${pkcs5pbeWithSha1AndDEScbc},\ +${pkcs12v2pbeWithSha1AndTripleDESCBC},AES-256-CBC,default" + export PBE_HASH="SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,default" + +############################## tools_init ############################## +# local shell function to initialize this script +######################################################################## +tools_init() +{ + SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=tools.sh + + html_head "Tools Tests" + + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 15 "Fatal - S/MIME of cert.sh needs to pass first" + } + + TOOLSDIR=${HOSTDIR}/tools + COPYDIR=${TOOLSDIR}/copydir + SIGNDIR=${TOOLSDIR}/signdir + + R_TOOLSDIR=../tools + R_COPYDIR=../tools/copydir + R_SIGNDIR=../tools/signdir + P_R_COPYDIR=${R_COPYDIR} + P_R_SIGNDIR=${R_SIGNDIR} + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_COPYDIR="multiaccess:Tools.$version" + P_R_SIGNDIR="multiaccess:Tools.sign.$version" + fi + + mkdir -p ${TOOLSDIR} + mkdir -p ${COPYDIR} + mkdir -p ${SIGNDIR} + cp ${ALICEDIR}/* ${SIGNDIR}/ + mkdir -p ${TOOLSDIR}/html + cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html + mkdir -p ${TOOLSDIR}/data + cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data + cp ${QADIR}/tools/TestOldAES128CA.p12 ${TOOLSDIR}/data + cp ${QADIR}/tools/TestRSAPSS.p12 ${TOOLSDIR}/data + + cd ${TOOLSDIR} +} + +########################## list_p12_file ############################### +# List the key and cert in the specified p12 file +######################################################################## +list_p12_file() +{ + echo "$SCRIPTNAME: Listing Alice's pk12 file" + echo "pk12util -l ${1} -w ${R_PWFILE}" + + ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Listing ${1} (pk12util -l)" + check_tmpfile +} + +######################################################################## +# Import the key and cert from the specified p12 file +######################################################################## +import_p12_file() +{ + echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file" + echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" + + ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Importing ${1} (pk12util -i)" + check_tmpfile +} + + +######################################################################## +# Export the key and cert from the specified p12 file +######################################################################## +export_p12_file() +{ + # $1 p12 file + # $2 cert to export + # $3 certdb + # $4 key encryption cipher or "default" + # $5 certificate encryption cipher or "default" + # $6 hash algorithm or "default" + KEY_CIPHER_OPT="-c" + KEY_CIPHER="${4}" + CERT_CIPHER_OPT="-C" + CERT_CIPHER="${5}" + HASH_ALG_OPT="-M" + HASH_ALG="${6}" + + if [ "${KEY_CIPHER}" = "default" ]; then + KEY_CIPHER_OPT="" + KEY_CIPHER="" + fi + if [ "${CERT_CIPHER}" = "default" ]; then + CERT_CIPHER_OPT="" + CERT_CIPHER="" + fi + if [ "${HASH_ALG}" = "default" ]; then + HASH_ALG_OPT="" + HASH_ALG="" + fi + + echo "pk12util -o \"${1}\" -n \"${2}\" -d \"${3}\" \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} \\" + echo " ${KEY_CIPHER_OPT} \"${KEY_CIPHER}\" \\" + echo " ${CERT_CIPHER_OPT} \"${CERT_CIPHER}\" \\" + echo " ${HASH_ALG_OPT} \"${HASH_ALG}\"" + ${BINDIR}/pk12util -o "${1}" -n "${2}" -d "${3}" \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + ${KEY_CIPHER_OPT} "${KEY_CIPHER}" \ + ${CERT_CIPHER_OPT} "${CERT_CIPHER}" \ + ${HASH_ALG_OPT} "${HASH_ALG}" 2>&1 + ret=$? + html_msg $ret 0 "Exporting with [${4}:${5}:${6}] (pk12util -o)" + check_tmpfile + verify_p12 "${1}" "${4}" "${5}" "${6}" + return $ret +} + +######################################################################## +# Exports key and cert to a p12 file, the key encryption cipher, +# the cert encryption cipher, and/or the hash algorithm are specified. +# The key and cert are imported and the p12 file is listed +######################################################################## +export_list_import() +{ + export_p12_file Alice.p12 Alice "${P_R_ALICEDIR}" "${@}" + list_p12_file Alice.p12 + import_p12_file Alice.p12 +} + +######################################################################## +# Export using the pkcs5pbe ciphers for key and certificate encryption. +# List the contents of and import from the p12 file. +######################################################################## +tools_p12_export_list_import_all_pkcs5pbe_ciphers() +{ + local saveIFS="${IFS}" + IFS=, + for key_cipher in ${PKCS5v1_PBE_CIPHERS} default; do + for cert_cipher in ${PKCS5v1_PBE_CIPHERS} default none; do + for hash in ${PBE_HASH}; do + export_list_import "${key_cipher}" "${cert_cipher}" "${hash}" + done + done + done + IFS="${saveIFS}" +} + +######################################################################## +# Export using the pkcs5v2 ciphers for key and certificate encryption. +# List the contents of and import from the p12 file. +######################################################################## +tools_p12_export_list_import_all_pkcs5v2_ciphers() +{ + local saveIFS="${IFS}" + IFS=, + for key_cipher in ${PKCS5v2_PBE_CIPHERS} default; do + for cert_cipher in ${PKCS5v2_PBE_CIPHERS} default none; do + for hash in ${PBE_HASH}; do + export_list_import "${key_cipher}" "${cert_cipher}" "${hash}" + done + done + done + IFS="${saveIFS}" +} + +######################################################################## +# Export using the pkcs12v2pbe ciphers for key and certificate encryption. +# List the contents of and import from the p12 file. +######################################################################## +tools_p12_export_list_import_all_pkcs12v2pbe_ciphers() +{ + local saveIFS="${IFS}" + IFS=, + for key_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default; do + for cert_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default none; do + for hash in ${PBE_HASH}; do + export_list_import "${key_cipher}" "${cert_cipher}" "${hash}" + done + done + done + IFS="${saveIFS}" +} + +######################################################################## +# Spot check all ciphers. +# using the traditional tests, we wind up running almost 1300 tests. +# This isn't too bad for debug builds in which the interator is set to 1000. +# for optimized builds, the iterator is set to 60000, which means a 30 +# minute test will now take more than 2 hours. This tests most combinations +# and results in only about 300 tests. We are stil testing all ciphers +# for both key and cert encryption, and we are testing them against +# one of each class of cipher (pkcs5v1, pkcs5v2, pkcs12). +######################################################################## +tools_p12_export_list_import_most_ciphers() +{ + local saveIFS="${IFS}" + IFS=, + for cipher in ${PBE_CIPHERS}; do + for class in ${PBE_CIPHERS_CLASSES}; do + # we'll test the case of cipher == class below the for loop + if [ "${cipher}" != "${class}" ]; then + export_list_import "${class}" "${cipher}" "SHA-1" + export_list_import "${cipher}" "${class}" "SHA-256" + fi + done + export_list_import "${cipher}" "none" "SHA-224" + export_list_import "${cipher}" "${cipher}" "SHA-384" + done + for class in ${PBE_CIPHERS_CLASSES}; do + for hash in ${PBE_HASH}; do + export_list_import "${class}" "${class}" "${hash}" + done + done + IFS="${saveIFS}" +} + +######################################################################### +# Export with no encryption on key should fail but on cert should pass +######################################################################### +tools_p12_export_with_none_ciphers() +{ + # use none as the key encryption algorithm default for the cert one + # should fail + + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c none" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -c none 2>&1 + ret=$? + html_msg $ret 30 "Exporting with [none:default:default] (pk12util -o)" + check_tmpfile + + # use default as the key encryption algorithm none for the cert one + # should pass + + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -C none" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -C none 2>&1 + ret=$? + html_msg $ret 0 "Exporting with [default:none:default] (pk12util -o)" + check_tmpfile + verify_p12 Alice.p12 "default" "none" "default" +} + +######################################################################### +# Export with invalid cipher should fail +######################################################################### +tools_p12_export_with_invalid_ciphers() +{ + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c INVALID_CIPHER" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -c INVALID_CIPHER 2>&1 + ret=$? + html_msg $ret 30 "Exporting with [INVALID_CIPHER:default] (pk12util -o)" + check_tmpfile + + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -C INVALID_CIPHER" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -C INVALID_CIPHER 2>&1 + ret=$? + html_msg $ret 30 "Exporting with [default:INVALID_CIPHER] (pk12util -o)" + check_tmpfile + +} + +######################################################################### +# Exports using the default key and certificate encryption ciphers. +# Imports from and lists the contents of the p12 file. +# Repeats the test with ECC if enabled. +######################################################################## +tools_p12_export_list_import_with_default_ciphers() +{ + echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers" + + export_list_import "default" "default" "default" + + echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------" + echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" + echo " -w ${R_PWFILE}" + ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ + -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)" + check_tmpfile + verify_p12 Alice-ec.p12 "default" "default" "default" + + echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------" + echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" + ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)" + check_tmpfile + + echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------" + echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}" + ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)" + check_tmpfile + + echo "$SCRIPTNAME: Exporting Alice's email EC cert & key with long pw------" + echo "pk12util -o Alice-ec-long.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" + echo " -w ${R_LONGPWFILE}" + ${BINDIR}/pk12util -o Alice-ec-long.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ + -w ${R_LONGPWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Exporting Alice's email EC cert & key with long pw (pk12util -o)" + check_tmpfile + verify_p12 Alice-ec-long.p12 "default" "default" "default" + + echo "$SCRIPTNAME: Importing Alice's email EC cert & key with long pw-----" + echo "pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE}" + ${BINDIR}/pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Importing Alice's email EC cert & key with long pw (pk12util -i)" + check_tmpfile + + echo "$SCRIPTNAME: Listing Alice's pk12 EC file with long pw ------------" + echo "pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE}" + ${BINDIR}/pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Listing Alice's pk12 EC file with long pw (pk12util -l)" + check_tmpfile +} + +tools_p12_import_old_files() +{ + echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------" + echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" + ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.21 (PBES2 with BMPString password)" + check_tmpfile + + echo "pk12util -i TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" + ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.29.5 (PBES2 with incorrect AES-128-CBC algorithm ID)" + check_tmpfile +} + +tools_p12_import_rsa_pss_private_key() +{ + echo "$SCRIPTNAME: Importing RSA-PSS private key from PKCS#12 file --------------" + ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestRSAPSS.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '' 2>&1 + ret=$? + html_msg $ret 0 "Importing RSA-PSS private key from PKCS#12 file" + check_tmpfile + + # Check if RSA-PSS identifier is included in the key listing + ${BINDIR}/certutil -d ${P_R_COPYDIR} -K -f ${R_PWFILE} | grep '^<[0-9 ]*> *rsaPss' + ret=$? + html_msg $ret 0 "Listing RSA-PSS private key imported from PKCS#12 file" + check_tmpfile + + return $ret +} + +############################## tools_p12 ############################### +# local shell function to test basic functionality of pk12util +######################################################################## +tools_p12() +{ + tools_p12_export_list_import_with_default_ciphers + # optimized builds have a larger iterator, so they can't run as many + # pkcs12 tests and complete in a reasonable time. Use the iterateration + # count from the previous tests to determine how many tests + # we can run. + iteration_count=$(pp -t p12 -i Alice-ec.p12 | grep "Iterations: " | sed -e 's;.*Iterations: ;;' -e 's;(.*).*;;') + echo "Iteration count=${iteration_count}" + if [ -n "${iteration_count}" -a ${iteration_count} -le 10000 ]; then + tools_p12_export_list_import_all_pkcs5v2_ciphers + tools_p12_export_list_import_all_pkcs12v2pbe_ciphers + else + tools_p12_export_list_import_most_ciphers + fi + tools_p12_export_with_none_ciphers + tools_p12_export_with_invalid_ciphers + tools_p12_import_old_files + if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + tools_p12_import_rsa_pss_private_key + fi +} + +############################## tools_sign ############################## +# local shell function pk12util uses a hardcoded tmp file, if this exists +# and is owned by another user we don't get reasonable errormessages +######################################################################## +check_tmpfile() +{ + if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then + echo "Error: pk12util temp file exists. Please remove this file and" + echo " rerun the test (/tmp/Pk12uTemp) " + fi +} + +############################## tools_sign ############################## +# make sure the generated p12 file has the characteristics we expected +######################################################################## +verify_p12() +{ + KEY_ENCRYPTION=$(map_cipher "${2}" "${KEY_ENCRYPTION_DEFAULT}") + CERT_ENCRYPTION=$(map_cipher "${3}" "${CERT_ENCRYPTION_DEFAULT}") + HASH=$(map_cipher "${4}" "${HASH_DEFAULT}") + + STATE="NOBAGS" # state records if we are in the key or cert bag + CERT_ENCRYPTION_NOT_FOUND=1 + KEY_ENCRYPTION_NOT_FOUND=1 + CERT_ENCRYPTION_FAIL=0 + KEY_ENCRYPTION_FAIL=0 + HASH_FAIL=0 + TMP=$(mktemp /tmp/p12Verify.XXXXXX) + which pk12util + local saveIFS="${IFS}" + IFS=" \ +" + # use pp to dump the pkcs12 file, only the unencrypted portions are visible + # if there are multiple entries, we fail if any of those entries have the + # wrong encryption. We also fail if we can't find any encryption info. + # Use a file rather than a pipe so that while do can modify our variables. + # We're only interested in extracting the encryption algorithms are here, + # p12util -l will verify that decryption works properly. + pp -t pkcs12 -i ${1} -o ${TMP} + while read line ; do + # first up: if we see an unencrypted key bag, then we know that the key + # was unencrypted (NOTE: pk12util currently can't generate these kinds of + # files). + if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Key Bag" ]]; then + KEY_ENCRYPTION_NOT_FOUND=0 + if [ "${KEY_ENCRYPTION}" != "none" ]; then + KEY_ENCRYPTION_FAIL=1 + echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"none\"" + fi + continue + fi + # if we find the the Cert Bag, then we know that the certificate was not + # encrypted + if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Cert Bag" ]]; then + CERT_ENCRYPTION_NOT_FOUND=0 + if [ "${CERT_ENCRYPTION}" != "none" ]; then + CERT_ENCRYPTION_FAIL=1 + echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"none\"" + fi + continue + fi + # we found the shrouded key bag, the next encryption informtion should be + # for the key. + if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 PKCS8 Shrouded Key Bag" ]]; then + STATE="KEY" + continue + fi + # If we found PKCS #7 Encrypted Data, it must be the encrypted certificate + # (well it could be any encrypted certificate, or a crl, but in p12util + # they will all have the same encryption value + if [[ "${line}" = "PKCS #7 Encrypted Data:" ]]; then + STATE="CERT" + continue + fi + # check the Mac + if [[ "${line}" =~ "Mac Digest Algorithm ID: ".* ]]; then + MAC="${line##Mac Digest Algorithm ID: }" + if [ "${MAC}" != "${HASH}" ]; then + HASH_FAIL=1 + echo "--Mac Hash mismatch: expected \"${HASH}\" found \"${MAC}\"" + fi + fi + # check the KDF + if [[ "${line}" =~ "KDF algorithm: ".* ]]; then + KDF="${line##KDF algorithm: }" + if [ "${KDF}" != "HMAC ${HASH}" ]; then + HASH_FAIL=1 + echo "--KDF Hash mismatch: expected \"HMAC ${HASH}\" found \"${KDF}\"" + fi + fi + # Content Encryption Algorithm is the PKCS #5 algorithm ID. + if [[ "${line}" =~ .*"Encryption Algorithm: ".* ]]; then + # Strip the [Content ]EncryptionAlgorithm + ENCRYPTION="${line##Content }" + ENCRYPTION="${ENCRYPTION##Encryption Algorithm: }" + # If that algorithm id is PKCS #5 V2, then skip forward looking + # for the Cipher: field. + if [[ "${ENCRYPTION}" =~ "PKCS #5 Password Based Encryption v2"\ * ]]; then + continue; + fi + case ${STATE} in + "KEY") + KEY_ENCRYPTION_NOT_FOUND=0 + if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then + KEY_ENCRYPTION_FAIL=1 + echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\"" + fi + ;; + "CERT") + CERT_ENCRYPTION_NOT_FOUND=0 + if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then + CERT_ENCRYPTION_FAIL=1 + echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\"" + fi + ;; + esac + fi + # handle the PKCS 5 case + if [[ "${line}" =~ "Cipher: ".* ]]; then + ENCRYPTION="${line#Cipher: }" + case ${STATE} in + "KEY") + KEY_ENCRYPTION_NOT_FOUND=0 + if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then + KEY_ENCRYPTION_FAIL=1 + echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\"" + fi + ;; + "CERT") + CERT_ENCRYPTION_NOT_FOUND=0 + if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then + CERT_ENCRYPTION_FAIL=1 + echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\"" + fi + ;; + esac + fi + done < ${TMP} + IFS="${saveIFS}" + # we've scanned the file, set the return value to a combination of + # KEY and CERT state variables. If everything is as expected, they should + # add up to 0. + ret=$((${HASH_FAIL} * 10000 + ${KEY_ENCRYPTION_FAIL} * 1000 + ${KEY_ENCRYPTION_NOT_FOUND} * 100 + ${CERT_ENCRYPTION_FAIL} * 10 + ${CERT_ENCRYPTION_NOT_FOUND})) + rm -r ${TMP} + html_msg $ret 0 "Verifying p12 file generated with [${2}:${3}:${4}]" +} + +# +# this handles any mapping we need from requested cipher to +# actual cipher. For instance ciphers which already have +# PKCS 5 v1 PBE will be mapped to those pbes by pk12util. +map_cipher() +{ + if [ "${1}" = "default" ]; then + echo "${2}" + return + fi + case "${1}" in + # these get mapped to the PKCS5 v1 or PKCS 12 attributes, not PKCS 5v2 + RC2-CBC) + echo "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" + return ;; + DES-EDE3-CBC) + echo "${pkcs12v2pbeWithSha1AndTripleDESCBC}" + return;; + esac + echo "${1}" +} + +############################## tools_sign ############################## +# local shell function to test basic functionality of signtool +######################################################################## +tools_sign() +{ + echo "$SCRIPTNAME: Create objsign cert -------------------------------" + echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\"" + ${BINDIR}/signtool -G "objsigner" -d ${P_R_SIGNDIR} -p "nss" 2>&1 <<SIGNSCRIPT +y +TEST +MOZ +NSS +NY +US +liz +liz@moz.org +SIGNSCRIPT + html_msg $? 0 "Create objsign cert (signtool -G)" + + echo "$SCRIPTNAME: Signing a jar of files ----------------------------" + echo "signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\" + echo " ${R_TOOLSDIR}/html" + ${BINDIR}/signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p "nss" -k objsigner \ + ${R_TOOLSDIR}/html + html_msg $? 0 "Signing a jar of files (signtool -Z)" + + echo "$SCRIPTNAME: Listing signed files in jar ----------------------" + echo "signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner" + ${BINDIR}/signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner + html_msg $? 0 "Listing signed files in jar (signtool -v)" + + echo "$SCRIPTNAME: Show who signed jar ------------------------------" + echo "signtool -w nojs.jar -d ${P_R_SIGNDIR}" + ${BINDIR}/signtool -w nojs.jar -d ${P_R_SIGNDIR} + html_msg $? 0 "Show who signed jar (signtool -w)" + + echo "$SCRIPTNAME: Signing a xpi of files ----------------------------" + echo "signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\" + echo " ${R_TOOLSDIR}/html" + ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p "nss" -k objsigner \ + ${R_TOOLSDIR}/html + html_msg $? 0 "Signing a xpi of files (signtool -Z -X)" + + echo "$SCRIPTNAME: Listing signed files in xpi ----------------------" + echo "signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner" + ${BINDIR}/signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner + html_msg $? 0 "Listing signed files in xpi (signtool -v)" + + echo "$SCRIPTNAME: Show who signed xpi ------------------------------" + echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}" + ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR} + html_msg $? 0 "Show who signed xpi (signtool -w)" + +} + +tools_modutil() +{ + echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized" + mkdir -p ${R_TOOLSDIR}/moddir + # copied from modu function in cert.sh + # echo is used to press Enter expected by modutil + echo | ${BINDIR}/modutil -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1 + ret=$? + ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \ + -x -t ',,' -z "${R_NOISE_FILE}" + ret=$? + html_msg $ret 0 "Test if DB created by modutil -create is initialized" + check_tmpfile +} + +############################## tools_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +tools_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +tools_init +tools_p12 +tools_sign +tools_modutil +tools_cleanup + + |