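#!/bin/sh
# Copyright (C) 2013 Nikos Mavrogiannopoulos
#
# This file is part of GnuTLS.
#
# GnuTLS is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GnuTLS is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

# PKCS#11 test driven through p11tool/certtool. Tool locations and the
# diff command may be overridden from the environment; a missing tool or
# an unsupported environment makes the test skip (exit 77).
srcdir="${srcdir:-.}"
P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
DIFF="${DIFF:-diff -b -B}"
SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
# Shared pass/fail state used by the helpers below; 0 means no failure so far.
RETCODE=0

if test "${GNUTLS_FORCE_FIPS_MODE}" = 1; then
	echo "Cannot run in FIPS140-2 mode"
	exit 77
fi

# Skip unless every tool the test drives has been built.
for required_tool in "${P11TOOL}" "${CERTTOOL}" "${SERV}" "${CLI}"; do
	if ! test -x "${required_tool}"; then
		exit 77
	fi
done

# Any non-empty VALGRIND in the environment selects the libtool/valgrind
# wrapper for p11tool.
if ! test -z "${VALGRIND}"; then
	VALGRIND="${LIBTOOL:-libtool} --mode=execute valgrind --leak-check=full"
fi

TMPFILE="testpkcs11.$$.tmp"
LOGFILE="testpkcs11.debug.log"
CERTTOOL_PARAM="--stdout-info"

# Not run on Windows.
if test "${WINDIR}" != ""; then
	exit 77
fi

# Disable ASAN leak detection for every child process started below.
ASAN_OPTIONS="detect_leaks=0"
export ASAN_OPTIONS

# NOTE(review): presumably set to 1 later once ed25519 support is detected;
# confirm against the rest of the script.
have_ed25519=0

P11TOOL="${VALGRIND} ${P11TOOL} --batch"
SERV="${SERV} -q"

# Quoted so a srcdir containing whitespace still resolves to one path.
. "${srcdir}/scripts/common.sh"

rm -f "${LOGFILE}"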
# Report a failed step: point at the debug log, print its tail and abort
# the whole test with status 1. Never returns.
exit_error () {
	printf '%s\n\n\n' "check ${LOGFILE} for additional debugging information"
	tail "${LOGFILE}"
	exit 1
}
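# $1: token
# $2: PIN
# $3: filename
#     ${srcdir}/testpkcs11-certs/client.key
#
# Writes the private key in $3 to the token under the label gnutls-client2,
# then checks that the stored object is private (its label is not listed
# without a login) and sensitive (CKA_SENSITIVE is reported).
# Aborts the test through exit_error on any failure.
write_privkey () {
	export GNUTLS_PIN="$2"
	filename="$3"
	token="$1"

	echo -n "* Writing a client private key... "
	# $3 is the key file to load; the previous form ran a stray command here.
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label gnutls-client2 --load-privkey "${filename}" "${token}" >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi

	echo -n "* Checking whether object was marked private... "
	# Without --login a private object must not show up, so a matching
	# label line means it was stored as a public object.
	if ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client2" 2>/dev/null | grep 'Label\:' >>"${LOGFILE}" 2>&1; then
		echo "private object was public"
		exit_error
	fi
	echo ok

	echo -n "* Checking whether object was marked sensitive... "
	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client2" | grep "CKA_SENSITIVE" >/dev/null 2>&1; then
		echo "private object was not sensitive"
		exit_error
	fi
	echo ok
}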
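# $1: token
# $2: PIN
# $3: filename
#
# Writes the server private key in $3 to the token under the label
# serv-key. Aborts the test through exit_error on failure.
write_serv_privkey () {
	export GNUTLS_PIN="$2"
	filename="$3"
	token="$1"

	echo -n "* Writing the server private key... "
	# $3 is the key file to load; the previous form ran a stray command here.
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-key --load-privkey "${filename}" "${token}" >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi
}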
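# $1: token
# $2: PIN
# $3: filename
#
# Writes the server public key in $3 to the token under the label
# serv-pubkey and verifies that a "Public key" object with that label is
# then listed. Aborts the test through exit_error on failure.
write_serv_pubkey () {
	export GNUTLS_PIN="$2"
	filename="$3"
	token="$1"

	echo -n "* Writing the server public key... "
	# $3 is the key file to load; the previous form ran a stray command here.
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-pubkey --load-pubkey "${filename}" "${token}" >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi

	# Verify it was written: list the object once, keep the whole listing
	# in the log and check that a public key object is reported.
	pubkey_listing=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=serv-pubkey;type=public" 2>&1)
	printf '%s\n' "${pubkey_listing}" >>"${LOGFILE}"
	if ! printf '%s\n' "${pubkey_listing}" | grep "Public key" >/dev/null 2>&1; then
		echo "Cannot verify the existence of the written pubkey"
		exit_error
	fi
}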
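# $1: token
# $2: PIN
# $3: filename
#
# Writes the server certificate in $3 to the token under the label
# serv-cert as a public object (--no-mark-private). Aborts the test
# through exit_error on failure.
write_serv_cert () {
	export GNUTLS_PIN="$2"
	filename="$3"
	token="$1"

	echo -n "* Writing the server certificate... "
	# $3 is the certificate file to load; the previous form ran a stray command here.
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --no-mark-private --label serv-cert --load-certificate "${filename}" "${token}" >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi
}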
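# $1: token
# $2: PIN
#
# Deletes the certificate object labelled serv-cert (written by
# write_serv_cert) from the token. Aborts the test through exit_error
# on failure. A third argument is accepted but not used.
test_delete_cert () {
	export GNUTLS_PIN="$2"
	token="$1"

	echo -n "* Deleting the server certificate... "
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=serv-cert;object-type=cert" >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi
}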
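# $1: token
# $2: PIN
# $3: bits
#
# Generates an RSA key pair of $3 bits on the token (label gnutls-client,
# CKA_ID 000102030405), writing the public part to tmp-client.pub, then
# checks that the private key is private (not listed without a login)
# and sensitive (CKA_SENSITIVE is reported). Aborts through exit_error
# on any failure.
generate_rsa_privkey () {
	export GNUTLS_PIN="$2"
	token="$1"
	bits="$3"

	# ${bits} is kept inside the quotes so the message is a single word.
	echo -n "* Generating RSA private key (${bits})... "
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --id 000102030405 --label gnutls-client --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi

	echo -n "* Checking whether generated private key was marked private... "
	# Without --login the private key must not show up at all.
	if ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client" 2>/dev/null | grep 'Label\:' >>"${LOGFILE}" 2>&1; then
		echo "private object was public"
		exit_error
	fi
	echo ok

	echo -n "* Checking whether private key was marked sensitive... "
	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client" | grep "CKA_SENSITIVE" >/dev/null 2>&1; then
		echo "private object was not sensitive"
		exit_error
	fi
	echo ok
}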
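# $1: token
# $2: PIN
# $3: bits
#
# Generates a temporary RSA key pair of $3 bits on the token under the
# label temp-rsa-$3, writing the public part to tmp-client.pub.
# Aborts through exit_error on failure.
generate_temp_rsa_privkey () {
	export GNUTLS_PIN="$2"
	token="$1"
	bits="$3"

	# ${bits} is kept inside the quotes so the message is a single word.
	echo -n "* Generating RSA private key (${bits})... "
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-rsa-"${bits}" --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi

	# Disabled key-flag check, kept for reference:
	# if test ${RETCODE} = 0; then
	#	echo -n "* Testing private key flags... "
	#	${P11TOOL} ${ADDITIONAL_PARAM} --login --list-keys "${token};object=gnutls-client2;object-type=private" >tmp-client-2.pub 2>>"${LOGFILE}"
	#	if test $? != 0; then
	#		echo failed
	#		exit_error
	#	fi
	#
	#	grep CKA_WRAP tmp-client-2.pub >>"${LOGFILE}" 2>&1
	#	if test $? != 0; then
	#		echo "failed (no CKA_WRAP)"
	#		exit_error
	#	else
	#		echo ok
	#	fi
	# fi
}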
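# $1: token
# $2: PIN
# $3: bits
#
# Generates a temporary DSA key pair of $3 bits on the token under the
# label temp-dsa-$3, writing the public part to tmp-client.pub.
# Aborts through exit_error on failure.
generate_temp_dsa_privkey () {
	export GNUTLS_PIN="$2"
	token="$1"
	bits="$3"

	# ${bits} is kept inside the quotes so the message is a single word.
	echo -n "* Generating DSA private key (${bits})... "
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-dsa-"${bits}" --generate-dsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi
}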
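# $1: token
# $2: PIN
# $3: bits (only echoed in the progress message; no --bits is passed)
#
# Generates a temporary ed25519 key pair on the token under the label
# temp-ed25519 with p11tool debug level 3, writing the public part to
# tmp-client.pub. Aborts through exit_error on failure.
generate_temp_ed25519_privkey () {
	export GNUTLS_PIN="$2"
	token="$1"
	bits="$3"

	# ${bits} is kept inside the quotes so the message is a single word.
	echo -n "* Generating ed25519 private key (${bits})... "
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login -d 3 --label temp-ed25519 --generate-privkey ed25519 "${token}" --outfile tmp-client.pub >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi
}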
# $1: token
# $2: PIN
# $3: key type suffix; the private key deleted is labelled "temp-$3"
#
# Removes a temporary private key (label prefix temp-) from the token.
# Does nothing when RETCODE already records a failure; otherwise RETCODE
# is set to this step's result (0 on success, 1 on failure) and the
# function itself returns 0.
delete_temp_privkey () {
	export GNUTLS_PIN="$2"
	token="$1"
	type="$3"

	if test "${RETCODE}" != "0"; then
		return 1
	fi

	echo -n "* Deleting private key... "
	${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=temp-${type};object-type=private" >>"${LOGFILE}" 2>&1
	delete_status=$?

	case "${delete_status}" in
	0)
		RETCODE=0
		echo ok
		;;
	*)
		echo failed
		RETCODE=1
		;;
	esac
}
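# $1: token
# $2: PIN
#
# Exports the public key of the gnutls-client private key to
# tmp-client-2.pub and compares it (with ${DIFF}) against tmp-client.pub,
# the public key saved when the key was generated. Aborts through
# exit_error on failure or mismatch; the diff output goes to the log.
export_pubkey_of_privkey () {
	export GNUTLS_PIN="$2"
	token="$1"

	echo -n "* Exporting public key of generated private key... "
	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-pubkey "${token};object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>"${LOGFILE}" 2>&1; then
		echo failed
		exit_error
	fi

	if ! ${DIFF} tmp-client.pub tmp-client-2.pub >>"${LOGFILE}" 2>&1; then
		echo keys differ
		exit_error
	fi

	echo ok
}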
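# $1: token
# $2: SO PIN
#
# Lists all objects of the token while logged in as security officer
# (--so-login, PIN taken from GNUTLS_SO_PIN). Aborts through exit_error
# if the listing fails.
list_pubkey_as_so () {
	export GNUTLS_SO_PIN="$2"
	token="$1"

	echo -n "* Exporting public key as SO... "
	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --list-all "${token}" >>"${LOGFILE}" 2>&1; then
		echo failed
		exit_error
	fi

	echo ok
}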
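# $1: token
# $2: PIN
#
# Lists the token's private keys with GNUTLS_PIN deliberately unset, so
# the PIN must be picked up from the pin-value attribute of the URL
# instead. Aborts through exit_error if the listing fails.
list_privkey_without_pin_env () {
	token="$1"
	pin="$2"

	echo -n "* List private key without GNUTLS_PIN... "
	unset GNUTLS_PIN
	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all-privkeys "${token}?pin-value=${pin}" >>"${LOGFILE}" 2>&1; then
		echo failed
		exit_error
	fi

	echo ok
}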
# $1: token
# $2: PIN
#
# Changes the CKA_ID of the gnutls-client private key from
# 00:01:02:03:04:05 to 01:a1:b1:03 and verifies that the key is then
# found under the new ID. Aborts through exit_error on failure.
change_id_of_privkey () {
	export GNUTLS_PIN="$2"
	token="$1"

	old_id_url="${token};object=gnutls-client;id=%00%01%02%03%04%05;object-type=private"
	new_id_url="${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03"

	echo -n "* Change the CKA_ID of generated private key... "
	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-id "01a1b103" "${old_id_url}" >>"${LOGFILE}" 2>&1; then
		echo failed
		exit_error
	fi

	# Look the key up by its new ID and make sure the listing reports it.
	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${new_id_url}" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${LOGFILE}" 2>&1; then
		echo "ID didn't change"
		exit_error
	fi

	echo ok
}
# $1: token
# $2: PIN
#
# Renames the gnutls-client private key to new-label, verifies that the
# key is listed under the new label, then restores the original label.
# Aborts through exit_error on failure.
change_label_of_privkey () {
	export GNUTLS_PIN="$2"
	token="$1"

	orig_label_url="${token};object=gnutls-client;object-type=private"
	new_label_url="${token};object=new-label;object-type=private"

	echo -n "* Change the CKA_LABEL of generated private key... "
	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "new-label" "${orig_label_url}" >>"${LOGFILE}" 2>&1; then
		echo failed
		exit_error
	fi

	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${new_label_url}" 2>&1 | grep 'Label: new-label' >>"${LOGFILE}" 2>&1; then
		echo "label didn't change"
		exit_error
	fi

	# Put the original label back so later steps still find gnutls-client.
	if ! ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "gnutls-client" "${new_label_url}" >>"${LOGFILE}" 2>&1; then
		echo failed
		exit_error
	fi

	echo ok
}
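# $1: token
# $2: PIN
# $3: bits
#
# Generates a temporary ECC key pair of $3 bits on the token under the
# label temp-ecc-$3, writing the public part to tmp-client.pub.
# Aborts through exit_error on failure.
generate_temp_ecc_privkey () {
	export GNUTLS_PIN="$2"
	token="$1"
	bits="$3"

	echo -n "* Generating ECC private key (${bits})... "
	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --label "temp-ecc-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi
}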
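# $1: token
# $2: PIN
# $3: bits
#
# The same as generate_temp_ecc_privkey but no explicit login is performed.
# p11tool should detect that login is required for the operation.
# The key is labelled temp-ecc-no-$3. Aborts through exit_error on failure.
generate_temp_ecc_privkey_no_login () {
	export GNUTLS_PIN="$2"
	token="$1"
	bits="$3"

	echo -n "* Generating ECC private key without --login (${bits})... "
	if ${P11TOOL} ${ADDITIONAL_PARAM} --label "temp-ecc-no-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi
}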
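# $1: name (used in the progress message only)
# $2: label prefix; the key is written with the label "$2-$6"
# $3: generate option for certtool, passed as exactly one argument
# $4: token
# $5: PIN
# $6: bits
#
# Generates a PKCS#8 private key with certtool (empty password) into
# tmp-$2-$6.pem and imports it into the token. Aborts through exit_error
# if either step fails.
import_privkey () {
	export GNUTLS_PIN="$5"
	name="$1"
	prefix="$2"
	gen_option="$3"
	token="$4"
	bits="$6"

	outfile="tmp-${prefix}-${bits}.pem"

	echo -n "* Importing ${name} private key (${bits})... "

	if ! "${CERTTOOL}" ${CERTTOOL_PARAM} --generate-privkey "${gen_option}" --pkcs8 --password= --outfile "${outfile}" >>"${LOGFILE}" 2>&1; then
		echo failed
		exit_error
	fi

	if ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label "${prefix}-${bits}" --load-privkey "${outfile}" "${token}" >>"${LOGFILE}" 2>&1; then
		echo ok
	else
		echo failed
		exit_error
	fi
}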
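# $@: token, PIN, bits (forwarded to import_privkey)
#
# Imports a temporary RSA key labelled temp-rsa-<bits>.
import_temp_rsa_privkey () {
	# "$@" keeps each forwarded argument intact.
	import_privkey RSA temp-rsa --rsa "$@"
}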
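# $@: token, PIN, bits (forwarded to import_privkey)
#
# Imports a temporary ECC key labelled temp-ecc-<bits>.
import_temp_ecc_privkey () {
	# "$@" keeps each forwarded argument intact.
	import_privkey ECC temp-ecc --ecc "$@"
}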
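# $@: token, PIN, bits (forwarded to import_privkey)
#
# Imports a temporary ed25519 key labelled temp-ed25519-<bits>.
import_temp_ed25519_privkey () {
	# import_privkey reads exactly one generate option as $3 and then
	# token/PIN/bits as $4/$5/$6, so the key type must be passed as a
	# single word; splitting it into "--key-type ed25519" shifted every
	# following argument by one.
	import_privkey ed25519 temp-ed25519 --key-type=ed25519 "$@"
}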
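# $@: token, PIN, bits (forwarded to import_privkey)
#
# Imports a temporary DSA key labelled temp-dsa-<bits>.
import_temp_dsa_privkey () {
	# "$@" keeps each forwarded argument intact.
	import_privkey DSA temp-dsa --dsa "$@"
}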
# $1: token
# $2: PIN
# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
#
# Tests writing a certificate which corresponds to the given key,
# as well as the CA certificate, and tries to export them.
write_certificate_test () {
export GNUTLS_PIN="$2"
token="$1"
cakey="$3"
cacert="$4"
pubkey="$5"
echo -n "* Generating client certificate... "
"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
--template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
--load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1
if test $? = 0; then
echo ok
else
echo failed
exit_error
fi
echo -n "* Writing client certificate... "
${P11TOOL} ${ADDITIONAL_PARAM} --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "${token}" >>"${LOGFILE}" 2>&1
if test $? = 0; then
echo ok
else
echo failed
exit_error
fi
echo -n "* Checking whether ID was correctly set... "
${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${LOGFILE}" 2>&1
if test $? != 0; then
echo "ID was not set on copy"
exit_error
fi
echo ok
if test -n "${BROKEN_SOFTHSM2}";then
return
fi
echo -n "* Checking whether object was public... "
${P11TOOL} ${ADDITIONAL_PARAM} --list-all-certs "${token};object=gnutls-client;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${LOGFILE}" 2>&1
if test $? != 0; then
echo "certificate object was not public"
exit_error
fi
echo ok
if test -n "${BROKEN_SOFTHSM2}";then
return
fi
echo -n "* Writing certificate of client's CA... "
${P11TOOL} ${ADDITIONAL_PARAM} --login --mark-trusted --mark-ca --write --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${LOGFILE}" 2>&1
ret=$?
if test ${ret} != 0; then
echo "Failed with PIN, trying to write with so PIN" >>"${LOGFILE}"
${P11TOOL} ${ADDITIONAL_PARAM} --so-login --mark-ca --write --mark-trusted --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${LOGFILE}" 2>&1
ret=$?
fi
if test ${ret} = 0; then
echo ok
else
echo failed
exit_error
fi
echo -n "* Testing certificate flags... "
${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all-certs "${token};object=gnutls-ca;object-type=cert" >${TMPFILE} 2>&1
grep Flags ${TMPFILE}|head -n 1 >tmp-client-2.pub 2>>"${LOGFILE}"
if test $? != 0; then
echo failed
exit_error
fi
grep CKA_TRUSTED tmp-client-2.pub >>"${LOGFILE}" 2>&1
if test $? != 0; then
echo "failed (no CKA_TRUSTED)"
#exit_error
fi
grep "CKA_CERTIFICATE_CATEGORY=CA" tmp-client-2.pub >>"${LOGFILE}" 2>&1
if test $? != 0; then
echo "failed (no CKA_CERTIFICATE_CATEGORY=CA)"
#exit_error
fi
echo ok
echo -n "* Checking output of certificate"
grep "Expires: Sun Dec 13 08:24:54 2020" ${TMPFILE} >/dev/null
if test $? != 0;then
echo "failed. Expiration time not found"
exit_error
fi
grep "X.509 Certificate (RSA-1024)" ${TMPFILE} >/dev/null
if test $? != 0;then
echo "failed. Certificate type and size not found."
exit_error
fi
grep "Label: gnutls-ca" ${TMPFILE} >/dev/null
if test $? != 0;then
echo "failed. Certificate label not found."
exit_error
fi
grep "Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;" ${TMPFILE} >/dev/null
if test $? != 0;then
echo "failed. Object flags were not found."
exit_error
fi
echo ok
rm -f ${TMPFILE}
echo -n "* Trying to obtain back the cert... "
${P11TOOL} ${ADDITIONAL_PARAM} --export "${token};object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>"${LOGFILE}" 2>&1
${DIFF} crt1.tmp "${srcdir}/testpkcs11-certs/ca.crt"
if test $? != 0; then
echo "failed. Exported certificate differs (crt1.tmp)!"
exit_error
fi
rm -f crt1.tmp
if test $? = 0; then
echo ok
else
echo failed
exit_error
fi
echo -n "* Trying to obtain the full chain... "
${P11TOOL} ${ADDITIONAL_PARAM} --login --export-chain "${token};object=gnutls-client;object-type=cert"|"${CERTTOOL}" ${CERTTOOL_PARAM} -i --outfile crt1.tmp >>"${LOGFILE}" 2>&1
cat tmp-client.crt ${srcdir}/testpkcs11-certs/ca.crt|"${CERTTOOL}" ${CERTTOOL_PARAM} -i >crt2.tmp
${DIFF} crt1.tmp crt2.tmp
if test $? != 0; then
echo "failed. Exported certificate chain differs!"
exit_error
fi
rm -f crt1.tmp crt2.tmp
if test $? = 0; then
echo ok
else
echo failed
exit_error
fi
}
# $1: token
# $2: PIN
# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
#
# Tests writing a certificate which corresponds to the given key,
# and verifies whether the ID is the same. Should utilize the
# ID of the public key.
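write_certificate_id_test_rsa () {
	# Generates an RSA key pair on the token, issues a certificate for it with
	# certtool, writes that certificate back to the token and checks that the
	# stored certificate carries the same ID as the public key object.
	#
	# $1: token URL
	# $2: user PIN (exported as GNUTLS_PIN so the tools can log in)
	# $3: CA private key used to sign the generated certificate
	# $4: CA certificate
	#
	# Writes "tmp-client.crt" in the current directory and leaves it in place,
	# as before. Aborts the whole run via exit_error on any failure.
	export GNUTLS_PIN="$2"
	token="$1"
	cakey="$3"
	cacert="$4"

	echo -n "* Generating RSA private key on HSM... "
	${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${LOGFILE}" 2>&1
	if test $? = 0; then
		echo ok
	else
		echo failed
		# Same failure path as every other step in this function
		# (this used to be a bare "exit 1" that bypassed exit_error).
		exit_error
	fi

	echo -n "* Checking whether right ID is set on copy... "
	# The private key never leaves the token: certtool signs through the
	# PKCS #11 URL of the key generated above.
	"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
		--template "${srcdir}/testpkcs11-certs/client-tmpl" --load-privkey "${token};object=xxx1-rsa;object-type=private" \
		--outfile tmp-client.crt >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo failed
		exit_error
	fi

	# ID of the public key object; it is listed without --login.
	id=$(${P11TOOL} ${ADDITIONAL_PARAM} --list-all "${token};object=xxx1-rsa;object-type=public" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
	${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx1-rsa --load-certificate tmp-client.crt "${token}" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo failed
		exit_error
	fi

	# The written certificate must have been given the key pair's ID.
	${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx1-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo "ID '$id' was not set on copy"
		exit_error
	fi
	echo ok
}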
# $1: token
# $2: PIN
# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
#
# Tests writing a certificate which corresponds to the given key,
# and verifies whether the ID is the same. Should utilize the
# ID of the private key.
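write_certificate_id_test_rsa2 () {
	# Generates an RSA key with certtool, issues a certificate for it, imports
	# the key into the token and checks that the certificate written afterwards
	# carries the same ID as the imported private key object.
	#
	# $1: token URL
	# $2: user PIN (exported as GNUTLS_PIN so the tools can log in)
	# $3: CA private key used to sign the generated certificate
	# $4: CA certificate
	#
	# The key is generated into a scratch file in the current directory and
	# removed on every exit path, so no private key material is left on disk
	# when a step fails. "tmp-client.crt" is left in place, as before.
	export GNUTLS_PIN="$2"
	token="$1"
	cakey="$3"
	cacert="$4"
	tmpkey="key.$$.tmp"

	echo -n "* Generating RSA private key... "
	${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile "${tmpkey}" >>"${LOGFILE}" 2>&1
	if test $? = 0; then
		echo ok
	else
		echo failed
		# Same failure path as the other steps (this was a bare "exit 1").
		rm -f -- "${tmpkey}"
		exit_error
	fi

	echo -n "* Checking whether right ID is set on copy... "
	"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
		--template "${srcdir}/testpkcs11-certs/client-tmpl" --load-privkey "${tmpkey}" \
		--outfile tmp-client.crt >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo failed
		rm -f -- "${tmpkey}"
		exit_error
	fi

	${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx2-rsa --load-privkey "${tmpkey}" "${token}" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo failed
		rm -f -- "${tmpkey}"
		exit_error
	fi

	# ID of the imported private key object (listed with --login).
	id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx2-rsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')

	# The key is on the token now; drop the on-disk copy.
	rm -f -- "${tmpkey}"
	${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx2-rsa --load-certificate tmp-client.crt "${token}" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo failed
		exit_error
	fi

	# The written certificate must carry the private key's ID.
	${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx2-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo "ID '$id' was not set on copy"
		exit_error
	fi
	echo ok
}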
# $1: token
# $2: PIN
# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
#
# Tests writing a certificate which corresponds to the given key,
# and verifies whether the ID is the same. Should utilize the
# ID of the private key.
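write_certificate_id_test_ecdsa () {
	# Generates an ECDSA key with certtool, issues a certificate for it,
	# imports the key into the token and checks that the certificate written
	# afterwards carries the same ID as the imported private key object.
	#
	# $1: token URL
	# $2: user PIN (exported as GNUTLS_PIN so the tools can log in)
	# $3: CA private key used to sign the generated certificate
	# $4: CA certificate
	#
	# The key is generated into a scratch file in the current directory and
	# removed on every exit path, so no private key material is left on disk
	# when a step fails. "tmp-client.crt" is left in place, as before.
	export GNUTLS_PIN="$2"
	token="$1"
	cakey="$3"
	cacert="$4"
	tmpkey="key.$$.tmp"

	echo -n "* Generating ECDSA private key... "
	${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --ecdsa --outfile "${tmpkey}" >>"${LOGFILE}" 2>&1
	if test $? = 0; then
		echo ok
	else
		echo failed
		# Same failure path as the other steps (this was a bare "exit 1").
		rm -f -- "${tmpkey}"
		exit_error
	fi

	echo -n "* Checking whether right ID is set on copy... "
	"${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
		--template "${srcdir}/testpkcs11-certs/client-tmpl" --load-privkey "${tmpkey}" \
		--outfile tmp-client.crt >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo failed
		rm -f -- "${tmpkey}"
		exit_error
	fi

	${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx-ecdsa --load-privkey "${tmpkey}" "${token}" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo failed
		rm -f -- "${tmpkey}"
		exit_error
	fi

	# ID of the imported private key object (listed with --login).
	id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx-ecdsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')

	# The key is on the token now; drop the on-disk copy.
	rm -f -- "${tmpkey}"
	${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx-ecdsa --load-certificate tmp-client.crt "${token}" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo failed
		exit_error
	fi

	# The written certificate must carry the private key's ID.
	${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx-ecdsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo "ID '$id' was not set on copy"
		exit_error
	fi
	echo ok
}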
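test_sign () {
	# Exercises "p11tool --test-sign" with the server key stored on the token:
	# a plain signature, an RSA-PSS signature, and a signature with the key
	# addressed by its ID instead of its label.
	#
	# $1: token URL
	# $2: user PIN (exported as GNUTLS_PIN so p11tool can log in)
	#
	# Aborts via exit_error on failure, except that an exit status of 2 from
	# the RSA-PSS run is reported as "not supported" and tolerated.
	export GNUTLS_PIN="$2"
	token="$1"

	echo -n "* Testing signatures using the private key... "
	${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};object=serv-key" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo "failed. Cannot test signatures."
		exit_error
	fi
	echo ok

	echo -n "* Testing RSA-PSS signatures using the private key... "
	${P11TOOL} ${ADDITIONAL_PARAM} --login --sign-params rsa-pss --test-sign "${token};object=serv-key" >>"${LOGFILE}" 2>&1
	rc=$?
	if test $rc != 0; then
		if test $rc = 2; then
			# Status 2 is treated as "mechanism not available" rather than
			# as a signing failure.
			echo "failed. RSA-PSS not supported."
		else
			echo "failed. Cannot test signatures."
			exit_error
		fi
	else
		echo ok
	fi

	echo -n "* Testing signatures using the private key (with ID)... "
	# The key is selected by its ID here, not by label.
	id_url="${token};id=%ac%1d%7a%39%cb%72%17%94%66%6c%74%44%73%40%91%44%c0%a0%43%7d"
	# First run keeps the full tool output in the log; its exit status was
	# previously discarded, so a failing signature only showed up in the log.
	${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${id_url}" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo "failed. Cannot test signatures with ID."
		exit_error
	fi
	# Second run checks that the verification against the token's public
	# key is reported as ok.
	${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${id_url}" 2>&1|grep "Verifying against public key in the token..."|grep ok >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo "failed. Cannot test signatures with ID."
		exit_error
	fi
	echo ok
}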
# This tests the signing operation as well as the usage of --set-pin
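test_sign_set_pin () {
	# Checks signing with the server key when the PIN is supplied through
	# p11tool's --set-pin option instead of the GNUTLS_PIN environment variable.
	#
	# $1: token URL
	# $2: user PIN
	#
	# GNUTLS_PIN is cleared for the duration of the test so that --set-pin is
	# really what supplies the PIN, and re-exported with $2 at the end.
	# Note that --set-pin puts the PIN on the command line, where it is
	# typically visible in process listings; that is the option under test
	# here, the rest of the script passes PINs through the environment.
	pin="$2"
	token="$1"

	unset GNUTLS_PIN

	echo -n "* Testing signatures using the private key and --set-pin... "
	# Quoted so a PIN containing whitespace reaches p11tool as one argument.
	${P11TOOL} ${ADDITIONAL_PARAM} --login --set-pin "${pin}" --test-sign "${token};object=serv-key" >>"${LOGFILE}" 2>&1
	if test $? != 0; then
		echo "failed. Cannot test signatures."
		exit_error
	fi
	echo ok

	export GNUTLS_PIN="${pin}"
}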
# $1: token
# $2: PIN
# $3: certfile
# $4: keyfile
# $5: cafile
#
# Tests using a certificate and key pair using gnutls-serv and gnutls-cli.
use_certificate_test () {
	# Starts gnutls-serv with the given certificate, key and CA files,
	# requiring a client certificate, and connects with gnutls-cli three
	# times: with no client certificate (must be rejected), with the
	# certificate and key from files (must succeed), and with the certificate
	# and key addressed through PKCS #11 URLs on the token (must succeed).
	#
	# $1: token URL
	# $2: user PIN (exported as GNUTLS_PIN)
	# $3: certificate file
	# $4: key file
	# $5: CA file
	# $6: short description shown in the progress line
	#
	# Uses launch_pkcs11_server, wait_server, fail and the GETPORT snippet,
	# all defined outside this function; "fail" is presumably expected to
	# stop the server and abort the run, as nothing here continues after it.
	export GNUTLS_PIN="$2"
	token="$1"
	certfile="$3"
	keyfile="$4"
	cafile="$5"
	txt="$6"

	echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "

	# Pick a port and start the server in the background.
	eval "${GETPORT}"
	launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \
		--x509keyfile="${keyfile}" --x509cafile="${cafile}" \
		--verify-client-cert --require-client-cert >>"${LOGFILE}" 2>&1
	PID=$!
	wait_server ${PID}

	# No client certificate at all: the server requires one, so this
	# connection has to be refused.
	if ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL \
		--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1; then
		fail ${PID} "Connection should have failed!"
	fi

	# Client certificate and key read from files.
	if ! ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL \
		--x509certfile="${certfile}" --x509keyfile="${keyfile}" --x509cafile="${cafile}" \
		</dev/null >>"${LOGFILE}" 2>&1; then
		fail ${PID} "Connection (with files) should have succeeded!"
	fi

	# Client certificate and key taken from the token.
	if ! ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL \
		--x509certfile="${token};object=gnutls-client;object-type=cert" \
		--x509keyfile="${token};object=gnutls-client;object-type=private" \
		--x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1; then
		fail ${PID} "Connection (with SC) should have succeeded!"
	fi

	kill ${PID}
	wait

	echo ok
}
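# Helper for reset_pins: runs "p11tool --initialize-so-pin" with the current
# and the new SO PIN supplied only in the environment of that one command.
# $1: current SO PIN
# $2: new SO PIN
_reset_pins_set_so_pin() {
	GNUTLS_SO_PIN="$1" GNUTLS_NEW_SO_PIN="$2" \
		${P11TOOL} ${ADDITIONAL_PARAM} --login --initialize-so-pin "${token}" >>"${LOGFILE}" 2>&1
}

# Helper for reset_pins: runs "p11tool --initialize-pin" using the exported
# GNUTLS_SO_PIN and GNUTLS_PIN.
_reset_pins_set_user_pin() {
	${P11TOOL} ${ADDITIONAL_PARAM} --login --initialize-pin "${token}" >>"${LOGFILE}" 2>&1
}

# Helper for reset_pins: prints "ok" when the status in $1 matches the
# expectation in $2, otherwise prints "failed" and aborts via exit_error.
# $1: exit status of the preceding p11tool call
# $2: "success" (status must be 0) or "failure" (status must be non-zero)
_reset_pins_check() {
	if test "$2" = failure; then
		if test "$1" = 0; then
			echo failed
			exit_error
		fi
	elif test "$1" != 0; then
		echo failed
		exit_error
	fi
	echo ok
}

reset_pins () {
	# Changes the SO PIN and the user PIN of the token to new values and back
	# again, including a 31-character PIN that must be accepted and a
	# 32-character one that must be rejected.
	#
	# $1: token URL
	# $2: user PIN
	# $3: SO PIN
	#
	# On return GNUTLS_SO_PIN and GNUTLS_PIN are exported and hold the
	# original SO PIN and user PIN again.
	token="$1"
	UPIN="$2"
	SOPIN="$3"
	NEWPIN=88654321
	LARGE_NEWPIN="1234123412341234123412341234123" #31 chars
	TOO_LARGE_NEWPIN="12341234123412341234123412341234" #32 chars

	# Test admin PIN
	echo -n "* Setting SO PIN... "
	_reset_pins_set_so_pin "${SOPIN}" "${NEWPIN}"
	_reset_pins_check $? success

	# reset back
	echo -n "* Re-setting SO PIN... "
	_reset_pins_set_so_pin "${NEWPIN}" "${SOPIN}"
	_reset_pins_check $? success

	echo -n "* Setting too large SO PIN... "
	_reset_pins_set_so_pin "${SOPIN}" "${TOO_LARGE_NEWPIN}"
	_reset_pins_check $? failure

	echo -n "* Setting large SO PIN... "
	_reset_pins_set_so_pin "${SOPIN}" "${LARGE_NEWPIN}"
	_reset_pins_check $? success

	# reset back
	echo -n "* Re-setting SO PIN... "
	_reset_pins_set_so_pin "${LARGE_NEWPIN}" "${SOPIN}"
	_reset_pins_check $? success

	NEWPIN=977654321
	# Test user PIN. Unlike the SO PIN steps above, these exports outlive the
	# function: GNUTLS_SO_PIN stays in the environment of every command run
	# later in the script, which later steps may rely on.
	echo -n "* Setting user PIN... "
	export GNUTLS_SO_PIN="${SOPIN}"
	export GNUTLS_PIN="${NEWPIN}"
	_reset_pins_set_user_pin
	_reset_pins_check $? success

	echo -n "* Re-setting user PIN... "
	export GNUTLS_PIN="${UPIN}"
	_reset_pins_set_user_pin
	_reset_pins_check $? success

	echo -n "* Setting too large user PIN... "
	export GNUTLS_SO_PIN="${SOPIN}"
	export GNUTLS_PIN="${TOO_LARGE_NEWPIN}"
	_reset_pins_set_user_pin
	_reset_pins_check $? failure

	echo -n "* Setting large user PIN... "
	export GNUTLS_SO_PIN="${SOPIN}"
	export GNUTLS_PIN="${LARGE_NEWPIN}"
	_reset_pins_set_user_pin
	_reset_pins_check $? success

	echo -n "* Re-setting user PIN... "
	export GNUTLS_PIN="${UPIN}"
	_reset_pins_set_user_pin
	_reset_pins_check $? success
}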
echo "Testing PKCS11 support"
# erase SC
type="$1"
if test -z "${type}"; then
echo "usage: $0: [pkcs15|softhsm|sc-hsm]"
if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util"; then
echo "assuming 'softhsm'"
echo ""
type=softhsm
else
exit 77
fi
fi
. "${srcdir}/testpkcs11.${type}"
export TEST_PIN=12345678
export TEST_SO_PIN=00000001
init_card "${TEST_PIN}" "${TEST_SO_PIN}"
# find token name
TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
echo "* Token: ${TOKEN}"
if test "x${TOKEN}" = x; then
echo "Could not find generated token"
exit_error
fi
${P11TOOL} ${ADDITIONAL_PARAM} --list-mechanisms ${TOKEN}|grep 25519 >/dev/null
if test $? = 0;then
have_ed25519=1
fi
${P11TOOL} ${ADDITIONAL_PARAM} --list-mechanisms ${TOKEN} > ${TMPFILE}
# Verify that we output flags correctly
if grep AES_CTR ${TMPFILE} | grep -v "keysize range (16, 32)" ; then
echo "Keysize range error"
exit_error
fi
if grep AES_CTR ${TMPFILE} | grep -v "encrypt decrypt" ; then
echo "Error with encrypt/decrypt flags"
exit_error
fi
if grep KEY_WRAP ${TMPFILE} | grep -v "wrap.unwrap" ; then
echo "Error with wrap/unwrap flags"
exit_error
fi
if grep AES_CMAC ${TMPFILE} | grep -v "sign verify" ; then
echo "Error with sign/verify flags"
exit_error
fi
if grep "CKM_SHA256 " ${TMPFILE} | grep -v "digest" ; then
echo "Error with digest flags"
exit_error
fi
reset_pins "${TOKEN}" "${TEST_PIN}" "${TEST_SO_PIN}"
#write a given privkey
|
|
Packit Service |
4684c1 |
write_privkey "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/client.key"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
generate_temp_ecc_privkey "${TOKEN}" "${TEST_PIN}" 256
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" ecc-256
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
generate_temp_ecc_privkey_no_login "${TOKEN}" "${TEST_PIN}" 256
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" ecc-no-256
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
generate_temp_ecc_privkey "${TOKEN}" "${TEST_PIN}" 384
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" ecc-384
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if test $have_ed25519 != 0;then
|
|
Packit Service |
4684c1 |
generate_temp_ed25519_privkey "${TOKEN}" "${TEST_PIN}" ed25519
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" ed25519
|
|
Packit Service |
4684c1 |
fi
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
generate_temp_rsa_privkey "${TOKEN}" "${TEST_PIN}" 2048
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" rsa-2048
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
generate_temp_dsa_privkey "${TOKEN}" "${TEST_PIN}" 3072
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" dsa-3072
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
import_temp_rsa_privkey "${TOKEN}" "${TEST_PIN}" 1024
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" rsa-1024
|
|
Packit Service |
4684c1 |
import_temp_ecc_privkey "${TOKEN}" "${TEST_PIN}" 256
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" ecc-256
|
|
Packit Service |
4684c1 |
import_temp_dsa_privkey "${TOKEN}" "${TEST_PIN}" 2048
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" dsa-2048
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if test $have_ed25519 != 0;then
|
|
Packit Service |
4684c1 |
import_temp_ed25519_privkey "${TOKEN}" "${TEST_PIN}" ed25519
|
|
Packit Service |
4684c1 |
delete_temp_privkey "${TOKEN}" "${TEST_PIN}" ed25519
|
|
Packit Service |
4684c1 |
fi
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
generate_rsa_privkey "${TOKEN}" "${TEST_PIN}" 1024
|
|
Packit Service |
4684c1 |
change_id_of_privkey "${TOKEN}" "${TEST_PIN}"
|
|
Packit Service |
4684c1 |
export_pubkey_of_privkey "${TOKEN}" "${TEST_PIN}"
|
|
Packit Service |
4684c1 |
change_label_of_privkey "${TOKEN}" "${TEST_PIN}"
|
|
Packit Service |
4684c1 |
list_pubkey_as_so "${TOKEN}" "${TEST_SO_PIN}"
|
|
Packit Service |
4684c1 |
list_privkey_without_pin_env "${TOKEN}" "${TEST_PIN}"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
write_certificate_test "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
|
|
Packit Service |
4684c1 |
write_serv_privkey "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/server.key"
|
|
Packit Service |
4684c1 |
write_serv_cert "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
write_serv_pubkey "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
|
|
Packit Service |
4684c1 |
test_sign "${TOKEN}" "${TEST_PIN}"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
use_certificate_test "${TOKEN}" "${TEST_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
use_certificate_test "${TOKEN}" "${TEST_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
write_certificate_id_test_rsa "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
|
|
Packit Service |
4684c1 |
write_certificate_id_test_rsa2 "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
|
|
Packit Service |
4684c1 |
write_certificate_id_test_ecdsa "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
test_delete_cert "${TOKEN}" "${TEST_PIN}"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
test_sign_set_pin "${TOKEN}" "${TEST_PIN}"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if test ${RETCODE} = 0; then
|
|
Packit Service |
4684c1 |
echo "* All smart cards tests succeeded"
|
|
Packit Service |
4684c1 |
fi
|
|
Packit Service |
4684c1 |
rm -f tmp-client.crt tmp-client.pub tmp-client-2.pub "${LOGFILE}" "${TMPFILE}"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
exit 0