|
Packit |
549fdc |
#!/bin/sh
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
# Copyright (C) 2017 Red Hat, Inc.
|
|
Packit |
549fdc |
#
|
|
Packit |
549fdc |
# This file is part of p11-kit.
|
|
Packit |
549fdc |
#
|
|
Packit |
549fdc |
# p11-kit is free software; you can redistribute it and/or modify it
|
|
Packit |
549fdc |
# under the terms of the GNU General Public License as published by the
|
|
Packit |
549fdc |
# Free Software Foundation; either version 3 of the License, or (at
|
|
Packit |
549fdc |
# your option) any later version.
|
|
Packit |
549fdc |
#
|
|
Packit |
549fdc |
# p11-kit is distributed in the hope that it will be useful, but
|
|
Packit |
549fdc |
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
549fdc |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit |
549fdc |
# General Public License for more details.
|
|
Packit |
549fdc |
#
|
|
Packit |
549fdc |
# You should have received a copy of the GNU General Public License
|
|
Packit |
549fdc |
# along with GnuTLS; if not, write to the Free Software Foundation,
|
|
Packit |
549fdc |
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#set -e
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
srcdir="${srcdir:-.}"
|
|
Packit |
549fdc |
P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
|
|
Packit |
549fdc |
CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
|
|
Packit |
549fdc |
DIFF="${DIFF:-diff}"
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
EXPORTED_FILE=out.$$.tmp
|
|
Packit |
549fdc |
DER_FILE=out-der.$$.tmp
|
|
Packit |
549fdc |
TMPFILE=out-tmp.$$.tmp
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/;do
|
|
Packit |
549fdc |
if test -f "${lib}/p11-kit-trust.so"; then
|
|
Packit |
549fdc |
MODULE="${lib}/p11-kit-trust.so"
|
|
Packit |
549fdc |
echo "located ${MODULE}"
|
|
Packit |
549fdc |
break
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
done
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if ! test -x "${P11TOOL}"; then
|
|
Packit |
549fdc |
echo "p11tool was not found"
|
|
Packit |
549fdc |
exit 77
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if ! test -f "${MODULE}"; then
|
|
Packit |
549fdc |
echo "p11-kit trust module was not found"
|
|
Packit |
549fdc |
exit 77
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
TRUST_PATH="${srcdir}/p11-kit-trust-data/"
|
|
Packit |
549fdc |
CACERT=${TRUST_PATH}/Example_Root_CA.pem
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
# Test whether a CA extracted from a trust store can retrieve stapled
|
|
Packit |
549fdc |
# extensions.
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
OPTS="--provider ${MODULE} --provider-opts trusted,p11-kit:paths=\"${TRUST_PATH}\""
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
# Informational
|
|
Packit |
549fdc |
${P11TOOL} --list-all-certs ${OPTS} 'pkcs11:'
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
####
|
|
Packit |
549fdc |
# Test 1: Extract the CA certificate from store
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
${P11TOOL} --export 'pkcs11:object=Example%20CA' ${OPTS} --outder --outfile ${EXPORTED_FILE}
|
|
Packit |
549fdc |
if test "$?" != "0"; then
|
|
Packit |
549fdc |
echo "Exporting failed (1)"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
${CERTTOOL} -i --infile ${CACERT} --outder --outfile ${DER_FILE}
|
|
Packit |
549fdc |
if test "$?" != "0"; then
|
|
Packit |
549fdc |
echo "Exporting failed (2)"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
${DIFF} ${EXPORTED_FILE} ${DER_FILE}
|
|
Packit |
549fdc |
if test "$?" != "0"; then
|
|
Packit |
549fdc |
echo "Files ${EXPORTED_FILE} and ${DER_FILE} are not identical"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
rm -f ${EXPORTED_FILE} ${DER_FILE} ${TMPFILE}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
echo "Root CA retrieval test passed..."
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
####
|
|
Packit |
549fdc |
# Test 2: Extract the certificate from store with the stapled data
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
${P11TOOL} --export-stapled 'pkcs11:object=Example%20CA' ${OPTS} --outder --outfile ${EXPORTED_FILE}
|
|
Packit |
549fdc |
if test "$?" != "0"; then
|
|
Packit |
549fdc |
echo "Exporting failed (3)"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
${CERTTOOL} -i --infile ${CACERT} --outder --outfile ${DER_FILE}
|
|
Packit |
549fdc |
if test "$?" != "0"; then
|
|
Packit |
549fdc |
echo "Exporting failed (4)"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
${DIFF} ${EXPORTED_FILE} ${DER_FILE}
|
|
Packit |
549fdc |
if test "$?" = "0"; then
|
|
Packit |
549fdc |
echo "Files are identical; no extensions were stapled"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
${CERTTOOL} -i --inder --infile ${EXPORTED_FILE} --outfile ${TMPFILE}
|
|
Packit |
549fdc |
if test "$?" != "0"; then
|
|
Packit |
549fdc |
echo "PEM converting failed"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
grep -i "Name Constraints" ${TMPFILE}
|
|
Packit |
549fdc |
if test "$?" != "0"; then
|
|
Packit |
549fdc |
cat ${TMPFILE}
|
|
Packit |
549fdc |
echo "No name constraints found (1)"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
grep -i "Permitted" ${TMPFILE}
|
|
Packit |
549fdc |
if test "$?" != "0"; then
|
|
Packit |
549fdc |
cat ${TMPFILE}
|
|
Packit |
549fdc |
echo "No name constraints found (2)"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
grep -i "DNSname: example.com" ${TMPFILE}
|
|
Packit |
549fdc |
if test "$?" != "0"; then
|
|
Packit |
549fdc |
cat ${TMPFILE}
|
|
Packit |
549fdc |
echo "No name constraints found (3)"
|
|
Packit |
549fdc |
exit 1
|
|
Packit |
549fdc |
fi
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
echo "Root CA with stapled extensions retrieval test passed..."
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
rm -f ${EXPORTED_FILE} ${DER_FILE} ${TMPFILE}
|
|
Packit |
549fdc |
exit 0
|