#!/bin/sh # Copyright (C) 2015 Nikos Mavrogiannopoulos # # GnuTLS is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 3 of the License, or (at # your option) any later version. # # GnuTLS is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # This test checks if the search for objects in tokens will continue past the # first token found. # # Generic PKCS#11 URIs are used to make the search to match more than one # token. The search should be able to find the objects in each device, which are # labeled differently per token. # # This test also contains a negative test to verify that the engine will not try # to login to a token if more than one token matched the search. This is why it # is required to have only one match to be able to use a private key. outdir="output.$$" # Load common test functions . ${srcdir}/rsa-common.sh PIN=1234 PUK=1234 NUM_DEVICES=5 # Initialize the SoftHSM DB init_db # Create some devices create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label" sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf" export OPENSSL_ENGINES="../src/.libs/" export OPENSSL_CONF="${outdir}/engines.cnf" PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234" PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234" PUBLIC_KEY_ANY="pkcs11:type=public" CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234" # Create input file echo "secret" > "${outdir}/in.txt" # Verify that it doesn't try to login if more than one token matched the search openssl pkeyutl -engine pkcs11 -keyform engine \ -inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt" if test $? = 0;then echo "Did not fail when the PKCS#11 URI matched multiple tokens" exit 1; fi # Generate signature specifying the token in the PKCS#11 URI openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt" if test $? != 0;then echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}" exit 1; fi # Verify the signature using the public key from each token i=0 while [ $i -le ${NUM_DEVICES} ]; do pubkey="pkcs11:object=label-$i;type=public;pin-value=1234" openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" if test $? != 0;then echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}" exit 1; fi i=$(($i + 1)) done # Verify the signature using a certificate without specifying the token openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" if test $? != 0;then echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}" exit 1; fi # Verify the signature using the first public key found openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" if test $? != 0;then echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}." exit 1; fi rm -rf "$outdir" exit 0