1#! /bin/bash
2#
3# This Source Code Form is subject to the terms of the Mozilla Public
4# License, v. 2.0. If a copy of the MPL was not distributed with this
5# file, You can obtain one at http://mozilla.org/MPL/2.0/.
6
7########################################################################
8#
9# mozilla/security/nss/tests/tools/tools.sh
10#
11# Script to test basic functionality of NSS tools
12#
13# needs to work on all Unix and Windows platforms
14#
15# tests implemented:
16#    pk12util
17#    signtool
18#
19# special strings
20# ---------------
21#   FIXME ... known problems, search for this string
22#   NOTE .... unexpected behavior
23########################################################################
24
25  export pkcs12v2pbeWithSha1And128BitRc4=\
26"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4"
27
28  export pkcs12v2pbeWithSha1And40BitRc4=\
29"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4"
30
31  export pkcs12v2pbeWithSha1AndTripleDESCBC=\
32"PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC"
33
34  export pkcs12v2pbeWithSha1And128BitRc2Cbc=\
35"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC"
36
37  export pkcs12v2pbeWithSha1And40BitRc2Cbc=\
38"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC"
39
40  export pkcs5pbeWithMD2AndDEScbc=\
41"PKCS #5 Password Based Encryption with MD2 and DES-CBC"
42
43  export pkcs5pbeWithMD5AndDEScbc=\
44"PKCS #5 Password Based Encryption with MD5 and DES-CBC"
45
46  export pkcs5pbeWithSha1AndDEScbc=\
47"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
48
49  # if we change the defaults in pk12util, update these variables
50  export CERT_ENCRYPTION_DEFAULT="AES-128-CBC"
51  export KEY_ENCRYPTION_DEFAULT="AES-256-CBC"
52  export HASH_DEFAULT="SHA-256"
53
54  export PKCS5v1_PBE_CIPHERS="${pkcs5pbeWithMD2AndDEScbc},\
55${pkcs5pbeWithMD5AndDEScbc},\
56${pkcs5pbeWithSha1AndDEScbc}"
57  export PKCS12_PBE_CIPHERS="${pkcs12v2pbeWithSha1And128BitRc4},\
58${pkcs12v2pbeWithSha1And40BitRc4},\
59${pkcs12v2pbeWithSha1AndTripleDESCBC},\
60${pkcs12v2pbeWithSha1And128BitRc2Cbc},\
61${pkcs12v2pbeWithSha1And40BitRc2Cbc}"
62  export PKCS5v2_PBE_CIPHERS="RC2-CBC,DES-EDE3-CBC,AES-128-CBC,AES-192-CBC,\
63AES-256-CBC,CAMELLIA-128-CBC,CAMELLIA-192-CBC,CAMELLIA-256-CBC"
64  export PBE_CIPHERS="${PKCS5v1_PBE_CIPHERS},${PKCS12_PBE_CIPHERS},${PKCS5v2_PBE_CIPHERS}"
65  export PBE_CIPHERS_CLASSES="${pkcs5pbeWithSha1AndDEScbc},\
66${pkcs12v2pbeWithSha1AndTripleDESCBC},AES-256-CBC,default"
67  export PBE_HASH="SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,default"
68
69############################## tools_init ##############################
70# local shell function to initialize this script
71########################################################################
72tools_init()
73{
74  SCRIPTNAME=tools.sh      # sourced - $0 would point to all.sh
75
76  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
77      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
78  fi
79
80  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
81      cd ../common
82      . ./init.sh
83  fi
84  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
85      cd ../cert
86      . ./cert.sh
87  fi
88  SCRIPTNAME=tools.sh
89
90  html_head "Tools Tests"
91
92  grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
93      Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
94  }
95
96  TOOLSDIR=${HOSTDIR}/tools
97  COPYDIR=${TOOLSDIR}/copydir
98  SIGNDIR=${TOOLSDIR}/signdir
99
100  R_TOOLSDIR=../tools
101  R_COPYDIR=../tools/copydir
102  R_SIGNDIR=../tools/signdir
103  P_R_COPYDIR=${R_COPYDIR}
104  P_R_SIGNDIR=${R_SIGNDIR}
105  if [ -n "${MULTIACCESS_DBM}" ]; then
106      P_R_COPYDIR="multiaccess:Tools.$version"
107      P_R_SIGNDIR="multiaccess:Tools.sign.$version"
108  fi
109
110  mkdir -p ${TOOLSDIR}
111  mkdir -p ${COPYDIR}
112  mkdir -p ${SIGNDIR}
113  cp ${ALICEDIR}/* ${SIGNDIR}/
114  mkdir -p ${TOOLSDIR}/html
115  cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
116  mkdir -p ${TOOLSDIR}/data
117  cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data
118  cp ${QADIR}/tools/TestOldAES128CA.p12 ${TOOLSDIR}/data
119  cp ${QADIR}/tools/TestRSAPSS.p12 ${TOOLSDIR}/data
120
121  cd ${TOOLSDIR}
122}
123
124########################## list_p12_file ###############################
125# List the key and cert in the specified p12 file
126########################################################################
127list_p12_file()
128{
129  echo "$SCRIPTNAME: Listing Alice's pk12 file"
130  echo "pk12util -l ${1} -w ${R_PWFILE}"
131
132  ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1
133  ret=$?
134  html_msg $ret 0 "Listing ${1} (pk12util -l)"
135  check_tmpfile
136}
137
138########################################################################
139# Import the key and cert from the specified p12 file
140########################################################################
141import_p12_file()
142{
143  echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file"
144  echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
145
146  ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
147  ret=$?
148  html_msg $ret 0 "Importing ${1} (pk12util -i)"
149  check_tmpfile
150}
151
152
153########################################################################
154# Export the key and cert from the specified p12 file
155########################################################################
156export_p12_file()
157{
158  # $1 p12 file
159  # $2 cert to export
160  # $3 certdb
161  # $4 key encryption cipher or "default"
162  # $5 certificate encryption cipher or "default"
163  # $6 hash algorithm or "default"
164  KEY_CIPHER_OPT="-c"
165  KEY_CIPHER="${4}"
166  CERT_CIPHER_OPT="-C"
167  CERT_CIPHER="${5}"
168  HASH_ALG_OPT="-M"
169  HASH_ALG="${6}"
170
171  if [ "${KEY_CIPHER}" = "default" ]; then
172    KEY_CIPHER_OPT=""
173    KEY_CIPHER=""
174  fi
175  if [ "${CERT_CIPHER}" = "default" ]; then
176    CERT_CIPHER_OPT=""
177    CERT_CIPHER=""
178  fi
179  if [ "${HASH_ALG}" = "default" ]; then
180    HASH_ALG_OPT=""
181    HASH_ALG=""
182  fi
183
184  echo "pk12util -o \"${1}\" -n \"${2}\" -d \"${3}\" \\"
185  echo "         -k ${R_PWFILE} -w ${R_PWFILE} \\"
186  echo "         ${KEY_CIPHER_OPT} \"${KEY_CIPHER}\" \\"
187  echo "         ${CERT_CIPHER_OPT} \"${CERT_CIPHER}\" \\"
188  echo "         ${HASH_ALG_OPT} \"${HASH_ALG}\""
189  ${BINDIR}/pk12util -o "${1}" -n "${2}" -d "${3}" \
190                       -k ${R_PWFILE} -w ${R_PWFILE} \
191                       ${KEY_CIPHER_OPT} "${KEY_CIPHER}" \
192                       ${CERT_CIPHER_OPT} "${CERT_CIPHER}" \
193                       ${HASH_ALG_OPT} "${HASH_ALG}" 2>&1
194  ret=$?
195  html_msg $ret 0 "Exporting with [${4}:${5}:${6}] (pk12util -o)"
196  check_tmpfile
197  verify_p12 "${1}" "${4}" "${5}" "${6}"
198  return $ret
199}
200
201########################################################################
202# Exports key and cert to a p12 file, the key encryption cipher,
203# the cert encryption cipher, and/or the hash algorithm are specified.
204# The key and cert are imported and the p12 file is listed
205########################################################################
206export_list_import()
207{
208  export_p12_file Alice.p12 Alice "${P_R_ALICEDIR}" "${@}"
209  list_p12_file Alice.p12
210  import_p12_file Alice.p12
211}
212
213########################################################################
214# Export using the pkcs5pbe ciphers for key and certificate encryption.
215# List the contents of and import from the p12 file.
216########################################################################
217tools_p12_export_list_import_all_pkcs5pbe_ciphers()
218{
219  local saveIFS="${IFS}"
220  IFS=,
221  for key_cipher in ${PKCS5v1_PBE_CIPHERS} default; do
222      for cert_cipher in ${PKCS5v1_PBE_CIPHERS} default none; do
223          for hash in ${PBE_HASH}; do
224                  export_list_import "${key_cipher}" "${cert_cipher}" "${hash}"
225           done
226      done
227  done
228  IFS="${saveIFS}"
229}
230
231########################################################################
232# Export using the pkcs5v2 ciphers for key and certificate encryption.
233# List the contents of and import from the p12 file.
234########################################################################
235tools_p12_export_list_import_all_pkcs5v2_ciphers()
236{
237  local saveIFS="${IFS}"
238  IFS=,
239  for key_cipher in ${PKCS5v2_PBE_CIPHERS} default; do
240      for cert_cipher in ${PKCS5v2_PBE_CIPHERS} default none; do
241          for hash in ${PBE_HASH}; do
242                  export_list_import "${key_cipher}" "${cert_cipher}" "${hash}"
243           done
244      done
245  done
246  IFS="${saveIFS}"
247}
248
249########################################################################
250# Export using the pkcs12v2pbe ciphers for key and certificate encryption.
251# List the contents of and import from the p12 file.
252########################################################################
253tools_p12_export_list_import_all_pkcs12v2pbe_ciphers()
254{
255  local saveIFS="${IFS}"
256  IFS=,
257  for key_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default; do
258      for cert_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default none; do
259          for hash in ${PBE_HASH}; do
260                  export_list_import "${key_cipher}" "${cert_cipher}" "${hash}"
261           done
262      done
263  done
264  IFS="${saveIFS}"
265}
266
267########################################################################
268# Spot check all ciphers.
269# using the traditional tests, we wind up running almost 1300 tests.
270# This isn't too bad for debug builds in which the interator is set to 1000.
271# for optimized builds, the iterator is set to 60000, which means a 30
272# minute test will  now take more than 2 hours. This tests most combinations
273# and results in only about 300 tests. We are stil testing all ciphers
274# for both key and cert encryption, and we are testing them against
275# one of each class of cipher (pkcs5v1, pkcs5v2, pkcs12).
276########################################################################
277tools_p12_export_list_import_most_ciphers()
278{
279  local saveIFS="${IFS}"
280  IFS=,
281  for cipher in ${PBE_CIPHERS}; do
282    for class in ${PBE_CIPHERS_CLASSES}; do
283      # we'll test the case of cipher == class below the for loop
284      if [ "${cipher}" != "${class}" ]; then
285          export_list_import "${class}" "${cipher}" "SHA-1"
286          export_list_import "${cipher}" "${class}" "SHA-256"
287      fi
288    done
289    export_list_import "${cipher}" "none" "SHA-224"
290    export_list_import "${cipher}" "${cipher}" "SHA-384"
291  done
292  for class in ${PBE_CIPHERS_CLASSES}; do
293    for hash in ${PBE_HASH}; do
294      export_list_import "${class}" "${class}" "${hash}"
295    done
296  done
297  IFS="${saveIFS}"
298}
299
300#########################################################################
301# Export with no encryption on key should fail but on cert should pass
302#########################################################################
303tools_p12_export_with_none_ciphers()
304{
305  # use none as the key encryption algorithm default for the cert one
306  # should fail
307
308  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
309  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -c none"
310  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
311                       -k ${R_PWFILE} -w ${R_PWFILE} \
312                       -c none 2>&1
313  ret=$?
314  html_msg $ret 30 "Exporting with [none:default:default] (pk12util -o)"
315  check_tmpfile
316
317  # use default as the key encryption algorithm none for the cert one
318  # should pass
319
320  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
321  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -C none"
322  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
323                       -k ${R_PWFILE} -w ${R_PWFILE} \
324                       -C none 2>&1
325  ret=$?
326  html_msg $ret 0 "Exporting with [default:none:default] (pk12util -o)"
327  check_tmpfile
328  verify_p12 Alice.p12 "default" "none" "default"
329}
330
331#########################################################################
332# Export with invalid cipher should fail
333#########################################################################
334tools_p12_export_with_invalid_ciphers()
335{
336  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
337  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -c INVALID_CIPHER"
338  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
339                       -k ${R_PWFILE} -w ${R_PWFILE} \
340                       -c INVALID_CIPHER 2>&1
341  ret=$?
342  html_msg $ret 30 "Exporting with [INVALID_CIPHER:default] (pk12util -o)"
343  check_tmpfile
344
345  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
346  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -C INVALID_CIPHER"
347  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
348                       -k ${R_PWFILE} -w ${R_PWFILE} \
349                       -C INVALID_CIPHER 2>&1
350  ret=$?
351  html_msg $ret 30 "Exporting with [default:INVALID_CIPHER] (pk12util -o)"
352  check_tmpfile
353
354}
355
356#########################################################################
357# Exports using the default key and certificate encryption ciphers.
358# Imports from  and lists the contents of the p12 file.
359# Repeats the test with ECC if enabled.
360########################################################################
361tools_p12_export_list_import_with_default_ciphers()
362{
363  echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
364
365  export_list_import "default" "default" "default"
366
367  echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
368  echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
369  echo "         -w ${R_PWFILE}"
370  ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
371       -w ${R_PWFILE} 2>&1
372  ret=$?
373  html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
374  check_tmpfile
375  verify_p12 Alice-ec.p12 "default" "default" "default"
376
377  echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
378  echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
379  ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
380  ret=$?
381  html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
382  check_tmpfile
383
384  echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
385  echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
386  ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
387  ret=$?
388  html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
389  check_tmpfile
390}
391
392tools_p12_import_old_files()
393{
394  echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------"
395  echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
396  ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
397  ret=$?
398  html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.21 (PBES2 with BMPString password)"
399  check_tmpfile
400
401  echo "pk12util -i TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
402  ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
403  ret=$?
404  html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.29.5 (PBES2 with incorrect AES-128-CBC algorithm ID)"
405  check_tmpfile
406}
407
408tools_p12_import_rsa_pss_private_key()
409{
410  echo "$SCRIPTNAME: Importing RSA-PSS private key from PKCS#12 file --------------"
411  ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestRSAPSS.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '' 2>&1
412  ret=$?
413  html_msg $ret 0 "Importing RSA-PSS private key from PKCS#12 file"
414  check_tmpfile
415
416  # Check if RSA-PSS identifier is included in the key listing
417  ${BINDIR}/certutil -d ${P_R_COPYDIR} -K -f ${R_PWFILE} | grep '^<[0-9 ]*> *rsaPss'
418  ret=$?
419  html_msg $ret 0 "Listing RSA-PSS private key imported from PKCS#12 file"
420  check_tmpfile
421
422  return $ret
423}
424
425############################## tools_p12 ###############################
426# local shell function to test basic functionality of pk12util
427########################################################################
428tools_p12()
429{
430  tools_p12_export_list_import_with_default_ciphers
431  # optimized builds have a larger iterator, so they can't run as many
432  # pkcs12 tests and complete in a reasonable time. Use the iterateration
433  # count from the previous tests to determine how many tests
434  # we can run.
435  iteration_count=$(pp -t p12 -i Alice-ec.p12 | grep "Iterations: " | sed -e 's;.*Iterations: ;;' -e 's;(.*).*;;')
436  echo "Iteration count=${iteration_count}"
437  if [ -n "${iteration_count}" -a  ${iteration_count} -le 10000 ]; then
438      tools_p12_export_list_import_all_pkcs5v2_ciphers
439      tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
440  else
441      tools_p12_export_list_import_most_ciphers
442  fi
443  tools_p12_export_with_none_ciphers
444  tools_p12_export_with_invalid_ciphers
445  tools_p12_import_old_files
446  if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
447    tools_p12_import_rsa_pss_private_key
448  fi
449}
450
451############################## tools_sign ##############################
452# local shell function pk12util uses a hardcoded tmp file, if this exists
453# and is owned by another user we don't get reasonable errormessages
454########################################################################
455check_tmpfile()
456{
457  if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then
458      echo "Error: pk12util temp file exists. Please remove this file and"
459      echo "       rerun the test (/tmp/Pk12uTemp) "
460  fi
461}
462
463############################## tools_sign ##############################
464# make sure the generated p12 file has the characteristics we expected
465########################################################################
466verify_p12()
467{
468  KEY_ENCRYPTION=$(map_cipher "${2}" "${KEY_ENCRYPTION_DEFAULT}")
469  CERT_ENCRYPTION=$(map_cipher "${3}" "${CERT_ENCRYPTION_DEFAULT}")
470  HASH=$(map_cipher "${4}" "${HASH_DEFAULT}")
471
472  STATE="NOBAGS"   # state records if we are in the key or cert bag
473  CERT_ENCRYPTION_NOT_FOUND=1
474  KEY_ENCRYPTION_NOT_FOUND=1
475  CERT_ENCRYPTION_FAIL=0
476  KEY_ENCRYPTION_FAIL=0
477  HASH_FAIL=0
478  TMP=$(mktemp /tmp/p12Verify.XXXXXX)
479  which pk12util
480  local saveIFS="${IFS}"
481  IFS=" 	\
482"
483  # use pp to dump the pkcs12 file, only the unencrypted portions are visible
484  # if there are multiple entries, we fail if any of those entries have the
485  # wrong encryption. We also fail if we can't find any encryption info.
486  # Use a file rather than a pipe so that while do can modify our variables.
487  # We're only interested in extracting the encryption algorithms are here,
488  # p12util -l will verify that decryption works properly.
489  pp -t pkcs12 -i ${1} -o ${TMP}
490  while read line ; do
491     # first up: if we see an unencrypted key bag, then we know that the key
492     # was unencrypted (NOTE: pk12util currently can't generate these kinds of
493     # files).
494     if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Key Bag" ]]; then
495        KEY_ENCRYPTION_NOT_FOUND=0
496        if [ "${KEY_ENCRYPTION}" != "none" ]; then
497            KEY_ENCRYPTION_FAIL=1
498            echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"none\""
499        fi
500       continue
501     fi
502     # if we find the the Cert Bag, then we know that the certificate was not
503     # encrypted
504     if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Cert Bag" ]]; then
505        CERT_ENCRYPTION_NOT_FOUND=0
506        if [ "${CERT_ENCRYPTION}" != "none" ]; then
507            CERT_ENCRYPTION_FAIL=1
508           echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"none\""
509        fi
510        continue
511     fi
512     # we found the shrouded key bag, the next encryption informtion should be
513     # for the key.
514     if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 PKCS8 Shrouded Key Bag" ]]; then
515        STATE="KEY"
516        continue
517     fi
518     # If we found PKCS #7 Encrypted Data, it must be the encrypted certificate
519     # (well it could be any encrypted certificate, or a crl, but in p12util
520     # they will all have the same encryption value
521     if [[ "${line}" =  "PKCS #7 Encrypted Data:" ]]; then
522        STATE="CERT"
523        continue
524     fi
525     # check the Mac
526     if [[ "${line}" =~ "Mac Digest Algorithm ID: ".* ]]; then
527        MAC="${line##Mac Digest Algorithm ID: }"
528        if [ "${MAC}" != "${HASH}" ]; then
529            HASH_FAIL=1
530            echo "--Mac Hash mismatch: expected \"${HASH}\" found \"${MAC}\""
531        fi
532     fi
533     # check the KDF
534     if [[ "${line}" =~ "KDF algorithm: ".* ]]; then
535        KDF="${line##KDF algorithm: }"
536        if [ "${KDF}" != "HMAC ${HASH}" ]; then
537            HASH_FAIL=1
538            echo "--KDF Hash mismatch: expected \"HMAC ${HASH}\" found \"${KDF}\""
539        fi
540     fi
541     # Content Encryption Algorithm is the PKCS #5 algorithm ID.
542     if [[  "${line}" =~ .*"Encryption Algorithm: ".* ]]; then
543        # Strip the [Content ]EncryptionAlgorithm
544        ENCRYPTION="${line##Content }"
545        ENCRYPTION="${ENCRYPTION##Encryption Algorithm: }"
546        # If that algorithm id is PKCS #5 V2, then skip forward looking
547        # for the Cipher: field.
548        if [[ "${ENCRYPTION}" =~ "PKCS #5 Password Based Encryption v2"\ * ]]; then
549            continue;
550        fi
551        case ${STATE} in
552        "KEY")
553            KEY_ENCRYPTION_NOT_FOUND=0
554            if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then
555                KEY_ENCRYPTION_FAIL=1
556                echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\""
557            fi
558            ;;
559        "CERT")
560            CERT_ENCRYPTION_NOT_FOUND=0
561            if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then
562                CERT_ENCRYPTION_FAIL=1
563                echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\""
564            fi
565            ;;
566        esac
567     fi
568     # handle the PKCS 5 case
569     if [[ "${line}" =~ "Cipher: ".* ]]; then
570        ENCRYPTION="${line#Cipher: }"
571        case ${STATE} in
572        "KEY")
573            KEY_ENCRYPTION_NOT_FOUND=0
574            if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then
575                KEY_ENCRYPTION_FAIL=1
576                echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\""
577            fi
578            ;;
579        "CERT")
580            CERT_ENCRYPTION_NOT_FOUND=0
581            if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then
582                CERT_ENCRYPTION_FAIL=1
583                echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\""
584            fi
585            ;;
586        esac
587     fi
588  done < ${TMP}
589  IFS="${saveIFS}"
590  # we've scanned the file, set the return value to a combination of
591  # KEY and CERT state variables. If everything is as expected, they should
592  # add up to 0.
593  ret=$((${HASH_FAIL} * 10000 + ${KEY_ENCRYPTION_FAIL} * 1000 + ${KEY_ENCRYPTION_NOT_FOUND} * 100 + ${CERT_ENCRYPTION_FAIL} * 10 + ${CERT_ENCRYPTION_NOT_FOUND}))
594  rm -r ${TMP}
595  html_msg $ret 0 "Verifying p12 file generated with [${2}:${3}:${4}]"
596}
597
598#
599# this handles any mapping we need from requested cipher to
600# actual cipher. For instance ciphers which already have
601# PKCS 5 v1 PBE will be mapped to those pbes by pk12util.
602map_cipher()
603{
604   if [ "${1}" = "default" ]; then
605      echo "${2}"
606      return
607   fi
608   case "${1}" in
609   # these get mapped to the PKCS5 v1 or PKCS 12 attributes, not PKCS 5v2
610   RC2-CBC)
611      echo "${pkcs12v2pbeWithSha1And128BitRc2Cbc}"
612      return ;;
613   DES-EDE3-CBC)
614      echo "${pkcs12v2pbeWithSha1AndTripleDESCBC}"
615      return;;
616   esac
617   echo "${1}"
618}
619
620############################## tools_sign ##############################
621# local shell function to test basic functionality of signtool
622########################################################################
623tools_sign()
624{
625  echo "$SCRIPTNAME: Create objsign cert -------------------------------"
626  echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\""
627  ${BINDIR}/signtool -G "objsigner" -d ${P_R_SIGNDIR} -p "nss" 2>&1 <<SIGNSCRIPT
628y
629TEST
630MOZ
631NSS
632NY
633US
634liz
635liz@moz.org
636SIGNSCRIPT
637  html_msg $? 0 "Create objsign cert (signtool -G)"
638
639  echo "$SCRIPTNAME: Signing a jar of files ----------------------------"
640  echo "signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
641  echo "         ${R_TOOLSDIR}/html"
642  ${BINDIR}/signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
643           ${R_TOOLSDIR}/html
644  html_msg $? 0 "Signing a jar of files (signtool -Z)"
645
646  echo "$SCRIPTNAME: Listing signed files in jar ----------------------"
647  echo "signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner"
648  ${BINDIR}/signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner
649  html_msg $? 0 "Listing signed files in jar (signtool -v)"
650
651  echo "$SCRIPTNAME: Show who signed jar ------------------------------"
652  echo "signtool -w nojs.jar -d ${P_R_SIGNDIR}"
653  ${BINDIR}/signtool -w nojs.jar -d ${P_R_SIGNDIR}
654  html_msg $? 0 "Show who signed jar (signtool -w)"
655
656  echo "$SCRIPTNAME: Signing a xpi of files ----------------------------"
657  echo "signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
658  echo "         ${R_TOOLSDIR}/html"
659  ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
660           ${R_TOOLSDIR}/html
661  html_msg $? 0 "Signing a xpi of files (signtool -Z -X)"
662
663  echo "$SCRIPTNAME: Listing signed files in xpi ----------------------"
664  echo "signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner"
665  ${BINDIR}/signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner
666  html_msg $? 0 "Listing signed files in xpi (signtool -v)"
667
668  echo "$SCRIPTNAME: Show who signed xpi ------------------------------"
669  echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}"
670  ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR}
671  html_msg $? 0 "Show who signed xpi (signtool -w)"
672
673}
674
675tools_modutil()
676{
677  echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized"
678  mkdir -p ${R_TOOLSDIR}/moddir
679  # copied from modu function in cert.sh
680  # echo is used to press Enter expected by modutil
681  echo | ${BINDIR}/modutil -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1
682  ret=$?
683  ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \
684	   -x -t ',,' -z "${R_NOISE_FILE}"
685  ret=$?
686  html_msg $ret 0 "Test if DB created by modutil -create is initialized"
687  check_tmpfile
688}
689
690############################## tools_cleanup ###########################
691# local shell function to finish this script (no exit since it might be
692# sourced)
693########################################################################
694tools_cleanup()
695{
696  html "</TABLE><BR>"
697  cd ${QADIR}
698  . common/cleanup.sh
699}
700
701################## main #################################################
702
703tools_init
704tools_p12
705tools_sign
706tools_modutil
707tools_cleanup
708
709
710