1#! /bin/bash 2# 3# This Source Code Form is subject to the terms of the Mozilla Public 4# License, v. 2.0. If a copy of the MPL was not distributed with this 5# file, You can obtain one at http://mozilla.org/MPL/2.0/. 6 7######################################################################## 8# 9# mozilla/security/nss/tests/tools/tools.sh 10# 11# Script to test basic functionality of NSS tools 12# 13# needs to work on all Unix and Windows platforms 14# 15# tests implemented: 16# pk12util 17# signtool 18# 19# special strings 20# --------------- 21# FIXME ... known problems, search for this string 22# NOTE .... unexpected behavior 23######################################################################## 24 25 export pkcs12v2pbeWithSha1And128BitRc4=\ 26"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4" 27 28 export pkcs12v2pbeWithSha1And40BitRc4=\ 29"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4" 30 31 export pkcs12v2pbeWithSha1AndTripleDESCBC=\ 32"PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC" 33 34 export pkcs12v2pbeWithSha1And128BitRc2Cbc=\ 35"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC" 36 37 export pkcs12v2pbeWithSha1And40BitRc2Cbc=\ 38"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC" 39 40 export pkcs5pbeWithMD2AndDEScbc=\ 41"PKCS #5 Password Based Encryption with MD2 and DES-CBC" 42 43 export pkcs5pbeWithMD5AndDEScbc=\ 44"PKCS #5 Password Based Encryption with MD5 and DES-CBC" 45 46 export pkcs5pbeWithSha1AndDEScbc=\ 47"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC" 48 49 # if we change the defaults in pk12util, update these variables 50 export CERT_ENCRYPTION_DEFAULT="AES-128-CBC" 51 export KEY_ENCRYPTION_DEFAULT="AES-256-CBC" 52 export HASH_DEFAULT="SHA-256" 53 54 export PKCS5v1_PBE_CIPHERS="${pkcs5pbeWithMD2AndDEScbc},\ 55${pkcs5pbeWithMD5AndDEScbc},\ 56${pkcs5pbeWithSha1AndDEScbc}" 57 export PKCS12_PBE_CIPHERS="${pkcs12v2pbeWithSha1And128BitRc4},\ 58${pkcs12v2pbeWithSha1And40BitRc4},\ 59${pkcs12v2pbeWithSha1AndTripleDESCBC},\ 60${pkcs12v2pbeWithSha1And128BitRc2Cbc},\ 61${pkcs12v2pbeWithSha1And40BitRc2Cbc}" 62 export PKCS5v2_PBE_CIPHERS="RC2-CBC,DES-EDE3-CBC,AES-128-CBC,AES-192-CBC,\ 63AES-256-CBC,CAMELLIA-128-CBC,CAMELLIA-192-CBC,CAMELLIA-256-CBC" 64 export PBE_CIPHERS="${PKCS5v1_PBE_CIPHERS},${PKCS12_PBE_CIPHERS},${PKCS5v2_PBE_CIPHERS}" 65 export PBE_CIPHERS_CLASSES="${pkcs5pbeWithSha1AndDEScbc},\ 66${pkcs12v2pbeWithSha1AndTripleDESCBC},AES-256-CBC,default" 67 export PBE_HASH="SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,default" 68 69############################## tools_init ############################## 70# local shell function to initialize this script 71######################################################################## 72tools_init() 73{ 74 SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh 75 76 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for 77 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it 78 fi 79 80 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then 81 cd ../common 82 . ./init.sh 83 fi 84 if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here 85 cd ../cert 86 . ./cert.sh 87 fi 88 SCRIPTNAME=tools.sh 89 90 html_head "Tools Tests" 91 92 grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { 93 Exit 15 "Fatal - S/MIME of cert.sh needs to pass first" 94 } 95 96 TOOLSDIR=${HOSTDIR}/tools 97 COPYDIR=${TOOLSDIR}/copydir 98 SIGNDIR=${TOOLSDIR}/signdir 99 100 R_TOOLSDIR=../tools 101 R_COPYDIR=../tools/copydir 102 R_SIGNDIR=../tools/signdir 103 P_R_COPYDIR=${R_COPYDIR} 104 P_R_SIGNDIR=${R_SIGNDIR} 105 if [ -n "${MULTIACCESS_DBM}" ]; then 106 P_R_COPYDIR="multiaccess:Tools.$version" 107 P_R_SIGNDIR="multiaccess:Tools.sign.$version" 108 fi 109 110 mkdir -p ${TOOLSDIR} 111 mkdir -p ${COPYDIR} 112 mkdir -p ${SIGNDIR} 113 cp ${ALICEDIR}/* ${SIGNDIR}/ 114 mkdir -p ${TOOLSDIR}/html 115 cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html 116 mkdir -p ${TOOLSDIR}/data 117 cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data 118 cp ${QADIR}/tools/TestOldAES128CA.p12 ${TOOLSDIR}/data 119 cp ${QADIR}/tools/TestRSAPSS.p12 ${TOOLSDIR}/data 120 121 cd ${TOOLSDIR} 122} 123 124########################## list_p12_file ############################### 125# List the key and cert in the specified p12 file 126######################################################################## 127list_p12_file() 128{ 129 echo "$SCRIPTNAME: Listing Alice's pk12 file" 130 echo "pk12util -l ${1} -w ${R_PWFILE}" 131 132 ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1 133 ret=$? 134 html_msg $ret 0 "Listing ${1} (pk12util -l)" 135 check_tmpfile 136} 137 138######################################################################## 139# Import the key and cert from the specified p12 file 140######################################################################## 141import_p12_file() 142{ 143 echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file" 144 echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" 145 146 ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 147 ret=$? 148 html_msg $ret 0 "Importing ${1} (pk12util -i)" 149 check_tmpfile 150} 151 152 153######################################################################## 154# Export the key and cert from the specified p12 file 155######################################################################## 156export_p12_file() 157{ 158 # $1 p12 file 159 # $2 cert to export 160 # $3 certdb 161 # $4 key encryption cipher or "default" 162 # $5 certificate encryption cipher or "default" 163 # $6 hash algorithm or "default" 164 KEY_CIPHER_OPT="-c" 165 KEY_CIPHER="${4}" 166 CERT_CIPHER_OPT="-C" 167 CERT_CIPHER="${5}" 168 HASH_ALG_OPT="-M" 169 HASH_ALG="${6}" 170 171 if [ "${KEY_CIPHER}" = "default" ]; then 172 KEY_CIPHER_OPT="" 173 KEY_CIPHER="" 174 fi 175 if [ "${CERT_CIPHER}" = "default" ]; then 176 CERT_CIPHER_OPT="" 177 CERT_CIPHER="" 178 fi 179 if [ "${HASH_ALG}" = "default" ]; then 180 HASH_ALG_OPT="" 181 HASH_ALG="" 182 fi 183 184 echo "pk12util -o \"${1}\" -n \"${2}\" -d \"${3}\" \\" 185 echo " -k ${R_PWFILE} -w ${R_PWFILE} \\" 186 echo " ${KEY_CIPHER_OPT} \"${KEY_CIPHER}\" \\" 187 echo " ${CERT_CIPHER_OPT} \"${CERT_CIPHER}\" \\" 188 echo " ${HASH_ALG_OPT} \"${HASH_ALG}\"" 189 ${BINDIR}/pk12util -o "${1}" -n "${2}" -d "${3}" \ 190 -k ${R_PWFILE} -w ${R_PWFILE} \ 191 ${KEY_CIPHER_OPT} "${KEY_CIPHER}" \ 192 ${CERT_CIPHER_OPT} "${CERT_CIPHER}" \ 193 ${HASH_ALG_OPT} "${HASH_ALG}" 2>&1 194 ret=$? 195 html_msg $ret 0 "Exporting with [${4}:${5}:${6}] (pk12util -o)" 196 check_tmpfile 197 verify_p12 "${1}" "${4}" "${5}" "${6}" 198 return $ret 199} 200 201######################################################################## 202# Exports key and cert to a p12 file, the key encryption cipher, 203# the cert encryption cipher, and/or the hash algorithm are specified. 204# The key and cert are imported and the p12 file is listed 205######################################################################## 206export_list_import() 207{ 208 export_p12_file Alice.p12 Alice "${P_R_ALICEDIR}" "${@}" 209 list_p12_file Alice.p12 210 import_p12_file Alice.p12 211} 212 213######################################################################## 214# Export using the pkcs5pbe ciphers for key and certificate encryption. 215# List the contents of and import from the p12 file. 216######################################################################## 217tools_p12_export_list_import_all_pkcs5pbe_ciphers() 218{ 219 local saveIFS="${IFS}" 220 IFS=, 221 for key_cipher in ${PKCS5v1_PBE_CIPHERS} default; do 222 for cert_cipher in ${PKCS5v1_PBE_CIPHERS} default none; do 223 for hash in ${PBE_HASH}; do 224 export_list_import "${key_cipher}" "${cert_cipher}" "${hash}" 225 done 226 done 227 done 228 IFS="${saveIFS}" 229} 230 231######################################################################## 232# Export using the pkcs5v2 ciphers for key and certificate encryption. 233# List the contents of and import from the p12 file. 234######################################################################## 235tools_p12_export_list_import_all_pkcs5v2_ciphers() 236{ 237 local saveIFS="${IFS}" 238 IFS=, 239 for key_cipher in ${PKCS5v2_PBE_CIPHERS} default; do 240 for cert_cipher in ${PKCS5v2_PBE_CIPHERS} default none; do 241 for hash in ${PBE_HASH}; do 242 export_list_import "${key_cipher}" "${cert_cipher}" "${hash}" 243 done 244 done 245 done 246 IFS="${saveIFS}" 247} 248 249######################################################################## 250# Export using the pkcs12v2pbe ciphers for key and certificate encryption. 251# List the contents of and import from the p12 file. 252######################################################################## 253tools_p12_export_list_import_all_pkcs12v2pbe_ciphers() 254{ 255 local saveIFS="${IFS}" 256 IFS=, 257 for key_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default; do 258 for cert_cipher in ${PKCS12_PBE_CIPHERS} ${PKCS5v1_PBE_CIPHERS} default none; do 259 for hash in ${PBE_HASH}; do 260 export_list_import "${key_cipher}" "${cert_cipher}" "${hash}" 261 done 262 done 263 done 264 IFS="${saveIFS}" 265} 266 267######################################################################## 268# Spot check all ciphers. 269# using the traditional tests, we wind up running almost 1300 tests. 270# This isn't too bad for debug builds in which the interator is set to 1000. 271# for optimized builds, the iterator is set to 60000, which means a 30 272# minute test will now take more than 2 hours. This tests most combinations 273# and results in only about 300 tests. We are stil testing all ciphers 274# for both key and cert encryption, and we are testing them against 275# one of each class of cipher (pkcs5v1, pkcs5v2, pkcs12). 276######################################################################## 277tools_p12_export_list_import_most_ciphers() 278{ 279 local saveIFS="${IFS}" 280 IFS=, 281 for cipher in ${PBE_CIPHERS}; do 282 for class in ${PBE_CIPHERS_CLASSES}; do 283 # we'll test the case of cipher == class below the for loop 284 if [ "${cipher}" != "${class}" ]; then 285 export_list_import "${class}" "${cipher}" "SHA-1" 286 export_list_import "${cipher}" "${class}" "SHA-256" 287 fi 288 done 289 export_list_import "${cipher}" "none" "SHA-224" 290 export_list_import "${cipher}" "${cipher}" "SHA-384" 291 done 292 for class in ${PBE_CIPHERS_CLASSES}; do 293 for hash in ${PBE_HASH}; do 294 export_list_import "${class}" "${class}" "${hash}" 295 done 296 done 297 IFS="${saveIFS}" 298} 299 300######################################################################### 301# Export with no encryption on key should fail but on cert should pass 302######################################################################### 303tools_p12_export_with_none_ciphers() 304{ 305 # use none as the key encryption algorithm default for the cert one 306 # should fail 307 308 echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" 309 echo " -k ${R_PWFILE} -w ${R_PWFILE} -c none" 310 ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ 311 -k ${R_PWFILE} -w ${R_PWFILE} \ 312 -c none 2>&1 313 ret=$? 314 html_msg $ret 30 "Exporting with [none:default:default] (pk12util -o)" 315 check_tmpfile 316 317 # use default as the key encryption algorithm none for the cert one 318 # should pass 319 320 echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" 321 echo " -k ${R_PWFILE} -w ${R_PWFILE} -C none" 322 ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ 323 -k ${R_PWFILE} -w ${R_PWFILE} \ 324 -C none 2>&1 325 ret=$? 326 html_msg $ret 0 "Exporting with [default:none:default] (pk12util -o)" 327 check_tmpfile 328 verify_p12 Alice.p12 "default" "none" "default" 329} 330 331######################################################################### 332# Export with invalid cipher should fail 333######################################################################### 334tools_p12_export_with_invalid_ciphers() 335{ 336 echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" 337 echo " -k ${R_PWFILE} -w ${R_PWFILE} -c INVALID_CIPHER" 338 ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ 339 -k ${R_PWFILE} -w ${R_PWFILE} \ 340 -c INVALID_CIPHER 2>&1 341 ret=$? 342 html_msg $ret 30 "Exporting with [INVALID_CIPHER:default] (pk12util -o)" 343 check_tmpfile 344 345 echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" 346 echo " -k ${R_PWFILE} -w ${R_PWFILE} -C INVALID_CIPHER" 347 ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ 348 -k ${R_PWFILE} -w ${R_PWFILE} \ 349 -C INVALID_CIPHER 2>&1 350 ret=$? 351 html_msg $ret 30 "Exporting with [default:INVALID_CIPHER] (pk12util -o)" 352 check_tmpfile 353 354} 355 356######################################################################### 357# Exports using the default key and certificate encryption ciphers. 358# Imports from and lists the contents of the p12 file. 359# Repeats the test with ECC if enabled. 360######################################################################## 361tools_p12_export_list_import_with_default_ciphers() 362{ 363 echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers" 364 365 export_list_import "default" "default" "default" 366 367 echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------" 368 echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" 369 echo " -w ${R_PWFILE}" 370 ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ 371 -w ${R_PWFILE} 2>&1 372 ret=$? 373 html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)" 374 check_tmpfile 375 verify_p12 Alice-ec.p12 "default" "default" "default" 376 377 echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------" 378 echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" 379 ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 380 ret=$? 381 html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)" 382 check_tmpfile 383 384 echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------" 385 echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}" 386 ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1 387 ret=$? 388 html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)" 389 check_tmpfile 390} 391 392tools_p12_import_old_files() 393{ 394 echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------" 395 echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" 396 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 397 ret=$? 398 html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.21 (PBES2 with BMPString password)" 399 check_tmpfile 400 401 echo "pk12util -i TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" 402 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 403 ret=$? 404 html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.29.5 (PBES2 with incorrect AES-128-CBC algorithm ID)" 405 check_tmpfile 406} 407 408tools_p12_import_rsa_pss_private_key() 409{ 410 echo "$SCRIPTNAME: Importing RSA-PSS private key from PKCS#12 file --------------" 411 ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestRSAPSS.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '' 2>&1 412 ret=$? 413 html_msg $ret 0 "Importing RSA-PSS private key from PKCS#12 file" 414 check_tmpfile 415 416 # Check if RSA-PSS identifier is included in the key listing 417 ${BINDIR}/certutil -d ${P_R_COPYDIR} -K -f ${R_PWFILE} | grep '^<[0-9 ]*> *rsaPss' 418 ret=$? 419 html_msg $ret 0 "Listing RSA-PSS private key imported from PKCS#12 file" 420 check_tmpfile 421 422 return $ret 423} 424 425############################## tools_p12 ############################### 426# local shell function to test basic functionality of pk12util 427######################################################################## 428tools_p12() 429{ 430 tools_p12_export_list_import_with_default_ciphers 431 # optimized builds have a larger iterator, so they can't run as many 432 # pkcs12 tests and complete in a reasonable time. Use the iterateration 433 # count from the previous tests to determine how many tests 434 # we can run. 435 iteration_count=$(pp -t p12 -i Alice-ec.p12 | grep "Iterations: " | sed -e 's;.*Iterations: ;;' -e 's;(.*).*;;') 436 echo "Iteration count=${iteration_count}" 437 if [ -n "${iteration_count}" -a ${iteration_count} -le 10000 ]; then 438 tools_p12_export_list_import_all_pkcs5v2_ciphers 439 tools_p12_export_list_import_all_pkcs12v2pbe_ciphers 440 else 441 tools_p12_export_list_import_most_ciphers 442 fi 443 tools_p12_export_with_none_ciphers 444 tools_p12_export_with_invalid_ciphers 445 tools_p12_import_old_files 446 if [ "${TEST_MODE}" = "SHARED_DB" ] ; then 447 tools_p12_import_rsa_pss_private_key 448 fi 449} 450 451############################## tools_sign ############################## 452# local shell function pk12util uses a hardcoded tmp file, if this exists 453# and is owned by another user we don't get reasonable errormessages 454######################################################################## 455check_tmpfile() 456{ 457 if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then 458 echo "Error: pk12util temp file exists. Please remove this file and" 459 echo " rerun the test (/tmp/Pk12uTemp) " 460 fi 461} 462 463############################## tools_sign ############################## 464# make sure the generated p12 file has the characteristics we expected 465######################################################################## 466verify_p12() 467{ 468 KEY_ENCRYPTION=$(map_cipher "${2}" "${KEY_ENCRYPTION_DEFAULT}") 469 CERT_ENCRYPTION=$(map_cipher "${3}" "${CERT_ENCRYPTION_DEFAULT}") 470 HASH=$(map_cipher "${4}" "${HASH_DEFAULT}") 471 472 STATE="NOBAGS" # state records if we are in the key or cert bag 473 CERT_ENCRYPTION_NOT_FOUND=1 474 KEY_ENCRYPTION_NOT_FOUND=1 475 CERT_ENCRYPTION_FAIL=0 476 KEY_ENCRYPTION_FAIL=0 477 HASH_FAIL=0 478 TMP=$(mktemp /tmp/p12Verify.XXXXXX) 479 which pk12util 480 local saveIFS="${IFS}" 481 IFS=" \ 482" 483 # use pp to dump the pkcs12 file, only the unencrypted portions are visible 484 # if there are multiple entries, we fail if any of those entries have the 485 # wrong encryption. We also fail if we can't find any encryption info. 486 # Use a file rather than a pipe so that while do can modify our variables. 487 # We're only interested in extracting the encryption algorithms are here, 488 # p12util -l will verify that decryption works properly. 489 pp -t pkcs12 -i ${1} -o ${TMP} 490 while read line ; do 491 # first up: if we see an unencrypted key bag, then we know that the key 492 # was unencrypted (NOTE: pk12util currently can't generate these kinds of 493 # files). 494 if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Key Bag" ]]; then 495 KEY_ENCRYPTION_NOT_FOUND=0 496 if [ "${KEY_ENCRYPTION}" != "none" ]; then 497 KEY_ENCRYPTION_FAIL=1 498 echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"none\"" 499 fi 500 continue 501 fi 502 # if we find the the Cert Bag, then we know that the certificate was not 503 # encrypted 504 if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 Cert Bag" ]]; then 505 CERT_ENCRYPTION_NOT_FOUND=0 506 if [ "${CERT_ENCRYPTION}" != "none" ]; then 507 CERT_ENCRYPTION_FAIL=1 508 echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"none\"" 509 fi 510 continue 511 fi 512 # we found the shrouded key bag, the next encryption informtion should be 513 # for the key. 514 if [[ "${line}" =~ "Bag "[0-9]+" ID: PKCS #12 V1 PKCS8 Shrouded Key Bag" ]]; then 515 STATE="KEY" 516 continue 517 fi 518 # If we found PKCS #7 Encrypted Data, it must be the encrypted certificate 519 # (well it could be any encrypted certificate, or a crl, but in p12util 520 # they will all have the same encryption value 521 if [[ "${line}" = "PKCS #7 Encrypted Data:" ]]; then 522 STATE="CERT" 523 continue 524 fi 525 # check the Mac 526 if [[ "${line}" =~ "Mac Digest Algorithm ID: ".* ]]; then 527 MAC="${line##Mac Digest Algorithm ID: }" 528 if [ "${MAC}" != "${HASH}" ]; then 529 HASH_FAIL=1 530 echo "--Mac Hash mismatch: expected \"${HASH}\" found \"${MAC}\"" 531 fi 532 fi 533 # check the KDF 534 if [[ "${line}" =~ "KDF algorithm: ".* ]]; then 535 KDF="${line##KDF algorithm: }" 536 if [ "${KDF}" != "HMAC ${HASH}" ]; then 537 HASH_FAIL=1 538 echo "--KDF Hash mismatch: expected \"HMAC ${HASH}\" found \"${KDF}\"" 539 fi 540 fi 541 # Content Encryption Algorithm is the PKCS #5 algorithm ID. 542 if [[ "${line}" =~ .*"Encryption Algorithm: ".* ]]; then 543 # Strip the [Content ]EncryptionAlgorithm 544 ENCRYPTION="${line##Content }" 545 ENCRYPTION="${ENCRYPTION##Encryption Algorithm: }" 546 # If that algorithm id is PKCS #5 V2, then skip forward looking 547 # for the Cipher: field. 548 if [[ "${ENCRYPTION}" =~ "PKCS #5 Password Based Encryption v2"\ * ]]; then 549 continue; 550 fi 551 case ${STATE} in 552 "KEY") 553 KEY_ENCRYPTION_NOT_FOUND=0 554 if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then 555 KEY_ENCRYPTION_FAIL=1 556 echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\"" 557 fi 558 ;; 559 "CERT") 560 CERT_ENCRYPTION_NOT_FOUND=0 561 if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then 562 CERT_ENCRYPTION_FAIL=1 563 echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\"" 564 fi 565 ;; 566 esac 567 fi 568 # handle the PKCS 5 case 569 if [[ "${line}" =~ "Cipher: ".* ]]; then 570 ENCRYPTION="${line#Cipher: }" 571 case ${STATE} in 572 "KEY") 573 KEY_ENCRYPTION_NOT_FOUND=0 574 if [ "${KEY_ENCRYPTION}" != "${ENCRYPTION}" ]; then 575 KEY_ENCRYPTION_FAIL=1 576 echo "--Key encryption mismatch: expected \"${KEY_ENCRYPTION}\" found \"${ENCRYPTION}\"" 577 fi 578 ;; 579 "CERT") 580 CERT_ENCRYPTION_NOT_FOUND=0 581 if [ "${CERT_ENCRYPTION}" != "${ENCRYPTION}" ]; then 582 CERT_ENCRYPTION_FAIL=1 583 echo "--Cert encryption mismatch: expected \"${CERT_ENCRYPTION}\" found \"${ENCRYPTION}\"" 584 fi 585 ;; 586 esac 587 fi 588 done < ${TMP} 589 IFS="${saveIFS}" 590 # we've scanned the file, set the return value to a combination of 591 # KEY and CERT state variables. If everything is as expected, they should 592 # add up to 0. 593 ret=$((${HASH_FAIL} * 10000 + ${KEY_ENCRYPTION_FAIL} * 1000 + ${KEY_ENCRYPTION_NOT_FOUND} * 100 + ${CERT_ENCRYPTION_FAIL} * 10 + ${CERT_ENCRYPTION_NOT_FOUND})) 594 rm -r ${TMP} 595 html_msg $ret 0 "Verifying p12 file generated with [${2}:${3}:${4}]" 596} 597 598# 599# this handles any mapping we need from requested cipher to 600# actual cipher. For instance ciphers which already have 601# PKCS 5 v1 PBE will be mapped to those pbes by pk12util. 602map_cipher() 603{ 604 if [ "${1}" = "default" ]; then 605 echo "${2}" 606 return 607 fi 608 case "${1}" in 609 # these get mapped to the PKCS5 v1 or PKCS 12 attributes, not PKCS 5v2 610 RC2-CBC) 611 echo "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" 612 return ;; 613 DES-EDE3-CBC) 614 echo "${pkcs12v2pbeWithSha1AndTripleDESCBC}" 615 return;; 616 esac 617 echo "${1}" 618} 619 620############################## tools_sign ############################## 621# local shell function to test basic functionality of signtool 622######################################################################## 623tools_sign() 624{ 625 echo "$SCRIPTNAME: Create objsign cert -------------------------------" 626 echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\"" 627 ${BINDIR}/signtool -G "objsigner" -d ${P_R_SIGNDIR} -p "nss" 2>&1 <<SIGNSCRIPT 628y 629TEST 630MOZ 631NSS 632NY 633US 634liz 635liz@moz.org 636SIGNSCRIPT 637 html_msg $? 0 "Create objsign cert (signtool -G)" 638 639 echo "$SCRIPTNAME: Signing a jar of files ----------------------------" 640 echo "signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\" 641 echo " ${R_TOOLSDIR}/html" 642 ${BINDIR}/signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p "nss" -k objsigner \ 643 ${R_TOOLSDIR}/html 644 html_msg $? 0 "Signing a jar of files (signtool -Z)" 645 646 echo "$SCRIPTNAME: Listing signed files in jar ----------------------" 647 echo "signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner" 648 ${BINDIR}/signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner 649 html_msg $? 0 "Listing signed files in jar (signtool -v)" 650 651 echo "$SCRIPTNAME: Show who signed jar ------------------------------" 652 echo "signtool -w nojs.jar -d ${P_R_SIGNDIR}" 653 ${BINDIR}/signtool -w nojs.jar -d ${P_R_SIGNDIR} 654 html_msg $? 0 "Show who signed jar (signtool -w)" 655 656 echo "$SCRIPTNAME: Signing a xpi of files ----------------------------" 657 echo "signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\" 658 echo " ${R_TOOLSDIR}/html" 659 ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p "nss" -k objsigner \ 660 ${R_TOOLSDIR}/html 661 html_msg $? 0 "Signing a xpi of files (signtool -Z -X)" 662 663 echo "$SCRIPTNAME: Listing signed files in xpi ----------------------" 664 echo "signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner" 665 ${BINDIR}/signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner 666 html_msg $? 0 "Listing signed files in xpi (signtool -v)" 667 668 echo "$SCRIPTNAME: Show who signed xpi ------------------------------" 669 echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}" 670 ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR} 671 html_msg $? 0 "Show who signed xpi (signtool -w)" 672 673} 674 675tools_modutil() 676{ 677 echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized" 678 mkdir -p ${R_TOOLSDIR}/moddir 679 # copied from modu function in cert.sh 680 # echo is used to press Enter expected by modutil 681 echo | ${BINDIR}/modutil -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1 682 ret=$? 683 ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \ 684 -x -t ',,' -z "${R_NOISE_FILE}" 685 ret=$? 686 html_msg $ret 0 "Test if DB created by modutil -create is initialized" 687 check_tmpfile 688} 689 690############################## tools_cleanup ########################### 691# local shell function to finish this script (no exit since it might be 692# sourced) 693######################################################################## 694tools_cleanup() 695{ 696 html "</TABLE><BR>" 697 cd ${QADIR} 698 . common/cleanup.sh 699} 700 701################## main ################################################# 702 703tools_init 704tools_p12 705tools_sign 706tools_modutil 707tools_cleanup 708 709 710