authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-07-01 15:39:48 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-07-01 15:45:28 +0200
commitcd8a5d83421e2551528bfcf2acc540f3973a92f9 (patch)
tree6512ed0dc1321cf8dfe5587c7be9ef4853ecb6e1 /tests
parent9920da566c0a1ba97a5322b824019c6de00a0d52 (diff)
tests: improved testpkcs11 suite
Diffstat (limited to 'tests')
-rw-r--r--tests/suite/Makefile.am2
-rwxr-xr-xtests/suite/testpkcs11366
-rw-r--r--tests/suite/testpkcs11.pkcs1546
-rw-r--r--tests/suite/testpkcs11.sc-hsm51
-rwxr-xr-xtests/suite/testpkcs11.softhsm50
5 files changed, 371 insertions, 144 deletions
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am
index 2a68f889be..9ccd0618d8 100644
--- a/tests/suite/Makefile.am
+++ b/tests/suite/Makefile.am
@@ -86,7 +86,7 @@ nodist_libecore_la_SOURCES = ecore/src/lib/ecore_anim.c \
nodist_check_SCRIPTS = eagain testsrn testcompat chain invalid-cert testrandom \
- testpkcs11 testrng
+ testpkcs11 testrng testpkcs11.pkcs15 testpkcs11.softhsm
TESTS = ciphersuite/test-ciphersuites.sh eagain testsrn testcompat chain invalid-cert \
testpkcs11 testrng
diff --git a/tests/suite/testpkcs11 b/tests/suite/testpkcs11
index 00218f8a6b..c71f3e9386 100755
--- a/tests/suite/testpkcs11
+++ b/tests/suite/testpkcs11
@@ -25,177 +25,257 @@ DIFF="${DIFF:-diff -b -B}"
SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q"
CLI="${CLI:-../../src/gnutls-cli$EXEEXT}"
PORT="${PORT:-5561}"
-unset RETCODE
+RETCODE=0
+
+TMPFILE=$srcdir/testpkcs11.debug
+CERTTOOL_PARAM="--stdout-info"
if test "${WINDIR}" != "";then
exit 77
fi
-if ! test -x "/usr/bin/softhsm";then
- exit 77
-fi
-
. $srcdir/../scripts/common.sh
-echo "Testing PKCS11 support"
+rm -f $TMPFILE
-# erase SC
+exit_error () {
+ echo "Check $TMPFILE for additional debugging information"
+ echo ""
+ echo ""
+ tail $TMPFILE
+ exit 1
+}
-CERTTOOL_PARAM="--stdout-info"
-if test "$1" = "pkcs15";then
- echo -n "* Erasing smart card... "
- pkcs15-init -E >/dev/null #2>&1
- if test $? = 0;then
- echo ok
- else
- echo failed
- exit 1
- fi
-
- echo -n "* Initializing smart card... "
- pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin 1234 --pin 1234 --puk 111111 --label "GnuTLS-Test" >/dev/null #2>&1
- if test $? = 0;then
- echo ok
- else
- echo failed
- exit 1
- fi
-else
- export SOFTHSM_CONF="softhsm-testpkcs11.config"
- if test -f /usr/lib/softhsm/libsofthsm.so;then
- ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so"
- else
- ADDITIONAL_PARAM="--provider /usr/lib64/softhsm/libsofthsm.so"
- fi
- echo "0:./softhsm-testpkcs11.db" > $SOFTHSM_CONF
-
- echo -n "* Initializing smart card... "
- softhsm --init-token --slot 0 --label "GnuTLS-Test" --so-pin 1234 --pin 1234 >/dev/null #2>&1
- if test $? = 0;then
- echo ok
- else
- echo failed
- exit 1
- fi
-fi
+# $1: token
+# $2: PIN
+# $3: filename
+# $srcdir/pkcs11-certs/client.key
+write_privkey () {
+ export GNUTLS_PIN=$2
-# find token name
-TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
+ filename=$3
+ token=$1
+ echo -n "* Writing a client private key... "
+ $P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client2 --load-privkey "$filename" "$token" >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
+}
-echo "* Token: $TOKEN"
-if test x"$TOKEN" = x;then
- echo "Could not find generated token"
- exit 1
-fi
+# $1: token
+# $2: PIN
+# $3: bits
+generate_rsa_privkey () {
+ export GNUTLS_PIN=$2
+ token=$1
+ bits=$3
-export GNUTLS_PIN=1234
+ echo -n "* Generating RSA private key ($bits)... "
+ $P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-rsa --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ RETCODE=1
+ fi
+}
-echo -n "* Writing a client private key... "
-$P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client2 --load-privkey $srcdir/pkcs11-certs/client.key "$TOKEN" >/dev/null #2>&1
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+# $1: token
+# $2: PIN
+# $3: bits
+generate_ecc_privkey () {
+ export GNUTLS_PIN=$2
+ token=$1
+ bits=$3
-echo -n "* Generating client private key... "
-$P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-rsa --bits 1024 "$TOKEN" >tmp-client.pub #2>&1
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+ echo -n "* Generating ECC private key ($bits)... "
+ $P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-ecc --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ RETCODE=1
+ fi
+}
-echo -n "* Generating client certificate... "
-$CERTTOOL $CERTTOOL_PARAM $ADDITIONAL_PARAM --generate-certificate --load-ca-privkey $srcdir/pkcs11-certs/ca.key --load-ca-certificate $srcdir/pkcs11-certs/ca.crt \
- --template $srcdir/pkcs11-certs/client-tmpl --load-privkey "$TOKEN;object=gnutls-client;object-type=private" \
- --load-pubkey tmp-client.pub > tmp-client.crt #2>/dev/null
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+# $1: token
+# $2: PIN
+# $3: cakey: $srcdir/pkcs11-certs/ca.key
+# $4: cacert: $srcdir/pkcs11-certs/ca.crt
+#
+# Tests writing a certificate which corresponds to the given key,
+# as well as the CA certificate, and tries to export them.
+write_certificate_test () {
+ export GNUTLS_PIN=$2
+ token=$1
+ cakey=$3
+ cacert=$4
+ pubkey=$5
-echo -n "* Writing client certificate... "
-$P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client --load-certificate tmp-client.crt "$TOKEN" >/dev/null #2>&1
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+ echo -n "* Generating client certificate... "
+ $CERTTOOL $CERTTOOL_PARAM $ADDITIONAL_PARAM --generate-certificate --load-ca-privkey "$cakey" --load-ca-certificate "$cacert" \
+ --template $srcdir/pkcs11-certs/client-tmpl --load-privkey "$token;object=gnutls-client;object-type=private" \
+ --load-pubkey "$pubkey" --outfile tmp-client.crt >>$TMPFILE 2>&1
-echo -n "* Writing certificate of client's CA... "
-$P11TOOL $ADDITIONAL_PARAM --so-login --write --trusted --label gnutls-ca --load-certificate $srcdir/pkcs11-certs/ca.crt "$TOKEN" >/dev/null #2>&1
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
-echo -n "* Trying to obtain back the cert... "
-$P11TOOL $ADDITIONAL_PARAM --export "$TOKEN;object=gnutls-ca;object-type=cert" >crt1.tmp #2>/dev/null
-$DIFF crt1.tmp $srcdir/pkcs11-certs/ca.crt
-if test $? != 0;then
- echo "failed. Exported certificate differs!"
- exit 1
-fi
-rm -f crt1.tmp
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+ echo -n "* Writing client certificate... "
+ $P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client --load-certificate tmp-client.crt "$token" >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
-echo -n "* Trying to obtain the full chain... "
-$P11TOOL $ADDITIONAL_PARAM --login --export-chain "$TOKEN;object=gnutls-client;object-type=cert"|$CERTTOOL $CERTTOOL_PARAM -i >crt1.tmp #2>/dev/null
+ echo -n "* Writing certificate of client's CA... "
+ $P11TOOL $ADDITIONAL_PARAM --so-login --ca --write --trusted --label gnutls-ca --load-certificate "$cacert" "$token" >>$TMPFILE 2>&1
+
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ return
+ fi
+
+ echo -n "* Trying to obtain back the cert... "
+ $P11TOOL $ADDITIONAL_PARAM --export "$token;object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>$TMPFILE 2>&1
+ $DIFF crt1.tmp $srcdir/pkcs11-certs/ca.crt
+ if test $? != 0;then
+ echo "failed. Exported certificate differs (crt1.tmp)!"
+ exit_error
+ fi
+ rm -f crt1.tmp
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
+
+ echo -n "* Trying to obtain the full chain... "
+ $P11TOOL $ADDITIONAL_PARAM --login --export-chain "$token;object=gnutls-client;object-type=cert"|$CERTTOOL $CERTTOOL_PARAM -i --outfile crt1.tmp >>$TMPFILE 2>&1
+
+ cat tmp-client.crt $srcdir/pkcs11-certs/ca.crt|$CERTTOOL $CERTTOOL_PARAM -i >crt2.tmp
+ $DIFF crt1.tmp crt2.tmp
+ if test $? != 0;then
+ echo "failed. Exported certificate chain differs!"
+ exit_error
+ fi
+ rm -f crt1.tmp crt2.tmp
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
+}
+
+
+# $1: token
+# $2: PIN
+# $3: certfile
+# $4: keyfile
+# $5: cafile
+#
+# Tests using a certificate and key pair using gnutls-serv and gnutls-cli.
+use_certificate_test () {
+ export GNUTLS_PIN=$2
+ token=$1
+ certfile=$3
+ keyfile=$4
+ cafile=$5
+
+ echo -n "* Using PKCS #11 with gnutls-cli... "
+ # start server
+ launch_server $$ --echo --priority NORMAL --x509certfile="$certfile" \
+ --x509keyfile="$keyfile" --x509cafile="$cafile" \
+ --require-client-cert >>$TMPFILE 2>&1 &
+
+ PID=$!
+ wait_server $PID
+
+ # connect to server using SC
+ $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 && \
+ fail $PID "Connection should have failed!"
+
+ $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$certfile" \
+ --x509keyfile="$keyfile" --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 || \
+ fail $PID "Connection (with files) should have succeeded!"
+
+ $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$token;object=gnutls-client;object-type=cert" \
+ --x509keyfile="$token;object=gnutls-client;object-type=private" \
+ --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 || \
+ fail $PID "Connection (with SC) should have succeeded!"
+
+ kill $PID
+ wait
+
+ echo ok
+}
+
+
+
+echo "Testing PKCS11 support"
+
+# erase SC
+
+type=$1
+
+if test -z "$type";then
+ echo "usage: $0: [pkcs15|softhsm|sc-hsm]"
+ if test -x "/usr/bin/softhsm";then
+ echo "assuming 'softhsm'"
+ echo ""
+ type=softhsm
+ else
+ exit 1
+ fi
-cat tmp-client.crt $srcdir/pkcs11-certs/ca.crt|$CERTTOOL $CERTTOOL_PARAM -i >crt2.tmp
-$DIFF crt1.tmp crt2.tmp
-if test $? != 0;then
- echo "failed. Exported certificate chain differs!"
- exit 1
fi
-rm -f crt1.tmp crt2.tmp
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
+
+. $srcdir/testpkcs11.$type
+
+export GNUTLS_PIN=12345678
+export GNUTLS_SO_PIN=00000000
+
+init_card $GNUTLS_PIN $GNUTLS_SO_PIN
+
+# find token name
+TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
+
+echo "* Token: $TOKEN"
+if test x"$TOKEN" = x;then
+ echo "Could not find generated token"
+ exit_error
fi
-echo -n "* Trying using PKCS #11 with gnutls-cli... "
-# start server
-launch_server $$ --echo --priority NORMAL --x509certfile=$srcdir/pkcs11-certs/server.crt \
- --x509keyfile=$srcdir/pkcs11-certs/server.key --x509cafile=$srcdir/pkcs11-certs/ca.crt \
- --require-client-cert >/dev/null 2>&1 &
-PID=$!
-wait_server $PID
+#write a given privkey
+write_privkey $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/client.key"
+
+generate_ecc_privkey $TOKEN $GNUTLS_PIN 256
-# connect to server using SC
-$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 && \
- fail $PID "Connection should have failed!"
+generate_ecc_privkey $TOKEN $GNUTLS_PIN 384
-$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile=$srcdir/pkcs11-certs/client.crt \
- --x509keyfile=$srcdir/pkcs11-certs/client.key --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 || \
- fail $PID "Connection (with files) should have succeeded!"
+generate_rsa_privkey $TOKEN $GNUTLS_PIN 2048
-$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$TOKEN;object=gnutls-client;object-type=cert" \
- --x509keyfile="$TOKEN;object=gnutls-client;object-type=private" \
- --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 || \
- fail $PID "Connection (with SC) should have succeeded!"
+generate_rsa_privkey $TOKEN $GNUTLS_PIN 1024
-kill $PID
-wait
+write_certificate_test $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/ca.key" "$srcdir/pkcs11-certs/ca.crt" tmp-client.pub
-echo ok
+use_certificate_test $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/server.crt" "$srcdir/pkcs11-certs/server.key" "$srcdir/pkcs11-certs/ca.crt"
-echo "* All smart cards tests succeeded"
-rm -f tmp-client.crt tmp-client.pub $SOFTHSM_CONF
+if test $RETCODE = 0;then
+ echo "* All smart cards tests succeeded"
+fi
+rm -f tmp-client.crt tmp-client.pub $TMPFILE
exit 0
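Review bot: The script ends with an unconditional `exit 0`, so the key-generation failures that set `RETCODE=1` in generate_rsa_privkey/generate_ecc_privkey, and the silent `return` after a failed CA-certificate write in write_certificate_test, are printed as "failed" but never fail the test; change the last line to `exit $RETCODE` and make that `return` read `RETCODE=1; return`. All four generate_* calls reuse the label `gnutls-client`, so the URL `$token;object=gnutls-client;object-type=private` used by write_certificate_test and use_certificate_test can match any of those keys while tmp-client.pub holds only the last one (RSA 1024) — which object p11tool picks presumably depends on the token, so distinct labels or a comment stating the intent would help. `$TOKEN` is passed unquoted to every helper although the helpers themselves quote `$token`; `write_privkey "$TOKEN" "$GNUTLS_PIN" ...` keeps the URL a single word if it ever contains whitespace. TMPFILE is created in `$srcdir`, which is read-only under `make distcheck`; writing it to the current directory like tmp-client.crt avoids that.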
diff --git a/tests/suite/testpkcs11.pkcs15 b/tests/suite/testpkcs11.pkcs15
new file mode 100644
index 0000000000..d72163b16a
--- /dev/null
+++ b/tests/suite/testpkcs11.pkcs15
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+
+init_card () {
+ PIN=$1
+ PUK=$2
+
+ echo -n "* Erasing smart card... "
+ pkcs15-init -E >$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ cat $TMPFILE
+ exit_error
+ fi
+
+ echo -n "* Initializing smart card... "
+ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin $PIN --pin $PIN --puk $PUK --label "GnuTLS-Test" >$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ cat $TMPFILE
+ exit_error
+ fi
+}
+
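Review bot: The second argument of init_card is the SO PIN on the caller's side (`init_card $GNUTLS_PIN $GNUTLS_SO_PIN` in testpkcs11) but is bound to `PUK` here, while `--so-pin $PIN` sets the card's SO PIN to the user PIN; the later `--so-login` in write_certificate_test authenticates with GNUTLS_SO_PIN=00000000, which would then not match what was written to the card. If the `pkcs15+onepin` profile is meant to make SO PIN and user PIN identical, a comment saying so and exporting `GNUTLS_SO_PIN=$PIN` here would keep the backends consistent. Both pkcs15-init calls use `>$TMPFILE`, truncating the log that every other helper appends to with `>>$TMPFILE 2>&1`, so the erase output is lost before exit_error tails the file. The PINs are also passed on the pkcs15-init command line; a one-line comment such as `# fixed test-only PINs; these are visible in process listings` documents that trade-off for anyone adapting the script.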
diff --git a/tests/suite/testpkcs11.sc-hsm b/tests/suite/testpkcs11.sc-hsm
new file mode 100644
index 0000000000..03b86a408f
--- /dev/null
+++ b/tests/suite/testpkcs11.sc-hsm
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+
+init_card () {
+ PIN=$1
+ PUK=3537363231383830
+ export GNUTLS_SO_PIN=$PUK
+
+ echo -n "* Erasing smart card... "
+ sc-hsm-tool --initialize --so-pin $PUK --pin $PIN --label=GnuTLS-Test >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
+
+ echo -n "* Initializing smart card... "
+ TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
+ if test -z "$TOKEN";then
+ echo "Could not find initialized card"
+ exit_error
+ fi
+
+ $P11TOOL $ADDITIONAL_PARAM --initialize "$TOKEN" --set-so-pin $PUK --set-pin $PIN --label "GnuTLS-Test" >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
+}
+
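Review bot: testpkcs11.sc-hsm is not added to `nodist_check_SCRIPTS` in Makefile.am alongside testpkcs11.pkcs15 and testpkcs11.softhsm, although the usage text in testpkcs11 advertises `sc-hsm`. The second argument to init_card is silently ignored and replaced by the fixed `PUK=3537363231383830`, which is then exported as GNUTLS_SO_PIN and overrides the value testpkcs11 exported just before calling init_card; a comment above that line, e.g. `# $2 is ignored: the card presumably requires this fixed SO-PIN, so GNUTLS_SO_PIN is overridden here`, would explain the asymmetry with the other backends. The `TOKEN=` lookup also assigns a global that testpkcs11 recomputes immediately after init_card returns; a differently named variable would make the overlap harmless to future edits.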
diff --git a/tests/suite/testpkcs11.softhsm b/tests/suite/testpkcs11.softhsm
new file mode 100755
index 0000000000..ddaaff4f73
--- /dev/null
+++ b/tests/suite/testpkcs11.softhsm
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+export SOFTHSM_CONF="softhsm-testpkcs11.config"
+
+if test -f /usr/lib/softhsm/libsofthsm.so;then
+ ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so"
+else
+ ADDITIONAL_PARAM="--provider /usr/lib64/softhsm/libsofthsm.so"
+fi
+
+init_card () {
+ PIN=$1
+ PUK=$2
+
+ if ! test -x "/usr/bin/softhsm";then
+ echo "Could not find /usr/bin/softhsm"
+ exit 77
+ fi
+
+ rm -f ./softhsm-testpkcs11.db
+ echo "0:./softhsm-testpkcs11.db" > $SOFTHSM_CONF
+
+ echo -n "* Initializing smart card... "
+ softhsm --init-token --slot 0 --label "GnuTLS-Test" --so-pin $PUK --pin $PIN >/dev/null #2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
+}
+
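Review bot: The `softhsm --init-token` output is still discarded with `>/dev/null #2>&1`, whereas the pkcs15 and sc-hsm backends log to `$TMPFILE`, so a failed initialization here leaves nothing for exit_error to tail; use `>>$TMPFILE 2>&1` as the other helpers do. `softhsm-testpkcs11.config` and `softhsm-testpkcs11.db` are created by this backend, but the cleanup at the end of testpkcs11 no longer removes `$SOFTHSM_CONF` (the replaced script did), so both files are left behind in the build directory. When neither hard-coded libsofthsm.so path exists the provider option still points at the lib64 location and the problem surfaces later as a p11tool failure rather than a skip; an `exit 77` when the chosen library is missing would match the `/usr/bin/softhsm` check above.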