diff options
Diffstat (limited to 'tests/suite/testpkcs11')
-rwxr-xr-x | tests/suite/testpkcs11 | 479 |
1 files changed, 0 insertions, 479 deletions
diff --git a/tests/suite/testpkcs11 b/tests/suite/testpkcs11 deleted file mode 100755 index 71a58c358b..0000000000 --- a/tests/suite/testpkcs11 +++ /dev/null @@ -1,479 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2013 Nikos Mavrogiannopoulos -# -# This file is part of GnuTLS. -# -# GnuTLS is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 3 of the License, or (at -# your option) any later version. -# -# GnuTLS is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with GnuTLS; if not, write to the Free Software Foundation, -# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -srcdir="${srcdir:-.}" -P11TOOL="${P11TOOL:-../../src/p11tool$EXEEXT}" -CERTTOOL="${CERTTOOL:-../../src/certtool$EXEEXT}" -DIFF="${DIFF:-diff -b -B}" -SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q" -CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" -RETCODE=0 - -if ! test -z "${VALGRIND}";then -VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --leak-check=no" -fi - -TMPFILE=$srcdir/testpkcs11.debug -CERTTOOL_PARAM="--stdout-info" - -if test "${WINDIR}" != "";then - exit 77 -fi - -P11TOOL="$VALGRIND $P11TOOL --batch" - -. $srcdir/../scripts/common.sh - -eval "${GETPORT}" - -rm -f $TMPFILE - -exit_error () { - echo "Check $TMPFILE for additional debugging information" - echo "" - echo "" - tail $TMPFILE - exit 1 -} - -# $1: token -# $2: PIN -# $3: filename -# $srcdir/pkcs11-certs/client.key -write_privkey () { - export GNUTLS_PIN=$2 - - filename=$3 - token=$1 - echo -n "* Writing a client private key... " - $P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client2 --load-privkey "$filename" "$token" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi -} - -# $1: token -# $2: PIN -# $3: filename -write_serv_privkey () { - export GNUTLS_PIN=$2 - - filename=$3 - token=$1 - echo -n "* Writing the server private key... " - $P11TOOL $ADDITIONAL_PARAM --login --write --label serv-key --load-privkey "$filename" "$token" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - -} - -# $1: token -# $2: PIN -# $3: filename -write_serv_cert () { - export GNUTLS_PIN=$2 - - filename=$3 - token=$1 - echo -n "* Writing the server certificate... " - $P11TOOL $ADDITIONAL_PARAM --login --write --no-mark-private --label serv-cert --load-certificate "$filename" "$token" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - -} - -# $1: token -# $2: PIN -# $3: bits -generate_rsa_privkey () { - export GNUTLS_PIN=$2 - token=$1 - bits=$3 - - echo -n "* Generating RSA private key ($bits)... " - $P11TOOL $ADDITIONAL_PARAM --login --id 000102030405 --label gnutls-client --generate-rsa --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit 1 - fi -} - -generate_dsa_privkey () { - export GNUTLS_PIN=$2 - token=$1 - bits=$3 - - echo -n "* Generating DSA private key ($bits)... " - $P11TOOL $ADDITIONAL_PARAM --login --id 000102030405 --label gnutls-client-dsa --generate-dsa --bits $bits "$token" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit 1 - fi -} - -# $1: token -# $2: PIN -# $3: bits -generate_temp_rsa_privkey () { - export GNUTLS_PIN=$2 - token=$1 - bits=$3 - - echo -n "* Generating RSA private key ($bits)... " - $P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-rsa --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1 - if test $? = 0;then - RETCODE=0 - echo ok - else - echo failed - RETCODE=1 - fi -} - -# $1: token -# $2: PIN -delete_temp_privkey () { - export GNUTLS_PIN=$2 - token=$1 - - test "$RETCODE" = "0" || return - - echo -n "* Deleting private key... " - $P11TOOL $ADDITIONAL_PARAM --login --delete "$token;object=gnutls-client;object-type=private" >>$TMPFILE 2>&1 - - if test $? != 0;then - echo failed - RETCODE=1 - return - fi - - RETCODE=0 - echo ok -} - -# $1: token -# $2: PIN -# $3: bits -export_pubkey_of_privkey () { - export GNUTLS_PIN=$2 - token=$1 - bits=$3 - - echo -n "* Exporting public key of generated private key... " - $P11TOOL $ADDITIONAL_PARAM --login --export-pubkey "$token;object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>$TMPFILE 2>&1 - if test $? != 0;then - echo failed - exit 1 - fi - - $DIFF tmp-client.pub tmp-client-2.pub - if test $? != 0;then - echo keys differ - exit 1 - fi - - echo ok -} - -# $1: token -# $2: PIN -change_id_of_privkey () { - export GNUTLS_PIN="$2" - token="$1" - - echo -n "* Change the CKA_ID of generated private key... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-id "01a1b103" "${token};object=gnutls-client;id=%00%01%02%03%04%05;object-type=private" >>"${TMPFILE}" 2>&1 - if test $? != 0; then - echo failed - exit_error - fi - - ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1 - if test $? != 0; then - echo "ID didn't change" - exit_error - fi - - echo ok -} - -# $1: token -# $2: PIN -change_label_of_privkey () { - export GNUTLS_PIN="$2" - token="$1" - - echo -n "* Change the CKA_LABEL of generated private key... " - ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "new-label" "${token};object=gnutls-client;object-type=private" >>"${TMPFILE}" 2>&1 - if test $? != 0; then - echo failed - exit_error - fi - - ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=new-label;object-type=private" 2>&1 |grep 'Label: new-label' >>"${TMPFILE}" 2>&1 - if test $? != 0; then - echo "label didn't change" - exit_error - fi - - ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "gnutls-client" "${token};object=new-label;object-type=private" >>"${TMPFILE}" 2>&1 - if test $? != 0; then - echo failed - exit_error - fi - - echo ok -} - -# $1: token -# $2: PIN -# $3: bits -generate_temp_ecc_privkey () { - export GNUTLS_PIN=$2 - token=$1 - bits=$3 - - echo -n "* Generating ECC private key ($bits)... " - $P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-ecc --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1 - if test $? = 0;then - RETCODE=0 - echo ok - else - echo failed - RETCODE=1 - fi -} - -# $1: token -# $2: PIN -# $3: cakey: $srcdir/pkcs11-certs/ca.key -# $4: cacert: $srcdir/pkcs11-certs/ca.crt -# -# Tests writing a certificate which corresponds to the given key, -# as well as the CA certificate, and tries to export them. -write_certificate_test () { - export GNUTLS_PIN=$2 - token=$1 - cakey=$3 - cacert=$4 - pubkey=$5 - - echo -n "* Generating client certificate... " - $CERTTOOL $CERTTOOL_PARAM $ADDITIONAL_PARAM --generate-certificate --load-ca-privkey "$cakey" --load-ca-certificate "$cacert" \ - --template $srcdir/pkcs11-certs/client-tmpl --load-privkey "$token;object=gnutls-client;object-type=private" \ - --load-pubkey "$pubkey" --outfile tmp-client.crt >>$TMPFILE 2>&1 - - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Writing client certificate... " - $P11TOOL $ADDITIONAL_PARAM --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "$token" >>$TMPFILE 2>&1 - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Checking whether ID was correctly set... " - $P11TOOL $ADDITIONAL_PARAM --login --list-certs "$token;object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>$TMPFILE 2>&1 - if test $? != 0;then - echo "ID was not set on copy" - exit_error - fi - echo ok - - echo -n "* Writing certificate of client's CA... " - $P11TOOL $ADDITIONAL_PARAM --login --ca --write --trusted --label gnutls-ca --load-certificate "$cacert" "$token" >>$TMPFILE 2>&1 - ret=$? - if test $ret != 0;then - $P11TOOL $ADDITIONAL_PARAM --so-login --ca --write --trusted --label gnutls-ca --load-certificate "$cacert" "$token" >>$TMPFILE 2>&1 - ret=$? - fi - - if test $ret = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Trying to obtain back the cert... " - $P11TOOL $ADDITIONAL_PARAM --export "$token;object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>$TMPFILE 2>&1 - $DIFF crt1.tmp $srcdir/pkcs11-certs/ca.crt - if test $? != 0;then - echo "failed. Exported certificate differs (crt1.tmp)!" - exit_error - fi - rm -f crt1.tmp - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi - - echo -n "* Trying to obtain the full chain... " - $P11TOOL $ADDITIONAL_PARAM --login --export-chain "$token;object=gnutls-client;object-type=cert"|$CERTTOOL $CERTTOOL_PARAM -i --outfile crt1.tmp >>$TMPFILE 2>&1 - - cat tmp-client.crt $srcdir/pkcs11-certs/ca.crt|$CERTTOOL $CERTTOOL_PARAM -i >crt2.tmp - $DIFF crt1.tmp crt2.tmp - if test $? != 0;then - echo "failed. Exported certificate chain differs!" - exit_error - fi - rm -f crt1.tmp crt2.tmp - if test $? = 0;then - echo ok - else - echo failed - exit_error - fi -} - - -# $1: token -# $2: PIN -# $3: certfile -# $4: keyfile -# $5: cafile -# -# Tests using a certificate and key pair using gnutls-serv and gnutls-cli. -use_certificate_test () { - export GNUTLS_PIN=$2 - token=$1 - certfile=$3 - keyfile=$4 - cafile=$5 - - echo -n "* Using PKCS #11 with gnutls-cli... " - # start server - launch_pkcs11_server $$ "$ADDITIONAL_PARAM" --echo --priority NORMAL --x509certfile="$certfile" \ - --x509keyfile="$keyfile" --x509cafile="$cafile" \ - --require-client-cert >>$TMPFILE 2>&1 - PID=$! - wait_server $PID - - # connect to server using SC - $VALGRIND $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 && \ - fail $PID "Connection should have failed!" - - $VALGRIND $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$certfile" \ - --x509keyfile="$keyfile" --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 || \ - fail $PID "Connection (with files) should have succeeded!" - - $VALGRIND $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$token;object=gnutls-client;object-type=cert" \ - --x509keyfile="$token;object=gnutls-client;object-type=private" \ - --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 || \ - fail $PID "Connection (with SC) should have succeeded!" - - kill $PID - wait - - echo ok -} - - - -echo "Testing PKCS11 support" - -# erase SC - -type=$1 - -if test -z "$type";then - echo "usage: $0: [pkcs15|softhsm|sc-hsm]" - if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util";then - echo "assuming 'softhsm'" - echo "" - type=softhsm - else - exit 1 - fi - -fi - -. $srcdir/testpkcs11.$type - -export GNUTLS_PIN=12345678 -export GNUTLS_SO_PIN=00000000 - -init_card $GNUTLS_PIN $GNUTLS_SO_PIN - -# find token name -TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` - -echo "* Token: $TOKEN" -if test x"$TOKEN" = x;then - echo "Could not find generated token" - exit_error -fi - -#write a given privkey -write_privkey $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/client.key" - -generate_temp_ecc_privkey $TOKEN $GNUTLS_PIN 256 -delete_temp_privkey $TOKEN $GNUTLS_PIN - -generate_temp_ecc_privkey $TOKEN $GNUTLS_PIN 384 -delete_temp_privkey $TOKEN $GNUTLS_PIN - -generate_temp_rsa_privkey $TOKEN $GNUTLS_PIN 2048 -delete_temp_privkey $TOKEN $GNUTLS_PIN - -#export_pubkey_of_privkey $TOKEN $GNUTLS_PIN - -generate_dsa_privkey $TOKEN $GNUTLS_PIN 1024 -generate_rsa_privkey $TOKEN $GNUTLS_PIN 1024 -change_id_of_privkey $TOKEN $GNUTLS_PIN -change_label_of_privkey $TOKEN $GNUTLS_PIN - -write_certificate_test $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/ca.key" "$srcdir/pkcs11-certs/ca.crt" tmp-client.pub - -write_serv_privkey $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/server.key" -write_serv_cert $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/server.crt" - -use_certificate_test $TOKEN $GNUTLS_PIN "$TOKEN;object=serv-cert;object-type=cert" "$TOKEN;object=serv-key;object-type=private" "$srcdir/pkcs11-certs/ca.crt" - -if test $RETCODE = 0;then - echo "* All smart cards tests succeeded" -fi -rm -f tmp-client.crt tmp-client.pub tmp-client-2.pub $TMPFILE - -exit 0 |