Diffstat (limited to 'tests/suite/testpkcs11')
-rwxr-xr-xtests/suite/testpkcs11366
1 files changed, 223 insertions, 143 deletions
diff --git a/tests/suite/testpkcs11 b/tests/suite/testpkcs11
index 00218f8a6b..c71f3e9386 100755
--- a/tests/suite/testpkcs11
+++ b/tests/suite/testpkcs11
@@ -25,177 +25,257 @@ DIFF="${DIFF:-diff -b -B}"
SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q"
CLI="${CLI:-../../src/gnutls-cli$EXEEXT}"
PORT="${PORT:-5561}"
-unset RETCODE
+RETCODE=0
+
+TMPFILE=$srcdir/testpkcs11.debug
+CERTTOOL_PARAM="--stdout-info"
if test "${WINDIR}" != "";then
exit 77
fi
-if ! test -x "/usr/bin/softhsm";then
- exit 77
-fi
-
. $srcdir/../scripts/common.sh
-echo "Testing PKCS11 support"
+rm -f $TMPFILE
-# erase SC
+exit_error () {
+ echo "Check $TMPFILE for additional debugging information"
+ echo ""
+ echo ""
+ tail $TMPFILE
+ exit 1
+}
-CERTTOOL_PARAM="--stdout-info"
-if test "$1" = "pkcs15";then
- echo -n "* Erasing smart card... "
- pkcs15-init -E >/dev/null #2>&1
- if test $? = 0;then
- echo ok
- else
- echo failed
- exit 1
- fi
-
- echo -n "* Initializing smart card... "
- pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin 1234 --pin 1234 --puk 111111 --label "GnuTLS-Test" >/dev/null #2>&1
- if test $? = 0;then
- echo ok
- else
- echo failed
- exit 1
- fi
-else
- export SOFTHSM_CONF="softhsm-testpkcs11.config"
- if test -f /usr/lib/softhsm/libsofthsm.so;then
- ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so"
- else
- ADDITIONAL_PARAM="--provider /usr/lib64/softhsm/libsofthsm.so"
- fi
- echo "0:./softhsm-testpkcs11.db" > $SOFTHSM_CONF
-
- echo -n "* Initializing smart card... "
- softhsm --init-token --slot 0 --label "GnuTLS-Test" --so-pin 1234 --pin 1234 >/dev/null #2>&1
- if test $? = 0;then
- echo ok
- else
- echo failed
- exit 1
- fi
-fi
+# $1: token
+# $2: PIN
+# $3: filename
+# $srcdir/pkcs11-certs/client.key
+write_privkey () {
+ export GNUTLS_PIN=$2
-# find token name
-TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
+ filename=$3
+ token=$1
+ echo -n "* Writing a client private key... "
+ $P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client2 --load-privkey "$filename" "$token" >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
+}
-echo "* Token: $TOKEN"
-if test x"$TOKEN" = x;then
- echo "Could not find generated token"
- exit 1
-fi
+# $1: token
+# $2: PIN
+# $3: bits
+generate_rsa_privkey () {
+ export GNUTLS_PIN=$2
+ token=$1
+ bits=$3
-export GNUTLS_PIN=1234
+ echo -n "* Generating RSA private key ($bits)... "
+ $P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-rsa --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ RETCODE=1
+ fi
+}
-echo -n "* Writing a client private key... "
-$P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client2 --load-privkey $srcdir/pkcs11-certs/client.key "$TOKEN" >/dev/null #2>&1
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+# $1: token
+# $2: PIN
+# $3: bits
+generate_ecc_privkey () {
+ export GNUTLS_PIN=$2
+ token=$1
+ bits=$3
-echo -n "* Generating client private key... "
-$P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-rsa --bits 1024 "$TOKEN" >tmp-client.pub #2>&1
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+ echo -n "* Generating ECC private key ($bits)... "
+ $P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-ecc --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ RETCODE=1
+ fi
+}
-echo -n "* Generating client certificate... "
-$CERTTOOL $CERTTOOL_PARAM $ADDITIONAL_PARAM --generate-certificate --load-ca-privkey $srcdir/pkcs11-certs/ca.key --load-ca-certificate $srcdir/pkcs11-certs/ca.crt \
- --template $srcdir/pkcs11-certs/client-tmpl --load-privkey "$TOKEN;object=gnutls-client;object-type=private" \
- --load-pubkey tmp-client.pub > tmp-client.crt #2>/dev/null
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+# $1: token
+# $2: PIN
+# $3: cakey: $srcdir/pkcs11-certs/ca.key
+# $4: cacert: $srcdir/pkcs11-certs/ca.crt
+#
+# Tests writing a certificate which corresponds to the given key,
+# as well as the CA certificate, and tries to export them.
+write_certificate_test () {
+ export GNUTLS_PIN=$2
+ token=$1
+ cakey=$3
+ cacert=$4
+ pubkey=$5
-echo -n "* Writing client certificate... "
-$P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client --load-certificate tmp-client.crt "$TOKEN" >/dev/null #2>&1
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+ echo -n "* Generating client certificate... "
+ $CERTTOOL $CERTTOOL_PARAM $ADDITIONAL_PARAM --generate-certificate --load-ca-privkey "$cakey" --load-ca-certificate "$cacert" \
+ --template $srcdir/pkcs11-certs/client-tmpl --load-privkey "$token;object=gnutls-client;object-type=private" \
+ --load-pubkey "$pubkey" --outfile tmp-client.crt >>$TMPFILE 2>&1
-echo -n "* Writing certificate of client's CA... "
-$P11TOOL $ADDITIONAL_PARAM --so-login --write --trusted --label gnutls-ca --load-certificate $srcdir/pkcs11-certs/ca.crt "$TOKEN" >/dev/null #2>&1
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
-echo -n "* Trying to obtain back the cert... "
-$P11TOOL $ADDITIONAL_PARAM --export "$TOKEN;object=gnutls-ca;object-type=cert" >crt1.tmp #2>/dev/null
-$DIFF crt1.tmp $srcdir/pkcs11-certs/ca.crt
-if test $? != 0;then
- echo "failed. Exported certificate differs!"
- exit 1
-fi
-rm -f crt1.tmp
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
+ echo -n "* Writing client certificate... "
+ $P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client --load-certificate tmp-client.crt "$token" >>$TMPFILE 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
-echo -n "* Trying to obtain the full chain... "
-$P11TOOL $ADDITIONAL_PARAM --login --export-chain "$TOKEN;object=gnutls-client;object-type=cert"|$CERTTOOL $CERTTOOL_PARAM -i >crt1.tmp #2>/dev/null
+ echo -n "* Writing certificate of client's CA... "
+ $P11TOOL $ADDITIONAL_PARAM --so-login --ca --write --trusted --label gnutls-ca --load-certificate "$cacert" "$token" >>$TMPFILE 2>&1
+
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ return
+ fi
+
+ echo -n "* Trying to obtain back the cert... "
+ $P11TOOL $ADDITIONAL_PARAM --export "$token;object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>$TMPFILE 2>&1
+ $DIFF crt1.tmp $srcdir/pkcs11-certs/ca.crt
+ if test $? != 0;then
+ echo "failed. Exported certificate differs (crt1.tmp)!"
+ exit_error
+ fi
+ rm -f crt1.tmp
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
+
+ echo -n "* Trying to obtain the full chain... "
+ $P11TOOL $ADDITIONAL_PARAM --login --export-chain "$token;object=gnutls-client;object-type=cert"|$CERTTOOL $CERTTOOL_PARAM -i --outfile crt1.tmp >>$TMPFILE 2>&1
+
+ cat tmp-client.crt $srcdir/pkcs11-certs/ca.crt|$CERTTOOL $CERTTOOL_PARAM -i >crt2.tmp
+ $DIFF crt1.tmp crt2.tmp
+ if test $? != 0;then
+ echo "failed. Exported certificate chain differs!"
+ exit_error
+ fi
+ rm -f crt1.tmp crt2.tmp
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit_error
+ fi
+}
+
+
+# $1: token
+# $2: PIN
+# $3: certfile
+# $4: keyfile
+# $5: cafile
+#
+# Tests using a certificate and key pair using gnutls-serv and gnutls-cli.
+use_certificate_test () {
+ export GNUTLS_PIN=$2
+ token=$1
+ certfile=$3
+ keyfile=$4
+ cafile=$5
+
+ echo -n "* Using PKCS #11 with gnutls-cli... "
+ # start server
+ launch_server $$ --echo --priority NORMAL --x509certfile="$certfile" \
+ --x509keyfile="$keyfile" --x509cafile="$cafile" \
+ --require-client-cert >>$TMPFILE 2>&1 &
+
+ PID=$!
+ wait_server $PID
+
+ # connect to server using SC
+ $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 && \
+ fail $PID "Connection should have failed!"
+
+ $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$certfile" \
+ --x509keyfile="$keyfile" --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 || \
+ fail $PID "Connection (with files) should have succeeded!"
+
+ $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$token;object=gnutls-client;object-type=cert" \
+ --x509keyfile="$token;object=gnutls-client;object-type=private" \
+ --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 || \
+ fail $PID "Connection (with SC) should have succeeded!"
+
+ kill $PID
+ wait
+
+ echo ok
+}
+
+
+
+echo "Testing PKCS11 support"
+
+# erase SC
+
+type=$1
+
+if test -z "$type";then
+ echo "usage: $0: [pkcs15|softhsm|sc-hsm]"
+ if test -x "/usr/bin/softhsm";then
+ echo "assuming 'softhsm'"
+ echo ""
+ type=softhsm
+ else
+ exit 1
+ fi
-cat tmp-client.crt $srcdir/pkcs11-certs/ca.crt|$CERTTOOL $CERTTOOL_PARAM -i >crt2.tmp
-$DIFF crt1.tmp crt2.tmp
-if test $? != 0;then
- echo "failed. Exported certificate chain differs!"
- exit 1
fi
-rm -f crt1.tmp crt2.tmp
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
+
+. $srcdir/testpkcs11.$type
+
+export GNUTLS_PIN=12345678
+export GNUTLS_SO_PIN=00000000
+
+init_card $GNUTLS_PIN $GNUTLS_SO_PIN
+
+# find token name
+TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
+
+echo "* Token: $TOKEN"
+if test x"$TOKEN" = x;then
+ echo "Could not find generated token"
+ exit_error
fi
-echo -n "* Trying using PKCS #11 with gnutls-cli... "
-# start server
-launch_server $$ --echo --priority NORMAL --x509certfile=$srcdir/pkcs11-certs/server.crt \
- --x509keyfile=$srcdir/pkcs11-certs/server.key --x509cafile=$srcdir/pkcs11-certs/ca.crt \
- --require-client-cert >/dev/null 2>&1 &
-PID=$!
-wait_server $PID
+#write a given privkey
+write_privkey $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/client.key"
+
+generate_ecc_privkey $TOKEN $GNUTLS_PIN 256
-# connect to server using SC
-$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 && \
- fail $PID "Connection should have failed!"
+generate_ecc_privkey $TOKEN $GNUTLS_PIN 384
-$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile=$srcdir/pkcs11-certs/client.crt \
- --x509keyfile=$srcdir/pkcs11-certs/client.key --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 || \
- fail $PID "Connection (with files) should have succeeded!"
+generate_rsa_privkey $TOKEN $GNUTLS_PIN 2048
-$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$TOKEN;object=gnutls-client;object-type=cert" \
- --x509keyfile="$TOKEN;object=gnutls-client;object-type=private" \
- --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 || \
- fail $PID "Connection (with SC) should have succeeded!"
+generate_rsa_privkey $TOKEN $GNUTLS_PIN 1024
-kill $PID
-wait
+write_certificate_test $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/ca.key" "$srcdir/pkcs11-certs/ca.crt" tmp-client.pub
-echo ok
+use_certificate_test $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/server.crt" "$srcdir/pkcs11-certs/server.key" "$srcdir/pkcs11-certs/ca.crt"
-echo "* All smart cards tests succeeded"
-rm -f tmp-client.crt tmp-client.pub $SOFTHSM_CONF
+if test $RETCODE = 0;then
+ echo "* All smart cards tests succeeded"
+fi
+rm -f tmp-client.crt tmp-client.pub $TMPFILE
exit 0
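Review bot: The failure status collected in RETCODE is never returned — generate_rsa_privkey and generate_ecc_privkey set `RETCODE=1` when p11tool fails, but the script still ends with the unchanged `exit 0`, so a failed key generation prints "failed" yet is reported as a pass to the test driver; the last line should be `exit $RETCODE`. The `return` taken when writing the CA certificate fails in write_certificate_test has the same effect (RETCODE stays 0 and the "All smart cards tests succeeded" summary is still printed); if that path is meant to be a soft failure, `RETCODE=1` before the `return` keeps the summary honest. The header comment of write_certificate_test documents $1–$4 but the body also reads `pubkey=$5`, so add `# $5: pubkey: tmp-client.pub` to the header. Finally, the call sites pass `$TOKEN` unquoted (write_privkey, generate_*_privkey, write_certificate_test, use_certificate_test) while the functions themselves carefully quote `"$token"`; quoting `"$TOKEN"` at the call sites would keep a token URL with unexpected whitespace from being split into several arguments.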