blob: 0af827231093fdc7827558c8917721af9adc9098 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
#!/bin/sh
# Copyright (C) 2017 Red Hat, Inc.
#
# This file is part of p11-kit.
#
# p11-kit is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# p11-kit is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#set -e
srcdir="${srcdir:-.}"
P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
DIFF="${DIFF:-diff}"
EXPORTED_FILE=out.$$.tmp
DER_FILE=out-der.$$.tmp
TMPFILE=out-tmp.$$.tmp
for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/;do
if test -f "${lib}/p11-kit-trust.so"; then
MODULE="${lib}/p11-kit-trust.so"
echo "located ${MODULE}"
break
fi
done
if ! test -x "${P11TOOL}"; then
echo "p11tool was not found"
exit 77
fi
if ! test -f "${MODULE}"; then
echo "p11-kit trust module was not found"
exit 77
fi
TRUST_PATH="${srcdir}/p11-kit-trust-data/"
CACERT=${TRUST_PATH}/Example_Root_CA.pem
# Test whether a CA extracted from a trust store can retrieve stapled
# extensions.
OPTS="--provider ${MODULE} --provider-opts trusted,p11-kit:paths=\"${TRUST_PATH}\""
# Informational
${P11TOOL} --list-all-certs ${OPTS} 'pkcs11:'
####
# Test 1: Extract the CA certificate from store
${P11TOOL} --export 'pkcs11:object=Example%20CA' ${OPTS} --outder --outfile ${EXPORTED_FILE}
if test "$?" != "0"; then
echo "Exporting failed (1)"
exit 1
fi
${CERTTOOL} -i --infile ${CACERT} --outder --outfile ${DER_FILE}
if test "$?" != "0"; then
echo "Exporting failed (2)"
exit 1
fi
${DIFF} ${EXPORTED_FILE} ${DER_FILE}
if test "$?" != "0"; then
echo "Files ${EXPORTED_FILE} and ${DER_FILE} are not identical"
exit 1
fi
rm -f ${EXPORTED_FILE} ${DER_FILE} ${TMPFILE}
echo "Root CA retrieval test passed..."
####
# Test 2: Extract the certificate from store with the stapled data
${P11TOOL} --export-stapled 'pkcs11:object=Example%20CA' ${OPTS} --outder --outfile ${EXPORTED_FILE}
if test "$?" != "0"; then
echo "Exporting failed (3)"
exit 1
fi
${CERTTOOL} -i --infile ${CACERT} --outder --outfile ${DER_FILE}
if test "$?" != "0"; then
echo "Exporting failed (4)"
exit 1
fi
${DIFF} ${EXPORTED_FILE} ${DER_FILE}
if test "$?" = "0"; then
echo "Files are identical; no extensions were stapled"
exit 1
fi
${CERTTOOL} -i --inder --infile ${EXPORTED_FILE} --outfile ${TMPFILE}
if test "$?" != "0"; then
echo "PEM converting failed"
exit 1
fi
grep -i "Name Constraints" ${TMPFILE}
if test "$?" != "0"; then
cat ${TMPFILE}
echo "No name constraints found (1)"
exit 1
fi
grep -i "Permitted" ${TMPFILE}
if test "$?" != "0"; then
cat ${TMPFILE}
echo "No name constraints found (2)"
exit 1
fi
grep -i "DNSname: example.com" ${TMPFILE}
if test "$?" != "0"; then
cat ${TMPFILE}
echo "No name constraints found (3)"
exit 1
fi
echo "Root CA with stapled extensions retrieval test passed..."
rm -f ${EXPORTED_FILE} ${DER_FILE} ${TMPFILE}
exit 0
|
