diff options
| author | Lorry <lorry@roadtrain.codethink.co.uk> | 2012-07-18 20:31:20 +0100 |
|---|---|---|
| committer | Lorry <lorry@roadtrain.codethink.co.uk> | 2012-07-18 20:31:20 +0100 |
| commit | e43ad1f4ce7f1504e6f01fc8a90d5c0398013383 (patch) | |
| tree | 03504d9d81336081b899c9f34cc0f66801caf67c /mozilla/security/nss/tests/fips/fips.sh | |
| download | nss-e43ad1f4ce7f1504e6f01fc8a90d5c0398013383.tar.gz | |
Tarball conversion
Diffstat (limited to 'mozilla/security/nss/tests/fips/fips.sh')
| -rwxr-xr-x | mozilla/security/nss/tests/fips/fips.sh | 319 |
1 files changed, 319 insertions, 0 deletions
diff --git a/mozilla/security/nss/tests/fips/fips.sh b/mozilla/security/nss/tests/fips/fips.sh new file mode 100755 index 0000000..7596b7f --- /dev/null +++ b/mozilla/security/nss/tests/fips/fips.sh @@ -0,0 +1,319 @@ +#! /bin/bash +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +######################################################################## +# mozilla/security/nss/tests/fips/fips.sh +# +# Script to test basic functionallity of NSS in FIPS-compliant mode +# +# needs to work on all Unix and Windows platforms +# +# tests implemented: +# +# special strings +# --------------- +# +######################################################################## + +############################## fips_init ############################## +# local shell function to initialize this script +######################################################################## +fips_init() +{ + SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=fips.sh + html_head "FIPS 140 Compliance Tests" + + grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { + Exit 15 "Fatal - FIPS of cert.sh needs to pass first" + } + + COPYDIR=${FIPSDIR}/copydir + + R_FIPSDIR=../fips + P_R_FIPSDIR=../fips + R_COPYDIR=../fips/copydir + + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_FIPSDIR="multiaccess:${D_FIPS}" + fi + + mkdir -p ${FIPSDIR} + mkdir -p ${COPYDIR} + + cd ${FIPSDIR} +} + +############################## fips_140 ############################## +# local shell function to test basic functionality of NSS while in +# FIPS 140 compliant mode +######################################################################## +fips_140() +{ + echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" + echo "modutil -dbdir ${P_R_FIPSDIR} -list" + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 + html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1 + html_msg $? 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys -------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 + RET=$? + html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "." + echo "certutil -K returned $RET" + + echo "$SCRIPTNAME: Validate the certificate --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} + html_msg $? 0 "Validate the certificate (certutil -V -e)" "." + + echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --" + echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "." + + echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" + echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 + html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + + echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" + echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + if [ $? -eq 0 ]; then + ret=255 + fi + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys." + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + # certutil -K now returns a failure if no keys are found. This verifies that + # our delete succeded. + html_msg $? 255 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" + echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Delete the certificate from the FIPS module" + echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 + html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + if [ $? -eq 0 ]; then + ret=255 + fi + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + + echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" + echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------" + echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}" + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "." + + echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------" + echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n" + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 + html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "." + + LIBDIR="${DIST}/${OBJDIR}/lib" + MANGLEDIR="${FIPSDIR}/mangle" + + # There are different versions of cp command on different systems, some of them + # copies only symlinks, others doesn't have option to disable links, so there + # is needed to copy files one by one. + echo "mkdir ${MANGLEDIR}" + mkdir ${MANGLEDIR} + for lib in `ls ${LIBDIR}`; do + echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}" + cp ${LIBDIR}/${lib} ${MANGLEDIR} + done + + echo "$SCRIPTNAME: Detect mangled softoken--------------------------" + SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} + + echo "mangling ${SOFTOKEN}" + echo "mangle -i ${SOFTOKEN} -o -8 -b 5" + ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 + if [ $? -eq 0 ]; then + if [ "${OS_ARCH}" = "WINNT" ]; then + DBTEST=`which dbtest` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + DBTEST=`cygpath -m ${DBTEST}` + MANGLEDIR=`cygpath -u ${MANGLEDIR}` + fi + echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}" + PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "HP-UX" ]; then + echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "AIX" ]; then + echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "Darwin" ]; then + echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + else + echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + fi + + html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "." + else + html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}" + fi +} + +############################## fips_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +fips_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +fips_init +fips_140 +fips_cleanup +echo "fips.sh done" |