authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-01-20 16:55:26 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-01-25 09:00:07 +0100
commite433d0842de99d3da8ec254029d198606e4ab3e7 (patch)
treea265c27cc8e58494427122d40826fc6b164e1bf4
parent507b98149be040e52b29670451952ffd1674951c (diff)
downloadgnutls-e433d0842de99d3da8ec254029d198606e4ab3e7.tar.gz
tests: verify that a written certificate will inherit its ID from privkey
That is, whether p11tool will do the right thing and figure out the proper ID to use for a certificate object, if the public key is available. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rwxr-xr-xtests/suite/testpkcs11.sh166
1 files changed, 166 insertions, 0 deletions
diff --git a/tests/suite/testpkcs11.sh b/tests/suite/testpkcs11.sh
index 6e043e5292..c49624870c 100755
--- a/tests/suite/testpkcs11.sh
+++ b/tests/suite/testpkcs11.sh
@@ -517,6 +517,168 @@ write_certificate_test () {
fi
}
+# $1: token
+# $2: PIN
+# $3: cakey: ${srcdir}/pkcs11-certs/ca.key
+# $4: cacert: ${srcdir}/pkcs11-certs/ca.crt
+#
+# Tests writing a certificate which corresponds to the given key,
+# and verifies whether the ID is the same. Should utilize the
+# ID of the public key.
+write_certificate_id_test_rsa () {
+ export GNUTLS_PIN="$2"
+ token="$1"
+ cakey="$3"
+ cacert="$4"
+
+ echo -n "* Generating RSA private key on HSM... "
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${TMPFILE}" 2>&1
+ if test $? = 0; then
+ echo ok
+ else
+ echo failed
+ exit 1
+ fi
+
+ echo -n "* Checking whether right ID is set on copy... "
+ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
+ --template ${srcdir}/pkcs11-certs/client-tmpl --load-privkey "${token};object=xxx1-rsa;object-type=private" \
+ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
+
+ if test $? != 0; then
+ echo failed
+ exit_error
+ fi
+
+ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --list-all "${token};object=xxx1-rsa;object-type=public" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx1-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
+ if test $? != 0; then
+ echo failed
+ exit_error
+ fi
+
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx1-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1
+ if test $? != 0; then
+ echo "ID '$id' was not set on copy"
+ exit_error
+ fi
+ echo ok
+}
+
+# $1: token
+# $2: PIN
+# $3: cakey: ${srcdir}/pkcs11-certs/ca.key
+# $4: cacert: ${srcdir}/pkcs11-certs/ca.crt
+#
+# Tests writing a certificate which corresponds to the given key,
+# and verifies whether the ID is the same. Should utilize the
+# ID of the private key.
+write_certificate_id_test_rsa2 () {
+ export GNUTLS_PIN="$2"
+ token="$1"
+ cakey="$3"
+ cacert="$4"
+ tmpkey="key.$$.tmp"
+
+ echo -n "* Generating RSA private key... "
+ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
+ if test $? = 0; then
+ echo ok
+ else
+ echo failed
+ exit 1
+ fi
+
+ echo -n "* Checking whether right ID is set on copy... "
+ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
+ --template ${srcdir}/pkcs11-certs/client-tmpl --load-privkey ${tmpkey} \
+ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
+
+ if test $? != 0; then
+ echo failed
+ exit_error
+ fi
+
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx2-rsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1
+ if test $? != 0; then
+ echo failed
+ exit_error
+ fi
+
+ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx2-rsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
+
+ rm -f ${tmpkey}
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx2-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
+ if test $? != 0; then
+ echo failed
+ exit_error
+ fi
+
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx2-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1
+ if test $? != 0; then
+ echo "ID '$id' was not set on copy"
+ exit_error
+ fi
+ echo ok
+}
+
+# $1: token
+# $2: PIN
+# $3: cakey: ${srcdir}/pkcs11-certs/ca.key
+# $4: cacert: ${srcdir}/pkcs11-certs/ca.crt
+#
+# Tests writing a certificate which corresponds to the given key,
+# and verifies whether the ID is the same. Should utilize the
+# ID of the private key.
+write_certificate_id_test_ecdsa () {
+ export GNUTLS_PIN="$2"
+ token="$1"
+ cakey="$3"
+ cacert="$4"
+ tmpkey="key.$$.tmp"
+
+ echo -n "* Generating ECDSA private key... "
+ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --ecdsa --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
+ if test $? = 0; then
+ echo ok
+ else
+ echo failed
+ exit 1
+ fi
+
+ echo -n "* Checking whether right ID is set on copy... "
+ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
+ --template ${srcdir}/pkcs11-certs/client-tmpl --load-privkey ${tmpkey} \
+ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
+
+ if test $? != 0; then
+ echo failed
+ exit_error
+ fi
+
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx-ecdsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1
+ if test $? != 0; then
+ echo failed
+ exit_error
+ fi
+
+ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx-ecdsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
+
+ rm -f ${tmpkey}
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx-ecdsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
+ if test $? != 0; then
+ echo failed
+ exit_error
+ fi
+
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx-ecdsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1
+ if test $? != 0; then
+ echo "ID '$id' was not set on copy"
+ exit_error
+ fi
+ echo ok
+}
+
test_sign () {
export GNUTLS_PIN="$2"
token="$1"
@@ -657,6 +819,10 @@ use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;objec
use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/pkcs11-certs/ca.crt" "abbrv URLs"
+write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/pkcs11-certs/ca.key" "${srcdir}/pkcs11-certs/ca.crt"
+write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/pkcs11-certs/ca.key" "${srcdir}/pkcs11-certs/ca.crt"
+write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/pkcs11-certs/ca.key" "${srcdir}/pkcs11-certs/ca.crt"
+
if test ${RETCODE} = 0; then
echo "* All smart cards tests succeeded"
fi
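Review bot: The ID check in write_certificate_id_test_rsa can pass vacuously: if the `id=$(${P11TOOL} ... --list-all ... | grep 'ID: ' | sed ...)` pipeline produces nothing (tool failure or no `ID:` line), `id` is empty and the later `grep "ID: ${id}"` matches any listed object with an ID, so the test reports "ok" without verifying anything; guard it right after the assignment with `if test -z "${id}"; then echo "could not determine ID of xxx1-rsa"; exit_error; fi`, and likewise after the two `id=$(...)` lines in write_certificate_id_test_rsa2 and write_certificate_id_test_ecdsa. Separately, `tmpkey="key.$$.tmp"` holds a freshly generated private key under a predictable name in the current directory and is only removed on the success path by `rm -f ${tmpkey}`, so every failure branch that calls `exit_error` leaves the key on disk unless `exit_error` (defined outside this hunk) removes it — `mktemp` plus cleanup on all exit paths would be safer, and `tmp-client.crt` is never removed at all. Finally, the three key-generation failures use `exit 1` while every other failure in these functions uses `exit_error`, which is worth unifying. The second hunk only adds the three calls and raises nothing on its own.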