diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-12-19 19:01:31 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-12-19 19:14:36 +0100 |
commit | 53b9f714adbb7973068a2a1b83591263291b27eb (patch) | |
tree | 830a3f399f36e13a7b220ab66c108a4f7678d5a3 | |
parent | 655ff87be2c80bbb3d3656f55887d7d067d6189c (diff) | |
download | gnutls-53b9f714adbb7973068a2a1b83591263291b27eb.tar.gz |
tests: added check for certtool loading CA certificates from PKCS#11
-rw-r--r-- | tests/suite/Makefile.am | 2 | ||||
-rwxr-xr-x | tests/suite/certtool-pkcs11.sh | 176 | ||||
-rwxr-xr-x | tests/suite/testpkcs11.softhsm | 14 |
3 files changed, 184 insertions, 8 deletions
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index 6f1c4b08cb..ae7c647f5c 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -90,7 +90,7 @@ EXTRA_DIST += testcompat-main-polarssl testcompat-main-openssl testcompat-common testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm nodist_check_SCRIPTS = testsrn.sh chain.sh invalid-cert.sh \ testrng.sh testcompat-polarssl.sh testcompat-openssl.sh \ - testrandom.sh pkcs7-cat + testrandom.sh pkcs7-cat certtool-pkcs11.sh if ENABLE_PKCS11 nodist_check_SCRIPTS += testpkcs11.sh crl-test diff --git a/tests/suite/certtool-pkcs11.sh b/tests/suite/certtool-pkcs11.sh new file mode 100755 index 0000000000..7bc0784249 --- /dev/null +++ b/tests/suite/certtool-pkcs11.sh @@ -0,0 +1,176 @@ +#!/bin/bash + +# Copyright (C) 2016 Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir="${srcdir:-.}" +P11TOOL="${P11TOOL:-../../src/p11tool${EXEEXT}}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff -b -B}" +SERV="${SERV:-../../src/gnutls-serv${EXEEXT}} -q" +CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" +RETCODE=0 + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute valgrind --leak-check=full" +fi + +TMPFILE="verify-pkcs11.debug" +CERTTOOL_PARAM="--stdout-info" + +if test "${WINDIR}" != ""; then + exit 77 +fi + +P11TOOL="${VALGRIND} ${P11TOOL} --batch" + +. ${srcdir}/../scripts/common.sh + +rm -f "${TMPFILE}" + +exit_error () { + echo "check ${TMPFILE} for additional debugging information" + echo "" + echo "" + tail "${TMPFILE}" + exit 1 +} + +check_for_datefudge + +# $1: token +# $2: PIN +# $3: filename +# $4: label +write_ca_cert () { + export GNUTLS_PIN="$2" + filename="$3" + token="$1" + label="$4" + + echo -n "* Writing the CA certificate... " + ${P11TOOL} ${ADDITIONAL_PARAM} --mark-ca --mark-trusted --no-mark-private --so-login --write --label "$label" --load-certificate "${filename}" "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi + +} + +# $1: token +# $2: PIN +# $3: filename +write_ca_privkey () { + export GNUTLS_PIN="$2" + filename="$3" + token="$1" + + echo -n "* Writing the CA private key... " + ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label CA-key --load-privkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo failed + exit_error + fi +} + +# $1: URL +# $2: cert file to verify +verify_certificate_test() { + url=$1 + file=$2 + + echo -n "* Verifying a certificate... " + datefudge -s "2015-10-10" \ + $CERTTOOL ${ADDITIONAL_PARAM} --verify --load-ca-certificate "$url" --infile "$file" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo "failed $file with $url" + exit_error + fi +} + +generate_cert() { + url=$1 + + echo -n "* Generating a certificate... " + $CERTTOOL ${ADDITIONAL_PARAM} --generate-certificate --load-ca-certificate "$url" --load-ca-privkey "${srcdir}/pkcs11-certs/ca.key" --load-privkey "${srcdir}/pkcs11-certs/server.key" --template "${srcdir}/pkcs11-certs/server-tmpl" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo "failed generation with $url" + exit_error + fi +} + +generate_cert_with_key() { + ca_url=$1 + ca_key_url=$2 + + echo -n "* Generating a certificate (privkey in pkcs11)... " + $CERTTOOL ${ADDITIONAL_PARAM} --generate-certificate --load-ca-certificate "${ca_url}" --load-ca-privkey "${ca_key_url}" --load-privkey "${srcdir}/pkcs11-certs/server.key" --template "${srcdir}/pkcs11-certs/server-tmpl" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok + else + echo "failed generation with $url" + exit_error + fi +} + +echo "Testing PKCS11 verification" + +# erase SC + +type="softhsm" + +. "${srcdir}/testpkcs11.${type}" + +export GNUTLS_PIN=12345678 +export GNUTLS_SO_PIN=00000000 + +init_card "${GNUTLS_PIN}" "${GNUTLS_SO_PIN}" + +# find token name +TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'` + +echo "* Token: ${TOKEN}" +if test "x${TOKEN}" = x; then + echo "Could not find generated token" + exit_error +fi + +write_ca_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/pkcs11-certs/ca.crt" "CA" + +verify_certificate_test "${TOKEN};object=CA;object-type=cert" "${srcdir}/pkcs11-certs/server.crt" +verify_certificate_test "${TOKEN};object=CA;object-type=cert" "${srcdir}/pkcs11-certs/client.crt" +generate_cert "${TOKEN};object=CA;object-type=cert" + +write_ca_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/pkcs11-certs/ca.key" + +generate_cert_with_key "${TOKEN};object=CA;object-type=cert" "${TOKEN};object=CA-key;object-type=private" + +if test ${RETCODE} = 0; then + echo "* All tests succeeded" +fi +rm -f "${TMPFILE}" + +exit 0 diff --git a/tests/suite/testpkcs11.softhsm b/tests/suite/testpkcs11.softhsm index 3ec5076318..4f7f9f10d8 100755 --- a/tests/suite/testpkcs11.softhsm +++ b/tests/suite/testpkcs11.softhsm @@ -35,7 +35,7 @@ init_card () { PUK="$2" if test -x "/usr/bin/softhsm2-util"; then - export SOFTHSM2_CONF="softhsm-testpkcs11.config" + export SOFTHSM2_CONF="softhsm-testpkcs11.$$.config.tmp" SOFTHSM_TOOL="/usr/bin/softhsm2-util" ${SOFTHSM_TOOL} --version|grep "2.0.0" >/dev/null 2>&1 if test $? = 0; then @@ -45,7 +45,7 @@ init_card () { fi if test -x "/usr/bin/softhsm"; then - export SOFTHSM_CONF="softhsm-testpkcs11.config" + export SOFTHSM_CONF="softhsm-testpkcs11.$$.config.tmp" SOFTHSM_TOOL="/usr/bin/softhsm" fi @@ -55,13 +55,13 @@ init_card () { fi if test -z "${SOFTHSM_CONF}"; then - rm -rf ./softhsm-testpkcs11.db - mkdir -p ./softhsm-testpkcs11.db + rm -rf ./softhsm-testpkcs11.$$.tmp + mkdir -p ./softhsm-testpkcs11.$$.tmp echo "objectstore.backend = file" > "${SOFTHSM2_CONF}" - echo "directories.tokendir = ./softhsm-testpkcs11.db" >> "${SOFTHSM2_CONF}" + echo "directories.tokendir = ./softhsm-testpkcs11.$$.tmp" >> "${SOFTHSM2_CONF}" else - rm -rf ./softhsm-testpkcs11.db - echo "0:./softhsm-testpkcs11.db" > "${SOFTHSM_CONF}" + rm -rf ./softhsm-testpkcs11.$$.tmp + echo "0:./softhsm-testpkcs11.$$.tmp" > "${SOFTHSM_CONF}" fi |