summaryrefslogtreecommitdiff
path: root/tests/p11-kit-trust.sh
blob: 0af827231093fdc7827558c8917721af9adc9098 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
#!/bin/sh

# Copyright (C) 2017 Red Hat, Inc.
#
# This file is part of p11-kit.
#
# p11-kit is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# p11-kit is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

#set -e

srcdir="${srcdir:-.}"
P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
DIFF="${DIFF:-diff}"

EXPORTED_FILE=out.$$.tmp
DER_FILE=out-der.$$.tmp
TMPFILE=out-tmp.$$.tmp

for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/;do
	if test -f "${lib}/p11-kit-trust.so"; then
		MODULE="${lib}/p11-kit-trust.so"
		echo "located ${MODULE}"
		break
	fi
done

if ! test -x "${P11TOOL}"; then
	echo "p11tool was not found"
	exit 77
fi

if ! test -f "${MODULE}"; then
	echo "p11-kit trust module was not found"
	exit 77
fi

TRUST_PATH="${srcdir}/p11-kit-trust-data/"
CACERT=${TRUST_PATH}/Example_Root_CA.pem

# Test whether a CA extracted from a trust store can retrieve stapled
# extensions.

OPTS="--provider ${MODULE} --provider-opts trusted,p11-kit:paths=\"${TRUST_PATH}\""

# Informational
${P11TOOL} --list-all-certs ${OPTS} 'pkcs11:'


####
# Test 1: Extract the CA certificate from store

${P11TOOL} --export 'pkcs11:object=Example%20CA' ${OPTS} --outder --outfile ${EXPORTED_FILE}
if test "$?" != "0"; then
	echo "Exporting failed (1)"
	exit 1
fi

${CERTTOOL} -i --infile ${CACERT} --outder --outfile ${DER_FILE}
if test "$?" != "0"; then
	echo "Exporting failed (2)"
	exit 1
fi

${DIFF} ${EXPORTED_FILE} ${DER_FILE}
if test "$?" != "0"; then
	echo "Files ${EXPORTED_FILE} and ${DER_FILE} are not identical"
	exit 1
fi

rm -f ${EXPORTED_FILE} ${DER_FILE} ${TMPFILE}

echo "Root CA retrieval test passed..."

####
# Test 2: Extract the certificate from store with the stapled data

${P11TOOL} --export-stapled 'pkcs11:object=Example%20CA' ${OPTS} --outder --outfile ${EXPORTED_FILE}
if test "$?" != "0"; then
	echo "Exporting failed (3)"
	exit 1
fi

${CERTTOOL} -i --infile ${CACERT} --outder --outfile ${DER_FILE}
if test "$?" != "0"; then
	echo "Exporting failed (4)"
	exit 1
fi

${DIFF} ${EXPORTED_FILE} ${DER_FILE}
if test "$?" = "0"; then
	echo "Files are identical; no extensions were stapled"
	exit 1
fi

${CERTTOOL} -i --inder --infile ${EXPORTED_FILE} --outfile ${TMPFILE}
if test "$?" != "0"; then
	echo "PEM converting failed"
	exit 1
fi

grep -i "Name Constraints" ${TMPFILE}
if test "$?" != "0"; then
	cat ${TMPFILE}
	echo "No name constraints found (1)"
	exit 1
fi

grep -i "Permitted" ${TMPFILE}
if test "$?" != "0"; then
	cat ${TMPFILE}
	echo "No name constraints found (2)"
	exit 1
fi

grep -i "DNSname: example.com" ${TMPFILE}
if test "$?" != "0"; then
	cat ${TMPFILE}
	echo "No name constraints found (3)"
	exit 1
fi

echo "Root CA with stapled extensions retrieval test passed..."

rm -f ${EXPORTED_FILE} ${DER_FILE} ${TMPFILE}
exit 0