diff options
| author | cvs2hg <devnull@localhost> | 2008-05-09 23:56:05 +0000 |
|---|---|---|
| committer | cvs2hg <devnull@localhost> | 2008-05-09 23:56:05 +0000 |
| commit | b47e2bc5575349ea864d653639ec2be1e4d1f187 (patch) | |
| tree | 35a95c2fbe5de8043c2ab7df0a2861c5682c9cbe /security/nss/tests/fips | |
| parent | e60e2c081e012dcbe9156de25fc8c87a85233532 (diff) | |
| download | nss-hg-b47e2bc5575349ea864d653639ec2be1e4d1f187.tar.gz | |
fixup commit for branch 'JSS_4_2_BRANCH'
Diffstat (limited to 'security/nss/tests/fips')
| -rwxr-xr-x | security/nss/tests/fips/fips.sh | 319 |
1 files changed, 0 insertions, 319 deletions
diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh deleted file mode 100755 index 1950d76b0..000000000 --- a/security/nss/tests/fips/fips.sh +++ /dev/null @@ -1,319 +0,0 @@ -#! /bin/sh -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is the Netscape security libraries. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1994-2000 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. -# -# ***** END LICENSE BLOCK ***** - -######################################################################## -# mozilla/security/nss/tests/fips/fips.sh -# -# Script to test basic functionallity of NSS in FIPS-compliant mode -# -# needs to work on all Unix and Windows platforms -# -# tests implemented: -# -# special strings -# --------------- -# -######################################################################## - -############################## fips_init ############################## -# local shell function to initialize this script -######################################################################## -fips_init() -{ - SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh - - if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for - CLEANUP="${SCRIPTNAME}" # cleaning this script will do it - fi - - if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then - cd ../common - . ./init.sh - fi - if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here - cd ../cert - . ./cert.sh - fi - SCRIPTNAME=fips.sh - html_head "FIPS 140 Compliance Tests" - - grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { - Exit 15 "Fatal - FIPS of cert.sh needs to pass first" - } - - COPYDIR=${FIPSDIR}/copydir - - R_FIPSDIR=../fips - P_R_FIPSDIR=../fips - R_COPYDIR=../fips/copydir - - if [ -n "${MULTIACCESS_DBM}" ]; then - P_R_FIPSDIR="multiaccess:${D_FIPS}" - fi - - mkdir -p ${FIPSDIR} - mkdir -p ${COPYDIR} - - cd ${FIPSDIR} -} - -############################## fips_140 ############################## -# local shell function to test basic functionality of NSS while in -# FIPS 140 compliant mode -######################################################################## -fips_140() -{ - echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" - echo "modutil -dbdir ${P_R_FIPSDIR} -list" - ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 - ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 - html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "." - - echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${P_R_FIPSDIR} -L" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1 - html_msg $? 0 "List the FIPS module certificates (certutil -L)" "." - - echo "$SCRIPTNAME: List the FIPS module keys -------------------------" - echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 - html_msg $? 0 "List the FIPS module keys (certutil -K)" "." - - echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password" - echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 - RET=$? - html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "." - echo "certutil -K returned $RET" - - echo "$SCRIPTNAME: Validate the certificate --------------------------" - echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} - html_msg $? 0 "Validate the certificate (certutil -V -e)" "." - - echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --" - echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" - ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 - html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "." - - echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" - echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 - html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "." - - echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` - ret=$? - echo "${certs}" - if [ ${ret} -eq 0 ]; then - echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null - ret=$? - fi - html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." - - - echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" - echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 - html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "." - - echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` - ret=$? - echo "${certs}" - if [ ${ret} -eq 0 ]; then - echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null - if [ $? -eq 0 ]; then - ret=255 - fi - fi - html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." - - echo "$SCRIPTNAME: List the FIPS module keys." - echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 - # certutil -K now returns a failure if no keys are found. This verifies that - # our delete succeded. - html_msg $? 255 "List the FIPS module keys (certutil -K)" "." - - - echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" - echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" - ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 - html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." - - echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` - ret=$? - echo "${certs}" - if [ ${ret} -eq 0 ]; then - echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null - ret=$? - fi - html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." - - echo "$SCRIPTNAME: List the FIPS module keys --------------------------" - echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 - html_msg $? 0 "List the FIPS module keys (certutil -K)" "." - - - echo "$SCRIPTNAME: Delete the certificate from the FIPS module" - echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 - html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "." - - echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` - ret=$? - echo "${certs}" - if [ ${ret} -eq 0 ]; then - echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null - if [ $? -eq 0 ]; then - ret=255 - fi - fi - html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." - - - echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" - echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" - ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 - html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." - - echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` - ret=$? - echo "${certs}" - if [ ${ret} -eq 0 ]; then - echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null - ret=$? - fi - html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." - - echo "$SCRIPTNAME: List the FIPS module keys --------------------------" - echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" - ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 - html_msg $? 0 "List the FIPS module keys (certutil -K)" "." - - - echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------" - echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}" - ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 - html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "." - - echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------" - echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n" - ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 - html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "." - - LIBDIR="${DIST}/${OBJDIR}/lib" - MANGLEDIR="${FIPSDIR}/mangle" - - # There are different versions of cp command on different systems, some of them - # copies only symlinks, others doesn't have option to disable links, so there - # is needed to copy files one by one. - echo "mkdir ${MANGLEDIR}" - mkdir ${MANGLEDIR} - for lib in `ls ${LIBDIR}`; do - echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}" - cp ${LIBDIR}/${lib} ${MANGLEDIR} - done - - echo "$SCRIPTNAME: Detect mangled database --------------------------" - SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} - - echo "mangling ${SOFTOKEN}" - echo "mangle -i ${SOFTOKEN} -o -8 -b 5" - ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 - if [ $? -eq 0 ]; then - if [ "${OS_ARCH}" = "WINNT" ]; then - DBTEST=`which dbtest` - if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then - DBTEST=`cygpath -m ${DBTEST}` - MANGLEDIR=`cygpath -u ${MANGLEDIR}` - fi - echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}" - PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 - RESULT=$? - elif [ "${OS_ARCH}" = "HP-UX" ]; then - echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" - LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 - RESULT=$? - elif [ "${OS_ARCH}" = "AIX" ]; then - echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" - LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 - RESULT=$? - elif [ "${OS_ARCH}" = "Darwin" ]; then - echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" - DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 - RESULT=$? - else - echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" - LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 - RESULT=$? - fi - - html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "." - else - html_msg 0 0 "Skipping corruption test, can't open ${DLL_PREFIX}softokn3.${DLL_SUFFIX}" - fi -} - -############################## fips_cleanup ############################ -# local shell function to finish this script (no exit since it might be -# sourced) -######################################################################## -fips_cleanup() -{ - html "</TABLE><BR>" - cd ${QADIR} - . common/cleanup.sh -} - -################## main ################################################# - -fips_init -fips_140 -fips_cleanup -echo "fips.sh done" |