|
 |
17c662 |
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
|
17c662 |
index 6dc63758d..e0d86abfd 100644
|
|
|
17c662 |
--- a/tests/Makefile.am
|
|
|
17c662 |
+++ b/tests/Makefile.am
|
|
|
17c662 |
@@ -36,7 +36,13 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h test-chains.h \
|
|
|
17c662 |
certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem \
|
|
|
17c662 |
certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \
|
|
|
17c662 |
certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem \
|
|
|
17c662 |
- cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c
|
|
|
17c662 |
+ cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c \
|
|
|
17c662 |
+ testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm \
|
|
|
17c662 |
+ testpkcs11-certs/ca.crt testpkcs11-certs/ca-tmpl \
|
|
|
17c662 |
+ testpkcs11-certs/client.key testpkcs11-certs/server.crt \
|
|
|
17c662 |
+ testpkcs11-certs/server-tmpl testpkcs11-certs/ca.key \
|
|
|
17c662 |
+ testpkcs11-certs/client.crt testpkcs11-certs/client-tmpl \
|
|
|
17c662 |
+ testpkcs11-certs/server.key
|
|
|
17c662 |
|
|
|
17c662 |
AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
|
|
|
17c662 |
AM_CPPFLAGS = \
|
|
|
17c662 |
@@ -160,6 +166,9 @@ dist_check_SCRIPTS = rfc2253-escape-test
|
|
|
17c662 |
|
|
|
17c662 |
if !WINDOWS
|
|
|
17c662 |
dist_check_SCRIPTS += sni-hostname.sh
|
|
|
17c662 |
+if ENABLE_PKCS11
|
|
|
17c662 |
+dist_check_SCRIPTS += testpkcs11.sh
|
|
|
17c662 |
+endif
|
|
|
17c662 |
endif
|
|
|
17c662 |
|
|
|
17c662 |
TESTS = $(ctests) $(dist_check_SCRIPTS)
|
|
|
17c662 |
diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh
|
|
|
17c662 |
index 9c9c3fb3a..4615770f6 100644
|
|
|
17c662 |
--- a/tests/scripts/common.sh
|
|
|
17c662 |
+++ b/tests/scripts/common.sh
|
|
|
17c662 |
@@ -19,11 +19,61 @@
|
|
|
17c662 |
# along with this file; if not, write to the Free Software Foundation,
|
|
|
17c662 |
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
17c662 |
|
|
|
17c662 |
-# due to the use of $RANDOM, this script requires bash
|
|
|
17c662 |
+export TZ="UTC"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Check for a utility to list ports. Both ss and netstat will list
|
|
|
17c662 |
+# ports for normal users, and have similar semantics, so put the
|
|
|
17c662 |
+# command in the caller's PFCMD, or exit, indicating an unsupported
|
|
|
17c662 |
+# test. Prefer ss from iproute2 over the older netstat.
|
|
|
17c662 |
+have_port_finder() {
|
|
|
17c662 |
+ for file in $(which ss 2> /dev/null) /*bin/ss /usr/*bin/ss /usr/local/*bin/ss;do
|
|
|
17c662 |
+ if test -x "$file";then
|
|
|
17c662 |
+ PFCMD="$file";return 0
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ done
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test -z "$PFCMD";then
|
|
|
17c662 |
+ for file in $(which netstat 2> /dev/null) /bin/netstat /usr/bin/netstat /usr/local/bin/netstat;do
|
|
|
17c662 |
+ if test -x "$file";then
|
|
|
17c662 |
+ PFCMD="$file";return 0
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ done
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test -z "$PFCMD";then
|
|
|
17c662 |
+ echo "neither ss nor netstat found"
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+check_if_port_in_use() {
|
|
|
17c662 |
+ local PORT="$1"
|
|
|
17c662 |
+ local PFCMD; have_port_finder
|
|
|
17c662 |
+ $PFCMD -an|grep "[\:\.]$PORT" >/dev/null 2>&1
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+check_if_port_listening() {
|
|
|
17c662 |
+ local PORT="$1"
|
|
|
17c662 |
+ local PFCMD; have_port_finder
|
|
|
17c662 |
+ $PFCMD -anl|grep "[\:\.]$PORT"|grep LISTEN >/dev/null 2>&1
|
|
|
17c662 |
+}
|
|
|
17c662 |
|
|
|
17c662 |
-GETPORT='rc=0;while test $rc = 0;do PORT="$(((($$<<15)|RANDOM) % 63001 + 2000))";
|
|
|
17c662 |
- netstat -anl|grep "[\:\.]$PORT" >/dev/null 2>&1;
|
|
|
17c662 |
- rc=$?;done;'
|
|
|
17c662 |
+# Find a port number not currently in use.
|
|
|
17c662 |
+GETPORT='rc=0; myrandom=$(date +%N | sed s/^0*//)
|
|
|
17c662 |
+ while test $rc = 0;do
|
|
|
17c662 |
+ PORT="$(((($$<<15)|$myrandom) % 63001 + 2000))"
|
|
|
17c662 |
+ check_if_port_in_use $PORT;rc=$?
|
|
|
17c662 |
+ done
|
|
|
17c662 |
+'
|
|
|
17c662 |
+
|
|
|
17c662 |
+check_for_datefudge() {
|
|
|
17c662 |
+ TSTAMP=`datefudge -s "2006-09-23" date -u +%s || true`
|
|
|
17c662 |
+ if test "$TSTAMP" != "1158969600" || test "$WINDOWS" = 1; then
|
|
|
17c662 |
+ echo $TSTAMP
|
|
|
17c662 |
+ echo "You need datefudge to run this test"
|
|
|
17c662 |
+ exit 77
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
|
|
|
17c662 |
fail() {
|
|
|
17c662 |
PID="$1"
|
|
|
17c662 |
@@ -33,6 +83,30 @@ fail() {
|
|
|
17c662 |
exit 1
|
|
|
17c662 |
}
|
|
|
17c662 |
|
|
|
17c662 |
+exit_if_non_x86()
|
|
|
17c662 |
+{
|
|
|
17c662 |
+which lscpu >/dev/null 2>&1
|
|
|
17c662 |
+if test $? = 0;then
|
|
|
17c662 |
+ $(which lscpu)|grep Architecture|grep x86
|
|
|
17c662 |
+ if test $? != 0;then
|
|
|
17c662 |
+ echo "non-x86 CPU detected"
|
|
|
17c662 |
+ exit 0
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+exit_if_non_padlock()
|
|
|
17c662 |
+{
|
|
|
17c662 |
+which lscpu >/dev/null 2>&1
|
|
|
17c662 |
+if test $? = 0;then
|
|
|
17c662 |
+ $(which lscpu)|grep Flags|grep phe
|
|
|
17c662 |
+ if test $? != 0;then
|
|
|
17c662 |
+ echo "non-Via padlock CPU detected"
|
|
|
17c662 |
+ exit 0
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
wait_for_port()
|
|
|
17c662 |
{
|
|
|
17c662 |
local ret
|
|
|
17c662 |
@@ -40,10 +114,10 @@ wait_for_port()
|
|
|
17c662 |
sleep 4
|
|
|
17c662 |
|
|
|
17c662 |
for i in 1 2 3 4 5 6;do
|
|
|
17c662 |
- netstat -anl|grep "[\:\.]$PORT"|grep LISTEN >/dev/null 2>&1
|
|
|
17c662 |
+ check_if_port_listening ${PORT}
|
|
|
17c662 |
ret=$?
|
|
|
17c662 |
if test $ret != 0;then
|
|
|
17c662 |
- netstat -anl|grep "[\:\.]$PORT"
|
|
|
17c662 |
+ check_if_port_in_use ${PORT}
|
|
|
17c662 |
echo try $i
|
|
|
17c662 |
sleep 2
|
|
|
17c662 |
else
|
|
|
17c662 |
@@ -59,7 +133,7 @@ wait_for_free_port()
|
|
|
17c662 |
local PORT="$1"
|
|
|
17c662 |
|
|
|
17c662 |
for i in 1 2 3 4 5 6;do
|
|
|
17c662 |
- netstat -anl|grep "[\:\.]$PORT" >/dev/null 2>&1
|
|
|
17c662 |
+ check_if_port_in_use ${PORT}
|
|
|
17c662 |
ret=$?
|
|
|
17c662 |
if test $ret != 0;then
|
|
|
17c662 |
break
|
|
|
17c662 |
@@ -75,7 +149,7 @@ launch_server() {
|
|
|
17c662 |
shift
|
|
|
17c662 |
|
|
|
17c662 |
wait_for_free_port ${PORT}
|
|
|
17c662 |
- ${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null 2>&1 &
|
|
|
17c662 |
+ ${SERV} ${DEBUG} -p "${PORT}" $* >/dev/null &
|
|
|
17c662 |
}
|
|
|
17c662 |
|
|
|
17c662 |
launch_pkcs11_server() {
|
|
|
17c662 |
@@ -94,7 +168,7 @@ launch_bare_server() {
|
|
|
17c662 |
shift
|
|
|
17c662 |
|
|
|
17c662 |
wait_for_free_port ${PORT}
|
|
|
17c662 |
- ${SERV} $* >/dev/null 2>&1 &
|
|
|
17c662 |
+ ${SERV} $* >/dev/null &
|
|
|
17c662 |
}
|
|
|
17c662 |
|
|
|
17c662 |
wait_server() {
|
|
|
17c662 |
@@ -114,3 +188,10 @@ wait_udp_server() {
|
|
|
17c662 |
sleep 4
|
|
|
17c662 |
}
|
|
|
17c662 |
|
|
|
17c662 |
+if test -x /usr/bin/lockfile-create;then
|
|
|
17c662 |
+LOCKFILE="lockfile-create global"
|
|
|
17c662 |
+UNLOCKFILE="lockfile-remove global"
|
|
|
17c662 |
+else
|
|
|
17c662 |
+LOCKFILE="lockfile global.lock"
|
|
|
17c662 |
+UNLOCKFILE="rm -f global.lock"
|
|
|
17c662 |
+fi
|
|
|
17c662 |
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am
|
|
|
17c662 |
index 794a4bace..dae42a7ef 100644
|
|
|
17c662 |
--- a/tests/suite/Makefile.am
|
|
|
17c662 |
+++ b/tests/suite/Makefile.am
|
|
|
17c662 |
@@ -86,11 +86,10 @@ nodist_libecore_la_SOURCES = ecore/src/lib/ecore_anim.c \
|
|
|
17c662 |
|
|
|
17c662 |
|
|
|
17c662 |
nodist_check_SCRIPTS = eagain testsrn testcompat chain invalid-cert testrandom \
|
|
|
17c662 |
- testpkcs11 testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm \
|
|
|
17c662 |
testrng test-ciphersuite-names
|
|
|
17c662 |
|
|
|
17c662 |
TESTS = test-ciphersuite-names eagain testsrn testcompat chain invalid-cert \
|
|
|
17c662 |
- testpkcs11 testrng test-ciphersuite-names
|
|
|
17c662 |
+ testrng test-ciphersuite-names
|
|
|
17c662 |
|
|
|
17c662 |
if ENABLE_PKCS11
|
|
|
17c662 |
TESTS += crl-test
|
|
|
17c662 |
diff --git a/tests/testpkcs11-certs/ca-tmpl b/tests/testpkcs11-certs/ca-tmpl
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..5bf462d1e
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11-certs/ca-tmpl
|
|
|
17c662 |
@@ -0,0 +1,67 @@
|
|
|
17c662 |
+# X.509 Certificate options
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# DN options
|
|
|
17c662 |
+
|
|
|
17c662 |
+dn = "cn=CA,C=CZ"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# The serial number of the certificate
|
|
|
17c662 |
+serial = 1
|
|
|
17c662 |
+
|
|
|
17c662 |
+# In how many days, counting from today, this certificate will expire.
|
|
|
17c662 |
+expiration_days = 2590
|
|
|
17c662 |
+
|
|
|
17c662 |
+# X.509 v3 extensions
|
|
|
17c662 |
+
|
|
|
17c662 |
+# A dnsname in case of a WWW server.
|
|
|
17c662 |
+#dns_name = "localhost"
|
|
|
17c662 |
+#dns_name = "www.morethanone.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# An IP address in case of a server.
|
|
|
17c662 |
+#ip_address = "192.168.1.1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+#dns_name = "www.evenmorethanone.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# An email in case of a person
|
|
|
17c662 |
+email = "none@none.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# An URL that has CRLs (certificate revocation lists)
|
|
|
17c662 |
+# available. Needed in CA certificates.
|
|
|
17c662 |
+crl_dist_points = "http://www.getcrl.crl/getcrl/"
|
|
|
17c662 |
+
|
|
|
17c662 |
+#email = "where@none.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this is a CA certificate or not
|
|
|
17c662 |
+ca
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used for a TLS client
|
|
|
17c662 |
+#tls_www_client
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used for a TLS server
|
|
|
17c662 |
+#tls_www_server
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used to sign data (needed
|
|
|
17c662 |
+# in TLS DHE ciphersuites).
|
|
|
17c662 |
+signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used to encrypt data (needed
|
|
|
17c662 |
+# in TLS RSA ciphersuites). Note that it is preferred to use different
|
|
|
17c662 |
+# keys for encryption and signing.
|
|
|
17c662 |
+#encryption_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign other certificates.
|
|
|
17c662 |
+cert_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign CRLs.
|
|
|
17c662 |
+crl_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign code.
|
|
|
17c662 |
+#code_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign OCSP data.
|
|
|
17c662 |
+ocsp_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used for time stamping.
|
|
|
17c662 |
+#time_stamping_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used for IPsec IKE operations.
|
|
|
17c662 |
+#ipsec_ike_key
|
|
|
17c662 |
diff --git a/tests/testpkcs11-certs/ca.crt b/tests/testpkcs11-certs/ca.crt
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..e39ee41f7
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11-certs/ca.crt
|
|
|
17c662 |
@@ -0,0 +1,15 @@
|
|
|
17c662 |
+-----BEGIN CERTIFICATE-----
|
|
|
17c662 |
+MIICUjCCAbugAwIBAgIBATANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL
|
|
|
17c662 |
+MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI0NTRaGA8yMDIwMTIxMzA4MjQ1NFow
|
|
|
17c662 |
+GjELMAkGA1UEAxMCQ0ExCzAJBgNVBAYTAkNaMIGfMA0GCSqGSIb3DQEBAQUAA4GN
|
|
|
17c662 |
+ADCBiQKBgQCoomr+kiRtx+/doF2FRSOxqBuuLbcpK5KwxtYk82L8MQzzJijfjS88
|
|
|
17c662 |
+4kCijlR6dqD0oDS70ngNogg2uIgn1SfLTTgXw/v6w/nMnMIYZ+ePrF5WD1qGeOAu
|
|
|
17c662 |
+R+qts4Y4rfb9Yb8sXIPdui7HelqimJaVeMxAYJsqRBSixDSpYbkEhwIDAQABo4Gj
|
|
|
17c662 |
+MIGgMA8GA1UdEwEB/wQFMAMBAf8wGAYDVR0RBBEwD4ENbm9uZUBub25lLm9yZzAT
|
|
|
17c662 |
+BgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBQS
|
|
|
17c662 |
+DtpREkBWrvQcbcyhsD0oYX4zATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vd3d3
|
|
|
17c662 |
+LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOBgQBzRzkYVGhl0ltc
|
|
|
17c662 |
+iVvXModMh9cb1TcUrc2nhfEh63u5ZF1/8MJPaMMLw3FZmGc5B8lNYOoWiSqK/Ark
|
|
|
17c662 |
+iO9chPwqRKWY8n52USgGDcUNRxbwCa2vOQg9cdSWIcdt18W5mtJ3hz+CDaT8ZH8t
|
|
|
17c662 |
+sVW/i5eG6O7o3rZGSwbcC1pgIWZqCw==
|
|
|
17c662 |
+-----END CERTIFICATE-----
|
|
|
17c662 |
diff --git a/tests/testpkcs11-certs/ca.key b/tests/testpkcs11-certs/ca.key
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..62f5bfae3
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11-certs/ca.key
|
|
|
17c662 |
@@ -0,0 +1,94 @@
|
|
|
17c662 |
+Public Key Info:
|
|
|
17c662 |
+ Public Key Algorithm: RSA
|
|
|
17c662 |
+ Key Security Level: Weak (1024 bits)
|
|
|
17c662 |
+
|
|
|
17c662 |
+modulus:
|
|
|
17c662 |
+ 00:a8:a2:6a:fe:92:24:6d:c7:ef:dd:a0:5d:85:45:
|
|
|
17c662 |
+ 23:b1:a8:1b:ae:2d:b7:29:2b:92:b0:c6:d6:24:f3:
|
|
|
17c662 |
+ 62:fc:31:0c:f3:26:28:df:8d:2f:3c:e2:40:a2:8e:
|
|
|
17c662 |
+ 54:7a:76:a0:f4:a0:34:bb:d2:78:0d:a2:08:36:b8:
|
|
|
17c662 |
+ 88:27:d5:27:cb:4d:38:17:c3:fb:fa:c3:f9:cc:9c:
|
|
|
17c662 |
+ c2:18:67:e7:8f:ac:5e:56:0f:5a:86:78:e0:2e:47:
|
|
|
17c662 |
+ ea:ad:b3:86:38:ad:f6:fd:61:bf:2c:5c:83:dd:ba:
|
|
|
17c662 |
+ 2e:c7:7a:5a:a2:98:96:95:78:cc:40:60:9b:2a:44:
|
|
|
17c662 |
+ 14:a2:c4:34:a9:61:b9:04:87:
|
|
|
17c662 |
+
|
|
|
17c662 |
+public exponent:
|
|
|
17c662 |
+ 01:00:01:
|
|
|
17c662 |
+
|
|
|
17c662 |
+private exponent:
|
|
|
17c662 |
+ 08:f8:4a:b4:ab:d5:60:39:88:5a:c3:92:f5:e9:cd:
|
|
|
17c662 |
+ 92:3f:9c:e9:50:e9:33:39:6c:1e:17:15:80:f5:a9:
|
|
|
17c662 |
+ 48:3c:db:b1:7b:50:25:43:ff:45:3f:cb:ac:59:e1:
|
|
|
17c662 |
+ c8:79:d2:e9:f0:33:9d:e1:fe:1c:cb:87:a0:51:84:
|
|
|
17c662 |
+ 7c:89:ec:09:e0:3d:c9:df:ca:43:d9:c1:79:3c:47:
|
|
|
17c662 |
+ f7:8e:71:bf:a5:6e:11:87:0d:d9:2e:5a:5d:a0:d3:
|
|
|
17c662 |
+ ba:5b:9c:23:db:33:54:5f:a2:2f:db:28:05:9d:07:
|
|
|
17c662 |
+ a4:d4:76:0e:ef:d1:f9:c3:f9:21:01:ad:06:4c:9d:
|
|
|
17c662 |
+ 59:14:09:37:91:df:86:01:
|
|
|
17c662 |
+
|
|
|
17c662 |
+prime1:
|
|
|
17c662 |
+ 00:d6:e8:07:49:7f:a6:6a:d7:f3:76:84:4b:a9:cb:
|
|
|
17c662 |
+ 91:66:8a:c8:07:54:29:25:1d:e4:70:dd:2c:fd:ff:
|
|
|
17c662 |
+ dc:c6:0c:24:75:4f:a0:ca:82:e2:b6:3b:8b:f0:7b:
|
|
|
17c662 |
+ 37:c3:97:be:6c:b3:5f:91:a6:c0:56:48:aa:aa:3a:
|
|
|
17c662 |
+ d9:12:24:b7:81:
|
|
|
17c662 |
+
|
|
|
17c662 |
+prime2:
|
|
|
17c662 |
+ 00:c8:e1:50:40:9b:7e:34:9c:44:88:1e:16:4b:bf:
|
|
|
17c662 |
+ 04:0f:a6:b0:2b:9d:2f:a2:84:29:96:54:35:69:68:
|
|
|
17c662 |
+ 6f:a2:a7:2b:8a:de:e9:9e:0e:6f:b3:cf:d8:af:68:
|
|
|
17c662 |
+ 33:52:a6:e4:b5:d1:21:d0:6b:d2:d2:a6:af:97:62:
|
|
|
17c662 |
+ 44:fe:b8:00:07:
|
|
|
17c662 |
+
|
|
|
17c662 |
+coefficient:
|
|
|
17c662 |
+ 75:16:b8:48:0b:61:9a:a9:78:b1:72:93:94:51:54:
|
|
|
17c662 |
+ c1:07:69:b8:b1:dc:61:4a:f5:ef:b7:9c:f5:07:74:
|
|
|
17c662 |
+ 0d:8e:1a:a2:51:ea:00:91:ef:05:75:42:53:4d:6a:
|
|
|
17c662 |
+ e3:f5:de:07:a5:55:5f:8b:37:58:55:2b:43:ef:b2:
|
|
|
17c662 |
+ d0:38:a8:89:
|
|
|
17c662 |
+
|
|
|
17c662 |
+exp1:
|
|
|
17c662 |
+ 00:c9:b9:60:e5:b7:e1:b1:56:e5:dc:70:d0:49:20:
|
|
|
17c662 |
+ a1:6a:3c:89:08:80:12:63:19:cd:0d:b8:3e:fc:69:
|
|
|
17c662 |
+ 48:85:ca:6e:0a:83:e5:2d:52:70:96:98:0c:82:7e:
|
|
|
17c662 |
+ 56:d8:cd:3e:5c:f0:7e:9b:cc:87:ac:36:67:a4:84:
|
|
|
17c662 |
+ ba:af:92:31:81:
|
|
|
17c662 |
+
|
|
|
17c662 |
+exp2:
|
|
|
17c662 |
+ 65:0a:d8:78:36:fe:8b:6e:13:16:b8:b3:94:54:37:
|
|
|
17c662 |
+ b1:bb:b1:9f:ae:88:18:62:0c:1d:1e:ac:63:21:f2:
|
|
|
17c662 |
+ 0d:49:b3:20:3e:32:1a:9b:be:5a:1e:f1:2a:81:ea:
|
|
|
17c662 |
+ 56:e7:b5:e1:32:99:a4:a1:a7:c0:e7:b1:29:1f:77:
|
|
|
17c662 |
+ fe:fc:04:9f:
|
|
|
17c662 |
+
|
|
|
17c662 |
+
|
|
|
17c662 |
+Public Key ID: 12:0E:DA:51:12:40:56:AE:F4:1C:6D:CC:A1:B0:3D:28:61:7E:33:01
|
|
|
17c662 |
+Public key's random art:
|
|
|
17c662 |
++--[ RSA 1024]----+
|
|
|
17c662 |
+|.E*++.o |
|
|
|
17c662 |
+|oo *.B . |
|
|
|
17c662 |
+|..++O * |
|
|
|
17c662 |
+| o.*oB . |
|
|
|
17c662 |
+| o + o S |
|
|
|
17c662 |
+| . |
|
|
|
17c662 |
+| |
|
|
|
17c662 |
+| |
|
|
|
17c662 |
+| |
|
|
|
17c662 |
++-----------------+
|
|
|
17c662 |
+
|
|
|
17c662 |
+-----BEGIN RSA PRIVATE KEY-----
|
|
|
17c662 |
+MIICXAIBAAKBgQCoomr+kiRtx+/doF2FRSOxqBuuLbcpK5KwxtYk82L8MQzzJijf
|
|
|
17c662 |
+jS884kCijlR6dqD0oDS70ngNogg2uIgn1SfLTTgXw/v6w/nMnMIYZ+ePrF5WD1qG
|
|
|
17c662 |
+eOAuR+qts4Y4rfb9Yb8sXIPdui7HelqimJaVeMxAYJsqRBSixDSpYbkEhwIDAQAB
|
|
|
17c662 |
+AoGACPhKtKvVYDmIWsOS9enNkj+c6VDpMzlsHhcVgPWpSDzbsXtQJUP/RT/LrFnh
|
|
|
17c662 |
+yHnS6fAzneH+HMuHoFGEfInsCeA9yd/KQ9nBeTxH945xv6VuEYcN2S5aXaDTuluc
|
|
|
17c662 |
+I9szVF+iL9soBZ0HpNR2Du/R+cP5IQGtBkydWRQJN5HfhgECQQDW6AdJf6Zq1/N2
|
|
|
17c662 |
+hEupy5FmisgHVCklHeRw3Sz9/9zGDCR1T6DKguK2O4vwezfDl75ss1+RpsBWSKqq
|
|
|
17c662 |
+OtkSJLeBAkEAyOFQQJt+NJxEiB4WS78ED6awK50vooQpllQ1aWhvoqcrit7png5v
|
|
|
17c662 |
+s8/Yr2gzUqbktdEh0GvS0qavl2JE/rgABwJBAMm5YOW34bFW5dxw0EkgoWo8iQiA
|
|
|
17c662 |
+EmMZzQ24PvxpSIXKbgqD5S1ScJaYDIJ+VtjNPlzwfpvMh6w2Z6SEuq+SMYECQGUK
|
|
|
17c662 |
+2Hg2/otuExa4s5RUN7G7sZ+uiBhiDB0erGMh8g1JsyA+Mhqbvloe8SqB6lbnteEy
|
|
|
17c662 |
+maShp8DnsSkfd/78BJ8CQHUWuEgLYZqpeLFyk5RRVMEHabix3GFK9e+3nPUHdA2O
|
|
|
17c662 |
+GqJR6gCR7wV1QlNNauP13gelVV+LN1hVK0PvstA4qIk=
|
|
|
17c662 |
+-----END RSA PRIVATE KEY-----
|
|
|
17c662 |
diff --git a/tests/testpkcs11-certs/client-tmpl b/tests/testpkcs11-certs/client-tmpl
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..a22eef84b
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11-certs/client-tmpl
|
|
|
17c662 |
@@ -0,0 +1,67 @@
|
|
|
17c662 |
+# X.509 Certificate options
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# DN options
|
|
|
17c662 |
+
|
|
|
17c662 |
+dn = "cn=Client,C=CZ"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# The serial number of the certificate
|
|
|
17c662 |
+serial = 3
|
|
|
17c662 |
+
|
|
|
17c662 |
+# In how many days, counting from today, this certificate will expire.
|
|
|
17c662 |
+expiration_days = 2590
|
|
|
17c662 |
+
|
|
|
17c662 |
+# X.509 v3 extensions
|
|
|
17c662 |
+
|
|
|
17c662 |
+# A dnsname in case of a WWW server.
|
|
|
17c662 |
+#dns_name = "localhost"
|
|
|
17c662 |
+#dns_name = "www.morethanone.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# An IP address in case of a server.
|
|
|
17c662 |
+#ip_address = "192.168.1.1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+#dns_name = "www.evenmorethanone.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# An email in case of a person
|
|
|
17c662 |
+email = "none@none.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# An URL that has CRLs (certificate revocation lists)
|
|
|
17c662 |
+# available. Needed in CA certificates.
|
|
|
17c662 |
+#crl_dist_points = "http://www.getcrl.crl/getcrl/"
|
|
|
17c662 |
+
|
|
|
17c662 |
+#email = "where@none.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this is a CA certificate or not
|
|
|
17c662 |
+#ca
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used for a TLS client
|
|
|
17c662 |
+tls_www_client
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used for a TLS server
|
|
|
17c662 |
+#tls_www_server
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used to sign data (needed
|
|
|
17c662 |
+# in TLS DHE ciphersuites).
|
|
|
17c662 |
+signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used to encrypt data (needed
|
|
|
17c662 |
+# in TLS RSA ciphersuites). Note that it is preferred to use different
|
|
|
17c662 |
+# keys for encryption and signing.
|
|
|
17c662 |
+#encryption_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign other certificates.
|
|
|
17c662 |
+#cert_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign CRLs.
|
|
|
17c662 |
+#crl_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign code.
|
|
|
17c662 |
+#code_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign OCSP data.
|
|
|
17c662 |
+#ocsp_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used for time stamping.
|
|
|
17c662 |
+#time_stamping_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used for IPsec IKE operations.
|
|
|
17c662 |
+#ipsec_ike_key
|
|
|
17c662 |
diff --git a/tests/testpkcs11-certs/client.crt b/tests/testpkcs11-certs/client.crt
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..6f75590d2
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11-certs/client.crt
|
|
|
17c662 |
@@ -0,0 +1,16 @@
|
|
|
17c662 |
+-----BEGIN CERTIFICATE-----
|
|
|
17c662 |
+MIICdDCCAd2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL
|
|
|
17c662 |
+MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI1MjdaGA8yMDIwMTIxMzA4MjUyN1ow
|
|
|
17c662 |
+HjEPMA0GA1UEAxMGQ2xpZW50MQswCQYDVQQGEwJDWjCBnzANBgkqhkiG9w0BAQEF
|
|
|
17c662 |
+AAOBjQAwgYkCgYEAvQRIzvKyhr3tqmB4Pe+91DWSFayaNtcrDIT597bhxugVYW8o
|
|
|
17c662 |
+jB206kx5aknAMA3PQGYcGqkLrt+nsJcmOIXDZsC6P4zeOSsF1PPhDAoX3bkUr2lF
|
|
|
17c662 |
+MEt374eKdg1yvyhRxt4DOR6aD4gkC7fVtaYdgV6yXpJGMHV05LBIgQ7QtykCAwEA
|
|
|
17c662 |
+AaOBwTCBvjAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBgGA1Ud
|
|
|
17c662 |
+EQQRMA+BDW5vbmVAbm9uZS5vcmcwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQU
|
|
|
17c662 |
+Dbinh11GaaJcTyOpmxPYuttsiGowHwYDVR0jBBgwFoAUEg7aURJAVq70HG3MobA9
|
|
|
17c662 |
+KGF+MwEwLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dl
|
|
|
17c662 |
+dGNybC8wDQYJKoZIhvcNAQELBQADgYEAN/Henso+5zzuFQWTpJXlUsWtRQAFhRY3
|
|
|
17c662 |
+WVt3xtnyPs4pF/LKBp3Ov0GLGBkz5YlyJGFNESSyUviMsH7g7rJM8i7Bph6BQTE9
|
|
|
17c662 |
+XdqbZPc0opfms4EHjmlXj5HQ0f0yoxHnLk43CR+vmbn0JPuurnEKAwjznAJR8GxI
|
|
|
17c662 |
+R2MRyMxdGqs=
|
|
|
17c662 |
+-----END CERTIFICATE-----
|
|
|
17c662 |
diff --git a/tests/testpkcs11-certs/client.key b/tests/testpkcs11-certs/client.key
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..9277bdfd8
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11-certs/client.key
|
|
|
17c662 |
@@ -0,0 +1,94 @@
|
|
|
17c662 |
+Public Key Info:
|
|
|
17c662 |
+ Public Key Algorithm: RSA
|
|
|
17c662 |
+ Key Security Level: Weak (1024 bits)
|
|
|
17c662 |
+
|
|
|
17c662 |
+modulus:
|
|
|
17c662 |
+ 00:bd:04:48:ce:f2:b2:86:bd:ed:aa:60:78:3d:ef:
|
|
|
17c662 |
+ bd:d4:35:92:15:ac:9a:36:d7:2b:0c:84:f9:f7:b6:
|
|
|
17c662 |
+ e1:c6:e8:15:61:6f:28:8c:1d:b4:ea:4c:79:6a:49:
|
|
|
17c662 |
+ c0:30:0d:cf:40:66:1c:1a:a9:0b:ae:df:a7:b0:97:
|
|
|
17c662 |
+ 26:38:85:c3:66:c0:ba:3f:8c:de:39:2b:05:d4:f3:
|
|
|
17c662 |
+ e1:0c:0a:17:dd:b9:14:af:69:45:30:4b:77:ef:87:
|
|
|
17c662 |
+ 8a:76:0d:72:bf:28:51:c6:de:03:39:1e:9a:0f:88:
|
|
|
17c662 |
+ 24:0b:b7:d5:b5:a6:1d:81:5e:b2:5e:92:46:30:75:
|
|
|
17c662 |
+ 74:e4:b0:48:81:0e:d0:b7:29:
|
|
|
17c662 |
+
|
|
|
17c662 |
+public exponent:
|
|
|
17c662 |
+ 01:00:01:
|
|
|
17c662 |
+
|
|
|
17c662 |
+private exponent:
|
|
|
17c662 |
+ 00:a5:eb:b1:e2:00:07:98:e1:f6:53:de:35:0e:e1:
|
|
|
17c662 |
+ 79:78:63:c2:25:c6:8a:e4:e3:02:46:0e:20:c3:43:
|
|
|
17c662 |
+ 45:73:ee:5c:7e:58:2e:76:b8:c9:0b:f7:2f:89:8e:
|
|
|
17c662 |
+ cd:e7:20:e8:32:36:b0:2a:f3:03:6f:71:a2:e9:0f:
|
|
|
17c662 |
+ f5:9c:1e:47:84:54:2b:67:12:e3:f4:20:80:7f:54:
|
|
|
17c662 |
+ 81:63:f4:41:4a:6f:8f:89:e8:83:24:64:87:b5:2b:
|
|
|
17c662 |
+ 5b:25:55:c5:b6:e8:1d:c9:a0:a9:68:0d:2d:1f:06:
|
|
|
17c662 |
+ ac:46:6a:96:93:96:16:24:fe:7f:e4:00:c7:bf:37:
|
|
|
17c662 |
+ fe:48:6f:3f:94:0b:36:9e:81:
|
|
|
17c662 |
+
|
|
|
17c662 |
+prime1:
|
|
|
17c662 |
+ 00:dd:8b:ef:a9:f3:e9:7a:97:6f:50:2f:d4:93:ff:
|
|
|
17c662 |
+ 0b:6d:52:b4:2c:64:d2:bb:6c:a7:ca:5d:5f:31:ba:
|
|
|
17c662 |
+ 2c:f6:59:09:34:57:5f:3c:cd:f5:2b:a0:c7:7a:ac:
|
|
|
17c662 |
+ e2:20:64:a8:58:24:a3:02:c3:7f:7b:c5:7b:31:4e:
|
|
|
17c662 |
+ de:81:6b:48:f9:
|
|
|
17c662 |
+
|
|
|
17c662 |
+prime2:
|
|
|
17c662 |
+ 00:da:69:4a:53:be:3d:36:07:58:a7:8e:58:4e:cd:
|
|
|
17c662 |
+ 90:cd:72:54:7c:40:89:ab:fd:3a:8b:6d:d0:9c:b0:
|
|
|
17c662 |
+ 00:7f:11:6a:b7:f2:4e:e0:81:8b:23:09:3f:c4:6f:
|
|
|
17c662 |
+ f7:6d:06:b1:c8:83:63:87:72:c7:43:01:24:5d:2d:
|
|
|
17c662 |
+ 88:7f:b9:1b:b1:
|
|
|
17c662 |
+
|
|
|
17c662 |
+coefficient:
|
|
|
17c662 |
+ 30:19:e0:d7:bd:0f:0d:96:b0:65:64:00:82:2a:9d:
|
|
|
17c662 |
+ 6c:52:a6:89:a6:db:89:e3:7f:10:c3:3b:5b:97:73:
|
|
|
17c662 |
+ ea:13:af:fc:4c:3e:72:5e:da:cb:b7:d4:b6:2c:d0:
|
|
|
17c662 |
+ 05:c3:58:bb:2d:59:2c:50:1f:08:6d:03:53:ba:ec:
|
|
|
17c662 |
+ 15:ec:b6:08:
|
|
|
17c662 |
+
|
|
|
17c662 |
+exp1:
|
|
|
17c662 |
+ 00:d0:6d:4e:54:3d:bc:72:30:f5:f0:22:8f:83:8c:
|
|
|
17c662 |
+ 76:5b:ab:6b:06:38:f4:68:8f:98:6b:b1:dc:55:14:
|
|
|
17c662 |
+ 2a:28:b9:2b:07:ab:0b:56:51:0d:4e:b6:3b:f5:15:
|
|
|
17c662 |
+ a0:c7:88:eb:37:c1:7f:fa:a1:a1:d5:f7:bc:26:6f:
|
|
|
17c662 |
+ 64:b5:ad:11:41:
|
|
|
17c662 |
+
|
|
|
17c662 |
+exp2:
|
|
|
17c662 |
+ 2a:a6:b1:0b:15:75:62:9d:a0:a4:67:d9:ba:d9:cd:
|
|
|
17c662 |
+ d3:30:e6:6a:b5:37:ad:4c:70:28:56:33:8c:c5:99:
|
|
|
17c662 |
+ f3:36:75:7e:a2:64:e0:d6:ab:53:16:35:4b:a9:09:
|
|
|
17c662 |
+ ca:52:aa:59:1b:bf:4d:ee:0e:17:79:9b:9e:4e:8b:
|
|
|
17c662 |
+ ff:55:28:a1:
|
|
|
17c662 |
+
|
|
|
17c662 |
+
|
|
|
17c662 |
+Public Key ID: 0D:B8:A7:87:5D:46:69:A2:5C:4F:23:A9:9B:13:D8:BA:DB:6C:88:6A
|
|
|
17c662 |
+Public key's random art:
|
|
|
17c662 |
++--[ RSA 1024]----+
|
|
|
17c662 |
+| |
|
|
|
17c662 |
+| . . . |
|
|
|
17c662 |
+| . * * |
|
|
|
17c662 |
+| + = X . |
|
|
|
17c662 |
+| . B S = |
|
|
|
17c662 |
+| . O o |
|
|
|
17c662 |
+| ...* o |
|
|
|
17c662 |
+| E. .+.o |
|
|
|
17c662 |
+|o. ooo |
|
|
|
17c662 |
++-----------------+
|
|
|
17c662 |
+
|
|
|
17c662 |
+-----BEGIN RSA PRIVATE KEY-----
|
|
|
17c662 |
+MIICXQIBAAKBgQC9BEjO8rKGve2qYHg9773UNZIVrJo21ysMhPn3tuHG6BVhbyiM
|
|
|
17c662 |
+HbTqTHlqScAwDc9AZhwaqQuu36ewlyY4hcNmwLo/jN45KwXU8+EMChfduRSvaUUw
|
|
|
17c662 |
+S3fvh4p2DXK/KFHG3gM5HpoPiCQLt9W1ph2BXrJekkYwdXTksEiBDtC3KQIDAQAB
|
|
|
17c662 |
+AoGBAKXrseIAB5jh9lPeNQ7heXhjwiXGiuTjAkYOIMNDRXPuXH5YLna4yQv3L4mO
|
|
|
17c662 |
+zecg6DI2sCrzA29xoukP9ZweR4RUK2cS4/QggH9UgWP0QUpvj4nogyRkh7UrWyVV
|
|
|
17c662 |
+xbboHcmgqWgNLR8GrEZqlpOWFiT+f+QAx783/khvP5QLNp6BAkEA3YvvqfPpepdv
|
|
|
17c662 |
+UC/Uk/8LbVK0LGTSu2ynyl1fMbos9lkJNFdfPM31K6DHeqziIGSoWCSjAsN/e8V7
|
|
|
17c662 |
+MU7egWtI+QJBANppSlO+PTYHWKeOWE7NkM1yVHxAiav9Oott0JywAH8RarfyTuCB
|
|
|
17c662 |
+iyMJP8Rv920GsciDY4dyx0MBJF0tiH+5G7ECQQDQbU5UPbxyMPXwIo+DjHZbq2sG
|
|
|
17c662 |
+OPRoj5hrsdxVFCoouSsHqwtWUQ1Otjv1FaDHiOs3wX/6oaHV97wmb2S1rRFBAkAq
|
|
|
17c662 |
+prELFXVinaCkZ9m62c3TMOZqtTetTHAoVjOMxZnzNnV+omTg1qtTFjVLqQnKUqpZ
|
|
|
17c662 |
+G79N7g4XeZueTov/VSihAkAwGeDXvQ8NlrBlZACCKp1sUqaJptuJ438Qwztbl3Pq
|
|
|
17c662 |
+E6/8TD5yXtrLt9S2LNAFw1i7LVksUB8IbQNTuuwV7LYI
|
|
|
17c662 |
+-----END RSA PRIVATE KEY-----
|
|
|
17c662 |
diff --git a/tests/testpkcs11-certs/server-tmpl b/tests/testpkcs11-certs/server-tmpl
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..23103b4a9
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11-certs/server-tmpl
|
|
|
17c662 |
@@ -0,0 +1,67 @@
|
|
|
17c662 |
+# X.509 Certificate options
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# DN options
|
|
|
17c662 |
+
|
|
|
17c662 |
+dn = "cn=Server,C=CZ"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# The serial number of the certificate
|
|
|
17c662 |
+serial = 2
|
|
|
17c662 |
+
|
|
|
17c662 |
+# In how many days, counting from today, this certificate will expire.
|
|
|
17c662 |
+expiration_days = 2590
|
|
|
17c662 |
+
|
|
|
17c662 |
+# X.509 v3 extensions
|
|
|
17c662 |
+
|
|
|
17c662 |
+# A dnsname in case of a WWW server.
|
|
|
17c662 |
+dns_name = "localhost"
|
|
|
17c662 |
+#dns_name = "www.morethanone.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# An IP address in case of a server.
|
|
|
17c662 |
+ip_address = "127.0.0.1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+#dns_name = "www.evenmorethanone.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# An email in case of a person
|
|
|
17c662 |
+email = "none@none.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# An URL that has CRLs (certificate revocation lists)
|
|
|
17c662 |
+# available. Needed in CA certificates.
|
|
|
17c662 |
+#crl_dist_points = "http://www.getcrl.crl/getcrl/"
|
|
|
17c662 |
+
|
|
|
17c662 |
+#email = "where@none.org"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this is a CA certificate or not
|
|
|
17c662 |
+#ca
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used for a TLS client
|
|
|
17c662 |
+#tls_www_client
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used for a TLS server
|
|
|
17c662 |
+tls_www_server
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used to sign data (needed
|
|
|
17c662 |
+# in TLS DHE ciphersuites).
|
|
|
17c662 |
+signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this certificate will be used to encrypt data (needed
|
|
|
17c662 |
+# in TLS RSA ciphersuites). Note that it is preferred to use different
|
|
|
17c662 |
+# keys for encryption and signing.
|
|
|
17c662 |
+encryption_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign other certificates.
|
|
|
17c662 |
+#cert_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign CRLs.
|
|
|
17c662 |
+#crl_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign code.
|
|
|
17c662 |
+#code_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used to sign OCSP data.
|
|
|
17c662 |
+#ocsp_signing_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used for time stamping.
|
|
|
17c662 |
+#time_stamping_key
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Whether this key will be used for IPsec IKE operations.
|
|
|
17c662 |
+#ipsec_ike_key
|
|
|
17c662 |
diff --git a/tests/testpkcs11-certs/server.crt b/tests/testpkcs11-certs/server.crt
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..694a0101f
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11-certs/server.crt
|
|
|
17c662 |
@@ -0,0 +1,16 @@
|
|
|
17c662 |
+-----BEGIN CERTIFICATE-----
|
|
|
17c662 |
+MIICdjCCAd+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQDEwJDQTEL
|
|
|
17c662 |
+MAkGA1UEBhMCQ1owIhgPMjAxMzExMTAwODI1MDJaGA8yMDIwMTIxMzA4MjUwMlow
|
|
|
17c662 |
+HjEPMA0GA1UEAxMGU2VydmVyMQswCQYDVQQGEwJDWjCBnzANBgkqhkiG9w0BAQEF
|
|
|
17c662 |
+AAOBjQAwgYkCgYEApf9FBAZadRuU0AGrH4xgNh5V5tFDErTba2bF8b7USLRUzETm
|
|
|
17c662 |
++qBW87I6QXWDFsZlvyyzrpINmpbG3UNr3cVLgT7DLC2ct5nZFT4j25BYswcr0V5C
|
|
|
17c662 |
+00BAz6NUcuTzY0e0iN+H80H/mUr3Xu5r9wJca1LGTspBF1NOTNoAunlSm3cCAwEA
|
|
|
17c662 |
+AaOBwzCBwDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA
|
|
|
17c662 |
+ATATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQW
|
|
|
17c662 |
+BBSsHXo5y3IXlGZsdERzQJFEwKBDfTAfBgNVHSMEGDAWgBQSDtpREkBWrvQcbcyh
|
|
|
17c662 |
+sD0oYX4zATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vd3d3LmdldGNybC5jcmwv
|
|
|
17c662 |
+Z2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOBgQBG1omwPssQQPTLd4WeCQyuM/Yj1kOO
|
|
|
17c662 |
+VwFOATVs2+XELAGg6GVrSS302+JKdW51j+11NpIMgJfgaeRdZkgBNR4uOi1okOQh
|
|
|
17c662 |
+Asm8TC3ex3v1rxZdunp0wBQ/H/ox4zMM5Ds8ITtQNeUwXqUj3tPorTWFEsNegTnY
|
|
|
17c662 |
+WmV1jslH8fZ4Fg==
|
|
|
17c662 |
+-----END CERTIFICATE-----
|
|
|
17c662 |
diff --git a/tests/testpkcs11-certs/server.key b/tests/testpkcs11-certs/server.key
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..56e48735a
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11-certs/server.key
|
|
|
17c662 |
@@ -0,0 +1,94 @@
|
|
|
17c662 |
+Public Key Info:
|
|
|
17c662 |
+ Public Key Algorithm: RSA
|
|
|
17c662 |
+ Key Security Level: Weak (1024 bits)
|
|
|
17c662 |
+
|
|
|
17c662 |
+modulus:
|
|
|
17c662 |
+ 00:a5:ff:45:04:06:5a:75:1b:94:d0:01:ab:1f:8c:
|
|
|
17c662 |
+ 60:36:1e:55:e6:d1:43:12:b4:db:6b:66:c5:f1:be:
|
|
|
17c662 |
+ d4:48:b4:54:cc:44:e6:fa:a0:56:f3:b2:3a:41:75:
|
|
|
17c662 |
+ 83:16:c6:65:bf:2c:b3:ae:92:0d:9a:96:c6:dd:43:
|
|
|
17c662 |
+ 6b:dd:c5:4b:81:3e:c3:2c:2d:9c:b7:99:d9:15:3e:
|
|
|
17c662 |
+ 23:db:90:58:b3:07:2b:d1:5e:42:d3:40:40:cf:a3:
|
|
|
17c662 |
+ 54:72:e4:f3:63:47:b4:88:df:87:f3:41:ff:99:4a:
|
|
|
17c662 |
+ f7:5e:ee:6b:f7:02:5c:6b:52:c6:4e:ca:41:17:53:
|
|
|
17c662 |
+ 4e:4c:da:00:ba:79:52:9b:77:
|
|
|
17c662 |
+
|
|
|
17c662 |
+public exponent:
|
|
|
17c662 |
+ 01:00:01:
|
|
|
17c662 |
+
|
|
|
17c662 |
+private exponent:
|
|
|
17c662 |
+ 55:76:38:45:1b:34:45:28:9f:13:fc:57:ea:d5:2d:
|
|
|
17c662 |
+ cf:8f:0c:b0:da:3a:0b:0e:7c:0d:2e:8b:68:ab:d3:
|
|
|
17c662 |
+ c5:5e:ba:6d:b4:67:aa:cf:14:15:41:44:46:e1:46:
|
|
|
17c662 |
+ 4d:5a:75:95:d8:60:e5:d6:a2:14:5d:de:22:9a:8c:
|
|
|
17c662 |
+ 95:4f:f7:4f:cd:eb:65:a0:29:35:b1:16:b7:c2:74:
|
|
|
17c662 |
+ f1:a4:45:43:6c:77:59:37:b3:cb:43:60:80:29:5e:
|
|
|
17c662 |
+ b6:99:60:9a:12:4d:2b:54:2e:c3:3a:76:96:7d:72:
|
|
|
17c662 |
+ b1:72:24:f1:2a:2d:ff:99:92:1e:bb:55:f1:58:6e:
|
|
|
17c662 |
+ 64:08:36:26:4b:b2:c6:99:
|
|
|
17c662 |
+
|
|
|
17c662 |
+prime1:
|
|
|
17c662 |
+ 00:c7:65:44:0f:4e:6b:51:cd:d4:0b:84:9c:a9:30:
|
|
|
17c662 |
+ 1b:7b:6d:9a:ca:f7:27:8d:8f:b5:05:81:b8:0d:d2:
|
|
|
17c662 |
+ a2:b3:e3:ab:bb:04:a1:8d:ec:dc:65:38:99:e9:e1:
|
|
|
17c662 |
+ 4f:70:47:79:8d:e6:3a:f0:9f:7b:3b:aa:bd:80:1d:
|
|
|
17c662 |
+ 4d:0d:2a:00:7d:
|
|
|
17c662 |
+
|
|
|
17c662 |
+prime2:
|
|
|
17c662 |
+ 00:d5:1e:d4:82:40:de:a6:ce:1a:59:93:b8:51:c6:
|
|
|
17c662 |
+ 55:15:7f:83:d0:11:ac:a1:44:0a:95:f0:e5:96:03:
|
|
|
17c662 |
+ 53:5e:2c:27:eb:63:5f:b7:1c:06:64:fb:35:c9:a3:
|
|
|
17c662 |
+ a1:1a:fb:f2:3c:31:a1:51:58:40:5e:24:28:dd:ba:
|
|
|
17c662 |
+ dc:c4:14:22:03:
|
|
|
17c662 |
+
|
|
|
17c662 |
+coefficient:
|
|
|
17c662 |
+ 00:9c:b5:66:d6:6d:93:93:da:0f:15:96:48:07:c6:
|
|
|
17c662 |
+ 4a:eb:ae:da:2a:fc:d8:b3:03:cb:5e:5e:10:9e:7f:
|
|
|
17c662 |
+ e8:49:96:db:70:6b:ef:d7:5a:4a:a4:f5:2a:da:89:
|
|
|
17c662 |
+ 39:b4:51:09:64:4c:75:92:57:ee:4f:9e:4d:55:f9:
|
|
|
17c662 |
+ d0:34:0e:6f:43:
|
|
|
17c662 |
+
|
|
|
17c662 |
+exp1:
|
|
|
17c662 |
+ 2a:3c:5f:10:46:f2:20:9f:d2:bc:a5:d8:71:56:09:
|
|
|
17c662 |
+ 5c:39:b9:42:28:dc:2d:f6:34:c7:f7:d4:3e:c9:51:
|
|
|
17c662 |
+ 41:7d:86:50:d5:08:4b:81:d2:a5:76:39:d3:fa:af:
|
|
|
17c662 |
+ d2:fe:b0:d6:c7:df:d0:3c:57:e4:29:a4:7e:50:b6:
|
|
|
17c662 |
+ 93:85:44:19:
|
|
|
17c662 |
+
|
|
|
17c662 |
+exp2:
|
|
|
17c662 |
+ 1a:1b:38:b4:eb:f5:5a:41:8d:00:c4:13:a4:10:c3:
|
|
|
17c662 |
+ 83:6a:a7:5e:e9:8b:58:05:d9:b6:1c:58:43:54:0c:
|
|
|
17c662 |
+ f6:50:3a:63:9f:3c:ae:55:84:83:02:32:c8:8c:7e:
|
|
|
17c662 |
+ c3:ab:71:34:e6:6f:78:63:73:1f:15:16:dc:72:73:
|
|
|
17c662 |
+ 70:a1:76:b9:
|
|
|
17c662 |
+
|
|
|
17c662 |
+
|
|
|
17c662 |
+Public Key ID: AC:1D:7A:39:CB:72:17:94:66:6C:74:44:73:40:91:44:C0:A0:43:7D
|
|
|
17c662 |
+Public key's random art:
|
|
|
17c662 |
++--[ RSA 1024]----+
|
|
|
17c662 |
+| ...o.BX+. |
|
|
|
17c662 |
+| . .. E oo |
|
|
|
17c662 |
+| o + o |
|
|
|
17c662 |
+| o B |
|
|
|
17c662 |
+| S= |
|
|
|
17c662 |
+| + o. |
|
|
|
17c662 |
+| o = . |
|
|
|
17c662 |
+| .o.o. |
|
|
|
17c662 |
+| oo. |
|
|
|
17c662 |
++-----------------+
|
|
|
17c662 |
+
|
|
|
17c662 |
+-----BEGIN RSA PRIVATE KEY-----
|
|
|
17c662 |
+MIICXAIBAAKBgQCl/0UEBlp1G5TQAasfjGA2HlXm0UMStNtrZsXxvtRItFTMROb6
|
|
|
17c662 |
+oFbzsjpBdYMWxmW/LLOukg2alsbdQ2vdxUuBPsMsLZy3mdkVPiPbkFizByvRXkLT
|
|
|
17c662 |
+QEDPo1Ry5PNjR7SI34fzQf+ZSvde7mv3AlxrUsZOykEXU05M2gC6eVKbdwIDAQAB
|
|
|
17c662 |
+AoGAVXY4RRs0RSifE/xX6tUtz48MsNo6Cw58DS6LaKvTxV66bbRnqs8UFUFERuFG
|
|
|
17c662 |
+TVp1ldhg5daiFF3eIpqMlU/3T83rZaApNbEWt8J08aRFQ2x3WTezy0NggCletplg
|
|
|
17c662 |
+mhJNK1Quwzp2ln1ysXIk8Sot/5mSHrtV8VhuZAg2JkuyxpkCQQDHZUQPTmtRzdQL
|
|
|
17c662 |
+hJypMBt7bZrK9yeNj7UFgbgN0qKz46u7BKGN7NxlOJnp4U9wR3mN5jrwn3s7qr2A
|
|
|
17c662 |
+HU0NKgB9AkEA1R7UgkDeps4aWZO4UcZVFX+D0BGsoUQKlfDllgNTXiwn62NftxwG
|
|
|
17c662 |
+ZPs1yaOhGvvyPDGhUVhAXiQo3brcxBQiAwJAKjxfEEbyIJ/SvKXYcVYJXDm5Qijc
|
|
|
17c662 |
+LfY0x/fUPslRQX2GUNUIS4HSpXY50/qv0v6w1sff0DxX5CmkflC2k4VEGQJAGhs4
|
|
|
17c662 |
+tOv1WkGNAMQTpBDDg2qnXumLWAXZthxYQ1QM9lA6Y588rlWEgwIyyIx+w6txNOZv
|
|
|
17c662 |
+eGNzHxUW3HJzcKF2uQJBAJy1ZtZtk5PaDxWWSAfGSuuu2ir82LMDy15eEJ5/6EmW
|
|
|
17c662 |
+23Br79daSqT1KtqJObRRCWRMdZJX7k+eTVX50DQOb0M=
|
|
|
17c662 |
+-----END RSA PRIVATE KEY-----
|
|
|
17c662 |
diff --git a/tests/testpkcs11.pkcs15 b/tests/testpkcs11.pkcs15
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..565282a31
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11.pkcs15
|
|
|
17c662 |
@@ -0,0 +1,45 @@
|
|
|
17c662 |
+#!/bin/sh
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# This file is part of GnuTLS.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# GnuTLS is free software; you can redistribute it and/or modify it
|
|
|
17c662 |
+# under the terms of the GNU General Public License as published by the
|
|
|
17c662 |
+# Free Software Foundation; either version 3 of the License, or (at
|
|
|
17c662 |
+# your option) any later version.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# GnuTLS is distributed in the hope that it will be useful, but
|
|
|
17c662 |
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
17c662 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
17c662 |
+# General Public License for more details.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# You should have received a copy of the GNU General Public License
|
|
|
17c662 |
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
|
|
17c662 |
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
17c662 |
+
|
|
|
17c662 |
+
|
|
|
17c662 |
+init_card () {
|
|
|
17c662 |
+ PIN="$1"
|
|
|
17c662 |
+ PUK="$2"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Erasing smart card... "
|
|
|
17c662 |
+ pkcs15-init -E >"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ cat "${TMPFILE}"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Initializing smart card... "
|
|
|
17c662 |
+ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin "${PIN}" --pin "${PIN}" --puk "${PUK}" --label "GnuTLS-Test" >"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ cat "${TMPFILE}"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
diff --git a/tests/testpkcs11.sc-hsm b/tests/testpkcs11.sc-hsm
|
|
|
17c662 |
new file mode 100644
|
|
|
17c662 |
index 000000000..f3eab685f
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11.sc-hsm
|
|
|
17c662 |
@@ -0,0 +1,50 @@
|
|
|
17c662 |
+#!/bin/sh
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# This file is part of GnuTLS.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# GnuTLS is free software; you can redistribute it and/or modify it
|
|
|
17c662 |
+# under the terms of the GNU General Public License as published by the
|
|
|
17c662 |
+# Free Software Foundation; either version 3 of the License, or (at
|
|
|
17c662 |
+# your option) any later version.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# GnuTLS is distributed in the hope that it will be useful, but
|
|
|
17c662 |
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
17c662 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
17c662 |
+# General Public License for more details.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# You should have received a copy of the GNU General Public License
|
|
|
17c662 |
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
|
|
17c662 |
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
17c662 |
+
|
|
|
17c662 |
+
|
|
|
17c662 |
+init_card () {
|
|
|
17c662 |
+ PIN="$1"
|
|
|
17c662 |
+ PUK=3537363231383830
|
|
|
17c662 |
+ export GNUTLS_SO_PIN="${PUK}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Erasing smart card... "
|
|
|
17c662 |
+ sc-hsm-tool --initialize --so-pin "${PUK}" --pin "${PIN}" --label=GnuTLS-Test >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Initializing smart card... "
|
|
|
17c662 |
+ TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
|
|
|
17c662 |
+ if test -z "${TOKEN}"; then
|
|
|
17c662 |
+ echo "Could not find initialized card"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --initialize "${TOKEN}" --set-so-pin "${PUK}" --set-pin "${PIN}" --label "GnuTLS-Test" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
|
|
|
17c662 |
new file mode 100755
|
|
|
17c662 |
index 000000000..e8cdcd30d
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11.sh
|
|
|
17c662 |
@@ -0,0 +1,938 @@
|
|
|
17c662 |
+#!/bin/sh
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# This file is part of GnuTLS.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# GnuTLS is free software; you can redistribute it and/or modify it
|
|
|
17c662 |
+# under the terms of the GNU General Public License as published by the
|
|
|
17c662 |
+# Free Software Foundation; either version 3 of the License, or (at
|
|
|
17c662 |
+# your option) any later version.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# GnuTLS is distributed in the hope that it will be useful, but
|
|
|
17c662 |
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
17c662 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
17c662 |
+# General Public License for more details.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# You should have received a copy of the GNU General Public License
|
|
|
17c662 |
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
|
|
17c662 |
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
17c662 |
+
|
|
|
17c662 |
+srcdir="${srcdir:-.}"
|
|
|
17c662 |
+P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
|
|
|
17c662 |
+CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
|
|
|
17c662 |
+DIFF="${DIFF:-diff -b -B}"
|
|
|
17c662 |
+SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
|
|
|
17c662 |
+CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
|
|
|
17c662 |
+RETCODE=0
|
|
|
17c662 |
+
|
|
|
17c662 |
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
|
|
|
17c662 |
+ echo "Cannot run in FIPS140-2 mode"
|
|
|
17c662 |
+ exit 77
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+if ! test -x "${P11TOOL}"; then
|
|
|
17c662 |
+ exit 77
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+if ! test -x "${CERTTOOL}"; then
|
|
|
17c662 |
+ exit 77
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+if ! test -x "${SERV}"; then
|
|
|
17c662 |
+ exit 77
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+if ! test -x "${CLI}"; then
|
|
|
17c662 |
+ exit 77
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+if ! test -z "${VALGRIND}"; then
|
|
|
17c662 |
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute valgrind --leak-check=full"
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+TMPFILE="testpkcs11.debug.log"
|
|
|
17c662 |
+CERTTOOL_PARAM="--stdout-info"
|
|
|
17c662 |
+
|
|
|
17c662 |
+if test "${WINDIR}" != ""; then
|
|
|
17c662 |
+ exit 77
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ASAN_OPTIONS="detect_leaks=0"
|
|
|
17c662 |
+export ASAN_OPTIONS
|
|
|
17c662 |
+
|
|
|
17c662 |
+P11TOOL="${VALGRIND} ${P11TOOL} --batch"
|
|
|
17c662 |
+SERV="${SERV} -q"
|
|
|
17c662 |
+
|
|
|
17c662 |
+. ${srcdir}/scripts/common.sh
|
|
|
17c662 |
+
|
|
|
17c662 |
+rm -f "${TMPFILE}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+exit_error () {
|
|
|
17c662 |
+ echo "check ${TMPFILE} for additional debugging information"
|
|
|
17c662 |
+ echo ""
|
|
|
17c662 |
+ echo ""
|
|
|
17c662 |
+ tail "${TMPFILE}"
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: filename
|
|
|
17c662 |
+# ${srcdir}/testpkcs11-certs/client.key
|
|
|
17c662 |
+write_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ filename="$3"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Writing a client private key... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label gnutls-client2 --load-privkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Checking whether object was marked private... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client2" 2>/dev/null | grep 'Label\:' >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo "private object was public"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Checking whether object was marked sensitive... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client2" | grep "CKA_SENSITIVE" >/dev/null 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "private object was not sensitive"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: filename
|
|
|
17c662 |
+write_serv_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ filename="$3"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Writing the server private key... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-key --load-privkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: filename
|
|
|
17c662 |
+write_serv_pubkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ filename="$3"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Writing the server public key... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label serv-pubkey --load-pubkey "${filename}" "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ #verify it being written
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=serv-pubkey;type=public" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=serv-pubkey;type=public"|grep "Public key" >/dev/null 2>&1
|
|
|
17c662 |
+ if test $? != 0;then
|
|
|
17c662 |
+ echo "Cannot verify the existence of the written pubkey"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: filename
|
|
|
17c662 |
+write_serv_cert () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ filename="$3"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Writing the server certificate... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --no-mark-private --label serv-cert --load-certificate "${filename}" "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+test_delete_cert () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ filename="$3"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Deleting the server certificate... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=serv-cert;object-type=cert" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: bits
|
|
|
17c662 |
+generate_rsa_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ bits="$3"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Generating RSA private key ("${bits}")... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --id 000102030405 --label gnutls-client --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Checking whether generated private key was marked private... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --list-privkeys "${token};object=gnutls-client" 2>/dev/null | grep 'Label\:' >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo "private object was public"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Checking whether private key was marked sensitive... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client" | grep "CKA_SENSITIVE" >/dev/null 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "private object was not sensitive"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: bits
|
|
|
17c662 |
+generate_temp_rsa_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ bits="$3"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Generating RSA private key ("${bits}")... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-rsa-"${bits}" --generate-rsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+# if test ${RETCODE} = 0; then
|
|
|
17c662 |
+# echo -n "* Testing private key flags... "
|
|
|
17c662 |
+# ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-keys "${token};object=gnutls-client2;object-type=private" >tmp-client-2.pub 2>>"${TMPFILE}"
|
|
|
17c662 |
+# if test $? != 0; then
|
|
|
17c662 |
+# echo failed
|
|
|
17c662 |
+# exit_error
|
|
|
17c662 |
+# fi
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# grep CKA_WRAP tmp-client-2.pub >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+# if test $? != 0; then
|
|
|
17c662 |
+# echo "failed (no CKA_WRAP)"
|
|
|
17c662 |
+# exit_error
|
|
|
17c662 |
+# else
|
|
|
17c662 |
+# echo ok
|
|
|
17c662 |
+# fi
|
|
|
17c662 |
+# fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+generate_temp_dsa_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ bits="$3"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Generating DSA private key ("${bits}")... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label temp-dsa-"${bits}" --generate-dsa --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+delete_temp_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ type="$3"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ test "${RETCODE}" = "0" || return
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Deleting private key... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --delete "${token};object=temp-${type};object-type=private" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ RETCODE=1
|
|
|
17c662 |
+ return
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ RETCODE=0
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: bits
|
|
|
17c662 |
+export_pubkey_of_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ bits="$3"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Exporting public key of generated private key... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-pubkey "${token};object=gnutls-client;object-type=private" --outfile tmp-client-2.pub >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${DIFF} tmp-client.pub tmp-client-2.pub
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo keys differ
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+change_id_of_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Change the CKA_ID of generated private key... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-id "01a1b103" "${token};object=gnutls-client;id=%00%01%02%03%04%05;object-type=private" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "ID didn't change"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+change_label_of_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Change the CKA_LABEL of generated private key... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "new-label" "${token};object=gnutls-client;object-type=private" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=new-label;object-type=private" 2>&1 |grep 'Label: new-label' >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "label didn't change"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-label "gnutls-client" "${token};object=new-label;object-type=private" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: bits
|
|
|
17c662 |
+generate_temp_ecc_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ bits="$3"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Generating ECC private key (${bits})... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label "temp-ecc-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: bits
|
|
|
17c662 |
+# The same as generate_temp_ecc_privkey but no explicit login is performed.
|
|
|
17c662 |
+# p11tool should detect that login is required for the operation.
|
|
|
17c662 |
+generate_temp_ecc_privkey_no_login () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ bits="$3"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Generating ECC private key without --login (${bits})... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --label "temp-ecc-no-${bits}" --generate-ecc --bits "${bits}" "${token}" --outfile tmp-client.pub >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: name
|
|
|
17c662 |
+# $2: label prefix
|
|
|
17c662 |
+# $3: generate option
|
|
|
17c662 |
+# $4: token
|
|
|
17c662 |
+# $5: PIN
|
|
|
17c662 |
+# $6: bits
|
|
|
17c662 |
+import_privkey () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$5"
|
|
|
17c662 |
+ name="$1"
|
|
|
17c662 |
+ prefix="$2"
|
|
|
17c662 |
+ gen_option="$3"
|
|
|
17c662 |
+ token="$4"
|
|
|
17c662 |
+ bits="$6"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ outfile="tmp-${prefix}-${bits}.pem"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Importing ${name} private key (${bits})... "
|
|
|
17c662 |
+
|
|
|
17c662 |
+ "${CERTTOOL}" ${CERTTOOL_PARAM} --generate-privkey "${gen_option}" --pkcs8 --password= --outfile "${outfile}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label "${prefix}-${bits}" --load-privkey "${outfile}" "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+import_temp_rsa_privkey () {
|
|
|
17c662 |
+ import_privkey RSA temp-rsa --rsa $@
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+import_temp_ecc_privkey () {
|
|
|
17c662 |
+ import_privkey ECC temp-ecc --ecc $@
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+import_temp_dsa_privkey () {
|
|
|
17c662 |
+ import_privkey DSA temp-dsa --dsa $@
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
|
|
|
17c662 |
+# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# Tests writing a certificate which corresponds to the given key,
|
|
|
17c662 |
+# as well as the CA certificate, and tries to export them.
|
|
|
17c662 |
+write_certificate_test () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ cakey="$3"
|
|
|
17c662 |
+ cacert="$4"
|
|
|
17c662 |
+ pubkey="$5"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Generating client certificate... "
|
|
|
17c662 |
+ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
|
|
|
17c662 |
+ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \
|
|
|
17c662 |
+ --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Writing client certificate... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --id "01a1b103" --label gnutls-client --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Checking whether ID was correctly set... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=gnutls-client;object-type=private;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "ID was not set on copy"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test -n "${BROKEN_SOFTHSM2}";then
|
|
|
17c662 |
+ return
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Checking whether object was public... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --list-all-certs "${token};object=gnutls-client;id=%01%a1%b1%03" 2>&1 | grep 'ID: 01:a1:b1:03' >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "certificate object was not public"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test -n "${BROKEN_SOFTHSM2}";then
|
|
|
17c662 |
+ return
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Writing certificate of client's CA... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --mark-trusted --mark-ca --write --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ ret=$?
|
|
|
17c662 |
+ if test ${ret} != 0; then
|
|
|
17c662 |
+ echo "Failed with PIN, trying to write with so PIN" >>"${TMPFILE}"
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --mark-ca --write --mark-trusted --label gnutls-ca --load-certificate "${cacert}" "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ ret=$?
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test ${ret} = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Testing certificate flags... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all-certs "${token};object=gnutls-ca;object-type=cert" |grep Flags|head -n 1 >tmp-client-2.pub 2>>"${TMPFILE}"
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ grep CKA_TRUSTED tmp-client-2.pub >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "failed (no CKA_TRUSTED)"
|
|
|
17c662 |
+ #exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ grep "CKA_CERTIFICATE_CATEGORY=CA" tmp-client-2.pub >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "failed (no CKA_CERTIFICATE_CATEGORY=CA)"
|
|
|
17c662 |
+ #exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Trying to obtain back the cert... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --export "${token};object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ ${DIFF} crt1.tmp "${srcdir}/testpkcs11-certs/ca.crt"
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "failed. Exported certificate differs (crt1.tmp)!"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ rm -f crt1.tmp
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Trying to obtain the full chain... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --export-chain "${token};object=gnutls-client;object-type=cert"|"${CERTTOOL}" ${CERTTOOL_PARAM} -i --outfile crt1.tmp >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+
|
|
|
17c662 |
+ cat tmp-client.crt ${srcdir}/testpkcs11-certs/ca.crt|"${CERTTOOL}" ${CERTTOOL_PARAM} -i >crt2.tmp
|
|
|
17c662 |
+ ${DIFF} crt1.tmp crt2.tmp
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "failed. Exported certificate chain differs!"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ rm -f crt1.tmp crt2.tmp
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
|
|
|
17c662 |
+# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# Tests writing a certificate which corresponds to the given key,
|
|
|
17c662 |
+# and verifies whether the ID is the same. Should utilize the
|
|
|
17c662 |
+# ID of the public key.
|
|
|
17c662 |
+write_certificate_id_test_rsa () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ cakey="$3"
|
|
|
17c662 |
+ cacert="$4"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Generating RSA private key on HSM... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --label xxx1-rsa --generate-rsa --bits 1024 "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Checking whether right ID is set on copy... "
|
|
|
17c662 |
+ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
|
|
|
17c662 |
+ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=xxx1-rsa;object-type=private" \
|
|
|
17c662 |
+ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --list-all "${token};object=xxx1-rsa;object-type=public" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx1-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx1-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "ID '$id' was not set on copy"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
|
|
|
17c662 |
+# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# Tests writing a certificate which corresponds to the given key,
|
|
|
17c662 |
+# and verifies whether the ID is the same. Should utilize the
|
|
|
17c662 |
+# ID of the private key.
|
|
|
17c662 |
+write_certificate_id_test_rsa2 () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ cakey="$3"
|
|
|
17c662 |
+ cacert="$4"
|
|
|
17c662 |
+ tmpkey="key.$$.tmp"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Generating RSA private key... "
|
|
|
17c662 |
+ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --bits 1024 --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Checking whether right ID is set on copy... "
|
|
|
17c662 |
+ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
|
|
|
17c662 |
+ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey ${tmpkey} \
|
|
|
17c662 |
+ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx2-rsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx2-rsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
|
|
|
17c662 |
+
|
|
|
17c662 |
+ rm -f ${tmpkey}
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx2-rsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx2-rsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "ID '$id' was not set on copy"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: cakey: ${srcdir}/testpkcs11-certs/ca.key
|
|
|
17c662 |
+# $4: cacert: ${srcdir}/testpkcs11-certs/ca.crt
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# Tests writing a certificate which corresponds to the given key,
|
|
|
17c662 |
+# and verifies whether the ID is the same. Should utilize the
|
|
|
17c662 |
+# ID of the private key.
|
|
|
17c662 |
+write_certificate_id_test_ecdsa () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ cakey="$3"
|
|
|
17c662 |
+ cacert="$4"
|
|
|
17c662 |
+ tmpkey="key.$$.tmp"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Generating ECDSA private key... "
|
|
|
17c662 |
+ ${CERTTOOL} ${ADDITIONAL_PARAM} --generate-privkey --ecdsa --outfile ${tmpkey} >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit 1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Checking whether right ID is set on copy... "
|
|
|
17c662 |
+ "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \
|
|
|
17c662 |
+ --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey ${tmpkey} \
|
|
|
17c662 |
+ --outfile tmp-client.crt >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label xxx-ecdsa --load-privkey ${tmpkey} "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ id=$(${P11TOOL} ${ADDITIONAL_PARAM} --login --list-all "${token};object=xxx-ecdsa;object-type=private" 2>&1 | grep 'ID: '|sed -e 's/ID://' -e 's/^[ \t]*//' -e 's/[ \t]*$//')
|
|
|
17c662 |
+
|
|
|
17c662 |
+ rm -f ${tmpkey}
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label tmp-xxx-ecdsa --load-certificate tmp-client.crt "${token}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-certs "${token};object=tmp-xxx-ecdsa;object-type=cert" 2>&1 | grep "ID: ${id}" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "ID '$id' was not set on copy"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+test_sign () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Testing signatures using the private key... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "failed. Cannot test signatures."
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Testing RSA-PSS signatures using the private key... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --sign-params rsa-pss --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ rc=$?
|
|
|
17c662 |
+ if test $rc != 0; then
|
|
|
17c662 |
+ if test $rc = 2; then
|
|
|
17c662 |
+ echo "failed. RSA-PSS not supported."
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo "failed. Cannot test signatures."
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Testing signatures using the private key (with ID)... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};id=%ac%1d%7a%39%cb%72%17%94%66%6c%74%44%73%40%91%44%c0%a0%43%7d" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --test-sign "${token};id=%ac%1d%7a%39%cb%72%17%94%66%6c%74%44%73%40%91%44%c0%a0%43%7d" 2>&1|grep "Verifying against public key in the token..."|grep ok >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "failed. Cannot test signatures with ID."
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# This tests the signing operation as well as the usage of --set-pin
|
|
|
17c662 |
+test_sign_set_pin () {
|
|
|
17c662 |
+ pin="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ unset GNUTLS_PIN
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Testing signatures using the private key and --set-pin... "
|
|
|
17c662 |
+ ${P11TOOL} ${ADDITIONAL_PARAM} --login --set-pin ${pin} --test-sign "${token};object=serv-key" >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+ if test $? != 0; then
|
|
|
17c662 |
+ echo "failed. Cannot test signatures."
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+
|
|
|
17c662 |
+ export GNUTLS_PIN=${pin}
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+# $1: token
|
|
|
17c662 |
+# $2: PIN
|
|
|
17c662 |
+# $3: certfile
|
|
|
17c662 |
+# $4: keyfile
|
|
|
17c662 |
+# $5: cafile
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# Tests using a certificate and key pair using gnutls-serv and gnutls-cli.
|
|
|
17c662 |
+use_certificate_test () {
|
|
|
17c662 |
+ export GNUTLS_PIN="$2"
|
|
|
17c662 |
+ token="$1"
|
|
|
17c662 |
+ certfile="$3"
|
|
|
17c662 |
+ keyfile="$4"
|
|
|
17c662 |
+ cafile="$5"
|
|
|
17c662 |
+ txt="$6"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Using PKCS #11 with gnutls-cli (${txt})... "
|
|
|
17c662 |
+ # start server
|
|
|
17c662 |
+ eval "${GETPORT}"
|
|
|
17c662 |
+ launch_pkcs11_server $$ "${ADDITIONAL_PARAM}" --echo --priority NORMAL --x509certfile="${certfile}" \
|
|
|
17c662 |
+ --x509keyfile="$keyfile" --x509cafile="${cafile}" \
|
|
|
17c662 |
+ --verify-client-cert --require-client-cert >>"${TMPFILE}" 2>&1
|
|
|
17c662 |
+
|
|
|
17c662 |
+ PID=$!
|
|
|
17c662 |
+ wait_server ${PID}
|
|
|
17c662 |
+
|
|
|
17c662 |
+ # connect to server using SC
|
|
|
17c662 |
+ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${TMPFILE}" 2>&1 && \
|
|
|
17c662 |
+ fail ${PID} "Connection should have failed!"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \
|
|
|
17c662 |
+ --x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${TMPFILE}" 2>&1 || \
|
|
|
17c662 |
+ fail ${PID} "Connection (with files) should have succeeded!"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \
|
|
|
17c662 |
+ --x509keyfile="${token};object=gnutls-client;object-type=private" \
|
|
|
17c662 |
+ --x509cafile="${cafile}" </dev/null >>"${TMPFILE}" 2>&1 || \
|
|
|
17c662 |
+ fail ${PID} "Connection (with SC) should have succeeded!"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ kill ${PID}
|
|
|
17c662 |
+ wait
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+}
|
|
|
17c662 |
+
|
|
|
17c662 |
+
|
|
|
17c662 |
+
|
|
|
17c662 |
+echo "Testing PKCS11 support"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# erase SC
|
|
|
17c662 |
+
|
|
|
17c662 |
+type="$1"
|
|
|
17c662 |
+
|
|
|
17c662 |
+if test -z "${type}"; then
|
|
|
17c662 |
+ echo "usage: $0: [pkcs15|softhsm|sc-hsm]"
|
|
|
17c662 |
+ if test -x "/usr/bin/softhsm" || test -x "/usr/bin/softhsm2-util"; then
|
|
|
17c662 |
+ echo "assuming 'softhsm'"
|
|
|
17c662 |
+ echo ""
|
|
|
17c662 |
+ type=softhsm
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ exit 77
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+. "${srcdir}/testpkcs11.${type}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+export GNUTLS_PIN=12345678
|
|
|
17c662 |
+export GNUTLS_SO_PIN=00000000
|
|
|
17c662 |
+
|
|
|
17c662 |
+init_card "${GNUTLS_PIN}" "${GNUTLS_SO_PIN}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+# find token name
|
|
|
17c662 |
+TOKEN=`${P11TOOL} ${ADDITIONAL_PARAM} --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
|
|
|
17c662 |
+
|
|
|
17c662 |
+echo "* Token: ${TOKEN}"
|
|
|
17c662 |
+if test "x${TOKEN}" = x; then
|
|
|
17c662 |
+ echo "Could not find generated token"
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+#write a given privkey
|
|
|
17c662 |
+write_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/client.key"
|
|
|
17c662 |
+
|
|
|
17c662 |
+generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256
|
|
|
17c662 |
+delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
|
|
|
17c662 |
+
|
|
|
17c662 |
+generate_temp_ecc_privkey_no_login "${TOKEN}" "${GNUTLS_PIN}" 256
|
|
|
17c662 |
+delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-no-256
|
|
|
17c662 |
+
|
|
|
17c662 |
+generate_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 384
|
|
|
17c662 |
+delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-384
|
|
|
17c662 |
+
|
|
|
17c662 |
+generate_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
|
|
|
17c662 |
+delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-2048
|
|
|
17c662 |
+
|
|
|
17c662 |
+generate_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 3072
|
|
|
17c662 |
+delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-3072
|
|
|
17c662 |
+
|
|
|
17c662 |
+import_temp_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
|
|
|
17c662 |
+delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" rsa-1024
|
|
|
17c662 |
+import_temp_ecc_privkey "${TOKEN}" "${GNUTLS_PIN}" 256
|
|
|
17c662 |
+delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" ecc-256
|
|
|
17c662 |
+import_temp_dsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 2048
|
|
|
17c662 |
+delete_temp_privkey "${TOKEN}" "${GNUTLS_PIN}" dsa-2048
|
|
|
17c662 |
+
|
|
|
17c662 |
+generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
|
|
|
17c662 |
+change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
|
|
|
17c662 |
+export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
|
|
|
17c662 |
+change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
|
|
|
17c662 |
+write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
|
|
|
17c662 |
+write_serv_cert "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
|
|
|
17c662 |
+
|
|
|
17c662 |
+write_serv_pubkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.crt"
|
|
|
17c662 |
+test_sign "${TOKEN}" "${GNUTLS_PIN}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert;object-type=cert" "${TOKEN};object=serv-key;object-type=private" "${srcdir}/testpkcs11-certs/ca.crt" "full URLs"
|
|
|
17c662 |
+
|
|
|
17c662 |
+use_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${TOKEN};object=serv-cert" "${TOKEN};object=serv-key" "${srcdir}/testpkcs11-certs/ca.crt" "abbrv URLs"
|
|
|
17c662 |
+
|
|
|
17c662 |
+write_certificate_id_test_rsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
|
|
|
17c662 |
+write_certificate_id_test_rsa2 "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
|
|
|
17c662 |
+write_certificate_id_test_ecdsa "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt"
|
|
|
17c662 |
+
|
|
|
17c662 |
+test_delete_cert "${TOKEN}" "${GNUTLS_PIN}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+test_sign_set_pin "${TOKEN}" "${GNUTLS_PIN}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+if test ${RETCODE} = 0; then
|
|
|
17c662 |
+ echo "* All smart cards tests succeeded"
|
|
|
17c662 |
+fi
|
|
|
17c662 |
+rm -f tmp-client.crt tmp-client.pub tmp-client-2.pub "${TMPFILE}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+exit 0
|
|
|
17c662 |
diff --git a/tests/testpkcs11.softhsm b/tests/testpkcs11.softhsm
|
|
|
17c662 |
new file mode 100755
|
|
|
17c662 |
index 000000000..d79a8528e
|
|
|
17c662 |
--- /dev/null
|
|
|
17c662 |
+++ b/tests/testpkcs11.softhsm
|
|
|
17c662 |
@@ -0,0 +1,77 @@
|
|
|
17c662 |
+#!/bin/sh
|
|
|
17c662 |
+
|
|
|
17c662 |
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# This file is part of GnuTLS.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# GnuTLS is free software; you can redistribute it and/or modify it
|
|
|
17c662 |
+# under the terms of the GNU General Public License as published by the
|
|
|
17c662 |
+# Free Software Foundation; either version 3 of the License, or (at
|
|
|
17c662 |
+# your option) any later version.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# GnuTLS is distributed in the hope that it will be useful, but
|
|
|
17c662 |
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
17c662 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
17c662 |
+# General Public License for more details.
|
|
|
17c662 |
+#
|
|
|
17c662 |
+# You should have received a copy of the GNU General Public License
|
|
|
17c662 |
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
|
|
17c662 |
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
17c662 |
+
|
|
|
17c662 |
+for i in /usr/lib64/pkcs11 /usr/lib/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/lib /usr/lib64/softhsm;do
|
|
|
17c662 |
+ if test -f "$i/libsofthsm2.so"; then
|
|
|
17c662 |
+ ADDITIONAL_PARAM="--provider $i/libsofthsm2.so"
|
|
|
17c662 |
+ break
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ if test -f "$i/libsofthsm.so";then
|
|
|
17c662 |
+ ADDITIONAL_PARAM="--provider $i/libsofthsm.so"
|
|
|
17c662 |
+ break
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+done
|
|
|
17c662 |
+
|
|
|
17c662 |
+init_card () {
|
|
|
17c662 |
+ PIN="$1"
|
|
|
17c662 |
+ PUK="$2"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test -x "/usr/bin/softhsm2-util"; then
|
|
|
17c662 |
+ export SOFTHSM2_CONF="softhsm-testpkcs11.$$.config.tmp"
|
|
|
17c662 |
+ SOFTHSM_TOOL="/usr/bin/softhsm2-util"
|
|
|
17c662 |
+ ${SOFTHSM_TOOL} --version|grep "2.0.0" >/dev/null 2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo "softhsm2-util 2.0.0 is broken"
|
|
|
17c662 |
+ export BROKEN_SOFTHSM2=1
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test -x "/usr/bin/softhsm"; then
|
|
|
17c662 |
+ export SOFTHSM_CONF="softhsm-testpkcs11.$$.config.tmp"
|
|
|
17c662 |
+ SOFTHSM_TOOL="/usr/bin/softhsm"
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test -z "${SOFTHSM_TOOL}"; then
|
|
|
17c662 |
+ echo "Could not find softhsm(2) tool"
|
|
|
17c662 |
+ exit 77
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+ if test -z "${SOFTHSM_CONF}"; then
|
|
|
17c662 |
+ rm -rf ./softhsm-testpkcs11.$$.tmp
|
|
|
17c662 |
+ mkdir -p ./softhsm-testpkcs11.$$.tmp
|
|
|
17c662 |
+ echo "objectstore.backend = file" > "${SOFTHSM2_CONF}"
|
|
|
17c662 |
+ echo "directories.tokendir = ./softhsm-testpkcs11.$$.tmp" >> "${SOFTHSM2_CONF}"
|
|
|
17c662 |
+
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ rm -rf ./softhsm-testpkcs11.$$.tmp
|
|
|
17c662 |
+ echo "0:./softhsm-testpkcs11.$$.tmp" > "${SOFTHSM_CONF}"
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+
|
|
|
17c662 |
+
|
|
|
17c662 |
+ echo -n "* Initializing smart card... "
|
|
|
17c662 |
+ ${SOFTHSM_TOOL} --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1
|
|
|
17c662 |
+ if test $? = 0; then
|
|
|
17c662 |
+ echo ok
|
|
|
17c662 |
+ else
|
|
|
17c662 |
+ echo failed
|
|
|
17c662 |
+ exit_error
|
|
|
17c662 |
+ fi
|
|
|
17c662 |
+}
|