summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/cert/cert.sh
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/tests/cert/cert.sh')
-rwxr-xr-xsecurity/nss/tests/cert/cert.sh103
1 files changed, 103 insertions, 0 deletions
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index 34006efd1..b74de9be5 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -448,6 +448,27 @@ cert_add_cert()
fi
cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
+ echo "Importing RSA-PSS server certificate"
+ pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR}
+ # Let's get the key ID of the imported private key.
+ KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+ grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'`
+
+ CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request"
+ NEWSERIAL=`expr ${CERTSERIAL} + 30000`
+ certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u"
+ certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}-rsa-pss.cert" 2>&1
+ cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created"
+
return 0
}
@@ -2103,6 +2124,23 @@ cert_test_implicit_db_init()
certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
}
+cert_test_token_uri()
+{
+ echo "$SCRIPTNAME: specify token with PKCS#11 URI"
+
+ CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'`
+ BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'`
+
+ CU_ACTION="List keys in NSS Certificate DB"
+ certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI}
+
+ # This token shouldn't have any keys
+ CU_ACTION="List keys in NSS Builtin Objects"
+ RETEXPECTED=255
+ certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI}
+ RETEXPECTED=0
+}
+
check_sign_algo()
{
certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
@@ -2475,6 +2513,29 @@ EOF
RETEXPECTED=0
}
+cert_test_orphan_key_delete()
+{
+ CU_ACTION="Create orphan key in serverdir"
+ certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
+ # Let's get the key ID of the first orphan key.
+ # The output of certutil -K (list keys) isn't well formatted.
+ # The initial <key-number> part may or may not contain white space, which
+ # makes the use of awk to filter the column unreliable.
+ # To fix that, we remove the initial <number> field using sed, then select the
+ # column that contains the key ID.
+ ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+ sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
+ CU_ACTION="Delete orphan key"
+ certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR}
+ # Ensure that the key is removed
+ certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN}
+ RET=$?
+ if [ "$RET" -eq 0 ]; then
+ html_failed "Deleting orphan key ($RET)"
+ cert_log "ERROR: Deleting orphan key failed $RET"
+ fi
+}
+
cert_test_orphan_key_reuse()
{
CU_ACTION="Create orphan key in serverdir"
@@ -2500,6 +2561,43 @@ cert_test_orphan_key_reuse()
fi
}
+cert_test_rsapss_policy()
+{
+ CERTSERIAL=`expr $CERTSERIAL + 1`
+
+ CERTNAME="TestUser-rsa-pss-policy"
+
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1)
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Verify $CERTNAME's Cert"
+ certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}"
+
+ CU_ACTION="Verify $CERTNAME's Cert with Policy"
+ cp ${PROFILEDIR}/pkcs11.txt pkcs11.txt.orig
+ cat >> ${PROFILEDIR}/pkcs11.txt << ++EOF++
+library=
+name=Policy
+config="disallow=SHA1"
+++EOF++
+ RETEXPECTED=255
+ certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}"
+ RETEXPECTED=0
+ cp pkcs11.txt.orig ${PROFILEDIR}/pkcs11.txt
+}
+
############################## cert_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
@@ -2519,6 +2617,7 @@ cert_all_CA
cert_test_implicit_db_init
cert_extended_ssl
cert_ssl
+cert_test_orphan_key_delete
cert_test_orphan_key_reuse
cert_smime_client
IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
@@ -2534,6 +2633,10 @@ cert_test_password
cert_test_distrust
cert_test_ocspresp
cert_test_rsapss
+if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+ cert_test_rsapss_policy
+fi
+cert_test_token_uri
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
cert_crl_ssl