summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/tools
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/tests/tools')
-rw-r--r--security/nss/tests/tools/sign.html8
-rw-r--r--security/nss/tests/tools/signjs.html11
-rw-r--r--security/nss/tests/tools/tools.sh498
3 files changed, 517 insertions, 0 deletions
diff --git a/security/nss/tests/tools/sign.html b/security/nss/tests/tools/sign.html
new file mode 100644
index 000000000..1ec9f7b79
--- /dev/null
+++ b/security/nss/tests/tools/sign.html
@@ -0,0 +1,8 @@
+<html>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<body>
+Sign this javascriptless page.
+</body>
+</html>
diff --git a/security/nss/tests/tools/signjs.html b/security/nss/tests/tools/signjs.html
new file mode 100644
index 000000000..ba22925bd
--- /dev/null
+++ b/security/nss/tests/tools/signjs.html
@@ -0,0 +1,11 @@
+<html>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<body>
+<script language="JavaScript">
+document.write("<h3>Sign this javascript</h3>");
+</script>
+Here's some plain content.
+</body>
+</html>
diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh
new file mode 100644
index 000000000..26abf3e4e
--- /dev/null
+++ b/security/nss/tests/tools/tools.sh
@@ -0,0 +1,498 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/tools/tools.sh
+#
+# Script to test basic functionality of NSS tools
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+# pk12util
+# signtool
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+
+ export pkcs12v2pbeWithSha1And128BitRc4=\
+"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC4"
+
+ export pkcs12v2pbeWithSha1And40BitRc4=\
+"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC4"
+
+ export pkcs12v2pbeWithSha1AndTripleDESCBC=\
+"PKCS #12 V2 PBE With SHA-1 and Triple DES-CBC"
+
+ export pkcs12v2pbeWithSha1And128BitRc2Cbc=\
+"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC2 CBC"
+
+ export pkcs12v2pbeWithSha1And40BitRc2Cbc=\
+"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC2 CBC"
+
+ export pkcs12v2pbeWithMd2AndDESCBC=\
+"PKCS #5 Password Based Encryption with MD2 and DES-CBC"
+
+ export pkcs12v2pbeWithMd5AndDESCBC=\
+"PKCS #5 Password Based Encryption with MD5 and DES-CBC"
+
+ export pkcs12v2pbeWithSha1AndDESCBC=\
+"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
+
+ export pkcs5pbeWithMD2AndDEScbc=\
+"PKCS #5 Password Based Encryption with MD2 and DES-CBC"
+
+ export pkcs5pbeWithMD5AndDEScbc=\
+"PKCS #5 Password Based Encryption with MD5 and DES-CBC"
+
+ export pkcs5pbeWithSha1AndDEScbc=\
+"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
+
+############################## tools_init ##############################
+# local shell function to initialize this script
+########################################################################
+tools_init()
+{
+ SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=tools.sh
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ html_head "Tools Tests with ECC"
+ else
+ html_head "Tools Tests"
+ fi
+
+ grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+ Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
+ }
+
+ TOOLSDIR=${HOSTDIR}/tools
+ COPYDIR=${TOOLSDIR}/copydir
+ SIGNDIR=${TOOLSDIR}/signdir
+
+ R_TOOLSDIR=../tools
+ R_COPYDIR=../tools/copydir
+ R_SIGNDIR=../tools/signdir
+ P_R_COPYDIR=${R_COPYDIR}
+ P_R_SIGNDIR=${R_SIGNDIR}
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_R_COPYDIR="multiaccess:Tools.$version"
+ P_R_SIGNDIR="multiaccess:Tools.sign.$version"
+ fi
+
+ mkdir -p ${TOOLSDIR}
+ mkdir -p ${COPYDIR}
+ mkdir -p ${SIGNDIR}
+ cp ${ALICEDIR}/* ${SIGNDIR}/
+ mkdir -p ${TOOLSDIR}/html
+ cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
+
+ cd ${TOOLSDIR}
+}
+
+########################## list_p12_file ###############################
+# List the key and cert in the specified p12 file
+########################################################################
+list_p12_file()
+{
+ echo "$SCRIPTNAME: Listing Alice's pk12 file"
+ echo "pk12util -l ${1} -w ${R_PWFILE}"
+
+ ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing ${1} (pk12util -l)"
+ check_tmpfile
+}
+
+########################################################################
+# Import the key and cert from the specified p12 file
+########################################################################
+import_p12_file()
+{
+ echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file"
+ echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+
+ ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing ${1} (pk12util -i)"
+ check_tmpfile
+}
+
+########################################################################
+# Export the key and cert to a p12 file using default ciphers
+########################################################################
+export_with_default_ciphers()
+{
+ echo "$SCRIPTNAME: Exporting Alice's key & cert with [default:default] (pk12util -o)"
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alices's key & cert with [default:default] (pk12util -o)"
+ check_tmpfile
+ return $ret
+}
+
+########################################################################
+# Exports key/cert to a p12 file, the key encryption cipher is specified
+# and the cert encryption cipher is blank for default.
+########################################################################
+export_with_key_cipher()
+{
+ # $1 key encryption cipher
+ echo "$SCRIPTNAME: Exporting with [${1}:default]"
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1}"
+ ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} -c "${1}" 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting with [${1}:default] (pk12util -o)"
+ check_tmpfile
+ return $ret
+}
+
+########################################################################
+# Exports key/cert to a p12 file, the key encryption cipher is left
+# empty for default and the cert encryption cipher is specified.
+########################################################################
+export_with_cert_cipher()
+{
+ # $1 certificate encryption cipher
+ echo "$SCRIPTNAME: Exporting with [default:${1}]"
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -C ${1}"
+ ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} -C "${1}" 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting with [default:${1}] (pk12util -o)"
+ check_tmpfile
+ return $ret
+}
+
+########################################################################
+# Exports key/cert to a p12 file, both the key encryption cipher and
+# the cert encryption cipher are specified.
+########################################################################
+export_with_both_key_and_cert_cipher()
+{
+ # $1 key encryption cipher or ""
+ # $2 certificate encryption cipher or ""
+
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1} -C ${2}"
+ ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} \
+ -c "${1}" -C "${2}" 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting with [${1}:${2}] (pk12util -o)"
+ check_tmpfile
+ return $ret
+}
+
+########################################################################
+# Exports key and cert to a p12 file, both the key encryption cipher
+# and the cert encryption cipher are specified. The key and cert are
+# imported and the p12 file is listed
+########################################################################
+export_list_import()
+{
+ # $1 key encryption cipher
+ # $2 certificate encryption cipher
+
+ if [ "${1}" != "DEFAULT" -a "${2}" != "DEFAULT" ]; then
+ export_with_both_key_and_cert_cipher "${1}" "${2}"
+ elif [ "${1}" != "DEFAULT" -a "${2}" = "DEFAULT" ]; then
+ export_with_key_cipher "${1}"
+ elif [ "${1}" = "DEFAULT" -a "${2}" != "DEFAULT" ]; then
+ export_with_cert_cipher "${2}"
+ else
+ export_with_default_ciphers
+ fi
+
+ list_p12_file Alice.p12
+ import_p12_file Alice.p12
+}
+
+########################################################################
+# Export using the pkcs5pbe ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs5pbe_ciphers()
+{
+ # specify each on key and cert cipher
+ for key_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \
+ "${pkcs5pbeWithMD5AndDEScbc}" \
+ "${pkcs5pbeWithSha1AndDEScbc}"\
+ "DEFAULT"; do
+ for cert_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \
+ "${pkcs5pbeWithMD5AndDEScbc}" \
+ "${pkcs5pbeWithSha1AndDEScbc}" \
+ "DEFAULT"\
+ "null"; do
+ export_list_import "${key_cipher}" "${cert_cipher}"
+ done
+ done
+}
+
+########################################################################
+# Export using the pkcs5v2 ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs5v2_ciphers()
+{
+ # These should pass
+ for key_cipher in\
+ RC2-CBC \
+ DES-EDE3-CBC \
+ AES-128-CBC \
+ AES-192-CBC \
+ AES-256-CBC \
+ CAMELLIA-128-CBC \
+ CAMELLIA-192-CBC \
+ CAMELLIA-256-CBC; do
+
+#---------------------------------------------------------------
+# Bug 452464 - pk12util -o fails when -C option specifies AES or
+# Camellia ciphers
+# FIXME Restore these to the list
+# AES-128-CBC, \
+# AES-192-CBC, \
+# AES-256-CBC, \
+# CAMELLIA-128-CBC, \
+# CAMELLIA-192-CBC, \
+# CAMELLIA-256-CBC, \
+# when 452464 is fixed
+#---------------------------------------------------------------
+ for cert_cipher in \
+ RC2-CBC \
+ DES-EDE3-CBC \
+ null; do
+ export_list_import ${key_cipher} ${cert_cipher}
+ done
+ done
+}
+
+########################################################################
+# Export using the pkcs12v2pbe ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs12v2pbe_ciphers()
+{
+#---------------------------------------------------------------
+# Bug 452471 - pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers
+# FIXME - Restore these to the list
+# "${pkcs12v2pbeWithSha1And128BitRc4}" \
+# "${pkcs12v2pbeWithSha1And40BitRc4}" \
+# "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \
+# "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \
+# "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \
+# "${pkcs12v2pbeWithMd2AndDESCBC}" \
+# "${pkcs12v2pbeWithMd5AndDESCBC}" \
+# "${pkcs12v2pbeWithSha1AndDESCBC}" \
+# "DEFAULT"; do
+# when 452471 is fixed
+#---------------------------------------------------------------
+# for key_cipher in \
+ key_cipher="DEFAULT"
+ for cert_cipher in "${pkcs12v2pbeWithSha1And128BitRc4}" \
+ "${pkcs12v2pbeWithSha1And40BitRc4}" \
+ "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \
+ "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \
+ "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \
+ "${pkcs12v2pbeWithMd2AndDESCBC}" \
+ "${pkcs12v2pbeWithMd5AndDESCBC}" \
+ "${pkcs12v2pbeWithSha1AndDESCBC}" \
+ "DEFAULT"\
+ "null"; do
+ export_list_import "${key_cipher}" "${key_cipher}"
+ done
+ #done
+}
+
+#########################################################################
+# Export with no encryption on key should fail but on cert should pass
+#########################################################################
+tools_p12_export_with_null_ciphers()
+{
+ # use null as the key encryption algorithm default for the cert one
+ # should fail
+
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -c null"
+ ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} \
+ -c null 2>&1
+ ret=$?
+ html_msg $ret 30 "Exporting with [null:default] (pk12util -o)"
+ check_tmpfile
+
+ # use default as the key encryption algorithm null for the cert one
+ # should pass
+
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -C null"
+ ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} \
+ -C null 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting with [default:null] (pk12util -o)"
+ check_tmpfile
+
+}
+
+#########################################################################
+# Exports using the default key and certificate encryption ciphers.
+# Imports from and lists the contents of the p12 file.
+# Repeats the test with ECC if enabled.
+########################################################################
+tools_p12_export_list_import_with_default_ciphers()
+{
+ echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
+
+ export_list_import "DEFAULT" "DEFAULT"
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
+ echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+ echo " -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+ -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
+ echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+ echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+ check_tmpfile
+ fi
+}
+
+############################## tools_p12 ###############################
+# local shell function to test basic functionality of pk12util
+########################################################################
+tools_p12()
+{
+ tools_p12_export_list_import_with_default_ciphers
+ tools_p12_export_list_import_all_pkcs5v2_ciphers
+ tools_p12_export_list_import_all_pkcs5pbe_ciphers
+ tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
+ tools_p12_export_with_null_ciphers
+}
+
+############################## tools_sign ##############################
+# local shell function pk12util uses a hardcoded tmp file, if this exists
+# and is owned by another user we don't get reasonable errormessages
+########################################################################
+check_tmpfile()
+{
+ if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then
+ echo "Error: pk12util temp file exists. Please remove this file and"
+ echo " rerun the test (/tmp/Pk12uTemp) "
+ fi
+}
+
+############################## tools_sign ##############################
+# local shell function to test basic functionality of signtool
+########################################################################
+tools_sign()
+{
+ echo "$SCRIPTNAME: Create objsign cert -------------------------------"
+ echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\""
+ ${BINDIR}/signtool -G "objsigner" -d ${P_R_SIGNDIR} -p "nss" 2>&1 <<SIGNSCRIPT
+y
+TEST
+MOZ
+NSS
+NY
+US
+liz
+liz@moz.org
+SIGNSCRIPT
+ html_msg $? 0 "Create objsign cert (signtool -G)"
+
+ echo "$SCRIPTNAME: Signing a jar of files ----------------------------"
+ echo "signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
+ echo " ${R_TOOLSDIR}/html"
+ ${BINDIR}/signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
+ ${R_TOOLSDIR}/html
+ html_msg $? 0 "Signing a jar of files (signtool -Z)"
+
+ echo "$SCRIPTNAME: Listing signed files in jar ----------------------"
+ echo "signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner"
+ ${BINDIR}/signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner
+ html_msg $? 0 "Listing signed files in jar (signtool -v)"
+
+ echo "$SCRIPTNAME: Show who signed jar ------------------------------"
+ echo "signtool -w nojs.jar -d ${P_R_SIGNDIR}"
+ ${BINDIR}/signtool -w nojs.jar -d ${P_R_SIGNDIR}
+ html_msg $? 0 "Show who signed jar (signtool -w)"
+
+ echo "$SCRIPTNAME: Signing a xpi of files ----------------------------"
+ echo "signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
+ echo " ${R_TOOLSDIR}/html"
+ ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
+ ${R_TOOLSDIR}/html
+ html_msg $? 0 "Signing a xpi of files (signtool -Z -X)"
+
+ echo "$SCRIPTNAME: Listing signed files in xpi ----------------------"
+ echo "signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner"
+ ${BINDIR}/signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner
+ html_msg $? 0 "Listing signed files in xpi (signtool -v)"
+
+ echo "$SCRIPTNAME: Show who signed xpi ------------------------------"
+ echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}"
+ ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR}
+ html_msg $? 0 "Show who signed xpi (signtool -w)"
+
+}
+
+############################## tools_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+tools_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+tools_init
+tools_p12
+tools_sign
+tools_cleanup
+
+