#include "../test-chains.h"
#define URL "pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=test"
+#define CONFIG "softhsm.config"
/* GnuTLS internally calls time() to find out the current time when
verifying certificates. To avoid a time bomb, we hard code the
gnutls_global_set_log_level(4711);
/* write softhsm.config */
- fp = fopen("softhsm.config", "w");
+ fp = fopen(CONFIG, "w");
if (fp == NULL) {
fprintf(stderr, "error writing softhsm.config\n");
exit(1);
fputs("0:./softhsm.db\n", fp);
fclose(fp);
- setenv("SOFTHSM_CONF", "softhsm.config", 0);
+ setenv("SOFTHSM_CONF", CONFIG, 0);
system("softhsm --init-token --slot 0 --label test --so-pin 1234 --pin 1234");
if (debug)
printf("Exit status...%d\n", exit_val);
+ remove(CONFIG);
exit(exit_val);
}
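Review bot: The fopen failure message still hardcodes the filename (`fprintf(stderr, "error writing softhsm.config\n");`) while the fopen call just above now takes it from CONFIG, so the diagnostic goes stale the moment the macro changes; `fprintf(stderr, "error writing %s\n", CONFIG);` keeps the two in step. Separately, `setenv("SOFTHSM_CONF", CONFIG, 0)` does not overwrite an inherited SOFTHSM_CONF, so when the test runs in an environment that already sets it, the config just written is ignored and the following `softhsm --init-token` acts on whatever token database that inherited config names — passing 1 as the overwrite flag, or a comment stating that inheriting is intended, would make the choice explicit. The added `remove(CONFIG)` sits only on the final exit path; whether earlier failure exits leave the file behind cannot be seen from this hunk, since most of the function body is elided.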
echo "Testing PKCS11 support"
# erase SC
-echo -n "* Erasing smart card... "
-pkcs15-init -E >/dev/null 2>&1
-if test $? = 0;then
- echo ok
-else
- echo failed
- exit 1
-fi
-echo -n "* Initializing smart card... "
-pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin 1234 --pin 1234 --puk 111111 --label "GnuTLS-Test" >/dev/null 2>&1
-if test $? = 0;then
- echo ok
+if test "$1" = "pkcs15";then
+ echo -n "* Erasing smart card... "
+ pkcs15-init -E >/dev/null 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit 1
+ fi
+
+ echo -n "* Initializing smart card... "
+ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin 1234 --pin 1234 --puk 111111 --label "GnuTLS-Test" >/dev/null 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit 1
+ fi
else
- echo failed
- exit 1
+ export SOFTHSM_CONF="softhsm.config"
+ if test -f /usr/lib/softhsm/libsofthsm.so;then
+ ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so"
+ else
+ ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so"
+ fi
+
+ echo -n "* Initializing smart card... "
+ softhsm --init-token --slot 0 --label "GnuTLS-Test" --so-pin 1234 --pin 1234 >/dev/null 2>&1
+ if test $? = 0;then
+ echo ok
+ else
+ echo failed
+ exit 1
+ fi
fi
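Review bot: Both arms of the new `if test -f /usr/lib/softhsm/libsofthsm.so` block assign the identical value to ADDITIONAL_PARAM, so the file check has no effect and on a host without that library every later `$P11TOOL`/`$CERTTOOL`/`$CLI` invocation is pointed at a provider path that does not exist; the else arm presumably meant to do something different, such as `ADDITIONAL_PARAM=""` to fall back to the default module list, or `echo "softhsm provider not found"; exit 77` to skip the test rather than fail it with a misleading error. ADDITIONAL_PARAM is also left unset in the pkcs15 branch, which only works because the expansion is unquoted and this script does not run under `set -u`; a one-line `ADDITIONAL_PARAM=""` before the branch would document that it may legitimately be empty. Note too that `export SOFTHSM_CONF="softhsm.config"` is a path relative to the working directory, matching the relative `0:./softhsm.db` the C helper writes, so the test only lines up if both run from the same directory — worth a comment. The script continues past the end of what is shown here.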
# find token name
-TOKEN=`$P11TOOL --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
+TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
echo "* Token: $TOKEN"
if test x"$TOKEN" = x;then
export GNUTLS_PIN=1234
echo -n "* Writing a client private key... "
-$P11TOOL --login --write --label gnutls-client2 --load-privkey $srcdir/pkcs11-certs/client.key "$TOKEN" >/dev/null 2>&1
+$P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client2 --load-privkey $srcdir/pkcs11-certs/client.key "$TOKEN" >/dev/null 2>&1
if test $? = 0;then
echo ok
else
fi
echo -n "* Generating client private key... "
-$P11TOOL --login --label gnutls-client --generate-rsa --bits 1024 "$TOKEN" >tmp-client.pub 2>&1
+$P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-rsa --bits 1024 "$TOKEN" >tmp-client.pub 2>&1
if test $? = 0;then
echo ok
else
fi
echo -n "* Generating client certificate... "
-$CERTTOOL --generate-certificate --load-ca-privkey $srcdir/pkcs11-certs/ca.key --load-ca-certificate $srcdir/pkcs11-certs/ca.crt \
+$CERTTOOL $ADDITIONAL_PARAM --generate-certificate --load-ca-privkey $srcdir/pkcs11-certs/ca.key --load-ca-certificate $srcdir/pkcs11-certs/ca.crt \
--template $srcdir/pkcs11-certs/client-tmpl --load-privkey "$TOKEN;object=gnutls-client;object-type=private" \
--load-pubkey tmp-client.pub > tmp-client.crt 2>/dev/null
if test $? = 0;then
fi
echo -n "* Writing client certificate... "
-$P11TOOL --login --write --label gnutls-client --load-certificate tmp-client.crt "$TOKEN" >/dev/null 2>&1
+$P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client --load-certificate tmp-client.crt "$TOKEN" >/dev/null 2>&1
if test $? = 0;then
echo ok
else
fi
echo -n "* Writing certificate of client's CA... "
-$P11TOOL --login --write --label gnutls-ca --load-certificate $srcdir/pkcs11-certs/ca.crt "$TOKEN" >/dev/null 2>&1
+$P11TOOL $ADDITIONAL_PARAM --so-login --write --trusted --label gnutls-ca --load-certificate $srcdir/pkcs11-certs/ca.crt "$TOKEN" >/dev/null 2>&1
if test $? = 0;then
echo ok
else
fi
echo -n "* Trying to obtain back the cert... "
-$P11TOOL --export "$TOKEN;object=gnutls-ca;object-type=cert" >crt1.tmp 2>/dev/null
+$P11TOOL $ADDITIONAL_PARAM --export "$TOKEN;object=gnutls-ca;object-type=cert" >crt1.tmp 2>/dev/null
$DIFF crt1.tmp $srcdir/pkcs11-certs/ca.crt
if test $? != 0;then
echo "failed. Exported certificate differs!"
fi
echo -n "* Trying to obtain the full chain... "
-$P11TOOL --export-chain "$TOKEN;object=gnutls-client;object-type=cert"|$CERTTOOL -i >crt1.tmp 2>/dev/null
+$P11TOOL $ADDITIONAL_PARAM --login --export-chain "$TOKEN;object=gnutls-client;object-type=cert"|$CERTTOOL -i >crt1.tmp 2>/dev/null
cat tmp-client.crt $srcdir/pkcs11-certs/ca.crt|$CERTTOOL -i >crt2.tmp
$DIFF crt1.tmp crt2.tmp
wait_server $PID
# connect to server using SC
-$CLI -p $PORT localhost --priority NORMAL --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 && \
+$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 && \
fail $PID "Connection should have failed!"
-$CLI -p $PORT localhost --priority NORMAL --x509certfile=$srcdir/pkcs11-certs/client.crt \
+$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile=$srcdir/pkcs11-certs/client.crt \
--x509keyfile=$srcdir/pkcs11-certs/client.key --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 || \
fail $PID "Connection (with files) should have succeeded!"
-$CLI -p $PORT localhost --priority NORMAL --x509certfile="$TOKEN;object=gnutls-client;object-type=cert" \
+$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$TOKEN;object=gnutls-client;object-type=cert" \
--x509keyfile="$TOKEN;object=gnutls-client;object-type=private" \
--x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 || \
fail $PID "Connection (with SC) should have succeeded!"