tests: improved testpkcs11 suite
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 1 Jul 2014 13:39:48 +0000 (15:39 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 1 Jul 2014 13:45:28 +0000 (15:45 +0200)
tests/suite/Makefile.am
tests/suite/testpkcs11
tests/suite/testpkcs11.pkcs15 [new file with mode: 0644]
tests/suite/testpkcs11.sc-hsm [new file with mode: 0644]
tests/suite/testpkcs11.softhsm [new file with mode: 0755]

index 2a68f889be10ff15800746fdd74d5b9cd636af79..9ccd0618d8d21a0df05d5a5a16e16637eeb439b9 100644 (file)
@@ -86,7 +86,7 @@ nodist_libecore_la_SOURCES = ecore/src/lib/ecore_anim.c                       \
 
 
 nodist_check_SCRIPTS = eagain testsrn testcompat chain invalid-cert testrandom \
-       testpkcs11 testrng
+       testpkcs11 testrng testpkcs11.pkcs15 testpkcs11.softhsm
 
 TESTS = ciphersuite/test-ciphersuites.sh eagain testsrn testcompat chain invalid-cert \
        testpkcs11 testrng
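Review bot: testpkcs11.sc-hsm, added by this commit next to the other two helper files, is missing from the nodist_check_SCRIPTS list on the `+` line, so it is not treated as a check script the way testpkcs11.pkcs15 and testpkcs11.softhsm now are. If the sc-hsm helper is deliberately left out (it needs a physical token, if I read the helper correctly), a short comment above the variable would save the next reader a search; otherwise the line should read `testpkcs11 testrng testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm`.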
index 00218f8a6b2c4a5d622162f53ccf44cd1d89d8a0..c71f3e938604ad6be891031277f739196c599e10 100755 (executable)
@@ -25,177 +25,257 @@ DIFF="${DIFF:-diff -b -B}"
 SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q"
 CLI="${CLI:-../../src/gnutls-cli$EXEEXT}"
 PORT="${PORT:-5561}"
-unset RETCODE
+RETCODE=0
+
+TMPFILE=$srcdir/testpkcs11.debug
+CERTTOOL_PARAM="--stdout-info"
 
 if test "${WINDIR}" != "";then
   exit 77
 fi 
 
-if ! test -x "/usr/bin/softhsm";then
-  exit 77
-fi
-
 . $srcdir/../scripts/common.sh
 
-echo "Testing PKCS11 support"
+rm -f $TMPFILE
 
-# erase SC
+exit_error () {
+       echo "Check $TMPFILE for additional debugging information"
+       echo ""
+       echo ""
+       tail $TMPFILE
+       exit 1
+}
 
-CERTTOOL_PARAM="--stdout-info"
-if test "$1" = "pkcs15";then
-  echo -n "* Erasing smart card... "
-  pkcs15-init -E >/dev/null #2>&1
-  if test $? = 0;then
-    echo ok
-  else
-    echo failed
-    exit 1
-  fi
-
-  echo -n "* Initializing smart card... "
-  pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin 1234 --pin 1234 --puk 111111 --label "GnuTLS-Test" >/dev/null #2>&1
-  if test $? = 0;then
-    echo ok
-  else
-    echo failed
-    exit 1
-  fi
-else
-  export SOFTHSM_CONF="softhsm-testpkcs11.config"
-  if test -f /usr/lib/softhsm/libsofthsm.so;then
-    ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so"
-  else
-    ADDITIONAL_PARAM="--provider /usr/lib64/softhsm/libsofthsm.so"
-  fi
-  echo "0:./softhsm-testpkcs11.db" > $SOFTHSM_CONF
-
-  echo -n "* Initializing smart card... "
-  softhsm --init-token --slot 0 --label "GnuTLS-Test" --so-pin 1234 --pin 1234 >/dev/null #2>&1
-  if test $? = 0;then
-    echo ok
-  else
-    echo failed
-    exit 1
-  fi
-fi
+# $1: token
+# $2: PIN
+# $3: filename
+# $srcdir/pkcs11-certs/client.key
+write_privkey () {
+       export GNUTLS_PIN=$2
 
-# find token name
-TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
+       filename=$3
+       token=$1
+       echo -n "* Writing a client private key... "
+       $P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client2 --load-privkey "$filename" "$token" >>$TMPFILE 2>&1
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               exit_error
+       fi
+}
 
-echo "* Token: $TOKEN"
-if test x"$TOKEN" = x;then
-       echo "Could not find generated token"
-       exit 1
-fi
+# $1: token
+# $2: PIN
+# $3: bits
+generate_rsa_privkey () {
+       export GNUTLS_PIN=$2
+       token=$1
+       bits=$3
 
-export GNUTLS_PIN=1234
+       echo -n "* Generating RSA private key ($bits)... "
+       $P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-rsa --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               RETCODE=1
+       fi
+}
 
-echo -n "* Writing a client private key... "
-$P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client2 --load-privkey $srcdir/pkcs11-certs/client.key "$TOKEN" >/dev/null #2>&1
-if test $? = 0;then
-  echo ok
-else
-  echo failed
-  exit 1
-fi
+# $1: token
+# $2: PIN
+# $3: bits
+generate_ecc_privkey () {
+       export GNUTLS_PIN=$2
+       token=$1
+       bits=$3
 
-echo -n "* Generating client private key... "
-$P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-rsa --bits 1024 "$TOKEN" >tmp-client.pub #2>&1
-if test $? = 0;then
-  echo ok
-else
-  echo failed
-  exit 1
-fi
+       echo -n "* Generating ECC private key ($bits)... "
+       $P11TOOL $ADDITIONAL_PARAM --login --label gnutls-client --generate-ecc --bits $bits "$token" --outfile tmp-client.pub >>$TMPFILE 2>&1
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               RETCODE=1
+       fi
+}
 
-echo -n "* Generating client certificate... "
-$CERTTOOL $CERTTOOL_PARAM $ADDITIONAL_PARAM  --generate-certificate --load-ca-privkey $srcdir/pkcs11-certs/ca.key --load-ca-certificate $srcdir/pkcs11-certs/ca.crt \
-       --template $srcdir/pkcs11-certs/client-tmpl --load-privkey "$TOKEN;object=gnutls-client;object-type=private" \
-       --load-pubkey tmp-client.pub > tmp-client.crt #2>/dev/null
-if test $? = 0;then
-  echo ok
-else
-  echo failed
-  exit 1
-fi
+# $1: token
+# $2: PIN
+# $3: cakey: $srcdir/pkcs11-certs/ca.key
+# $4: cacert: $srcdir/pkcs11-certs/ca.crt
+#
+# Tests writing a certificate which corresponds to the given key,
+# as well as the CA certificate, and tries to export them.
+write_certificate_test () {
+       export GNUTLS_PIN=$2
+       token=$1
+       cakey=$3
+       cacert=$4
+       pubkey=$5
 
-echo -n "* Writing client certificate... "
-$P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client --load-certificate tmp-client.crt "$TOKEN" >/dev/null #2>&1
-if test $? = 0;then
-  echo ok
-else
-  echo failed
-  exit 1
-fi
+       echo -n "* Generating client certificate... "
+       $CERTTOOL $CERTTOOL_PARAM $ADDITIONAL_PARAM  --generate-certificate --load-ca-privkey "$cakey"  --load-ca-certificate "$cacert"  \
+       --template $srcdir/pkcs11-certs/client-tmpl --load-privkey "$token;object=gnutls-client;object-type=private" \
+       --load-pubkey "$pubkey" --outfile tmp-client.crt >>$TMPFILE 2>&1
 
-echo -n "* Writing certificate of client's CA... "
-$P11TOOL $ADDITIONAL_PARAM --so-login --write --trusted --label gnutls-ca --load-certificate $srcdir/pkcs11-certs/ca.crt "$TOKEN" >/dev/null #2>&1
-if test $? = 0;then
-  echo ok
-else
-  echo failed
-  exit 1
-fi
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               exit_error
+       fi
 
-echo -n "* Trying to obtain back the cert... "
-$P11TOOL $ADDITIONAL_PARAM --export "$TOKEN;object=gnutls-ca;object-type=cert" >crt1.tmp #2>/dev/null
-$DIFF crt1.tmp $srcdir/pkcs11-certs/ca.crt
-if test $? != 0;then
-       echo "failed. Exported certificate differs!"
-       exit 1
-fi
-rm -f crt1.tmp
-if test $? = 0;then
-  echo ok
-else
-  echo failed
-  exit 1
-fi
+       echo -n "* Writing client certificate... "
+       $P11TOOL $ADDITIONAL_PARAM --login --write --label gnutls-client --load-certificate tmp-client.crt "$token" >>$TMPFILE 2>&1
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               exit_error
+       fi
 
-echo -n "* Trying to obtain the full chain... "
-$P11TOOL $ADDITIONAL_PARAM --login --export-chain "$TOKEN;object=gnutls-client;object-type=cert"|$CERTTOOL $CERTTOOL_PARAM  -i >crt1.tmp #2>/dev/null
+       echo -n "* Writing certificate of client's CA... "
+       $P11TOOL $ADDITIONAL_PARAM --so-login --ca --write --trusted --label gnutls-ca --load-certificate "$cacert" "$token" >>$TMPFILE 2>&1
+
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               return
+       fi
+
+       echo -n "* Trying to obtain back the cert... "
+       $P11TOOL $ADDITIONAL_PARAM --export "$token;object=gnutls-ca;object-type=cert" --outfile crt1.tmp >>$TMPFILE 2>&1
+       $DIFF crt1.tmp $srcdir/pkcs11-certs/ca.crt
+       if test $? != 0;then
+               echo "failed. Exported certificate differs (crt1.tmp)!"
+               exit_error
+       fi
+       rm -f crt1.tmp
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               exit_error
+       fi
+
+       echo -n "* Trying to obtain the full chain... "
+       $P11TOOL $ADDITIONAL_PARAM --login --export-chain "$token;object=gnutls-client;object-type=cert"|$CERTTOOL $CERTTOOL_PARAM  -i --outfile crt1.tmp >>$TMPFILE 2>&1
+
+       cat tmp-client.crt $srcdir/pkcs11-certs/ca.crt|$CERTTOOL $CERTTOOL_PARAM  -i >crt2.tmp
+       $DIFF crt1.tmp crt2.tmp
+       if test $? != 0;then
+               echo "failed. Exported certificate chain differs!"
+               exit_error
+       fi
+       rm -f crt1.tmp crt2.tmp
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               exit_error
+       fi
+}
+
+
+# $1: token
+# $2: PIN
+# $3: certfile
+# $4: keyfile
+# $5: cafile
+#
+# Tests using a certificate and key pair using gnutls-serv and gnutls-cli.
+use_certificate_test () {
+       export GNUTLS_PIN=$2
+       token=$1
+       certfile=$3
+       keyfile=$4
+       cafile=$5
+
+       echo -n "* Using PKCS #11 with gnutls-cli... "
+       # start server
+       launch_server $$ --echo --priority NORMAL --x509certfile="$certfile" \
+               --x509keyfile="$keyfile" --x509cafile="$cafile" \
+               --require-client-cert >>$TMPFILE 2>&1 &
+
+       PID=$!
+       wait_server $PID
+
+       # connect to server using SC
+       $CLI $ADDITIONAL_PARAM  -p $PORT localhost --priority NORMAL --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 && \
+               fail $PID "Connection should have failed!"
+
+       $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$certfile" \
+       --x509keyfile="$keyfile" --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 || \
+               fail $PID "Connection (with files) should have succeeded!"
+
+       $CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$token;object=gnutls-client;object-type=cert" \
+               --x509keyfile="$token;object=gnutls-client;object-type=private" \
+               --x509cafile="$cafile" </dev/null >>$TMPFILE 2>&1 || \
+               fail $PID "Connection (with SC) should have succeeded!"
+
+       kill $PID
+       wait
+
+       echo ok
+}
+
+
+
+echo "Testing PKCS11 support"
+
+# erase SC
+
+type=$1
+
+if test -z "$type";then
+       echo "usage: $0: [pkcs15|softhsm|sc-hsm]"
+       if test -x "/usr/bin/softhsm";then
+               echo "assuming 'softhsm'"
+               echo ""
+               type=softhsm
+       else
+               exit 1
+       fi
 
-cat tmp-client.crt $srcdir/pkcs11-certs/ca.crt|$CERTTOOL $CERTTOOL_PARAM  -i >crt2.tmp
-$DIFF crt1.tmp crt2.tmp
-if test $? != 0;then
-       echo "failed. Exported certificate chain differs!"
-       exit 1
 fi
-rm -f crt1.tmp crt2.tmp
-if test $? = 0;then
-  echo ok
-else
-  echo failed
-  exit 1
+
+. $srcdir/testpkcs11.$type
+
+export GNUTLS_PIN=12345678
+export GNUTLS_SO_PIN=00000000
+
+init_card $GNUTLS_PIN $GNUTLS_SO_PIN
+
+# find token name
+TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
+
+echo "* Token: $TOKEN"
+if test x"$TOKEN" = x;then
+       echo "Could not find generated token"
+       exit_error
 fi
 
-echo -n "* Trying using PKCS #11 with gnutls-cli... "
-# start server
-launch_server $$ --echo --priority NORMAL --x509certfile=$srcdir/pkcs11-certs/server.crt \
-       --x509keyfile=$srcdir/pkcs11-certs/server.key --x509cafile=$srcdir/pkcs11-certs/ca.crt \
-       --require-client-cert >/dev/null 2>&1 &
-PID=$!
-wait_server $PID
+#write a given privkey
+write_privkey $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/client.key"
+
+generate_ecc_privkey $TOKEN $GNUTLS_PIN 256
 
-# connect to server using SC
-$CLI $ADDITIONAL_PARAM  -p $PORT localhost --priority NORMAL --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 && \
-  fail $PID "Connection should have failed!"
+generate_ecc_privkey $TOKEN $GNUTLS_PIN 384
 
-$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile=$srcdir/pkcs11-certs/client.crt \
-       --x509keyfile=$srcdir/pkcs11-certs/client.key --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 || \
-  fail $PID "Connection (with files) should have succeeded!"
+generate_rsa_privkey $TOKEN $GNUTLS_PIN 2048
 
-$CLI $ADDITIONAL_PARAM -p $PORT localhost --priority NORMAL --x509certfile="$TOKEN;object=gnutls-client;object-type=cert" \
-       --x509keyfile="$TOKEN;object=gnutls-client;object-type=private" \
-       --x509cafile=$srcdir/pkcs11-certs/ca.crt </dev/null >/dev/null 2>&1 || \
-  fail $PID "Connection (with SC) should have succeeded!"
+generate_rsa_privkey $TOKEN $GNUTLS_PIN 1024
 
-kill $PID
-wait
+write_certificate_test $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/ca.key" "$srcdir/pkcs11-certs/ca.crt" tmp-client.pub
 
-echo ok
+use_certificate_test $TOKEN $GNUTLS_PIN "$srcdir/pkcs11-certs/server.crt" "$srcdir/pkcs11-certs/server.key" "$srcdir/pkcs11-certs/ca.crt"
 
-echo "* All smart cards tests succeeded"
-rm -f tmp-client.crt tmp-client.pub $SOFTHSM_CONF
+if test $RETCODE = 0;then
+       echo "* All smart cards tests succeeded"
+fi
+rm -f tmp-client.crt tmp-client.pub $TMPFILE
 
 exit 0
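Review bot: RETCODE, introduced as `RETCODE=0` and set to 1 when generate_rsa_privkey or generate_ecc_privkey fails, never reaches the exit status because the script still ends with the unchanged `exit 0`, so a failed key generation passes under `make check` with only a missing "All smart cards tests succeeded" line as evidence; the last line should be `exit $RETCODE`. The same gap exists in write_certificate_test, where a failed CA-certificate write does a bare `return` without `RETCODE=1`, while every sibling failure in that function calls exit_error. The call sites at the bottom pass `$TOKEN` and `$GNUTLS_PIN` unquoted even though the functions themselves quote `"$token"`; should p11tool ever print a URL containing whitespace, the token would be split and the PIN shifted into the wrong parameter, so quote them, e.g. `write_privkey "$TOKEN" "$GNUTLS_PIN" "$srcdir/pkcs11-certs/client.key"`. The final cleanup also drops `$SOFTHSM_CONF` from the `rm -f` line, so the config the softhsm helper writes is now left behind in the working directory.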
diff --git a/tests/suite/testpkcs11.pkcs15 b/tests/suite/testpkcs11.pkcs15
new file mode 100644 (file)
index 0000000..d72163b
--- /dev/null
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+
+init_card () {
+       PIN=$1
+       PUK=$2
+
+       echo -n "* Erasing smart card... "
+       pkcs15-init -E >$TMPFILE 2>&1
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               cat $TMPFILE
+               exit_error
+       fi
+
+       echo -n "* Initializing smart card... "
+       pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --so-pin $PIN --pin $PIN --puk $PUK --label "GnuTLS-Test" >$TMPFILE 2>&1
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               cat $TMPFILE
+               exit_error
+       fi
+}
+
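Review bot: init_card receives the caller's SO PIN as `$2` (the main script runs `init_card $GNUTLS_PIN $GNUTLS_SO_PIN`) but the pkcs15-init call uses `--so-pin $PIN --pin $PIN --puk $PUK`, so the card's SO PIN becomes the user PIN and the exported GNUTLS_SO_PIN value is consumed as the PUK; the later `--so-login` step in write_certificate_test presumably authenticates with GNUTLS_SO_PIN and would then not match, unlike the softhsm helper which does pass `$2` as `--so-pin`. If this is intended, rename `PUK` and say so in a comment; otherwise `--so-pin $PUK --pin $PIN` plus a separate PUK value is what the parameter names suggest. Both pkcs15-init calls also redirect with `>$TMPFILE`, truncating the log every other helper appends to with `>>`, and the `cat $TMPFILE` before exit_error prints the same output that exit_error's `tail` then repeats.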
diff --git a/tests/suite/testpkcs11.sc-hsm b/tests/suite/testpkcs11.sc-hsm
new file mode 100644 (file)
index 0000000..03b86a4
--- /dev/null
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+
+init_card () {
+       PIN=$1
+       PUK=3537363231383830
+       export GNUTLS_SO_PIN=$PUK
+
+       echo -n "* Erasing smart card... "
+       sc-hsm-tool --initialize --so-pin $PUK --pin $PIN --label=GnuTLS-Test >>$TMPFILE 2>&1
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               exit_error
+       fi
+
+       echo -n "* Initializing smart card... "
+       TOKEN=`$P11TOOL $ADDITIONAL_PARAM --list-tokens pkcs11:token=Nikos|grep URL|grep token=GnuTLS-Test|sed 's/\s*URL\: //g'`
+       if test -z "$TOKEN";then
+               echo "Could not find initialized card"
+               exit_error
+       fi
+
+       $P11TOOL $ADDITIONAL_PARAM --initialize "$TOKEN" --set-so-pin $PUK --set-pin $PIN --label "GnuTLS-Test" >>$TMPFILE 2>&1
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               exit_error
+       fi
+}
+
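Review bot: init_card ignores its second argument: the caller passes the SO PIN as `$2`, but the function hard-codes `PUK=3537363231383830` and re-exports GNUTLS_SO_PIN to that value, silently overriding the `GNUTLS_SO_PIN=00000000` the main script exported just before. If sc-hsm-tool's --initialize requires this fixed SO-PIN, a comment such as `# sc-hsm --initialize expects this fixed SO-PIN; export it so the later --so-login uses the same value` would make the override look intentional rather than accidental. The TOKEN lookup duplicates the `--list-tokens | grep | sed` pipeline from the main script; a shared helper in testpkcs11 would keep the two in step if the URL format changes. The file is added with mode 0644 while testpkcs11.softhsm is 0755; since both are only sourced, the two helpers should use the same mode.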
diff --git a/tests/suite/testpkcs11.softhsm b/tests/suite/testpkcs11.softhsm
new file mode 100755 (executable)
index 0000000..ddaaff4
--- /dev/null
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+export SOFTHSM_CONF="softhsm-testpkcs11.config"
+
+if test -f /usr/lib/softhsm/libsofthsm.so;then
+       ADDITIONAL_PARAM="--provider /usr/lib/softhsm/libsofthsm.so"
+else
+       ADDITIONAL_PARAM="--provider /usr/lib64/softhsm/libsofthsm.so"
+fi
+
+init_card () {
+       PIN=$1
+       PUK=$2
+
+       if ! test -x "/usr/bin/softhsm";then
+               echo "Could not find /usr/bin/softhsm"
+               exit 77
+       fi
+
+       rm -f ./softhsm-testpkcs11.db
+       echo "0:./softhsm-testpkcs11.db" > $SOFTHSM_CONF
+
+       echo -n "* Initializing smart card... "
+       softhsm --init-token --slot 0 --label "GnuTLS-Test" --so-pin $PUK --pin $PIN >/dev/null #2>&1
+       if test $? = 0;then
+               echo ok
+       else
+               echo failed
+               exit_error
+       fi
+}
+
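Review bot: the `softhsm --init-token` line still redirects with `>/dev/null #2>&1`, unlike every other helper which appends `>>$TMPFILE 2>&1`, so when initialization fails exit_error's tail of $TMPFILE has nothing to show and the diagnostic lands on the console instead; change it to `softhsm --init-token --slot 0 --label "GnuTLS-Test" --so-pin $PUK --pin $PIN >>$TMPFILE 2>&1`. The provider selection at the top falls through to /usr/lib64/softhsm/libsofthsm.so without testing that it exists, so on a system with neither path the run fails inside p11tool instead of skipping with 77 as the `/usr/bin/softhsm` check does; an `elif test -f` for the lib64 path and an `else` that exits 77 would match the existing skip logic. The database `./softhsm-testpkcs11.db` and `$SOFTHSM_CONF` are created in the working directory and removed neither here nor by the main script, so the generated keys and config persist across runs.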