search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import 1.9b4 NSS tag from cvs
[mozilla-nss.git] / security / nss / tests / fips / fips.sh
blob1950d76b0adb84d401c6997e057c4dfb8a6e18db
1 #! /bin/sh
2 #
3 # ***** BEGIN LICENSE BLOCK *****
4 # Version: MPL 1.1/GPL 2.0/LGPL 2.1
5 #
6 # The contents of this file are subject to the Mozilla Public License Version
7 # 1.1 (the "License"); you may not use this file except in compliance with
8 # the License. You may obtain a copy of the License at
9 # http://www.mozilla.org/MPL/
10 #
11 # Software distributed under the License is distributed on an "AS IS" basis,
12 # WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
13 # for the specific language governing rights and limitations under the
14 # License.
15 #
16 # The Original Code is the Netscape security libraries.
17 #
18 # The Initial Developer of the Original Code is
19 # Netscape Communications Corporation.
20 # Portions created by the Initial Developer are Copyright (C) 1994-2000
21 # the Initial Developer. All Rights Reserved.
22 #
23 # Contributor(s):
24 #
25 # Alternatively, the contents of this file may be used under the terms of
26 # either the GNU General Public License Version 2 or later (the "GPL"), or
27 # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
28 # in which case the provisions of the GPL or the LGPL are applicable instead
29 # of those above. If you wish to allow use of your version of this file only
30 # under the terms of either the GPL or the LGPL, and not to allow others to
31 # use your version of this file under the terms of the MPL, indicate your
32 # decision by deleting the provisions above and replace them with the notice
33 # and other provisions required by the GPL or the LGPL. If you do not delete
34 # the provisions above, a recipient may use your version of this file under
35 # the terms of any one of the MPL, the GPL or the LGPL.
36 #
37 # ***** END LICENSE BLOCK *****
38
39 ########################################################################
40 # mozilla/security/nss/tests/fips/fips.sh
41 #
42 # Script to test basic functionallity of NSS in FIPS-compliant mode
43 #
44 # needs to work on all Unix and Windows platforms
45 #
46 # tests implemented:
47 #
48 # special strings
49 # ---------------
50 #
51 ########################################################################
52
53 ############################## fips_init ##############################
54 # local shell function to initialize this script
55 ########################################################################
56 fips_init()
57 {
58 SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh
59
60 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
61 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
62 fi
63
64 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
65 cd ../common
66 . ./init.sh
67 fi
68 if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
69 cd ../cert
70 . ./cert.sh
71 fi
72 SCRIPTNAME=fips.sh
73 html_head "FIPS 140 Compliance Tests"
74
75 grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || {
76 Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
77 }
78
79 COPYDIR=${FIPSDIR}/copydir
80
81 R_FIPSDIR=../fips
82 P_R_FIPSDIR=../fips
83 R_COPYDIR=../fips/copydir
84
85 if [ -n "${MULTIACCESS_DBM}" ]; then
86 P_R_FIPSDIR="multiaccess:${D_FIPS}"
87 fi
88
89 mkdir -p ${FIPSDIR}
90 mkdir -p ${COPYDIR}
91
92 cd ${FIPSDIR}
93 }
94
95 ############################## fips_140 ##############################
96 # local shell function to test basic functionality of NSS while in
97 # FIPS 140 compliant mode
98 ########################################################################
99 fips_140()
100 {
101 echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------"
102 echo "modutil -dbdir ${P_R_FIPSDIR} -list"
103 ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1
104 ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1
105 html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."
106
107 echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
108 echo "certutil -d ${P_R_FIPSDIR} -L"
109 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1
110 html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."
111
112 echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
113 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
114 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
115 html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
116
117 echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
118 echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
119 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1
120 RET=$?
121 html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
122 echo "certutil -K returned $RET"
123
124 echo "$SCRIPTNAME: Validate the certificate --------------------------"
125 echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
126 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}
127 html_msg $? 0 "Validate the certificate (certutil -V -e)" "."
128
129 echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
130 echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
131 ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
132 html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."
133
134 echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
135 echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
136 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1
137 html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."
138
139 echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
140 echo "certutil -d ${P_R_FIPSDIR} -L"
141 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
142 ret=$?
143 echo "${certs}"
144 if [ ${ret} -eq 0 ]; then
145 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
146 ret=$?
147 fi
148 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
149
150
151 echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
152 echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
153 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1
154 html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."
155
156 echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
157 echo "certutil -d ${P_R_FIPSDIR} -L"
158 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
159 ret=$?
160 echo "${certs}"
161 if [ ${ret} -eq 0 ]; then
162 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
163 if [ $? -eq 0 ]; then
164 ret=255
165 fi
166 fi
167 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
168
169 echo "$SCRIPTNAME: List the FIPS module keys."
170 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
171 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
172 # certutil -K now returns a failure if no keys are found. This verifies that
173 # our delete succeded.
174 html_msg $? 255 "List the FIPS module keys (certutil -K)" "."
175
176
177 echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
178 echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
179 ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
180 html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
181
182 echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
183 echo "certutil -d ${P_R_FIPSDIR} -L"
184 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
185 ret=$?
186 echo "${certs}"
187 if [ ${ret} -eq 0 ]; then
188 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
189 ret=$?
190 fi
191 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
192
193 echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
194 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
195 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
196 html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
197
198
199 echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
200 echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
201 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1
202 html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."
203
204 echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
205 echo "certutil -d ${P_R_FIPSDIR} -L"
206 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
207 ret=$?
208 echo "${certs}"
209 if [ ${ret} -eq 0 ]; then
210 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
211 if [ $? -eq 0 ]; then
212 ret=255
213 fi
214 fi
215 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
216
217
218 echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
219 echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
220 ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
221 html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
222
223 echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
224 echo "certutil -d ${P_R_FIPSDIR} -L"
225 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
226 ret=$?
227 echo "${certs}"
228 if [ ${ret} -eq 0 ]; then
229 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
230 ret=$?
231 fi
232 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
233
234 echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
235 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
236 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
237 html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
238
239
240 echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------"
241 echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
242 ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1
243 html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."
244
245 echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------"
246 echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
247 ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1
248 html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."
249
250 LIBDIR="${DIST}/${OBJDIR}/lib"
251 MANGLEDIR="${FIPSDIR}/mangle"
252
253 # There are different versions of cp command on different systems, some of them
254 # copies only symlinks, others doesn't have option to disable links, so there
255 # is needed to copy files one by one.
256 echo "mkdir ${MANGLEDIR}"
257 mkdir ${MANGLEDIR}
258 for lib in `ls ${LIBDIR}`; do
259 echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}"
260 cp ${LIBDIR}/${lib} ${MANGLEDIR}
261 done
262
263 echo "$SCRIPTNAME: Detect mangled database --------------------------"
264 SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}
265
266 echo "mangling ${SOFTOKEN}"
267 echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
268 ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1
269 if [ $? -eq 0 ]; then
270 if [ "${OS_ARCH}" = "WINNT" ]; then
271 DBTEST=`which dbtest`
272 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
273 DBTEST=`cygpath -m ${DBTEST}`
274 MANGLEDIR=`cygpath -u ${MANGLEDIR}`
275 fi
276 echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}"
277 PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
278 RESULT=$?
279 elif [ "${OS_ARCH}" = "HP-UX" ]; then
280 echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
281 LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
282 RESULT=$?
283 elif [ "${OS_ARCH}" = "AIX" ]; then
284 echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
285 LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
286 RESULT=$?
287 elif [ "${OS_ARCH}" = "Darwin" ]; then
288 echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
289 DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
290 RESULT=$?
291 else
292 echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
293 LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
294 RESULT=$?
295 fi
296
297 html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "."
298 else
299 html_msg 0 0 "Skipping corruption test, can't open ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
300 fi
301 }
302
303 ############################## fips_cleanup ############################
304 # local shell function to finish this script (no exit since it might be
305 # sourced)
306 ########################################################################
307 fips_cleanup()
308 {
309 html "</TABLE><BR>"
310 cd ${QADIR}
311 . common/cleanup.sh
312 }
313
314 ################## main #################################################
315
316 fips_init
317 fips_140
318 fips_cleanup
319 echo "fips.sh done"
Mozilla NSS module