security/nss/tests/fips/fips.sh

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 #! /bin/bash
michael@0 2 #
michael@0 3 # This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 # License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0 6
michael@0 7 ########################################################################
michael@0 8 # mozilla/security/nss/tests/fips/fips.sh
michael@0 9 #
michael@0 10 # Script to test basic functionality of NSS in FIPS-compliant mode
michael@0 11 #
michael@0 12 # needs to work on all Unix and Windows platforms
michael@0 13 #
michael@0 14 # tests implemented:
michael@0 15 #
michael@0 16 # special strings
michael@0 17 # ---------------
michael@0 18 #
michael@0 19 ########################################################################
michael@0 20
michael@0 21 ############################## fips_init ##############################
michael@0 22 # local shell function to initialize this script
michael@0 23 ########################################################################
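fips_init()
{
  # Initialises this script: sources the common init (once), makes sure the
  # certificate setup has run and passed its FIPS part, and prepares and
  # enters the FIPS test directory.
  # Globals: reads CLEANUP, INIT_SOURCED, CERT_LOG_FILE, FIPSDIR,
  #          MULTIACCESS_DBM, D_FIPS; writes SCRIPTNAME, CLEANUP, COPYDIR,
  #          R_FIPSDIR, P_R_FIPSDIR, R_COPYDIR
  # Returns: does not return on a fatal error (Exit 15 from init.sh)
  SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh

  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
  fi

  # Source the common init only once; INIT_SOURCED=TRUE is its marker.
  # An empty/unset value also differs from TRUE, so the former
  # "-z ... -o ... != TRUE" test (deprecated -o) collapses to this one.
  if [ "${INIT_SOURCED}" != "TRUE" ]; then
      cd ../common
      . ./init.sh
  fi
  # cert.sh must have run: its log is what we check below. Quoted so an
  # unset CERT_LOG_FILE counts as "not readable" instead of confusing test(1).
  if [ ! -r "${CERT_LOG_FILE}" ]; then   # we need certificates here
      cd ../cert
      . ./cert.sh
  fi
  SCRIPTNAME=fips.sh
  html_head "FIPS 140 Compliance Tests"

  # The FIPS part of cert.sh must have succeeded before anything here is
  # meaningful; init.sh's Exit aborts the whole run.
  grep "SUCCESS: FIPS passed" "${CERT_LOG_FILE}" >/dev/null || {
      Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
  }

  COPYDIR="${FIPSDIR}/copydir"

  R_FIPSDIR=../fips
  P_R_FIPSDIR=../fips
  R_COPYDIR=../fips/copydir

  if [ -n "${MULTIACCESS_DBM}" ]; then
      P_R_FIPSDIR="multiaccess:${D_FIPS}"
  fi

  mkdir -p "${FIPSDIR}"
  mkdir -p "${COPYDIR}"

  cd "${FIPSDIR}"
}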
michael@0 62
michael@0 63 ############################## fips_140 ##############################
michael@0 64 # local shell function to test basic functionality of NSS while in
michael@0 65 # FIPS 140 compliant mode
michael@0 66 ########################################################################
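############################ fips_check_cert_listed ####################
# Helper for fips_140: list the FIPS module certificates and check
# whether the test certificate nickname FIPS_PUB_140_Test_Certificate is
# (or is not) in the output.
# Arguments: $1 - "present": the nickname must be listed
#                 "absent":  the nickname must NOT be listed
# Globals:   reads BINDIR, P_R_FIPSDIR, SCRIPTNAME
# Outputs:   certutil output on stdout, one html_msg result
########################################################################
fips_check_cert_listed()
{
  local certs ret
  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
  echo "certutil -d ${P_R_FIPSDIR} -L"
  certs=$("${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -L 2>&1)
  ret=$?
  echo "${certs}"
  if [ "${ret}" -eq 0 ]; then
    if printf '%s\n' "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null; then
      # nickname listed: a failure only when it should have been deleted
      [ "$1" = "absent" ] && ret=255
    else
      # nickname missing: a failure only when it should be there
      [ "$1" = "present" ] && ret=1
    fi
  fi
  html_msg "${ret}" 0 "List the FIPS module certificates (certutil -L)" "."
}

############################ fips_import_p12 ###########################
# Helper for fips_140: re-import the certificate and key that were
# exported earlier in this run to fips140.p12.
# Globals:   reads BINDIR, P_R_FIPSDIR, R_FIPSP12PWFILE, R_FIPSPWFILE
########################################################################
fips_import_p12()
{
  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
  "${BINDIR}/pk12util" -d "${P_R_FIPSDIR}" -i fips140.p12 -w "${R_FIPSP12PWFILE}" -k "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
}

############################ fips_dbtest_mangled #######################
# Helper for fips_140: run "dbtest -r" against the FIPS database with the
# library search path pointed at MANGLEDIR, so that the mangled softoken
# copy is the one that gets loaded. The search-path variable differs per
# platform, hence the dispatch on OS_ARCH.
# Globals:   reads OS_ARCH, OS_NAME, BINDIR, MANGLEDIR, P_R_FIPSDIR, TMP;
#            writes RESULT (dbtest exit status); on WINNT also DBTEST and
#            (under Cygwin) MANGLEDIR
# Outputs:   dbtest output goes to ${TMP}/dbtestoutput.txt
########################################################################
fips_dbtest_mangled()
{
  case "${OS_ARCH}" in
    WINNT)
      # builtin lookup of dbtest on PATH (was: which dbtest)
      DBTEST=$(command -v dbtest)
      if [ "$OS_NAME" = "CYGWIN_NT" ]; then
        DBTEST=$(cygpath -m "${DBTEST}")
        MANGLEDIR=$(cygpath -u "${MANGLEDIR}")
      fi
      echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}"
      PATH="${MANGLEDIR}" "${DBTEST}" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
      ;;
    HP-UX)
      echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
      LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" "${BINDIR}/dbtest" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
      ;;
    AIX)
      echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
      LIBPATH="${MANGLEDIR}" "${BINDIR}/dbtest" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
      ;;
    Darwin)
      echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
      DYLD_LIBRARY_PATH="${MANGLEDIR}" "${BINDIR}/dbtest" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
      ;;
    *)
      echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
      LD_LIBRARY_PATH="${MANGLEDIR}" "${BINDIR}/dbtest" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
      ;;
  esac
}

############################## fips_140 ##############################
# local shell function to test basic functionality of NSS while in
# FIPS 140 compliant mode: mode check, cert/key listing, password
# rejection, export/delete/import round trips, pk11mode, and detection
# of a corrupted (mangled) softoken library.
# Globals:   reads BINDIR, P_R_FIPSDIR, R_FIPSPWFILE, FIPSBADPWFILE,
#            FIPSCERTNICK, R_FIPSP12PWFILE, DIST, OBJDIR, FIPSDIR,
#            DLL_PREFIX, DLL_SUFFIX, SOFTOKEN_LIB_DIR;
#            writes RET, LIBDIR, MANGLEDIR, SOFTOKEN, RESULT
# Outputs:   tool output on stdout, one html_msg/html_failed per step
########################################################################
fips_140()
{
  echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------"
  echo "modutil -dbdir ${P_R_FIPSDIR} -list"
  "${BINDIR}/modutil" -dbdir "${P_R_FIPSDIR}" -list 2>&1
  "${BINDIR}/modutil" -dbdir "${P_R_FIPSDIR}" -chkfips true 2>&1
  html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."

  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
  echo "certutil -d ${P_R_FIPSDIR} -L"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -L 2>&1
  html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."

  echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."

  # A wrong token password must be rejected; the expected exit status is 255.
  echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${FIPSBADPWFILE}" 2>&1
  RET=$?
  html_msg "${RET}" 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
  echo "certutil -K returned $RET"

  echo "$SCRIPTNAME: Validate the certificate --------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -V -n "${FIPSCERTNICK}" -u SR -e -f "${R_FIPSPWFILE}"
  html_msg $? 0 "Validate the certificate (certutil -V -e)" "."

  echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
  echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
  "${BINDIR}/pk12util" -d "${P_R_FIPSDIR}" -o fips140.p12 -n "${FIPSCERTNICK}" -w "${R_FIPSP12PWFILE}" -k "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."

  echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
  echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -L -n "${FIPSCERTNICK}" -r -o fips140.crt 2>&1
  html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."

  fips_check_cert_listed present

  # Round trip 1: delete certificate AND key (-F), verify both are gone,
  # then restore from the PKCS#12 file.
  echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
  echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -F -n "${FIPSCERTNICK}" -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."

  fips_check_cert_listed absent

  echo "$SCRIPTNAME: List the FIPS module keys."
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  # certutil -K now returns a failure if no keys are found. This verifies that
  # our delete succeeded.
  html_msg $? 255 "List the FIPS module keys (certutil -K)" "."

  fips_import_p12

  fips_check_cert_listed present

  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."

  # Round trip 2: delete only the certificate (-D), verify, restore.
  echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
  echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -D -n "${FIPSCERTNICK}" 2>&1
  html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."

  fips_check_cert_listed absent

  fips_import_p12

  fips_check_cert_listed present

  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."

  echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------"
  echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
  "${BINDIR}/pk11mode" -d "${P_R_FIPSDIR}" -p fips- -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."

  echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------"
  echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
  "${BINDIR}/pk11mode" -d "${P_R_FIPSDIR}" -p nonfips- -f "${R_FIPSPWFILE}" -n 2>&1
  html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."

  LIBDIR="${DIST}/${OBJDIR}/lib"
  MANGLEDIR="${FIPSDIR}/mangle"

  # cp behaves differently across systems with respect to symlinks (some copy
  # only the link, some have no option to disable link handling), so the
  # libraries are copied one by one. A glob replaces the former `ls` parsing.
  echo "mkdir ${MANGLEDIR}"
  mkdir "${MANGLEDIR}"
  for lib in "${LIBDIR}"/*; do
    # an unmatched glob expands to itself; skip that literal pattern
    [ -e "${lib}" ] || [ -L "${lib}" ] || continue
    echo "cp ${lib} ${MANGLEDIR}"
    cp "${lib}" "${MANGLEDIR}"
  done

  echo "$SCRIPTNAME: Detect mangled softoken--------------------------"
  SOFTOKEN="${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}"

  echo "mangling ${SOFTOKEN}"
  echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
  # If nss was built without softoken use the system installed one.
  # Its location must be specified by the package maintainer.
  if [ ! -e "${SOFTOKEN}" ]; then
    echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}"
    cp "${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}" "${MANGLEDIR}"
  fi
  # Corrupt the copied softoken; NSS must then refuse to initialise with it
  # (dbtest -r is expected to exit with 46).
  if "${BINDIR}/mangle" -i "${SOFTOKEN}" -o -8 -b 5 2>&1; then
    fips_dbtest_mangled
    html_msg "${RESULT}" 46 "Init NSS with a corrupted library (dbtest -r)" "."
  else
    html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
  fi
}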
michael@0 276
michael@0 277 ############################## fips_cleanup ############################
michael@0 278 # local shell function to finish this script (no exit since it might be
michael@0 279 # sourced)
michael@0 280 ########################################################################
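fips_cleanup()
{
  # Closes the HTML result table and hands over to the common cleanup.
  # No exit here: this script may be sourced by all.sh.
  # Globals: reads QADIR
  html "</TABLE><BR>"
  cd "${QADIR}"
  . common/cleanup.sh
}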
michael@0 287
michael@0 288 ################## main #################################################
michael@0 289
# Entry sequence: set up, run the FIPS 140 checks, tear down.
fips_init
fips_140
fips_cleanup
printf '%s\n' "fips.sh done"
