The Tor Browser / file comparison
comparison: security/nss/tests/fips/fips.sh
security/nss/tests/fips/fips.sh
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
equal
deleted
inserted
replaced
| -1:000000000000 | 0:9d52966dd00f |
|---|---|
| 1 #! /bin/bash | |
| 2 # | |
| 3 # This Source Code Form is subject to the terms of the Mozilla Public | |
| 4 # License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/. | |
| 6 | |
| 7 ######################################################################## | |
| 8 # mozilla/security/nss/tests/fips/fips.sh | |
| 9 # | |
| 10 # Script to test basic functionallity of NSS in FIPS-compliant mode | |
| 11 # | |
| 12 # needs to work on all Unix and Windows platforms | |
| 13 # | |
| 14 # tests implemented: | |
| 15 # | |
| 16 # special strings | |
| 17 # --------------- | |
| 18 # | |
| 19 ######################################################################## | |
| 20 | |
| 21 ############################## fips_init ############################## | |
| 22 # local shell function to initialize this script | |
| 23 ######################################################################## | |
| 24 fips_init() | |
| 25 { | |
| 26 SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh | |
| 27 | |
| 28 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for | |
| 29 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it | |
| 30 fi | |
| 31 | |
| 32 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then | |
| 33 cd ../common | |
| 34 . ./init.sh | |
| 35 fi | |
| 36 if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here | |
| 37 cd ../cert | |
| 38 . ./cert.sh | |
| 39 fi | |
| 40 SCRIPTNAME=fips.sh | |
| 41 html_head "FIPS 140 Compliance Tests" | |
| 42 | |
| 43 grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { | |
| 44 Exit 15 "Fatal - FIPS of cert.sh needs to pass first" | |
| 45 } | |
| 46 | |
| 47 COPYDIR=${FIPSDIR}/copydir | |
| 48 | |
| 49 R_FIPSDIR=../fips | |
| 50 P_R_FIPSDIR=../fips | |
| 51 R_COPYDIR=../fips/copydir | |
| 52 | |
| 53 if [ -n "${MULTIACCESS_DBM}" ]; then | |
| 54 P_R_FIPSDIR="multiaccess:${D_FIPS}" | |
| 55 fi | |
| 56 | |
| 57 mkdir -p ${FIPSDIR} | |
| 58 mkdir -p ${COPYDIR} | |
| 59 | |
| 60 cd ${FIPSDIR} | |
| 61 } | |
| 62 | |
| 63 ############################## fips_140 ############################## | |
| 64 # local shell function to test basic functionality of NSS while in | |
| 65 # FIPS 140 compliant mode | |
| 66 ######################################################################## | |
| 67 fips_140() | |
| 68 { | |
| 69 echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" | |
| 70 echo "modutil -dbdir ${P_R_FIPSDIR} -list" | |
| 71 ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 | |
| 72 ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 | |
| 73 html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "." | |
| 74 | |
| 75 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" | |
| 76 echo "certutil -d ${P_R_FIPSDIR} -L" | |
| 77 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1 | |
| 78 html_msg $? 0 "List the FIPS module certificates (certutil -L)" "." | |
| 79 | |
| 80 echo "$SCRIPTNAME: List the FIPS module keys -------------------------" | |
| 81 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" | |
| 82 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 | |
| 83 html_msg $? 0 "List the FIPS module keys (certutil -K)" "." | |
| 84 | |
| 85 echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password" | |
| 86 echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}" | |
| 87 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 | |
| 88 RET=$? | |
| 89 html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "." | |
| 90 echo "certutil -K returned $RET" | |
| 91 | |
| 92 echo "$SCRIPTNAME: Validate the certificate --------------------------" | |
| 93 echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}" | |
| 94 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} | |
| 95 html_msg $? 0 "Validate the certificate (certutil -V -e)" "." | |
| 96 | |
| 97 echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --" | |
| 98 echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" | |
| 99 ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 | |
| 100 html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "." | |
| 101 | |
| 102 echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" | |
| 103 echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" | |
| 104 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 | |
| 105 html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "." | |
| 106 | |
| 107 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" | |
| 108 echo "certutil -d ${P_R_FIPSDIR} -L" | |
| 109 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` | |
| 110 ret=$? | |
| 111 echo "${certs}" | |
| 112 if [ ${ret} -eq 0 ]; then | |
| 113 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null | |
| 114 ret=$? | |
| 115 fi | |
| 116 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." | |
| 117 | |
| 118 | |
| 119 echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" | |
| 120 echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}" | |
| 121 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 | |
| 122 html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "." | |
| 123 | |
| 124 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" | |
| 125 echo "certutil -d ${P_R_FIPSDIR} -L" | |
| 126 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` | |
| 127 ret=$? | |
| 128 echo "${certs}" | |
| 129 if [ ${ret} -eq 0 ]; then | |
| 130 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null | |
| 131 if [ $? -eq 0 ]; then | |
| 132 ret=255 | |
| 133 fi | |
| 134 fi | |
| 135 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." | |
| 136 | |
| 137 echo "$SCRIPTNAME: List the FIPS module keys." | |
| 138 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" | |
| 139 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 | |
| 140 # certutil -K now returns a failure if no keys are found. This verifies that | |
| 141 # our delete succeded. | |
| 142 html_msg $? 255 "List the FIPS module keys (certutil -K)" "." | |
| 143 | |
| 144 | |
| 145 echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" | |
| 146 echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" | |
| 147 ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 | |
| 148 html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." | |
| 149 | |
| 150 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" | |
| 151 echo "certutil -d ${P_R_FIPSDIR} -L" | |
| 152 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` | |
| 153 ret=$? | |
| 154 echo "${certs}" | |
| 155 if [ ${ret} -eq 0 ]; then | |
| 156 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null | |
| 157 ret=$? | |
| 158 fi | |
| 159 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." | |
| 160 | |
| 161 echo "$SCRIPTNAME: List the FIPS module keys --------------------------" | |
| 162 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" | |
| 163 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 | |
| 164 html_msg $? 0 "List the FIPS module keys (certutil -K)" "." | |
| 165 | |
| 166 | |
| 167 echo "$SCRIPTNAME: Delete the certificate from the FIPS module" | |
| 168 echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}" | |
| 169 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 | |
| 170 html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "." | |
| 171 | |
| 172 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" | |
| 173 echo "certutil -d ${P_R_FIPSDIR} -L" | |
| 174 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` | |
| 175 ret=$? | |
| 176 echo "${certs}" | |
| 177 if [ ${ret} -eq 0 ]; then | |
| 178 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null | |
| 179 if [ $? -eq 0 ]; then | |
| 180 ret=255 | |
| 181 fi | |
| 182 fi | |
| 183 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." | |
| 184 | |
| 185 | |
| 186 echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" | |
| 187 echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" | |
| 188 ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 | |
| 189 html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." | |
| 190 | |
| 191 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" | |
| 192 echo "certutil -d ${P_R_FIPSDIR} -L" | |
| 193 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` | |
| 194 ret=$? | |
| 195 echo "${certs}" | |
| 196 if [ ${ret} -eq 0 ]; then | |
| 197 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null | |
| 198 ret=$? | |
| 199 fi | |
| 200 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." | |
| 201 | |
| 202 echo "$SCRIPTNAME: List the FIPS module keys --------------------------" | |
| 203 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" | |
| 204 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 | |
| 205 html_msg $? 0 "List the FIPS module keys (certutil -K)" "." | |
| 206 | |
| 207 | |
| 208 echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------" | |
| 209 echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}" | |
| 210 ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 | |
| 211 html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "." | |
| 212 | |
| 213 echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------" | |
| 214 echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n" | |
| 215 ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 | |
| 216 html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "." | |
| 217 | |
| 218 LIBDIR="${DIST}/${OBJDIR}/lib" | |
| 219 MANGLEDIR="${FIPSDIR}/mangle" | |
| 220 | |
| 221 # There are different versions of cp command on different systems, some of them | |
| 222 # copies only symlinks, others doesn't have option to disable links, so there | |
| 223 # is needed to copy files one by one. | |
| 224 echo "mkdir ${MANGLEDIR}" | |
| 225 mkdir ${MANGLEDIR} | |
| 226 for lib in `ls ${LIBDIR}`; do | |
| 227 echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}" | |
| 228 cp ${LIBDIR}/${lib} ${MANGLEDIR} | |
| 229 done | |
| 230 | |
| 231 echo "$SCRIPTNAME: Detect mangled softoken--------------------------" | |
| 232 SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} | |
| 233 | |
| 234 echo "mangling ${SOFTOKEN}" | |
| 235 echo "mangle -i ${SOFTOKEN} -o -8 -b 5" | |
| 236 # If nss was built without softoken use the system installed one. | |
| 237 # It's location must be specified by the package maintainer. | |
| 238 if [ ! -e ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then | |
| 239 echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}" | |
| 240 cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR} | |
| 241 fi | |
| 242 ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 | |
| 243 if [ $? -eq 0 ]; then | |
| 244 if [ "${OS_ARCH}" = "WINNT" ]; then | |
| 245 DBTEST=`which dbtest` | |
| 246 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then | |
| 247 DBTEST=`cygpath -m ${DBTEST}` | |
| 248 MANGLEDIR=`cygpath -u ${MANGLEDIR}` | |
| 249 fi | |
| 250 echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}" | |
| 251 PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 | |
| 252 RESULT=$? | |
| 253 elif [ "${OS_ARCH}" = "HP-UX" ]; then | |
| 254 echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" | |
| 255 LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 | |
| 256 RESULT=$? | |
| 257 elif [ "${OS_ARCH}" = "AIX" ]; then | |
| 258 echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" | |
| 259 LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 | |
| 260 RESULT=$? | |
| 261 elif [ "${OS_ARCH}" = "Darwin" ]; then | |
| 262 echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" | |
| 263 DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 | |
| 264 RESULT=$? | |
| 265 else | |
| 266 echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" | |
| 267 LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 | |
| 268 RESULT=$? | |
| 269 fi | |
| 270 | |
| 271 html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "." | |
| 272 else | |
| 273 html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}" | |
| 274 fi | |
| 275 } | |
| 276 | |
| 277 ############################## fips_cleanup ############################ | |
| 278 # local shell function to finish this script (no exit since it might be | |
| 279 # sourced) | |
| 280 ######################################################################## | |
| 281 fips_cleanup() | |
| 282 { | |
| 283 html "</TABLE><BR>" | |
| 284 cd ${QADIR} | |
| 285 . common/cleanup.sh | |
| 286 } | |
| 287 | |
| 288 ################## main ################################################# | |
| 289 | |
| 290 fips_init | |
| 291 fips_140 | |
| 292 fips_cleanup | |
| 293 echo "fips.sh done" |
