security/nss/tests/fips/fips.sh

changeset 0
6474c204b198
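--- /dev/null
+++ b/security/nss/tests/fips/fips.sh
@@ -0,0 +1,293 @@
+#! /bin/bash  
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+# mozilla/security/nss/tests/fips/fips.sh
+#
+# Script to test basic functionallity of NSS in FIPS-compliant mode
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+#
+# special strings
+# ---------------
+#
+########################################################################
+
+############################## fips_init ##############################
+# local shell function to initialize this script 
+########################################################################
+fips_init()
+{
+  SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  SCRIPTNAME=fips.sh
+  html_head "FIPS 140 Compliance Tests"
+
+  grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
+  }
+
+  COPYDIR=${FIPSDIR}/copydir
+
+  R_FIPSDIR=../fips
+  P_R_FIPSDIR=../fips
+  R_COPYDIR=../fips/copydir
+
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+     P_R_FIPSDIR="multiaccess:${D_FIPS}"
+  fi
+
+  mkdir -p ${FIPSDIR}
+  mkdir -p ${COPYDIR}
+
+  cd ${FIPSDIR}
+}
+
+############################## fips_140 ##############################
+# local shell function to test basic functionality of NSS while in
+# FIPS 140 compliant mode
+########################################################################
+fips_140()
+{
+  echo "$SCRIPTNAME: Verify this module is in FIPS mode  -----------------"
+  echo "modutil -dbdir ${P_R_FIPSDIR} -list"
+  ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1
+  ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1
+  html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1
+  html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+  echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1
+  RET=$?
+  html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
+  echo "certutil -K returned $RET"
+
+  echo "$SCRIPTNAME: Validate the certificate --------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}
+  html_msg $? 0 "Validate the certificate (certutil -V -e)" "."
+
+  echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
+  echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."
+
+  echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
+  echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1
+  html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    ret=$?
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+
+  echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
+  echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    if [ $? -eq 0 ]; then
+      ret=255
+    fi
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys."
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  # certutil -K now returns a failure if no keys are found. This verifies that
+  # our delete succeded.
+  html_msg $? 255 "List the FIPS module keys (certutil -K)" "."
+
+
+  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
+  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    ret=$?
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+
+  echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
+  echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1
+  html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    if [ $? -eq 0 ]; then
+      ret=255
+    fi
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+
+  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
+  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    ret=$?
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+
+  echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE  -----------------"
+  echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
+  ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}  2>&1
+  html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."
+
+  echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE  -----------------"
+  echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
+  ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1
+  html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."
+
+  LIBDIR="${DIST}/${OBJDIR}/lib"
+  MANGLEDIR="${FIPSDIR}/mangle"
+   
+  # There are different versions of cp command on different systems, some of them 
+  # copies only symlinks, others doesn't have option to disable links, so there
+  # is needed to copy files one by one. 
+  echo "mkdir ${MANGLEDIR}"
+  mkdir ${MANGLEDIR}
+  for lib in `ls ${LIBDIR}`; do
+    echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}"
+    cp ${LIBDIR}/${lib} ${MANGLEDIR}
+  done
+    
+  echo "$SCRIPTNAME: Detect mangled softoken--------------------------"
+  SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}
+
+  echo "mangling ${SOFTOKEN}"
+  echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
+  # If nss was built without softoken use the system installed one.
+  # It's location must be specified by the package maintainer.
+  if [ ! -e  ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then
+    echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}"
+    cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}
+  fi
+  ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1
+  if [ $? -eq 0 ]; then
+    if [ "${OS_ARCH}" = "WINNT" ]; then
+      DBTEST=`which dbtest`
+	  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+		DBTEST=`cygpath -m ${DBTEST}`
+		MANGLEDIR=`cygpath -u ${MANGLEDIR}`
+	  fi
+      echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}"
+      PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    elif [ "${OS_ARCH}" = "HP-UX" ]; then
+      echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    elif [ "${OS_ARCH}" = "AIX" ]; then
+      echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    elif [ "${OS_ARCH}" = "Darwin" ]; then
+      echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    else
+      echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    fi  
+
+    html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "."
+  else
+    html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
+  fi
+}
+
+############################## fips_cleanup ############################
+# local shell function to finish this script (no exit since it might be 
+# sourced)
+########################################################################
+fips_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+fips_init
+fips_140
+fips_cleanup
+echo "fips.sh done"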
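Review bot: The system-softoken fallback at 1.241–1.244 never checks that its `cp` succeeded, so an unset or wrong SOFTOKEN_LIB_DIR (the source path degenerates to `/libsoftokn3.so`) only surfaces later as the `Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}` failure at 1.276, which misattributes a harness misconfiguration to the tamper-detection test; I would guard it with `cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR} || html_failed "Copy system ${DLL_PREFIX}softokn3.${DLL_SUFFIX} for mangling"` and test `[ ! -e ${SOFTOKEN} ]` at 1.241 rather than respelling the path set at 1.235. The same fallback copies only the shared object, whereas the loop at 1.229–1.232 copies everything in LIBDIR; if the FIPS integrity check reads a companion checksum file stored next to the library (not visible in this script — confirm against the loader), that file also has to land in MANGLEDIR, otherwise `dbtest -r` may fail because the checksum is missing rather than because the library was corrupted, and the `46` expected at 1.274 would no longer demonstrate that the corruption was detected. Since that number is the entire assertion of the mangle test, a comment on 1.274 saying what status 46 corresponds to would let the next reader verify it, e.g. `# 46: status dbtest returns when the softoken integrity check rejects the mangled library -- confirm against dbtest`. The default branch at 1.270 also replaces LD_LIBRARY_PATH wholesale rather than prepending MANGLEDIR, which is presumably deliberate so only the copied (mangled) libraries are loadable; a one-line comment stating that intent would keep someone from "fixing" it.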
