security/nss/tests/fips/fips.sh


Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purposes.

     1 #! /bin/bash  
     2 #
     3 # This Source Code Form is subject to the terms of the Mozilla Public
     4 # License, v. 2.0. If a copy of the MPL was not distributed with this
     5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
     7 ########################################################################
     8 # mozilla/security/nss/tests/fips/fips.sh
     9 #
    10 # Script to test basic functionality of NSS in FIPS-compliant mode
    11 #
    12 # needs to work on all Unix and Windows platforms
    13 #
    14 # tests implemented:
    15 #
    16 # special strings
    17 # ---------------
    18 #
    19 ########################################################################
    21 ############################## fips_init ##############################
    22 # local shell function to initialize this script 
    23 ########################################################################
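fips_init()
{
  SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh

  # Only take over cleanup duty if no calling script has claimed it.
  if [ -z "${CLEANUP}" ] ; then
      CLEANUP="${SCRIPTNAME}"
  fi

  # Pull in the shared test environment unless init.sh already ran
  # (it sets INIT_SOURCED=TRUE). `||` replaces the ambiguous `-o` test.
  if [ -z "${INIT_SOURCED}" ] || [ "${INIT_SOURCED}" != "TRUE" ]; then
      cd ../common
      . ./init.sh
  fi
  # cert.sh creates the FIPS database and certificates exercised below.
  # Quoting matters here: an unset CERT_LOG_FILE now correctly counts as
  # "not readable" instead of degrading into a bare `[ ! -r ]`.
  if [ ! -r "${CERT_LOG_FILE}" ]; then
      cd ../cert
      . ./cert.sh
  fi
  SCRIPTNAME=fips.sh
  html_head "FIPS 140 Compliance Tests"

  # The FIPS part of cert.sh must have passed; otherwise every test in
  # this script would fail for the wrong reason.
  grep "SUCCESS: FIPS passed" "${CERT_LOG_FILE}" >/dev/null || {
      Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
  }

  COPYDIR="${FIPSDIR}/copydir"

  R_FIPSDIR=../fips
  P_R_FIPSDIR=../fips
  R_COPYDIR=../fips/copydir

  # With MULTIACCESS_DBM the tools address the database through the
  # multiaccess: prefix instead of a plain directory path.
  if [ -n "${MULTIACCESS_DBM}" ]; then
     P_R_FIPSDIR="multiaccess:${D_FIPS}"
  fi

  # FIPSDIR is expected to come from init.sh; assumed non-empty.
  mkdir -p "${FIPSDIR}"
  mkdir -p "${COPYDIR}"

  cd "${FIPSDIR}"
}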
    63 ############################## fips_140 ##############################
    64 # local shell function to test basic functionality of NSS while in
    65 # FIPS 140 compliant mode
    66 ########################################################################
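fips_140()
{
  # Every step prints the command it is about to run, runs it with stderr
  # folded into stdout so the log captures it, and records the exit status
  # against the expected one via html_msg.
  echo "$SCRIPTNAME: Verify this module is in FIPS mode  -----------------"
  echo "modutil -dbdir ${P_R_FIPSDIR} -list"
  "${BINDIR}/modutil" -dbdir "${P_R_FIPSDIR}" -list 2>&1
  "${BINDIR}/modutil" -dbdir "${P_R_FIPSDIR}" -chkfips true 2>&1
  html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."

  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
  echo "certutil -d ${P_R_FIPSDIR} -L"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -L 2>&1
  html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."

  echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."

  # Negative test: a wrong token password must be rejected (status 255),
  # i.e. the private keys stay inaccessible.
  echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${FIPSBADPWFILE}" 2>&1
  RET=$?
  html_msg "${RET}" 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
  echo "certutil -K returned $RET"

  echo "$SCRIPTNAME: Validate the certificate --------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -V -n "${FIPSCERTNICK}" -u SR -e -f "${R_FIPSPWFILE}"
  html_msg $? 0 "Validate the certificate (certutil -V -e)" "."

  echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
  echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
  "${BINDIR}/pk12util" -d "${P_R_FIPSDIR}" -o fips140.p12 -n "${FIPSCERTNICK}" -w "${R_FIPSP12PWFILE}" -k "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."

  echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
  echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -L -n "${FIPSCERTNICK}" -r -o fips140.crt 2>&1
  html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."

  # The test certificate must be listed before it is deleted.
  _fips_check_cert_listing present

  echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
  echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -F -n "${FIPSCERTNICK}" -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."

  # ... and must be gone afterwards.
  _fips_check_cert_listing absent

  echo "$SCRIPTNAME: List the FIPS module keys."
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  # certutil -K now returns a failure if no keys are found. This verifies that
  # our delete succeeded.
  html_msg $? 255 "List the FIPS module keys (certutil -K)" "."

  # Round-trip: re-import the PKCS#12 file exported above.
  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
  "${BINDIR}/pk12util" -d "${P_R_FIPSDIR}" -i fips140.p12 -w "${R_FIPSP12PWFILE}" -k "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."

  _fips_check_cert_listing present

  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."

  # Delete the certificate only (-D), leaving the key, then re-import.
  echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
  echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -D -n "${FIPSCERTNICK}" 2>&1
  html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."

  _fips_check_cert_listing absent

  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
  "${BINDIR}/pk12util" -d "${P_R_FIPSDIR}" -i fips140.p12 -w "${R_FIPSP12PWFILE}" -k "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."

  _fips_check_cert_listing present

  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."

  echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE  -----------------"
  echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
  "${BINDIR}/pk11mode" -d "${P_R_FIPSDIR}" -p fips- -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."

  echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE  -----------------"
  echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
  "${BINDIR}/pk11mode" -d "${P_R_FIPSDIR}" -p nonfips- -f "${R_FIPSPWFILE}" -n 2>&1
  html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."

  LIBDIR="${DIST}/${OBJDIR}/lib"
  MANGLEDIR="${FIPSDIR}/mangle"

  # There are different versions of cp command on different systems, some of them
  # copies only symlinks, others doesn't have option to disable links, so there
  # is needed to copy files one by one. A glob replaces parsing `ls` output;
  # like `ls`, it skips dotfiles.
  echo "mkdir ${MANGLEDIR}"
  mkdir "${MANGLEDIR}"
  for lib in "${LIBDIR}"/*; do
    [ -e "${lib}" ] || continue     # an unmatched glob expands to itself
    echo "cp ${lib} ${MANGLEDIR}"
    cp "${lib}" "${MANGLEDIR}"
  done

  echo "$SCRIPTNAME: Detect mangled softoken--------------------------"
  SOFTOKEN="${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}"

  echo "mangling ${SOFTOKEN}"
  echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
  # If nss was built without softoken use the system installed one.
  # Its location must be specified by the package maintainer.
  if [ ! -e "${SOFTOKEN}" ]; then
    echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}"
    cp "${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}" "${MANGLEDIR}"
  fi
  # Corrupt the copied softoken; loading it from MANGLEDIR is then expected
  # to make dbtest fail with status 46 rather than initialize NSS.
  if "${BINDIR}/mangle" -i "${SOFTOKEN}" -o -8 -b 5 2>&1; then
    _fips_run_dbtest_mangled
    RESULT=$?
    html_msg "${RESULT}" 46 "Init NSS with a corrupted library (dbtest -r)" "."
  else
    html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
  fi
}

########################################################################
# Helper for fips_140: list the certificates in the FIPS database and
# record a result depending on whether FIPS_PUB_140_Test_Certificate is
# expected to appear.
# Globals:   SCRIPTNAME, BINDIR, P_R_FIPSDIR (read)
# Arguments: $1 - "present" (certificate must be listed) or
#                 "absent"  (listing it is a failure, reported as 255)
# Outputs:   certutil output on stdout; result row via html_msg
########################################################################
_fips_check_cert_listing()
{
  local expect="$1"
  local certs ret found

  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
  echo "certutil -d ${P_R_FIPSDIR} -L"
  certs=$("${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -L 2>&1)
  ret=$?
  printf '%s\n' "${certs}"
  if [ "${ret}" -eq 0 ]; then
    printf '%s\n' "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
    found=$?
    if [ "${expect}" = "present" ]; then
      ret=${found}        # 0 only when the test certificate is listed
    elif [ "${found}" -eq 0 ]; then
      ret=255             # still listed although it was deleted
    fi
  fi
  html_msg "${ret}" 0 "List the FIPS module certificates (certutil -L)" "."
}

########################################################################
# Helper for fips_140: run `dbtest -r` against the FIPS database with the
# platform's library search path pointed at MANGLEDIR, so the corrupted
# softoken copy is the one NSS loads.
# Globals:   OS_ARCH, OS_NAME, MANGLEDIR, BINDIR, P_R_FIPSDIR, TMP (read)
# Outputs:   dbtest output into ${TMP}/dbtestoutput.txt
# Returns:   dbtest's exit status
########################################################################
_fips_run_dbtest_mangled()
{
  local dbtest="${BINDIR}/dbtest"
  local mangledir="${MANGLEDIR}"
  local result

  case "${OS_ARCH}" in
    WINNT)
      # Windows resolves DLLs through PATH, so the dbtest found on PATH is used.
      dbtest=$(command -v dbtest)
      if [ "${OS_NAME}" = "CYGWIN_NT" ]; then
        dbtest=$(cygpath -m "${dbtest}")
        mangledir=$(cygpath -u "${mangledir}")
      fi
      echo "PATH=${mangledir} ${dbtest} -r -d ${P_R_FIPSDIR}"
      PATH="${mangledir}" "${dbtest}" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      result=$?
      ;;
    HP-UX)
      echo "SHLIB_PATH=${mangledir} dbtest -r -d ${P_R_FIPSDIR}"
      LD_LIBRARY_PATH="" SHLIB_PATH="${mangledir}" "${dbtest}" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      result=$?
      ;;
    AIX)
      echo "LIBPATH=${mangledir} dbtest -r -d ${P_R_FIPSDIR}"
      LIBPATH="${mangledir}" "${dbtest}" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      result=$?
      ;;
    Darwin)
      echo "DYLD_LIBRARY_PATH=${mangledir} dbtest -r -d ${P_R_FIPSDIR}"
      DYLD_LIBRARY_PATH="${mangledir}" "${dbtest}" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      result=$?
      ;;
    *)
      echo "LD_LIBRARY_PATH=${mangledir} dbtest -r -d ${P_R_FIPSDIR}"
      LD_LIBRARY_PATH="${mangledir}" "${dbtest}" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      result=$?
      ;;
  esac
  return "${result}"
}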
   277 ############################## fips_cleanup ############################
   278 # local shell function to finish this script (no exit since it might be 
   279 # sourced)
   280 ########################################################################
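fips_cleanup()
{
  # Close the results table opened by html_head, then hand over to the
  # shared cleanup. QADIR is quoted so a path with spaces still works.
  html "</TABLE><BR>"
  cd "${QADIR}"
  . common/cleanup.sh
}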
   288 ################## main #################################################
   290 fips_init
   291 fips_140
   292 fips_cleanup
   293 echo "fips.sh done"
