102
102
echo "modutil -dbdir ${P_R_FIPSDIR} -list"
103
103
modutil -dbdir ${P_R_FIPSDIR} -list 2>&1
104
104
modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1
105
html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)"
105
html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."
107
107
echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
108
108
echo "certutil -d ${P_R_FIPSDIR} -L"
109
109
certutil -d ${P_R_FIPSDIR} -L 2>&1
110
html_msg $? 0 "List the FIPS module certificates (certutil -L)"
110
html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."
112
112
echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
113
113
echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
114
114
certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
115
html_msg $? 0 "List the FIPS module keys (certutil -K)"
115
html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
117
117
echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
118
118
echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
119
119
certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1
121
html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)"
121
html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
122
122
echo "certutil -K returned $RET"
124
124
echo "$SCRIPTNAME: Validate the certificate --------------------------"
125
125
echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
126
126
certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}
127
html_msg $? 0 "Validate the certificate (certutil -V -e)"
127
html_msg $? 0 "Validate the certificate (certutil -V -e)" "."
129
129
echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
130
130
echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
131
131
pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
132
html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)"
132
html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."
134
134
echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
135
135
echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
136
136
certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1
137
html_msg $? 0 "Export the certificate as a DER (certutil -L -r)"
137
html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."
139
139
echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
140
140
echo "certutil -d ${P_R_FIPSDIR} -L"
141
certutil -d ${P_R_FIPSDIR} -L 2>&1
142
html_msg $? 0 "List the FIPS module certificates (certutil -L)"
141
certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1`
144
if [ ${ret} -eq 0 ]; then
145
echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
148
html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
144
151
echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
145
152
echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
146
153
certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1
147
html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -D)"
154
html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."
150
156
echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
151
157
echo "certutil -d ${P_R_FIPSDIR} -L"
152
certutil -d ${P_R_FIPSDIR} -L 2>&1
153
html_msg $? 0 "List the FIPS module certificates (certutil -L)"
158
certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1`
161
if [ ${ret} -eq 0 ]; then
162
echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
163
if [ $? -eq 0 ]; then
167
html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
155
169
echo "$SCRIPTNAME: List the FIPS module keys."
156
170
echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
157
171
certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
158
172
# certutil -K now returns a failure if no keys are found. This verifies that
159
173
# our delete succeded.
160
html_msg $? 255 "List the FIPS module keys (certutil -K)"
162
echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
163
echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
164
pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
165
html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)"
167
echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
168
echo "certutil -d ${P_R_FIPSDIR} -L"
169
certutil -d ${P_R_FIPSDIR} -L 2>&1
170
html_msg $? 0 "List the FIPS module certificates (certutil -L)"
172
echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
173
echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
174
certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
175
html_msg $? 0 "List the FIPS module keys (certutil -K)"
178
# This test was interfering with QA running on more than one machine pointing
179
# to the same binary file. Turn it off for now.
181
# echo "$SCRIPTNAME: Detect mangled database --------------------------"
182
# SOFTOKEN=${DIST}/${OBJDIR}/lib/${DLL_PREFIX}softokn3.${DLL_SUFFIX}
183
# echo "cp ${SOFTOKEN} ${TMP}/softokn3.sav"
184
# cp ${SOFTOKEN} ${TMP}/softokn3.sav
185
# echo "mangling ${SOFTOKEN}"
186
# echo "mangle -i ${SOFTOKEN} -o 60000 -b 5"
187
# mangle -i ${SOFTOKEN} -o 60000 -b 5 2>&1
188
# if [ $? -eq 0 ]; then
189
# echo "dbtest -r -d ${P_R_FIPSDIR} "
190
# suppress the expected failure message
191
# dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
192
# html_msg $? 46 "Init NSS with a corrupted library (dbtest -r)"
193
# echo "cp ${TMP}/softokn3.sav ${SOFTOKEN}"
194
# cp ${TMP}/softokn3.sav ${SOFTOKEN}
196
# html_msg 0 0 "Skipping corruption test, can't open ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
198
# echo "rm ${TMP}/softokn3.sav"
199
# rm ${TMP}/softokn3.sav
174
html_msg $? 255 "List the FIPS module keys (certutil -K)" "."
177
echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
178
echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
179
pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
180
html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
182
echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
183
echo "certutil -d ${P_R_FIPSDIR} -L"
184
certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1`
187
if [ ${ret} -eq 0 ]; then
188
echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
191
html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
193
echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
194
echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
195
certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
196
html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
199
echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
200
echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
201
certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1
202
html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."
204
echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
205
echo "certutil -d ${P_R_FIPSDIR} -L"
206
certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1`
209
if [ ${ret} -eq 0 ]; then
210
echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
211
if [ $? -eq 0 ]; then
215
html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
218
echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
219
echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
220
pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
221
html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
223
echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
224
echo "certutil -d ${P_R_FIPSDIR} -L"
225
certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1`
228
if [ ${ret} -eq 0 ]; then
229
echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
232
html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
234
echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
235
echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
236
certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
237
html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
240
echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------"
241
echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
242
pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1
243
html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."
245
echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------"
246
echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
247
pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1
248
html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."
250
LIBDIR="${DIST}/${OBJDIR}/lib"
251
MANGLEDIR="${FIPSDIR}/mangle"
253
# There are different versions of cp command on different systems, some of them
254
# copies only symlinks, others doesn't have option to disable links, so there
255
# is needed to copy files one by one.
256
echo "mkdir ${MANGLEDIR}"
258
for lib in `ls ${LIBDIR}`; do
259
echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}"
260
cp ${LIBDIR}/${lib} ${MANGLEDIR}
263
echo "$SCRIPTNAME: Detect mangled database --------------------------"
264
SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}
266
echo "mangling ${SOFTOKEN}"
267
echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
268
mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1
269
if [ $? -eq 0 ]; then
270
if [ "${OS_ARCH}" = "WINNT" ]; then
271
DBTEST=`which dbtest`
272
if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
273
DBTEST=`cygpath -m ${DBTEST}`
274
MANGLEDIR=`cygpath -u ${MANGLEDIR}`
276
echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}"
277
PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
279
elif [ "${OS_ARCH}" = "HP-UX" ]; then
280
echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
281
LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
283
elif [ "${OS_ARCH}" = "AIX" ]; then
284
echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
285
LIBPATH="${MANGLEDIR}" dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
287
elif [ "${OS_ARCH}" = "Darwin" ]; then
288
echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
289
DYLD_LIBRARY_PATH="${MANGLEDIR}" dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
292
echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
293
LD_LIBRARY_PATH="${MANGLEDIR}" dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
297
html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "."
299
html_msg 0 0 "Skipping corruption test, can't open ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
202
303
############################## fips_cleanup ############################