From 58f60a80613235a01bf34237b4fe3b33d9c266c1 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Feb 26 2015 19:07:12 +0000
Subject: Test rekey saving with encrypted keys, too
---
diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out
index ab13d34..46ff501 100644
--- a/tests/030-rekey/expected.out
+++ b/tests/030-rekey/expected.out
@@ -1,105 +1,201 @@ -2048 OK. -NSS keys before keygen (preserve=1) +[ Begin pass (preserve=1,pin=""). ] +First round certificates OK. +NSS keys before re-keygen (preserve=1,pin=""): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 OK. -NSS keys after keygen (preserve=1) +NSS keys after re-keygen (preserve=1,pin=""): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 <-> rsa hexhexhexhexhex i2048 (candidate (next)) -NSS certs before saving (preserve=1) +NSS certs before saving (preserve=1,pin=""): i2048 u,u,u -NSS keys before saving (preserve=1) +serial=1234 +NSS keys before saving (preserve=1,pin=""): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 <-> rsa hexhexhexhexhex i2048 (candidate (next)) -NSS Signing -NSS Verify -This is the plaintext. -OpenSSL Signing -OpenSSL Verify +NSS Signing: +NSS Verify: This is the plaintext. -NSS certs after saving (preserve=1) +NSS certs after saving (preserve=1,pin=""): i2048 u,u,u -NSS keys after saving (preserve=1) +serial=1235 +NSS keys after saving (preserve=1,pin=""): <-> rsa hexhexhexhexhex i2048 <-> rsa hexhexhexhexhex i2048 (serial 1234) -PEM keys before keygen (preserve=1) +NSS Signing: +NSS Verify: +This is the plaintext. +PEM keys before re-keygen (preserve=1,pin=""): ${tmpdir}/keyi2048 OK. -PEM keys after keygen (preserve=1) +PEM keys after re-keygen (preserve=1,pin=""): ${tmpdir}/keyi2048 ${tmpdir}/keyi2048.(next).key -PEM certs before saving (preserve=1) +PEM certs before saving (preserve=1,pin=""): ${tmpdir}/certi2048 serial=1234 -PEM keys before saving (preserve=1) +PEM keys before saving (preserve=1,pin=""): ${tmpdir}/keyi2048 ${tmpdir}/keyi2048.(next).key -NSS Signing -NSS Verify +OpenSSL Signing: +OpenSSL Verify: This is the plaintext. -OpenSSL Signing -OpenSSL Verify -This is the plaintext. 
-PEM certs after saving (preserve=1) +PEM certs after saving (preserve=1,pin=""): ${tmpdir}/certi2048 serial=1235 -PEM keys after saving (preserve=1) +PEM keys after saving (preserve=1,pin=""): ${tmpdir}/keyi2048 ${tmpdir}/keyi2048.1234.key -NSS Signing -NSS Verify -This is the plaintext. -OpenSSL Signing -OpenSSL Verify +OpenSSL Signing: +OpenSSL Verify: This is the plaintext. -2048 OK. -NSS keys before keygen (preserve=0) +[ End pass (preserve=1,pin=""). ] +[ Begin pass (preserve=1,pin="password"). ] +First round certificates OK. +NSS keys before re-keygen (preserve=1,pin="password"): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 OK. -NSS keys after keygen (preserve=0) +NSS keys after re-keygen (preserve=1,pin="password"): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 <-> rsa hexhexhexhexhex i2048 (candidate (next)) -NSS certs before saving (preserve=0) +NSS certs before saving (preserve=1,pin="password"): i2048 u,u,u -NSS keys before saving (preserve=0) +serial=1234 +NSS keys before saving (preserve=1,pin="password"): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 <-> rsa hexhexhexhexhex i2048 (candidate (next)) -NSS Signing -NSS Verify -This is the plaintext. -OpenSSL Signing -OpenSSL Verify +NSS Signing: +NSS Verify: This is the plaintext. -NSS certs after saving (preserve=0) +NSS certs after saving (preserve=1,pin="password"): i2048 u,u,u -NSS keys after saving (preserve=0) +serial=1235 +NSS keys after saving (preserve=1,pin="password"): <-> rsa hexhexhexhexhex i2048 -PEM keys before keygen (preserve=0) +<-> rsa hexhexhexhexhex i2048 (serial 1234) +NSS Signing: +NSS Verify: +This is the plaintext. +PEM keys before re-keygen (preserve=1,pin="password"): ${tmpdir}/keyi2048 OK. 
-PEM keys after keygen (preserve=0) +PEM keys after re-keygen (preserve=1,pin="password"): ${tmpdir}/keyi2048 ${tmpdir}/keyi2048.(next).key -PEM certs before saving (preserve=0) +PEM certs before saving (preserve=1,pin="password"): ${tmpdir}/certi2048 serial=1234 -PEM keys before saving (preserve=0) +PEM keys before saving (preserve=1,pin="password"): ${tmpdir}/keyi2048 ${tmpdir}/keyi2048.(next).key -NSS Signing -NSS Verify +OpenSSL Signing: +OpenSSL Verify: +This is the plaintext. +PEM certs after saving (preserve=1,pin="password"): +${tmpdir}/certi2048 +serial=1235 +PEM keys after saving (preserve=1,pin="password"): +${tmpdir}/keyi2048 +${tmpdir}/keyi2048.1234.key +OpenSSL Signing: +OpenSSL Verify: This is the plaintext. -OpenSSL Signing -OpenSSL Verify +[ End pass (preserve=1,pin="password"). ] +[ Begin pass (preserve=0,pin=""). ] +First round certificates OK. +NSS keys before re-keygen (preserve=0,pin=""): +<-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +OK. +NSS keys after re-keygen (preserve=0,pin=""): +<-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +<-> rsa hexhexhexhexhex i2048 (candidate (next)) +NSS certs before saving (preserve=0,pin=""): +i2048 u,u,u +serial=1234 +NSS keys before saving (preserve=0,pin=""): +<-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +<-> rsa hexhexhexhexhex i2048 (candidate (next)) +NSS Signing: +NSS Verify: +This is the plaintext. +NSS certs after saving (preserve=0,pin=""): +i2048 u,u,u +serial=1235 +NSS keys after saving (preserve=0,pin=""): +<-> rsa hexhexhexhexhex i2048 +NSS Signing: +NSS Verify: +This is the plaintext. +PEM keys before re-keygen (preserve=0,pin=""): +${tmpdir}/keyi2048 +OK. +PEM keys after re-keygen (preserve=0,pin=""): +${tmpdir}/keyi2048 +${tmpdir}/keyi2048.(next).key +PEM certs before saving (preserve=0,pin=""): +${tmpdir}/certi2048 +serial=1234 +PEM keys before saving (preserve=0,pin=""): +${tmpdir}/keyi2048 +${tmpdir}/keyi2048.(next).key +OpenSSL Signing: +OpenSSL Verify: This is the plaintext. 
-PEM certs after saving (preserve=0) +PEM certs after saving (preserve=0,pin=""): ${tmpdir}/certi2048 serial=1235 -PEM keys after saving (preserve=0) +PEM keys after saving (preserve=0,pin=""): ${tmpdir}/keyi2048 -NSS Signing -NSS Verify +OpenSSL Signing: +OpenSSL Verify: +This is the plaintext. +[ End pass (preserve=0,pin=""). ] +[ Begin pass (preserve=0,pin="password"). ] +First round certificates OK. +NSS keys before re-keygen (preserve=0,pin="password"): +<-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +OK. +NSS keys after re-keygen (preserve=0,pin="password"): +<-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +<-> rsa hexhexhexhexhex i2048 (candidate (next)) +NSS certs before saving (preserve=0,pin="password"): +i2048 u,u,u +serial=1234 +NSS keys before saving (preserve=0,pin="password"): +<-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +<-> rsa hexhexhexhexhex i2048 (candidate (next)) +NSS Signing: +NSS Verify: This is the plaintext. -OpenSSL Signing -OpenSSL Verify +NSS certs after saving (preserve=0,pin="password"): +i2048 u,u,u +serial=1235 +NSS keys after saving (preserve=0,pin="password"): +<-> rsa hexhexhexhexhex i2048 +NSS Signing: +NSS Verify: +This is the plaintext. +PEM keys before re-keygen (preserve=0,pin="password"): +${tmpdir}/keyi2048 +OK. +PEM keys after re-keygen (preserve=0,pin="password"): +${tmpdir}/keyi2048 +${tmpdir}/keyi2048.(next).key +PEM certs before saving (preserve=0,pin="password"): +${tmpdir}/certi2048 +serial=1234 +PEM keys before saving (preserve=0,pin="password"): +${tmpdir}/keyi2048 +${tmpdir}/keyi2048.(next).key +OpenSSL Signing: +OpenSSL Verify: +This is the plaintext. +PEM certs after saving (preserve=0,pin="password"): +${tmpdir}/certi2048 +serial=1235 +PEM keys after saving (preserve=0,pin="password"): +${tmpdir}/keyi2048 +OpenSSL Signing: +OpenSSL Verify: This is the plaintext. +[ End pass (preserve=0,pin="password"). ] Test complete. 
diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
index 3789320..553edb1 100755
--- a/tests/030-rekey/run.sh
+++ b/tests/030-rekey/run.sh
@@ -17,20 +17,24 @@ function setupca() { } for preserve in 1 0 ; do + for pin in "" password ; do + echo "[ Begin pass (preserve=$preserve,pin=\"$pin\"). ]" + size=2048 rm -f "$tmpdir"/*.db touch "$tmpdir"/keyi "$tmpdir"/certi rm -f "$tmpdir"/keyi* "$tmpdir"/certi* - initnssdb "$tmpdir" + initnssdb "$tmpdir" $pin + echo "$pin" > pinfile # Build a self-signed certificate. run_certutil -d "$tmpdir" -S -g $size -n "i$size" \ -s "cn=T$size" -c "cn=T$size" \ - -x -t u -m 4660 + -x -t u -m 4660 -f pinfile # Export the certificate and key. - pk12util -d "$tmpdir" -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1 - openssl pkcs12 -in $size.p12 -passin pass: -nocerts -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size + pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1 + openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size openssl pkcs12 -in $size.p12 -passin pass: -nokeys -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size - # Read that NSS key. + # Read info about that key using NSS cat > entry.nss.$size <<- EOF ca_name=self_signer key_storage_type=NSSDB
@@ -42,8 +46,9 @@ for preserve in 1 0 ; do cert_nickname=i$size template_subject=CN=T$size EOF + echo key_pin_file=`pwd`/pinfile >> entry.nss.$size $toolsdir/keyiread entry.nss.$size > /dev/null 2>&1 - # Read that OpenSSL key. + # Read info about that key using OpenSSL cat > entry.openssl.$size <<- EOF ca_name=self_signer key_storage_type=FILE
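Review bot: `-passout pass:${pin:- -nodes}` in the new `openssl pkcs12` export line only works because the expansion is unquoted: with an empty pin the word splits into `pass:` and `-nodes`, so anyone who later quotes it (ShellCheck SC2086 will ask for exactly that) silently turns the empty-pin pass into one that encrypts the exported key with the literal password `-nodes`, and the test would keep passing as long as the later `-passin` agreed. Either document the trick right above the line, `# unquoted on purpose: an empty pin expands to "pass: -nodes", i.e. an unencrypted key`, or make the branch explicit with an `if [ -n "$pin" ]` around the two variants of the command. Separately, `echo "$pin" > pinfile` creates the pin file in the cwd with the default umask and nothing in this hunk removes it between passes; `printf '%s\n' "$pin" > pinfile` after a `umask 077` keeps it private if a real secret is ever substituted for `password`. The `for preserve` and `for pin` loops opened here close outside this hunk.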
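Review bot: `echo key_pin_file=\`pwd\`/pinfile >> entry.nss.$size` appends one field of the entry after the here-doc has already written the rest, and the same construct recurs in the hunks at -52, -65 and -79. The here-doc delimiter is unquoted, so a line `key_pin_file=$PWD/pinfile` inside each `cat > entry.… <<- EOF` block would keep the entry in one place and drop the backticks. If the separate append is kept, a short why-comment helps the next reader, e.g. `# the pin file lives in the cwd, not in $tmpdir`, since `pwd` is re-evaluated on every append (harmless as far as the visible hunks show, where nothing changes directory).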
@@ -52,8 +57,9 @@ for preserve in 1 0 ; do cert_storage_type=FILE cert_storage_location=$tmpdir/certi$size EOF + echo key_pin_file=`pwd`/pinfile >> entry.openssl.$size $toolsdir/keyiread entry.openssl.$size > /dev/null 2>&1 - # Use that NSS key. + # Use that NSS key to generate a self-signed certificate. cat > entry.nss.$size <<- EOF ca_name=self_signer key_storage_type=NSSDB @@ -65,11 +71,12 @@ for preserve in 1 0 ; do cert_nickname=i$size template_subject=CN=T$size EOF + echo key_pin_file=`pwd`/pinfile >> entry.nss.$size $toolsdir/keyiread entry.nss.$size > /dev/null 2>&1 $toolsdir/csrgen entry.nss.$size > csr.nss.$size setupca $toolsdir/submit ca.self entry.nss.$size > cert.nss.$size - # Use that OpenSSL key. + # Use that OpenSSL key to generate a self-signed certificate. cat > entry.openssl.$size <<- EOF ca_name=self_signer key_storage_type=FILE 
@@ -79,63 +86,74 @@ for preserve in 1 0 ; do cert_storage_location=$tmpdir/certi$size template_subject=CN=T$size EOF + echo key_pin_file=`pwd`/pinfile >> entry.openssl.$size $toolsdir/keyiread entry.openssl.$size > /dev/null 2>&1 $toolsdir/csrgen entry.openssl.$size > csr.openssl.$size setupca $toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size - # Now compare them. + # Now compare the self-signed certificates built from the keys. if ! cmp cert.nss.$size cert.openssl.$size ; then - echo Certificates differ: + echo First round certificates differ: cat cert.nss.$size cert.openssl.$size exit 1 else - echo $size OK. + echo First round certificates OK. fi + # Now generate new keys, CSRs, and certificates. - echo "NSS keys before keygen (preserve=$preserve)" + echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.nss.$size | cut -f2- -d=` - run_certutil -K -d $tmpdir | grep -v 'Checking token' | sed -e s,"${marker:-////////}","(next)", | sed -r -e 's,[0123456789abcdef]{8},hex,g' -e 's,< 0>,<->,g' -e 's,< 1>,<->,g' | env LANG=C sort + run_certutil -K -d $tmpdir -f pinfile | grep -v 'Checking token' | sed -e s,"${marker:-////////}","(next)", | sed -r -e 's,[0123456789abcdef]{8},hex,g' -e 's,< 0>,<->,g' -e 's,< 1>,<->,g' | env LANG=C sort $toolsdir/keygen entry.nss.$size - echo "NSS keys after keygen (preserve=$preserve)" + echo "NSS keys after re-keygen (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.nss.$size | cut -f2- -d=` - run_certutil -K -d $tmpdir | grep -v 'Checking token' | sed -e s,"${marker:-////////}","(next)", | sed -r -e 's,[0123456789abcdef]{8},hex,g' -e 's,< 0>,<->,g' -e 's,< 1>,<->,g' | env LANG=C sort + run_certutil -K -d $tmpdir -f pinfile | grep -v 'Checking token' | sed -e s,"${marker:-////////}","(next)", | sed -r -e 's,[0123456789abcdef]{8},hex,g' -e 's,< 0>,<->,g' -e 's,< 1>,<->,g' | env LANG=C sort $toolsdir/keyiread entry.nss.$size > /dev/null 2>&1 
$toolsdir/csrgen entry.nss.$size > csr.nss.$size setupca $toolsdir/submit ca.self entry.nss.$size > cert.nss.$size - echo "NSS certs before saving (preserve=$preserve)" + # Verify that we can still sign using the old key and cert using the right name. + echo "NSS certs before saving (preserve=$preserve,pin=\"$pin\"):" run_certutil -L -d $tmpdir | grep -v SSL,S/MIME | grep -v '^$' | grep -v 'Trust' - echo "NSS keys before saving (preserve=$preserve)" + run_certutil -L -d $tmpdir -n i$size -a | openssl x509 -noout -serial + echo "NSS keys before saving (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.nss.$size | cut -f2- -d=` - run_certutil -K -d $tmpdir | grep -v 'Checking token' | sed -e s,"${marker:-////////}","(next)", | sed -r -e 's,[0123456789abcdef]{8},hex,g' -e 's,< 0>,<->,g' -e 's,< 1>,<->,g' | env LANG=C sort + run_certutil -K -d $tmpdir -f pinfile | grep -v 'Checking token' | sed -e s,"${marker:-////////}","(next)", | sed -r -e 's,[0123456789abcdef]{8},hex,g' -e 's,< 0>,<->,g' -e 's,< 1>,<->,g' | env LANG=C sort echo "This is the plaintext." > plain.txt - echo "NSS Signing" + echo "NSS Signing:" certutil -M -d $tmpdir -n i$size -t P,P,P - cmsutil -S -d $tmpdir -N i$size -i plain.txt -o signed - echo "NSS Verify" - cmsutil -D -d $tmpdir -i signed - certutil -M -d $tmpdir -n i$size -t ,, - echo "OpenSSL Signing" - openssl smime -sign -signer certi$size -binary -nodetach -inkey keyi$size -in plain.txt -outform PEM -out signed - echo "OpenSSL Verify" - openssl smime -verify -CAfile certi$size -inform PEM -in signed + cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed + echo "NSS Verify:" + cmsutil -D -d $tmpdir -f pinfile -i signed certutil -M -d $tmpdir -n i$size -t ,, + # Go and save the new certs and keys. $toolsdir/certsave entry.nss.$size - echo "NSS certs after saving (preserve=$preserve)" + # Verify that we can sign using the new key and cert using the right name. 
+ echo "NSS certs after saving (preserve=$preserve,pin=\"$pin\"):" run_certutil -L -d $tmpdir | grep -v SSL,S/MIME | grep -v '^$' | grep -v 'Trust' - echo "NSS keys after saving (preserve=$preserve)" + run_certutil -L -d $tmpdir -n i$size -a | openssl x509 -noout -serial + echo "NSS keys after saving (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.nss.$size | cut -f2- -d=` - run_certutil -K -d $tmpdir | grep -v 'Checking token' | sed -e s,"${marker:-////////}","(next)", | sed -r -e 's,[0123456789abcdef]{8},hex,g' -e 's,< 0>,<->,g' -e 's,< 1>,<->,g' | env LANG=C sort + run_certutil -K -d $tmpdir -f pinfile | grep -v 'Checking token' | sed -e s,"${marker:-////////}","(next)", | sed -r -e 's,[0123456789abcdef]{8},hex,g' -e 's,< 0>,<->,g' -e 's,< 1>,<->,g' | env LANG=C sort + + echo "This is the plaintext." > plain.txt + echo "NSS Signing:" + certutil -M -d $tmpdir -n i$size -t P,P,P + cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed + echo "NSS Verify:" + cmsutil -D -d $tmpdir -f pinfile -i signed + certutil -M -d $tmpdir -n i$size -t ,, - echo "PEM keys before keygen (preserve=$preserve)" + # Now generate new keys, CSRs, and certificates. + echo "PEM keys before re-keygen (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.openssl.$size | cut -f2- -d=` find $tmpdir -name "keyi${size}*" -print | sed -e s,"${marker:-////////}","(next)", | env LANG=C sort $toolsdir/keygen entry.openssl.$size - echo "PEM keys after keygen (preserve=$preserve)" + echo "PEM keys after re-keygen (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.openssl.$size | cut -f2- -d=` find $tmpdir -name "keyi${size}*" -print | sed -e s,"${marker:-////////}","(next)", | env LANG=C sort $toolsdir/keyiread entry.openssl.$size > /dev/null 2>&1 
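Review bot: The seven-line NSS sign/verify sequence (`echo "This is the plaintext." > plain.txt` through `certutil -M … -t ,,`) now appears twice in this hunk, once before `certsave` and once after it, differing only in where it sits; a small helper defined next to `setupca` (outside this hunk) would make the before/after symmetry obvious and keep the pinfile handling in one place. The new lines also mix unquoted `$tmpdir` with the `"$tmpdir"` quoting used at the top of the loop; the helper below quotes consistently. Note that the exit status of `cmsutil -D` is never examined — a rejected signature would presumably only show up as a missing plaintext line in the expected.out comparison (unless run.sh sets `-e` outside the hunk), so the helper exits explicitly, matching the `exit 1` already used for the first-round certificate check.
```shell
# Sign plain.txt with the NSS cert "i$size" and verify the result; prints the
# recovered plaintext so expected.out can check it.  The token pin is read
# from pinfile in the cwd.
nss_sign_verify() {
  echo "This is the plaintext." > plain.txt
  echo "NSS Signing:"
  certutil -M -d "$tmpdir" -n "i$size" -t P,P,P
  cmsutil -S -d "$tmpdir" -f pinfile -N "i$size" -i plain.txt -o signed
  echo "NSS Verify:"
  cmsutil -D -d "$tmpdir" -f pinfile -i signed || { echo "NSS verify failed" >&2; exit 1; }
  certutil -M -d "$tmpdir" -n "i$size" -t ,,
}
# … unchanged: NSS key listing before saving …
nss_sign_verify
# … unchanged: certsave, cert and key listings after saving …
nss_sign_verify
```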
@@ -143,44 +161,38 @@ for preserve in 1 0 ; do setupca $toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size - echo "PEM certs before saving (preserve=$preserve)" + # Verify that we can still sign using the old key and cert. + echo "PEM certs before saving (preserve=$preserve,pin=\"$pin\"):" find $tmpdir -name "certi${size}*" -print | env LANG=C sort find $tmpdir -name "certi${size}*" -print | xargs -n 1 openssl x509 -noout -serial -in - echo "PEM keys before saving (preserve=$preserve)" + echo "PEM keys before saving (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.openssl.$size | cut -f2- -d=` find $tmpdir -name "keyi${size}*" -print | sed -e s,"${marker:-////////}","(next)", | env LANG=C sort echo "This is the plaintext." > plain.txt - echo "NSS Signing" - certutil -M -d $tmpdir -n i$size -t P,P,P - cmsutil -S -d $tmpdir -N i$size -i plain.txt -o signed - echo "NSS Verify" - cmsutil -D -d $tmpdir -i signed - certutil -M -d $tmpdir -n i$size -t ,, - echo "OpenSSL Signing" - openssl smime -sign -signer certi$size -binary -nodetach -inkey keyi$size -in plain.txt -outform PEM -out signed - echo "OpenSSL Verify" + echo "OpenSSL Signing:" + openssl smime -sign -signer certi$size -binary -nodetach -inkey keyi$size -passin pass:$pin -in plain.txt -outform PEM -out signed + echo "OpenSSL Verify:" openssl smime -verify -CAfile certi$size -inform PEM -in signed + # Go and save the new certs and keys. $toolsdir/certsave entry.openssl.$size - echo "PEM certs after saving (preserve=$preserve)" + # Verify that we can sign using the new key and cert. 
+ echo "PEM certs after saving (preserve=$preserve,pin=\"$pin\"):" find $tmpdir -name "certi${size}*" -print | env LANG=C sort find $tmpdir -name "certi${size}*" -print | xargs -n 1 openssl x509 -noout -serial -in - echo "PEM keys after saving (preserve=$preserve)" + echo "PEM keys after saving (preserve=$preserve,pin=\"$pin\"):" find $tmpdir -name "keyi${size}*" -print | env LANG=C sort echo "This is the plaintext." > plain.txt - echo "NSS Signing" - certutil -M -d $tmpdir -n i$size -t P,P,P - cmsutil -S -d $tmpdir -N i$size -i plain.txt -o signed - echo "NSS Verify" - cmsutil -D -d $tmpdir -i signed - certutil -M -d $tmpdir -n i$size -t ,, - echo "OpenSSL Signing" - openssl smime -sign -signer certi$size -binary -nodetach -inkey keyi$size -in plain.txt -outform PEM -out signed - echo "OpenSSL Verify" + echo "OpenSSL Signing:" + openssl smime -sign -signer certi$size -binary -nodetach -inkey keyi$size -passin pass:$pin -in plain.txt -outform PEM -out signed + echo "OpenSSL Verify:" openssl smime -verify -CAfile certi$size -inform PEM -in signed + + echo "[ End pass (preserve=$preserve,pin=\"$pin\"). ]" + done done cat cert.nss.$size 1>&2 echo Test complete.
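Review bot: `openssl smime -sign … -passin pass:$pin` puts the key passphrase on the command line, where it is visible to `ps` and to any `set -x` trace, while every other tool in this script already reads it from `pinfile`; `-passin file:pinfile` is the matching OpenSSL form and keeps the secret off argv. With the empty pin the exported key is unencrypted (`-nodes` in the export hunk), so the empty first line of pinfile should simply go unused — worth a quick run to confirm, and a comment such as `# passphrase comes from pinfile; unused when the key was exported with -nodes`. The OpenSSL sign/verify block is also duplicated before and after `certsave` here, the same shape as the NSS duplication in the -79 hunk. The `done done` at the end closes loops opened outside this hunk.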