From 868be00e578ee548402dec79d913d5634185f767 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: May 15 2015 20:59:31 +0000
Subject: Start keeping track of key lifetimes and usage

Start tracking the dates on which we generated a key pair (if we did it) and how many times we've sent requests to a CA using a given public key. Also track the number of times we've saved certificates to disk as an indication of how many times the CA has issued us a certificate for that public key.
---
diff --git a/src/certsave-n.c b/src/certsave-n.c
index f05c944..511d28d 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -688,6 +688,18 @@ cm_certsave_n_saved(struct cm_certsave_state *state)
 if (!WIFEXITED(status) || (WEXITSTATUS(status) != CM_CERTSAVE_STATUS_SAVED)) {
 return -1;
 }
+ if ((state->entry->cm_key_next_marker != NULL) &&
+ (strlen(state->entry->cm_key_next_marker) > 0)) {
+ state->entry->cm_key_requested_count =
+ state->entry->cm_key_next_requested_count;
+ state->entry->cm_key_next_requested_count = 0;
+ state->entry->cm_key_generated_date =
+ state->entry->cm_key_next_generated_date;
+ state->entry->cm_key_next_generated_date = 0;
+ state->entry->cm_key_issued_count = 1;
+ } else {
+ state->entry->cm_key_issued_count++;
+ }
 state->entry->cm_key_next_marker = NULL;
 return 0;
 }
diff --git a/src/certsave-o.c b/src/certsave-o.c
index 9d7f82e..a4e50ce 100644
--- a/src/certsave-o.c
+++ b/src/certsave-o.c
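Review bot: The promotion of the candidate key's bookkeeping into the current key's fields (the added if/else after the WEXITSTATUS check) is duplicated verbatim in certsave-o.c, and the `cm_key_next_marker != NULL && strlen(cm_key_next_marker) > 0` test that defines "a candidate key is pending" is repeated again in submit-e.c, submit-sn.c and submit-so.c, so the rule now lives in five places that will drift independently. Consider one helper next to the entry code, e.g. `static int cm_store_entry_has_next_key(const struct cm_store_entry *entry)`, plus a `cm_store_entry_next_key_saved(entry)` that does this promotion, and call them from both certsave back ends and the three submit back ends. The block itself has no comment explaining why `cm_key_issued_count` becomes 1 rather than being incremented; something like `/* The saved certificate is for the candidate key, which now becomes the current key: carry its request count and generation date over and start its issued count at 1. */` would make the intent clear. cm_certsave_n_saved starts before this hunk.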
@@ -405,6 +405,18 @@ cm_certsave_o_saved(struct cm_certsave_state *state)
 (WEXITSTATUS(status) != CM_CERTSAVE_STATUS_SAVED)) {
 return -1;
 }
+ if ((state->entry->cm_key_next_marker != NULL) &&
+ (strlen(state->entry->cm_key_next_marker) > 0)) {
+ state->entry->cm_key_requested_count =
+ state->entry->cm_key_next_requested_count;
+ state->entry->cm_key_next_requested_count = 0;
+ state->entry->cm_key_generated_date =
+ state->entry->cm_key_next_generated_date;
+ state->entry->cm_key_next_generated_date = 0;
+ state->entry->cm_key_issued_count = 1;
+ } else {
+ state->entry->cm_key_issued_count++;
+ }
 state->entry->cm_key_next_marker = NULL;
 return 0;
 }
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 068cdc3..040655c 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -844,12 +844,18 @@ cm_keygen_n_done(struct cm_keygen_state *state)
 state->entry->cm_key_next_pubkey_info = pubkey_info;
 state->entry->cm_key_next_pubkey = pubkey;
 state->entry->cm_key_next_marker = marker;
+ state->entry->cm_key_next_generated_date = time(NULL);
+ state->entry->cm_key_next_requested_count = 0;
 } else {
 state->entry->cm_key_next_pubkey_info = NULL;
 state->entry->cm_key_next_pubkey = NULL;
 state->entry->cm_key_next_marker = NULL;
+ state->entry->cm_key_next_generated_date = 0;
 state->entry->cm_key_pubkey_info = pubkey_info;
 state->entry->cm_key_pubkey = pubkey;
+ state->entry->cm_key_generated_date = time(NULL);
+ state->entry->cm_key_requested_count = 0;
+ state->entry->cm_key_issued_count = 0;
 }
 }
 cm_subproc_done(state->subproc);
diff --git a/src/keygen-o.c b/src/keygen-o.c
index 70f58b0..7695eb6 100644
--- a/src/keygen-o.c
+++ b/src/keygen-o.c
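Review bot: In the else branch of cm_keygen_n_done (key replaced in place, no candidate marker) every other `next` field is cleared, but `cm_key_next_requested_count` is left untouched, so a count left over from an earlier candidate key could survive into the entry file and later be reported as belonging to a key that no longer exists; add `state->entry->cm_key_next_requested_count = 0;` beside the new `cm_key_next_generated_date = 0;` line. The identical block in keygen-o.c (the hunk at 481) has the same gap. `time(NULL)` can also return `(time_t)-1`, which would then be stored as if it were a real generation date; that is probably tolerable here, but a short comment on the two `time(NULL)` lines saying the date is informational would save the next reader from wondering. cm_keygen_n_done starts before and continues past this hunk.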
@@ -481,12 +481,18 @@ cm_keygen_o_done(struct cm_keygen_state *state)
 state->entry->cm_key_next_pubkey_info = pubkey_info;
 state->entry->cm_key_next_pubkey = pubkey;
 state->entry->cm_key_next_marker = marker;
+ state->entry->cm_key_next_generated_date = time(NULL);
+ state->entry->cm_key_next_requested_count = 0;
 } else {
 state->entry->cm_key_next_pubkey_info = NULL;
 state->entry->cm_key_next_pubkey = NULL;
 state->entry->cm_key_next_marker = NULL;
+ state->entry->cm_key_next_generated_date = 0;
 state->entry->cm_key_pubkey_info = pubkey_info;
 state->entry->cm_key_pubkey = pubkey;
+ state->entry->cm_key_generated_date = time(NULL);
+ state->entry->cm_key_requested_count = 0;
+ state->entry->cm_key_issued_count = 0;
 }
 }
 cm_subproc_done(state->subproc);
diff --git a/src/store-files.c b/src/store-files.c
index 6f2c43e..0a0e7c4 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -71,6 +71,12 @@ enum cm_store_file_field {
 cm_store_entry_field_key_next_pubkey, cm_store_entry_field_key_next_pubkey_info,
+ cm_store_entry_field_key_generated_date,
+ cm_store_entry_field_key_next_generated_date,
+ cm_store_entry_field_key_requested_count,
+ cm_store_entry_field_key_next_requested_count,
+ cm_store_entry_field_key_issued_count,
+ cm_store_entry_field_cert_storage_type, cm_store_entry_field_cert_storage_location, cm_store_entry_field_cert_token,
@@ -219,6 +225,12 @@ static struct cm_store_file_field_list {
 {cm_store_entry_field_key_preserve, "key_preserve"}, {cm_store_entry_field_key_next_marker, "key_next_marker"},
+ {cm_store_entry_field_key_generated_date, "key_generated_date"},
+ {cm_store_entry_field_key_next_generated_date, "key_next_generated_date"},
+ {cm_store_entry_field_key_requested_count, "key_requested_count"},
+ {cm_store_entry_field_key_next_requested_count, "key_next_requested_count"},
+ {cm_store_entry_field_key_issued_count, "key_issued_count"},
+ {cm_store_entry_field_key_storage_type, "key_storage_type"}, {cm_store_entry_field_key_storage_location, "key_storage_location"}, {cm_store_entry_field_key_token, "key_token"},
@@ -876,6 +888,28 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
 case cm_store_entry_field_key_next_pubkey_info:
 ret->cm_key_next_pubkey_info = free_if_empty(p);
 break;
+ case cm_store_entry_field_key_generated_date:
+ ret->cm_key_generated_date =
+ cm_store_time_from_timestamp(p);
+ talloc_free(p);
+ break;
+ case cm_store_entry_field_key_next_generated_date:
+ ret->cm_key_next_generated_date =
+ cm_store_time_from_timestamp(p);
+ talloc_free(p);
+ break;
+ case cm_store_entry_field_key_requested_count:
+ ret->cm_key_requested_count = atoi(p);
+ talloc_free(p);
+ break;
+ case cm_store_entry_field_key_next_requested_count:
+ ret->cm_key_next_requested_count = atoi(p);
+ talloc_free(p);
+ break;
+ case cm_store_entry_field_key_issued_count:
+ ret->cm_key_issued_count = atoi(p);
+ talloc_free(p);
+ break;
 case cm_store_entry_field_cert_storage_type:
 if (strcasecmp(p, "FILE") == 0) {
 ret->cm_cert_storage_type =
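Review bot: The three new `atoi(p)` cases in cm_store_entry_read assign into the `unsigned int` counters declared in store-int.h, and atoi reports nothing: a negative or over-long value in the entry file silently turns into a very large count and a non-numeric one into 0, with no way to tell either from a genuine value. The entry files are local daemon state, so the consequence is corrupted bookkeeping rather than anything worse, but since these counts are presumably going to feed key-rotation decisions a strtoul-based parse that rejects malformed input is cheap; the two date cases beside them already go through cm_store_time_from_timestamp rather than a bare conversion. A small static helper (below; it relies on `<errno.h>` and `<limits.h>`, which this hunk does not show being included) could serve all three cases, e.g. `ret->cm_key_requested_count = cm_store_count_from_string(p);`. cm_store_entry_read starts and ends outside this hunk.
```c
/* Parse a counter field from the entry file.  Anything that is not a
 * plain non-negative decimal that fits an unsigned int reads as 0. */
static unsigned int
cm_store_count_from_string(const char *p)
{
	char *end = NULL;
	unsigned long v;

	errno = 0;
	v = strtoul(p, &end, 10);
	if ((p[0] == '-') || (end == p) || (*end != '\0') ||
	    (errno == ERANGE) || (v > UINT_MAX)) {
		return 0;
	}
	return (unsigned int) v;
}
/* … unchanged: cm_store_entry_read up to the new cases … */
		case cm_store_entry_field_key_requested_count:
			ret->cm_key_requested_count = cm_store_count_from_string(p);
			talloc_free(p);
			break;
		case cm_store_entry_field_key_next_requested_count:
			ret->cm_key_next_requested_count = cm_store_count_from_string(p);
			talloc_free(p);
			break;
		case cm_store_entry_field_key_issued_count:
			ret->cm_key_issued_count = cm_store_count_from_string(p);
			talloc_free(p);
			break;
```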
@@ -1245,6 +1279,11 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
 case cm_store_entry_field_key_pubkey_info:
 case cm_store_entry_field_key_next_pubkey:
 case cm_store_entry_field_key_next_pubkey_info:
+ case cm_store_entry_field_key_generated_date:
+ case cm_store_entry_field_key_next_generated_date:
+ case cm_store_entry_field_key_requested_count:
+ case cm_store_entry_field_key_next_requested_count:
+ case cm_store_entry_field_key_issued_count:
 case cm_store_entry_field_cert_storage_type:
 case cm_store_entry_field_cert_storage_location:
 case cm_store_entry_field_cert_token:
@@ -1743,6 +1782,19 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry)
 cm_store_file_write_str(fp, cm_store_entry_field_key_next_pubkey_info, entry->cm_key_next_pubkey_info);
+ cm_store_file_write_str(fp, cm_store_entry_field_key_generated_date,
+ cm_store_timestamp_from_time(entry->cm_key_generated_date,
+ timestamp));
+ cm_store_file_write_str(fp, cm_store_entry_field_key_next_generated_date,
+ cm_store_timestamp_from_time(entry->cm_key_next_generated_date,
+ timestamp));
+ cm_store_file_write_int(fp, cm_store_entry_field_key_requested_count,
+ entry->cm_key_requested_count);
+ cm_store_file_write_int(fp, cm_store_entry_field_key_next_requested_count,
+ entry->cm_key_next_requested_count);
+ cm_store_file_write_int(fp, cm_store_entry_field_key_issued_count,
+ entry->cm_key_issued_count);
+ switch (entry->cm_cert_storage_type) { case cm_cert_storage_file: cm_store_file_write_str(fp,
@@ -2552,6 +2604,12 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry)
 ret->cm_key_next_marker = cm_store_maybe_strdup(ret, entry->cm_key_next_marker); ret->cm_key_preserve = entry->cm_key_preserve;
+ ret->cm_key_generated_date = entry->cm_key_generated_date;
+ ret->cm_key_next_generated_date = entry->cm_key_next_generated_date;
+ ret->cm_key_requested_count = entry->cm_key_requested_count;
+ ret->cm_key_next_requested_count = entry->cm_key_next_requested_count;
+ ret->cm_key_issued_count = entry->cm_key_issued_count;
+ ret->cm_cert_storage_type = entry->cm_cert_storage_type; ret->cm_cert_storage_location = cm_store_maybe_strdup(ret, entry->cm_cert_storage_location); ret->cm_cert_token = cm_store_maybe_strdup(ret, entry->cm_cert_token);
diff --git a/src/store-int.h b/src/store-int.h
index efd588e..f15ecce 100644
--- a/src/store-int.h
+++ b/src/store-int.h
@@ -44,6 +44,9 @@ struct cm_store_entry {
 } cm_key_type, cm_key_next_type;
 char *cm_key_next_marker;
 unsigned int cm_key_preserve: 1;
+ time_t cm_key_generated_date, cm_key_next_generated_date;
+ unsigned int cm_key_issued_count;
+ unsigned int cm_key_requested_count, cm_key_next_requested_count;
 /* Location of key pair [use-once default] NSS,/etc/pki/nssdb */
 enum cm_key_storage_type {
 cm_key_storage_none = 0,
diff --git a/src/submit-e.c b/src/submit-e.c
index bdfd0ec..86536cf 100644
--- a/src/submit-e.c
+++ b/src/submit-e.c
@@ -706,6 +706,12 @@ cm_submit_e_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
 ret = cm_submit_e_start_or_resume(ca, entry, spki, "POLL");
 } else {
 ret = cm_submit_e_start_or_resume(ca, entry, spki, "SUBMIT");
+ if ((entry->cm_key_next_marker != NULL) &&
+ (strlen(entry->cm_key_next_marker) > 0)) {
+ entry->cm_key_next_requested_count++;
+ } else {
+ entry->cm_key_requested_count++;
+ }
 }
 if (spki != NULL) {
 talloc_free(spki);
diff --git a/src/submit-sn.c b/src/submit-sn.c
index ab67084..804f9d2 100644
--- a/src/submit-sn.c
+++ b/src/submit-sn.c
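Review bot: The three new members of struct cm_store_entry in store-int.h carry no comment, while the neighbouring `/* Location of key pair [use-once default] NSS,/etc/pki/nssdb */` line documents its field, and the meaning of these counters is only recoverable by reading keygen-*.c, submit-*.c and certsave-*.c together. Suggest `/* When we generated the current and the candidate ("next") key pair; 0 when unknown. */` above the time_t line, `/* Number of times a certificate for the current key has been saved, as a proxy for CA issuances. */` above cm_key_issued_count, and `/* Number of CA requests made with the current and the candidate public key. */` above the last added line. It is worth saying in one of those comments that the `next` values are moved into the current ones when a certificate for the candidate key is saved, since that is what the certsave back ends do and it is not obvious from the declarations.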
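Review bot: In cm_submit_e_start the request counter is bumped right after the `"SUBMIT"` call regardless of whether `ret` came back NULL, and the same block in submit-sn.c and submit-so.c sits just after the `talloc_free(state); state = NULL;` error path, so a submission that never got off the ground is still counted as a request sent to the CA. If the counter is meant to approximate how often a public key has been presented to a CA (as the commit message says), guard the increment: in submit-sn.c and submit-so.c wrap the new block in `if (state != NULL) { ... }`, and here in `if (ret != NULL) { ... }` (assuming NULL is the failure value of cm_submit_e_start_or_resume, which this hunk does not show). Either way a one-line comment naming what the count measures would help, e.g. `/* Count this as a request made with whichever key the CSR was built for. */`. cm_submit_e_start continues outside this hunk.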
@@ -475,6 +475,12 @@ cm_submit_sn_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
 talloc_free(state);
 state = NULL;
 }
+ if ((entry->cm_key_next_marker != NULL) &&
+ (strlen(entry->cm_key_next_marker) > 0)) {
+ entry->cm_key_next_requested_count++;
+ } else {
+ entry->cm_key_requested_count++;
+ }
 }
 return state;
 }
diff --git a/src/submit-so.c b/src/submit-so.c
index d3d2cba..605f58d 100644
--- a/src/submit-so.c
+++ b/src/submit-so.c
@@ -269,6 +269,12 @@ cm_submit_so_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
 talloc_free(state);
 state = NULL;
 }
+ if ((entry->cm_key_next_marker != NULL) &&
+ (strlen(entry->cm_key_next_marker) > 0)) {
+ entry->cm_key_next_requested_count++;
+ } else {
+ entry->cm_key_requested_count++;
+ }
 }
 return state;
 }
diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out
index 6bd4e02..ac5704d 100644
--- a/tests/010-iterate/expected.out
+++ b/tests/010-iterate/expected.out
@@ -5,6 +5,9 @@ GENERATING_KEY_PAIR HAVE_KEY_PAIR NEED_KEYINFO -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 [Reading back key info.] NEED_KEYINFO
@@ -14,6 +17,9 @@ HAVE_KEYINFO NEED_CSR -STOP- key_size=2048 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 [Generating CSR.] NEED_CSR
@@ -24,6 +30,9 @@ NEED_CSR GENERATING_CSR HAVE_CSR -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 [Getting CSR signed.] HAVE_CSR
@@ -32,6 +41,9 @@ NEED_TO_SUBMIT SUBMITTING NEED_TO_SAVE_CERT -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 [Saving certificate.] NEED_TO_SAVE_CERT
@@ -51,6 +63,9 @@ NOTIFYING_ISSUED_SAVED Certificate in file "$tmpdir/certfile" issued by CA and saved. MONITORING -STOP- +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 [From-scratch enrollment scenario OK.]
@@ -158,6 +173,9 @@ READING_KEYINFO HAVE_KEYINFO NEED_CSR -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 NEED_CSR -(RESET)- HAVE_KEYINFO @@ -166,18 +184,27 @@ NEED_CSR GENERATING_CSR HAVE_CSR -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 HAVE_CSR -START- NEED_TO_SUBMIT SUBMITTING NEED_TO_SAVE_CERT -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 NEED_TO_SAVE_CERT -START- START_SAVING_CERT SAVING_CERT SAVED_CERT -STOP- +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 [Enroll, helper produces noise before.] HAVE_KEY_PAIR @@ -385,6 +412,9 @@ READING_KEYINFO HAVE_KEYINFO NEED_CSR -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 NEED_CSR -(RESET)- HAVE_KEYINFO @@ -393,22 +423,34 @@ NEED_CSR GENERATING_CSR HAVE_CSR -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 HAVE_CSR -START- NEED_TO_SUBMIT SUBMITTING NEED_TO_NOTIFY_REJECTION -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 NEED_TO_NOTIFY_REJECTION -START- NOTIFYING_REJECTION Request for certificate to be stored in file "$tmpdir/certfile3" rejected by CA. CA_REJECTED -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 CA_REJECTED -START- CA_REJECTED -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 [Enroll until the CA rejects us after poll.] HAVE_KEY_PAIR @@ -597,6 +639,9 @@ READING_KEYINFO HAVE_KEYINFO NEED_CSR -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 NEED_CSR -(RESET)- HAVE_KEYINFO 
@@ -605,18 +650,27 @@ NEED_CSR GENERATING_CSR HAVE_CSR -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 HAVE_CSR -START- NEED_TO_SUBMIT SUBMITTING NEED_SCEP_DATA -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 NEED_SCEP_DATA -START- GENERATING_SCEP_DATA HAVE_SCEP_DATA NEED_TO_SUBMIT -STOP- +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 [CA poll timeout remaining=0.] HAVE_CSR diff --git a/tests/010-iterate/run.sh b/tests/010-iterate/run.sh index 027395d..f067de3 100755 --- a/tests/010-iterate/run.sh +++ b/tests/010-iterate/run.sh @@ -163,6 +163,7 @@ if test "`grep ^state entry`" != state=NEED_KEYINFO ; then grep ^state entry exit 1 fi +grep ^key.\*count= entry | LANG=C sort echo echo '[Reading back key info.]' @@ -173,6 +174,7 @@ if test "`grep ^state entry`" != state=NEED_CSR ; then exit 1 fi grep ^key_size entry +grep ^key.\*count= entry | LANG=C sort echo echo '[Generating CSR.]' @@ -182,6 +184,7 @@ if test "`grep ^state entry`" != state=HAVE_CSR ; then grep ^state entry exit 1 fi +grep ^key.\*count= entry | LANG=C sort echo echo '[Getting CSR signed.]' @@ -191,6 +194,7 @@ if test "`grep ^state entry`" != state=NEED_TO_SAVE_CERT ; then grep ^state entry exit 1 fi +grep ^key.\*count= entry | LANG=C sort echo echo '[Saving certificate.]' @@ -200,6 +204,7 @@ if test "`grep ^state entry`" != state=MONITORING ; then grep ^state entry exit 1 fi +grep ^key.\*count= entry | LANG=C sort echo echo '[From-scratch enrollment scenario OK.]' 
@@ -324,9 +329,13 @@ ca_external_helper=$tmpdir/ca-issued EOF : > $tmpdir/certfile4 $toolsdir/iterate ca3 entry3 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO +grep ^key.\*count= entry3 | LANG=C sort $toolsdir/iterate ca3 entry3 NEED_CSR,GENERATING_CSR +grep ^key.\*count= entry3 | LANG=C sort $toolsdir/iterate ca3 entry3 NEED_TO_SUBMIT,SUBMITTING +grep ^key.\*count= entry3 | LANG=C sort $toolsdir/iterate ca3 entry3 NEED_TO_SAVE_CERT,SAVING_CERT,START_SAVING_CERT +grep ^key.\*count= entry3 | LANG=C sort echo echo '[Enroll, helper produces noise before.]' @@ -500,10 +509,15 @@ ca_type=EXTERNAL ca_external_helper=$tmpdir/ca-reject EOF $toolsdir/iterate ca5 entry5 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO +grep ^key.\*count= entry5 | LANG=C sort $toolsdir/iterate ca5 entry5 NEED_CSR,GENERATING_CSR +grep ^key.\*count= entry5 | LANG=C sort $toolsdir/iterate ca5 entry5 NEED_TO_SUBMIT,SUBMITTING +grep ^key.\*count= entry5 | LANG=C sort $toolsdir/iterate ca5 entry5 NEED_TO_NOTIFY_REJECTION,NOTIFYING_REJECTION | sed 's@'"$tmpdir"'@$tmpdir@g' +grep ^key.\*count= entry5 | LANG=C sort $toolsdir/iterate ca5 entry5 "" | sed 's@'"$tmpdir"'@$tmpdir@g' +grep ^key.\*count= entry5 | LANG=C sort echo echo '[Enroll until the CA rejects us after poll.]' @@ -658,9 +672,13 @@ ca_encryption_cert=-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- EOF $toolsdir/iterate ca9 entry9 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO +grep ^key.\*count= entry9 | LANG=C sort $toolsdir/iterate ca9 entry9 NEED_CSR,GENERATING_CSR +grep ^key.\*count= entry9 | LANG=C sort $toolsdir/iterate ca9 entry9 NEED_TO_SUBMIT,SUBMITTING +grep ^key.\*count= entry9 | LANG=C sort $toolsdir/iterate ca9 entry9 NEED_SCEP_DATA,GENERATING_SCEP_DATA,HAVE_SCEP_DATA +grep ^key.\*count= entry9 | LANG=C sort # Note! The "iterate" harness rounds delay times up to the next multiple of 50. for interval in 0 30 1800 3600 7200 86000 86500 604800 1000000 2000000; do 
diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out index 46ff501..faa1d28 100644 --- a/tests/030-rekey/expected.out +++ b/tests/030-rekey/expected.out @@ -1,11 +1,35 @@ [ Begin pass (preserve=1,pin=""). ] +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 +(submit NSS) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 +(submit OpenSSL) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 First round certificates OK. NSS keys before re-keygen (preserve=1,pin=""): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 OK. NSS keys after re-keygen (preserve=1,pin=""): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 <-> rsa hexhexhexhexhex i2048 (candidate (next)) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +(submit NSS) +key_issued_count=0 +key_next_requested_count=1 +key_requested_count=1 NSS certs before saving (preserve=1,pin=""): i2048 u,u,u serial=1234 @@ -15,6 +39,10 @@ NSS keys before saving (preserve=1,pin=""): NSS Signing: NSS Verify: This is the plaintext. +(saving) +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 NSS certs after saving (preserve=1,pin=""): i2048 u,u,u serial=1235 @@ -26,10 +54,20 @@ NSS Verify: This is the plaintext. PEM keys before re-keygen (preserve=1,pin=""): ${tmpdir}/keyi2048 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 OK. PEM keys after re-keygen (preserve=1,pin=""): ${tmpdir}/keyi2048 ${tmpdir}/keyi2048.(next).key +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +(submit OpenSSL) +key_issued_count=0 +key_next_requested_count=1 +key_requested_count=1 PEM certs before saving (preserve=1,pin=""): ${tmpdir}/certi2048 serial=1234 
@@ -39,6 +77,10 @@ ${tmpdir}/keyi2048.(next).key OpenSSL Signing: OpenSSL Verify: This is the plaintext. +(saving) +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 PEM certs after saving (preserve=1,pin=""): ${tmpdir}/certi2048 serial=1235 @@ -50,13 +92,37 @@ OpenSSL Verify: This is the plaintext. [ End pass (preserve=1,pin=""). ] [ Begin pass (preserve=1,pin="password"). ] +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 +(submit NSS) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 +(submit OpenSSL) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 First round certificates OK. NSS keys before re-keygen (preserve=1,pin="password"): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 OK. NSS keys after re-keygen (preserve=1,pin="password"): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 <-> rsa hexhexhexhexhex i2048 (candidate (next)) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +(submit NSS) +key_issued_count=0 +key_next_requested_count=1 +key_requested_count=1 NSS certs before saving (preserve=1,pin="password"): i2048 u,u,u serial=1234 @@ -66,6 +132,10 @@ NSS keys before saving (preserve=1,pin="password"): NSS Signing: NSS Verify: This is the plaintext. +(saving) +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 NSS certs after saving (preserve=1,pin="password"): i2048 u,u,u serial=1235 
@@ -77,10 +147,20 @@ NSS Verify: This is the plaintext. PEM keys before re-keygen (preserve=1,pin="password"): ${tmpdir}/keyi2048 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 OK. PEM keys after re-keygen (preserve=1,pin="password"): ${tmpdir}/keyi2048 ${tmpdir}/keyi2048.(next).key +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +(submit OpenSSL) +key_issued_count=0 +key_next_requested_count=1 +key_requested_count=1 PEM certs before saving (preserve=1,pin="password"): ${tmpdir}/certi2048 serial=1234 @@ -90,6 +170,10 @@ ${tmpdir}/keyi2048.(next).key OpenSSL Signing: OpenSSL Verify: This is the plaintext. +(saving) +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 PEM certs after saving (preserve=1,pin="password"): ${tmpdir}/certi2048 serial=1235 @@ -101,13 +185,37 @@ OpenSSL Verify: This is the plaintext. [ End pass (preserve=1,pin="password"). ] [ Begin pass (preserve=0,pin=""). ] +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 +(submit NSS) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 +(submit OpenSSL) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 First round certificates OK. NSS keys before re-keygen (preserve=0,pin=""): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 OK. NSS keys after re-keygen (preserve=0,pin=""): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 <-> rsa hexhexhexhexhex i2048 (candidate (next)) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +(submit NSS) +key_issued_count=0 +key_next_requested_count=1 +key_requested_count=1 NSS certs before saving (preserve=0,pin=""): i2048 u,u,u serial=1234 
@@ -117,6 +225,10 @@ NSS keys before saving (preserve=0,pin=""): NSS Signing: NSS Verify: This is the plaintext. +(saving) +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 NSS certs after saving (preserve=0,pin=""): i2048 u,u,u serial=1235 @@ -127,10 +239,20 @@ NSS Verify: This is the plaintext. PEM keys before re-keygen (preserve=0,pin=""): ${tmpdir}/keyi2048 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 OK. PEM keys after re-keygen (preserve=0,pin=""): ${tmpdir}/keyi2048 ${tmpdir}/keyi2048.(next).key +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +(submit OpenSSL) +key_issued_count=0 +key_next_requested_count=1 +key_requested_count=1 PEM certs before saving (preserve=0,pin=""): ${tmpdir}/certi2048 serial=1234 @@ -140,6 +262,10 @@ ${tmpdir}/keyi2048.(next).key OpenSSL Signing: OpenSSL Verify: This is the plaintext. +(saving) +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 PEM certs after saving (preserve=0,pin=""): ${tmpdir}/certi2048 serial=1235 
@@ -150,13 +276,37 @@ OpenSSL Verify: This is the plaintext. [ End pass (preserve=0,pin=""). ] [ Begin pass (preserve=0,pin="password"). ] +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 +(submit NSS) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=0 +(submit OpenSSL) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 First round certificates OK. NSS keys before re-keygen (preserve=0,pin="password"): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 OK. NSS keys after re-keygen (preserve=0,pin="password"): <-> rsa hexhexhexhexhex NSS Certificate DB:i2048 <-> rsa hexhexhexhexhex i2048 (candidate (next)) +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +(submit NSS) +key_issued_count=0 +key_next_requested_count=1 +key_requested_count=1 NSS certs before saving (preserve=0,pin="password"): i2048 u,u,u serial=1234 @@ -166,6 +316,10 @@ NSS keys before saving (preserve=0,pin="password"): NSS Signing: NSS Verify: This is the plaintext. +(saving) +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 NSS certs after saving (preserve=0,pin="password"): i2048 u,u,u serial=1235 @@ -176,10 +330,20 @@ NSS Verify: This is the plaintext. PEM keys before re-keygen (preserve=0,pin="password"): ${tmpdir}/keyi2048 +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 OK. PEM keys after re-keygen (preserve=0,pin="password"): ${tmpdir}/keyi2048 ${tmpdir}/keyi2048.(next).key +key_issued_count=0 +key_next_requested_count=0 +key_requested_count=1 +(submit OpenSSL) +key_issued_count=0 +key_next_requested_count=1 +key_requested_count=1 PEM certs before saving (preserve=0,pin="password"): ${tmpdir}/certi2048 serial=1234 
@@ -189,6 +353,10 @@ ${tmpdir}/keyi2048.(next).key OpenSSL Signing: OpenSSL Verify: This is the plaintext. +(saving) +key_issued_count=1 +key_next_requested_count=0 +key_requested_count=1 PEM certs after saving (preserve=0,pin="password"): ${tmpdir}/certi2048 serial=1235 diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh index a278ec0..078e1e8 100755 --- a/tests/030-rekey/run.sh +++ b/tests/030-rekey/run.sh @@ -77,7 +77,10 @@ for preserve in 1 0 ; do $toolsdir/keyiread entry.nss.$size > /dev/null 2>&1 $toolsdir/csrgen entry.nss.$size > csr.nss.$size setupca + grep ^key.\*count= entry.nss.$size | LANG=C sort + echo '(submit NSS)' $toolsdir/submit ca.self entry.nss.$size > cert.nss.$size + grep ^key.\*count= entry.nss.$size | LANG=C sort # Use that OpenSSL key to generate a self-signed certificate. cat > entry.openssl.$size <<- EOF ca_name=self_signer @@ -92,7 +95,10 @@ for preserve in 1 0 ; do $toolsdir/keyiread entry.openssl.$size > /dev/null 2>&1 $toolsdir/csrgen entry.openssl.$size > csr.openssl.$size setupca + grep ^key.\*count= entry.openssl.$size | LANG=C sort + echo '(submit OpenSSL)' $toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size + grep ^key.\*count= entry.openssl.$size | LANG=C sort # Now compare the self-signed certificates built from the keys. if ! cmp cert.nss.$size cert.openssl.$size ; then echo First round certificates differ: @@ -106,6 +112,7 @@ for preserve in 1 0 ; do echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.nss.$size | cut -f2- -d=` run_certutil -K -d $tmpdir -f pinfile | grep -v 'Checking token' | sed -e s,"${marker:-////////}","(next)", | sed -r -e 's,[0123456789abcdef]{8},hex,g' -e 's,< 0>,<->,g' -e 's,< 1>,<->,g' | env LANG=C sort + grep ^key.\*count= entry.nss.$size | LANG=C sort $toolsdir/keygen entry.nss.$size echo "NSS keys after re-keygen (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.nss.$size | cut -f2- -d=` 
@@ -113,7 +120,10 @@ for preserve in 1 0 ; do $toolsdir/keyiread entry.nss.$size > /dev/null 2>&1 $toolsdir/csrgen entry.nss.$size > csr.nss.$size setupca + grep ^key.\*count= entry.nss.$size | LANG=C sort + echo '(submit NSS)' $toolsdir/submit ca.self entry.nss.$size > cert.nss.$size + grep ^key.\*count= entry.nss.$size | LANG=C sort # Verify that we can still sign using the old key and cert using the right name (NSS). echo "NSS certs before saving (preserve=$preserve,pin=\"$pin\"):" @@ -132,7 +142,9 @@ for preserve in 1 0 ; do certutil -M -d $tmpdir -n i$size -t ,, # Go and save the new certs and keys (NSS). + echo '(saving)' $toolsdir/certsave entry.nss.$size + grep ^key.\*count= entry.nss.$size | LANG=C sort # Grab a copy of the public key (NSS). certutil -L -d $tmpdir -n i$size -a | openssl x509 -pubkey -noout > "$tmpdir"/pubkey.nss @@ -156,6 +168,7 @@ for preserve in 1 0 ; do echo "PEM keys before re-keygen (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.openssl.$size | cut -f2- -d=` find $tmpdir -name "keyi${size}*" -print | sed -e s,"${marker:-////////}","(next)", | env LANG=C sort + grep ^key.\*count= entry.openssl.$size | LANG=C sort $toolsdir/keygen entry.openssl.$size echo "PEM keys after re-keygen (preserve=$preserve,pin=\"$pin\"):" marker=`grep ^key_next_marker= entry.openssl.$size | cut -f2- -d=` @@ -163,7 +176,10 @@ for preserve in 1 0 ; do $toolsdir/keyiread entry.openssl.$size > /dev/null 2>&1 $toolsdir/csrgen entry.openssl.$size > csr.openssl.$size setupca + grep ^key.\*count= entry.openssl.$size | LANG=C sort + echo '(submit OpenSSL)' $toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size + grep ^key.\*count= entry.openssl.$size | LANG=C sort # Verify that we can still sign using the old key and cert (OpenSSL). echo "PEM certs before saving (preserve=$preserve,pin=\"$pin\"):" 
@@ -180,7 +196,9 @@ for preserve in 1 0 ; do openssl smime -verify -CAfile certi$size -inform PEM -in signed # Go and save the new certs and keys (OpenSSL). + echo '(saving)' $toolsdir/certsave entry.openssl.$size + grep ^key.\*count= entry.openssl.$size | LANG=C sort # Grab a copy of the public key (OpenSSL). openssl x509 -pubkey -noout -in "$tmpdir"/certi$size > "$tmpdir"/pubkey.openssl