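#! /bin/csh -f
#
# Run PKCS8 import/export tests.
#
# Run this from SecurityTests/clxutils/importExport. The
# kcImport and kcExport programs must exist in the location
# specified by the LOCAL_BUILD_DIR env var.
#
# Usage: importExportPkcs8 [q(uiet)] [n(oACL)] [s(ecurePassphrase)] [N(oClean)]
#
# Variables such as BUILD_DIR, KEYCHAIN, CLEANKC, OPENSSL and RM are not set
# in this file; they are expected to come from setupCommon (not visible here).
#
# Security notes for anyone reusing this script:
#  - The key sizes (512 bit) and most PBE schemes exercised below (MD2/MD5
#    digests, single DES, 40/64-bit RC2, 40-bit RC4) are covered only to test
#    import/export compatibility. They are not suitable for protecting real
#    keys; the generated key material is throwaway test data.
#  - Unencrypted private keys are written under BUILD_DIR. They are removed by
#    the cleanup step at the end, but not when the N option is given and not
#    when a step fails, because every failure exits before cleanup is reached.
#
source setupCommon

set PKCS8SUBTOOL=./importExportPkcs8Tool
set PKCS8EXPORTTOOL=./exportPkcs8Tool

# Fixed test passphrase. It is not referenced again in this file; presumably
# the sub-tools define their own copy -- confirm before changing it.
set P8_PASSWORD=foobar

# RSA private key, PEM, generated by openssl
set RSA_PRIV_KEY=${BUILD_DIR}/rsapriv.clear.pem
# DSA private key, PEM, generated by openssl
set DSA_PRIV_KEY=${BUILD_DIR}/dsapriv.clear.pem
# DSA parameters
set DSA_PARAMS=dsaParamOpenssl.pem
# Size reported to the sub-tools for DSA keys. The DSA key size is fixed by
# the parameter file, not by KEYSIZE; DSA_PARAMS_512_PEM below names the same
# file, so 512 is the matching value.
set DSA_KEYSIZE=512
# PKCS8 blob, generated by openssl
set PKCS8_KEY_OS=${BUILD_DIR}/pkcs8.p8
# PKCS8 blob, generated by kcExport
set PKCS8_KEY_EXP=${BUILD_DIR}/pkcs8_exp.p8
# raw key, generated by openssl after parsing our p8
set PKCS8_KEY_PARSE_OS=${BUILD_DIR}/pkcs8_parse
# DSA parameters (not referenced elsewhere in this file)
set DSA_PARAMS_512_DER=dsaParams_512.der
set DSA_PARAMS_512_PEM=dsaParamOpenssl.pem

# user specified variables
# The *_ARG forms are recorded but not referenced below: the sub-tools are
# handed the YES/NO values positionally.
set QUIET=NO
set QUIET_ARG=
set KEYSIZE=512
set NOACL=NO
set NOACL_ARG=
set SECURE_PHRASE=NO
set SECURE_PHRASE_ARG=
set NOCLEAN=NO

# user options
while ( $#argv > 0 )
    switch ( "$argv[1]" )
        case q:
            set QUIET=YES
            set QUIET_ARG=-q
            shift
            breaksw
        case n:
            set NOACL=YES
            set NOACL_ARG=-n
            shift
            breaksw
        case s:
            set SECURE_PHRASE=YES
            set SECURE_PHRASE_ARG=-Z
            shift
            breaksw
        case N:
            set NOCLEAN=YES
            shift
            breaksw
        default:
            echo Usage: importExportPkcs8 \[q\(uiet\)\] \[n\(oACL\)\] \[s\(ecurePassphrase\)\] \[N\(oClean\)\]
            exit(1)
    endsw
end

echo === Begin PKCS8 test ===
if ($QUIET == NO) then
    echo $CLEANKC
endif
$CLEANKC || exit(1)

###
### RSA testing
###

# Create RSA key pair using openssl
# private keys are only generated in PEM format
if ($QUIET == NO) then
    echo ...RSA key testing, openssl generated
    echo Creating RSA private key using openssl...
endif
set cmd="$RM -f $RSA_PRIV_KEY"
if ($QUIET == NO) then
    echo $cmd
endif
$cmd || exit(1)
set cmd="$OPENSSL genrsa -out $RSA_PRIV_KEY $KEYSIZE"
if ($QUIET == NO) then
    echo $cmd
endif
$cmd >& /dev/null || exit(1)

#############
#
# PKCS5 v1.5 algorithms:
#
# The RSA invocations pass $KEYSIZE (the value given to genrsa above) rather
# than a repeated literal, so the size reported to the sub-tool always matches
# the key that was generated.
#
if ($QUIET == NO) then
    echo ...testing PKCS5 v1.5 PBE with RSA keys
endif
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-MD5-DES rsa $KEYSIZE $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-MD2-DES rsa $KEYSIZE $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC2-64 rsa $KEYSIZE $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-MD2-RC2-64 rsa $KEYSIZE $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-MD5-RC2-64 rsa $KEYSIZE $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-DES rsa $KEYSIZE $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)

#
# PKCS5 v2.0 PBE algorithms
#
if ($QUIET == NO) then
    echo ...testing PKCS5 v2.0 PBE with RSA keys
endif
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v2 des3 rsa $KEYSIZE $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v2 des rsa $KEYSIZE $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v2 rc2 rsa $KEYSIZE $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)

#
# PKCS12 PBE algorithms
# NOTE we do not support PBE-SHA1-2DES (no double DES in the CSP)
#
if ($QUIET == NO) then
    echo ...testing PKCS12 PBE with RSA keys
endif
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC4-128 rsa $KEYSIZE $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC4-40 rsa $KEYSIZE $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-3DES rsa $KEYSIZE $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC2-128 rsa $KEYSIZE $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC2-40 rsa $KEYSIZE $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)

#
# PKCS8 import, DSA form.
# The PKCS8 logic is (mostly) algorithm independent so we will just do a few
# of these to make sure the CSP can import and export correctly.
#
if ($QUIET == NO) then
    echo ...testing PKCS8 import with DSA keys
endif
set cmd="$RM -f $DSA_PRIV_KEY"
if ($QUIET == NO) then
    echo $cmd
endif
$cmd || exit(1)
set cmd="$OPENSSL gendsa -out $DSA_PRIV_KEY $DSA_PARAMS"
if ($QUIET == NO) then
    echo $cmd
endif
$cmd >& /dev/null || exit(1)
set cmd="$PKCS8SUBTOOL $DSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC2-40 dsa $DSA_KEYSIZE $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $DSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v2 des3 dsa $DSA_KEYSIZE $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)

#
# PKCS8 Export
#
if ($QUIET == NO) then
    echo ...testing PKCS8 Export of RSA private key
endif
set cmd="$PKCS8EXPORTTOOL $RSA_PRIV_KEY $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS $KEYCHAIN PEM rsa $KEYSIZE $QUIET $NOACL $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8EXPORTTOOL $RSA_PRIV_KEY $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS $KEYCHAIN DER rsa $KEYSIZE $QUIET $NOACL $SECURE_PHRASE"
$cmd || exit(1)

if ($QUIET == NO) then
    echo ...testing PKCS8 Export of DSA private key
endif
set cmd="$PKCS8EXPORTTOOL $DSA_PRIV_KEY $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS $KEYCHAIN PEM dsa $DSA_KEYSIZE $QUIET $NOACL $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8EXPORTTOOL $DSA_PRIV_KEY $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS $KEYCHAIN DER dsa $DSA_KEYSIZE $QUIET $NOACL $SECURE_PHRASE"
$cmd || exit(1)

# cleanup
# Removes the clear-text private keys and the PKCS8 blobs written above.
# Uses $RM like the earlier removal steps, so every delete in the script goes
# through the same command.
if ($NOCLEAN == NO) then
    set cmd="$RM -f $RSA_PRIV_KEY $DSA_PRIV_KEY $PKCS8_KEY_OS $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS"
    if ($QUIET == NO) then
        echo $cmd
    endif
    $cmd || exit(1)
endif

if ($QUIET == NO) then
    echo === PKCS8 test complete ===
endif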