#! /bin/csh -f
#
# Run PKCS8 import/export tests.
#
# Run this from SecurityTests/clxutils/importExport. The 
# kcImport and kcExport programs must exist in the location
# specified by the LOCAL_BUILD_DIR env var.
#

# Pull in the shared test settings. BUILD_DIR, KEYCHAIN, CLEANKC, RM and
# OPENSSL are used below but never set in this file - presumably setupCommon
# defines them (verify there).
source setupCommon

# Helper tools, resolved relative to the current directory, which is why the
# header asks for this script to be run from the importExport directory.
set PKCS8SUBTOOL=./importExportPkcs8Tool
set PKCS8EXPORTTOOL=./exportPkcs8Tool

# Fixed test passphrase. It is not referenced again in this script -
# presumably the helper tools carry their own copy (TODO confirm). A hard-coded
# value like this is only suitable for throwaway test keys.
set P8_PASSWORD=foobar

# RSA private key, PEM, generated by openssl.
# genrsa is invoked below without a cipher option, so this file holds the
# private key unencrypted.
set RSA_PRIV_KEY=${BUILD_DIR}/rsapriv.clear.pem

# DSA private key, PEM, generated by openssl (gendsa, also without a cipher
# option, so unencrypted as well)
set DSA_PRIV_KEY=${BUILD_DIR}/dsapriv.clear.pem

# DSA parameters, read from the current directory by openssl gendsa
set DSA_PARAMS=dsaParamOpenssl.pem

# PKCS8 blob, generated by openssl
set PKCS8_KEY_OS=${BUILD_DIR}/pkcs8.p8

# PKCS8 blob, generated by kcExport
set PKCS8_KEY_EXP=${BUILD_DIR}/pkcs8_exp.p8

# raw key, generated by openssl after parsing our p8
set PKCS8_KEY_PARSE_OS=${BUILD_DIR}/pkcs8_parse

# DSA parameters
# NOTE(review): neither of these two variables is referenced again in this
# script, and the PEM one repeats the value of DSA_PARAMS above.
set DSA_PARAMS_512_DER=dsaParams_512.der
set DSA_PARAMS_512_PEM=dsaParamOpenssl.pem

# user specified variables
# QUIET, NOACL and SECURE_PHRASE are handed to the helper tools as YES/NO words.
# The matching *_ARG variables are filled in by the option parser but are not
# used anywhere else in this script.
set QUIET=NO
set QUIET_ARG=
# Modulus size given to openssl genrsa. The helper tool invocations pass a
# literal 512 rather than this variable, so the two must be changed together.
# 512-bit keys are only acceptable as disposable test fixtures.
set KEYSIZE=512
set NOACL=NO
set NOACL_ARG=
set SECURE_PHRASE=NO
set SECURE_PHRASE_ARG=
# NOCLEAN=YES skips the final removal of the generated key files.
set NOCLEAN=NO

# user options
#
# Options are bare single letters with no leading dash: q, n, s, N.
# Each recognized letter sets its flag and is consumed with shift, so the loop
# ends once argv is empty. Any other word prints the usage line and exits with
# status 1 before any key material is created.

while ( $#argv > 0 )
    switch ( "$argv[1]" )
        case q:
            set QUIET=YES
			set QUIET_ARG=-q
            shift
            breaksw
        case n:
            set NOACL=YES
			set NOACL_ARG=-n
            shift
            breaksw
        case s:
            set SECURE_PHRASE=YES
			set SECURE_PHRASE_ARG=-Z
            shift
            breaksw
		case N:
			set NOCLEAN=YES
            shift
            breaksw
        default:
            echo Usage: importExportPkcs8 \[q\(uiet\)\] \[n\(oACL\)\] \[s\(ecurePassphrase\)\]  \[N\(oClean\)\]
            exit(1)
    endsw
end

echo === Begin PKCS8 test ===
# CLEANKC is expanded and run as a command; it is not set in this file.
# presumably it resets the test keychain - verify in setupCommon.
# A non-zero status aborts the whole run.
if ($QUIET == NO) then
	echo $CLEANKC
endif
$CLEANKC || exit(1)

###
### RSA testing
###

# Create RSA key pair using openssl
# private keys are only generated in PEM format
if ($QUIET == NO) then
	echo ...RSA key testing, openssl generated 
	echo Creating RSA private key using openssl...
endif
# Drop any key left over from an earlier run so genrsa writes a fresh file.
set cmd="$RM -f $RSA_PRIV_KEY"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)
# No cipher option is given, so the private key is written unencrypted to
# RSA_PRIV_KEY under BUILD_DIR.
set cmd="$OPENSSL genrsa -out $RSA_PRIV_KEY $KEYSIZE"
if ($QUIET == NO) then
	echo $cmd
endif
# stdout and stderr are both discarded, so a genrsa failure surfaces only as
# exit status 1 with no diagnostic text.
$cmd >& /dev/null|| exit(1)

#############
#
# PKCS5 v1.5 algorithms:
#
# Each line runs the import/export helper once for one PBE scheme, alternating
# DER and PEM, and stops the run on the first non-zero status.
# Argument order as passed here: input key, PKCS8 output path, keychain,
# PBE version flag, algorithm name, key type, key size, QUIET, NOACL,
# format, SECURE_PHRASE. The meaning of each position is inferred from the
# variable names - confirm against importExportPkcs8Tool.
# Unlike the openssl steps, these commands are not echoed by this script.
# The schemes listed (MD2, MD5 or SHA1 with single DES or 64-bit RC2) are
# legacy; they appear here as import/export test coverage and should not be
# read as recommended choices for protecting new keys.
#
if ($QUIET == NO) then
	echo ...testing PKCS5 v1.5 PBE with RSA keys
endif
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-MD5-DES rsa 512 $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-MD2-DES rsa 512 $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC2-64 rsa 512 $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-MD2-RC2-64 rsa 512 $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-MD5-RC2-64 rsa 512 $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-DES rsa 512 $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)

#
# PKCS5 v2.0 PBE algorithms
#
# Same helper and argument layout as the v1.5 runs, but with the -v2 flag and
# a bare cipher name (des3, des, rc2). Formats alternate DER, PEM, DER.
# Any non-zero status from the helper ends the run with status 1.
#
if ($QUIET == NO) then
	echo ...testing PKCS5 v2.0 PBE with RSA keys
endif
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v2 des3 rsa 512 $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v2 des rsa 512 $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v2 rc2 rsa 512 $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)

#
# PKCS12 PBE algorithms
# NOTE we do not support PBE-SHA1-2DES (no double DES in the CSP)
#
# These are passed with the -v1 flag, like the PKCS5 v1.5 schemes.
# The RC4-40 and RC2-40 entries use 40-bit keys; they are covered here so
# that legacy blobs can still be imported and exported, and are not suitable
# for protecting new key material.
# Any non-zero status from the helper ends the run with status 1.
#
if ($QUIET == NO) then
	echo ...testing PKCS12 PBE with RSA keys
endif
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC4-128 rsa 512 $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC4-40 rsa 512 $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-3DES rsa 512 $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC2-128 rsa 512 $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $RSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC2-40 rsa 512 $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)

#
# PKCS8 import, DSA form.
# The PKCS8 logic is (mostly) algorithm independent so we'll just do a few of these
# to make sure the CSP can import and export correctly.
#
# Steps: remove any stale DSA key, generate a new one with openssl gendsa from
# the DSA_PARAMS file, then run the helper once with a -v1 scheme (DER) and
# once with a -v2 cipher (PEM).
#
if ($QUIET == NO) then
	echo ...testing PKCS8 import with DSA keys
endif
set cmd="$RM -f $DSA_PRIV_KEY"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)
# No cipher option is given, so the DSA private key is written unencrypted.
# DSA_PARAMS is a relative path, so it is read from the current directory.
set cmd="$OPENSSL gendsa -out $DSA_PRIV_KEY $DSA_PARAMS"
if ($QUIET == NO) then
	echo $cmd
endif
# Output is discarded; a gendsa failure shows up only as exit status 1.
$cmd >& /dev/null || exit(1)
set cmd="$PKCS8SUBTOOL $DSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v1 PBE-SHA1-RC2-40 dsa 512 $QUIET $NOACL DER $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8SUBTOOL $DSA_PRIV_KEY $PKCS8_KEY_OS $KEYCHAIN -v2 des3 dsa 512 $QUIET $NOACL PEM $SECURE_PHRASE"
$cmd || exit(1)

#
# PKCS8 Export
#
# Runs the export helper for the RSA key and then the DSA key, each in PEM and
# DER. Argument order as passed here: input key, exported PKCS8 path, parse
# output path, keychain, format, key type, key size, QUIET, NOACL,
# SECURE_PHRASE. Position meanings are inferred from the variable names -
# confirm against exportPkcs8Tool.
# Per the comment on PKCS8_KEY_PARSE_OS, that path receives the raw key that
# openssl recovers from the exported blob, so it is another file holding
# private key material until cleanup runs.
#
if ($QUIET == NO) then
	echo ...testing PKCS8 Export of RSA private key
endif
set cmd="$PKCS8EXPORTTOOL $RSA_PRIV_KEY $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS $KEYCHAIN PEM rsa 512 $QUIET $NOACL $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8EXPORTTOOL $RSA_PRIV_KEY $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS $KEYCHAIN DER rsa 512 $QUIET $NOACL $SECURE_PHRASE"
$cmd || exit(1)

if ($QUIET == NO) then
	echo ...testing PKCS8 Export of DSA private key
endif
set cmd="$PKCS8EXPORTTOOL $DSA_PRIV_KEY $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS $KEYCHAIN PEM dsa 512 $QUIET $NOACL $SECURE_PHRASE"
$cmd || exit(1)
set cmd="$PKCS8EXPORTTOOL $DSA_PRIV_KEY $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS $KEYCHAIN DER dsa 512 $QUIET $NOACL $SECURE_PHRASE"
$cmd || exit(1)

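# cleanup
#
# Remove every key artifact created by this run: both unencrypted private
# keys, both PKCS8 blobs and the parsed raw key. The removal goes through RM,
# the same variable the earlier removals use, instead of a bare rm looked up
# on the path.
# NOTE: every failure above leaves the script through exit(1) and never
# reaches this block, so after a failed run, or a run with the N option, the
# key files stay in BUILD_DIR and have to be removed by hand.
if ($NOCLEAN == NO) then
	set cmd="$RM -f $RSA_PRIV_KEY $DSA_PRIV_KEY $PKCS8_KEY_OS $PKCS8_KEY_EXP $PKCS8_KEY_PARSE_OS"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd || exit(1)
endif

if ($QUIET == NO) then
	echo === PKCS8 test complete ===
endif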