From 56c5fd3bc131bf54dfd0f83b0a15ebb6b319b5c3 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 17 Jul 2024 17:46:47 +0200
Subject: [PATCH] tests: Check CA cert in TLS test
Signed-off-by: Jakub Jelen
---
 tests/setup-kryoptic.sh | 14 ++++++++++----
 tests/setup-softhsm.sh | 14 ++++++++++----
 tests/setup-softokn.sh | 9 ++++++++-
 tests/ttls | 2 +-
 4 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/tests/setup-kryoptic.sh b/tests/setup-kryoptic.sh
index c90ebb4d..b62ca822 100755
--- a/tests/setup-kryoptic.sh
+++ b/tests/setup-kryoptic.sh
@@ -118,7 +118,8 @@ SERIAL=1
 title LINE "Creating new Self Sign CA"
 KEYID='0000'
 URIKEYID="%00%00"
-CACRT="${TMPPDIR}/CAcert"
+CACRT="${TMPPDIR}/CAcert.crt"
+CACRT_PEM="${TMPPDIR}/CAcert.pem"
 CACRTN="caCert"
@@ -126,14 +127,17 @@ CACRTN="caCert"
 # shellcheck disable=SC2086
 pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="RSA:2048" \
 --label="${CACRTN}" --id="${KEYID}" 2>&1
-"${certtool}" --generate-self-signed --outfile="${CACRT}.crt" \
+"${certtool}" --generate-self-signed --outfile="${CACRT}" \
 --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
 --load-privkey "pkcs11:object=$CACRTN;type=private" \
 --load-pubkey "pkcs11:object=$CACRTN;type=public" --outder 2>&1
 # shellcheck disable=SC2086
-pkcs11-tool ${P11DEFARGS} --write-object "${CACRT}.crt" --type=cert \
+pkcs11-tool ${P11DEFARGS} --write-object "${CACRT}" --type=cert \
 --id=$KEYID --label="$CACRTN" 2>&1
+# convert the DER cert to PEM
+openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"
+
 # the organization identification is not in the CA
 echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
 # the cert_signing_key and "ca" should be only on the CA
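Review bot: The new `openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"` line in the second hunk of tests/setup-kryoptic.sh (and the identical line in the first hunk of tests/setup-softhsm.sh) sends the PEM through a stdout redirection, so when the conversion fails the shell has already created `$CACRT_PEM` as an empty file, and unless the script runs under `set -e` (not visible in the hunk) setup carries on and the TLS test only fails later with an unreadable CA rather than at the step that broke. An explicit status check keeps the failure at its source: `openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM" || exit 1`. A short comment on why a PEM copy is needed at all, e.g. `# PEM copy of the CA for the TLS test; certtool and pkcs11-tool keep using the DER file`, would also help the next reader, since the DER file is still the one loaded by ca_sign().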
@@ -155,7 +159,7 @@ ca_sign() {
 --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
 --load-privkey "pkcs11:object=$LABEL;type=private" \
 --load-pubkey "pkcs11:object=$LABEL;type=public" --outder \
- --load-ca-certificate "${CACRT}.crt" --inder \
+ --load-ca-certificate "${CACRT}" --inder \
 --load-ca-privkey="pkcs11:object=$CACRTN;type=private" 2>&1
 # shellcheck disable=SC2086
 pkcs11-tool ${P11DEFARGS} --write-object "${CRT}.crt" --type=cert \
@@ -405,6 +409,8 @@ export KRYOPTIC_CONF="${TMPPDIR}/tokens/kryoptic.sql"
 export TESTSSRCDIR="${TESTSSRCDIR}"
 export TESTBLDDIR="${TESTBLDDIR}"
+export CACRT="${CACRT_PEM}"
+
 export TOKDIR="${TOKDIR}"
 export TMPPDIR="${TMPPDIR}"
 export PINVALUE="${PINVALUE}"
diff --git a/tests/setup-softhsm.sh b/tests/setup-softhsm.sh
index 62639b85..d117591a 100755
--- a/tests/setup-softhsm.sh
+++ b/tests/setup-softhsm.sh
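Review bot: `export CACRT="${CACRT_PEM}"` in the export hunk reassigns the script's own `CACRT`, which the ca_sign hunk just above still passes as the DER file via `--load-ca-certificate "${CACRT}" --inder`; any ca_sign call that runs after this export would hand certtool a PEM file while telling it to expect DER. Whether such a call exists is not visible in these hunks, but the silent change of meaning for one variable name is fragile either way, and the third hunk of tests/setup-softhsm.sh has the same pattern. Exporting under a distinct name, e.g. `export CACRT_PEM="${CACRT_PEM}"` with the consumer (presumably tests/ttls, going by the diffstat) reading `CACRT_PEM`, removes the ambiguity; failing that, a comment above the line such as `# from here on CACRT is the PEM copy for the TLS test; ca_sign() requires the DER file` at least documents it.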
@@ -127,18 +127,22 @@ softhsm2-util --init-token --label "token_name" --free --pin $PINVALUE --so-pin
 title LINE "Creating new Self Sign CA"
 KEYID='0000'
 URIKEYID="%00%00"
-CACRT="${TMPPDIR}/CAcert"
+CACRT="${TMPPDIR}/CAcert.crt"
+CACRT_PEM="${TMPPDIR}/CAcert.pem"
 CACRTN="caCert"
 ((SERIAL+=1))
 pkcs11-tool --keypairgen --key-type="RSA:2048" --login --pin=$PINVALUE \
 --module="$P11LIB" --label="${CACRTN}" --id="$KEYID"
-"${certtool}" --generate-self-signed --outfile="${CACRT}.crt" \
+"${certtool}" --generate-self-signed --outfile="${CACRT}" \
 --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
 --load-privkey "pkcs11:object=$CACRTN;type=private" \
 --load-pubkey "pkcs11:object=$CACRTN;type=public" --outder
-pkcs11-tool --write-object "${CACRT}.crt" --type=cert --id=$KEYID \
+pkcs11-tool --write-object "${CACRT}" --type=cert --id=$KEYID \
 --label="$CACRTN" --module="$P11LIB"
+# convert the DER cert to PEM
+openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"
+
 # the organization identification is not in the CA
 echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
 # the cert_signing_key and "ca" should be only on the CA
@@ -159,7 +163,7 @@ ca_sign() {
 --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
 --load-privkey "pkcs11:object=$LABEL;type=private" \
 --load-pubkey "pkcs11:object=$LABEL;type=public" --outder \
- --load-ca-certificate "${CACRT}.crt" --inder \
+ --load-ca-certificate "${CACRT}" --inder \
 --load-ca-privkey="pkcs11:object=$CACRTN;type=private"
 pkcs11-tool --write-object "${CRT}.crt" --type=cert --id="$KEYID" \
 --label="$LABEL" --module="$P11LIB"
@@ -403,6 +407,8 @@ export PINVALUE="${PINVALUE}"
 export SEEDFILE="${TMPPDIR}/noisefile.bin"
 export RAND64FILE="${TMPPDIR}/64krandom.bin"
+export CACRT="${CACRT_PEM}"
+
 export BASEURIWITHPINVALUE="${BASEURIWITHPINVALUE}"
 export BASEURIWITHPINSOURCE="${BASEURIWITHPINSOURCE}"
 export BASEURI="${BASEURI}"
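Review bot: The rewritten `pkcs11-tool --write-object "${CACRT}" --type=cert --id=$KEYID \` line in the first hunk of tests/setup-softhsm.sh leaves `$KEYID` unquoted while the file's own ca_sign hunk, a few lines below, writes `--id="$KEYID"`. Since the line is being changed anyway, quoting it matches the file's convention and silences the shellcheck warning: `pkcs11-tool --write-object "${CACRT}" --type=cert --id="$KEYID" \`. The unquoted `--pin=$PINVALUE` on the context line above is pre-existing and not part of this change.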
diff --git a/tests/setup-softokn.sh b/tests/setup-softokn.sh
index 5ec75f92..1a25eca2 100755
--- a/tests/setup-softokn.sh
+++ b/tests/setup-softokn.sh
@@ -42,7 +42,8 @@ certutil -N -d "${TOKDIR}" -f "${PINFILE}"
 title LINE "Creating new Self Sign CA"
 ((SERIAL+=1))
-certutil -S -s "CN=Issuer" -n selfCA -x -t "C,C,C" \
+CACRTN="selfCA"
+certutil -S -s "CN=Issuer" -n "${CACRTN}" -x -t "C,C,C" \
 -m "${SERIAL}" -1 -2 -5 --keyUsage certSigning,crlSigning \
 --nsCertType sslCA,smimeCA,objectSigningCA \
 -f "${PINFILE}" -d "${TOKDIR}" -z "${SEEDFILE}" >/dev/null 2>&1 <