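#! /bin/csh -f
#
# Run import/export tests for PKCS12.
#
# Run this from SecurityTests/clxutils/importExport. The
# kcImport and kcExport programs must exist in the location
# specified by the LOCAL_BUILD_DIR env var.
#
# Options: q(uiet) n(oACL) s(ecurePassphrase) N(oClean)
#
# Notes for anyone reusing this harness:
#   - $PKCS12_PARSED_PEM is produced by "openssl pkcs12 -nodes", so it holds
#     the private key UNENCRYPTED in $BUILD_DIR. It is removed when the run
#     ends, whether the run succeeds or fails, unless N(oClean) is given.
#   - The passphrase is a fixed test value and is handed to the tools on the
#     command line (-z, -passin/-passout pass:), where it is visible to
#     anyone who can list processes. That is only acceptable because it
#     protects throwaway test material; the s(ecurePassphrase) option
#     exercises kcImport/kcExport's -Z path instead.
#   - The verify step expects an RSA key of $KEYSIZE (512) bits. That size
#     is chosen for test speed; it offers no real protection.
#
source setupCommon

# PKCS12 blob, we generate
set GEN_PKCS12_PFX=${BUILD_DIR}/generated.p12
# parsed PEM sequence generated by openssl (parsing $GEN_PKCS12_PFX);
# contains the private key in the clear (see -nodes below)
set PKCS12_PARSED_PEM=${BUILD_DIR}/parsed.p12.pem
# PKCS12 blob, openssl generates
set GEN_OPENSSL_PKCS12_PFX=${BUILD_DIR}/generatedOpenssl.p12
# PKCS12 passphrase (test-only value, see header)
set PKCS12_PASSPHRASE=somePassphrase

# user specified variables
set QUIET=NO
set QUIET_ARG=
set KEYSIZE=512
set NOACL=NO
set NOACL_ARG=
set SECURE_PASSPHR=
set NOCLEAN=NO

#
# Verify existence of a few crucial things before we start.
#
if( ( ! -e $KCIMPORT ) || \
    ( ! -e $KCEXPORT ) ) then
	echo === You do not seem to have all of the required executables.
	echo === Please build all of cspxutils and clxutils.
	echo === See the README files in those directories for info.
	exit(1)
endif

# user options
while ( $#argv > 0 )
	switch ( "$argv[1]" )
		case q:
			set QUIET=YES
			set QUIET_ARG=-q
			shift
			breaksw
		case n:
			set NOACL=YES
			set NOACL_ARG=-n
			shift
			breaksw
		case s:
			set SECURE_PASSPHR=-Z
			shift
			breaksw
		case N:
			set NOCLEAN=YES
			shift
			breaksw
		default:
			echo Usage: importExportPkcs12 \[q\(uiet\)\] \[n\(oACL\)\] \[s\(ecurePassphrase\)\] \[N\(oClean\)\]
			exit(1)
	endsw
end

#
# From here on, every failure (and an interrupt) goes through the "fail"
# label at the bottom so the plaintext intermediates do not outlive the run.
# The option loop above is finished, so no goto crosses a loop boundary.
#
onintr fail

# Create keypair and cert using certtool
echo === Begin PKCS12 test ===
if ($QUIET == NO) then
	echo Creating keypair and cert with certtool...
	echo $CLEANKC
endif
$CLEANKC || goto fail
set cmd="$CERTTOOL c k=$KEYCHAIN_PATH Z"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd > /dev/null || goto fail

# export as P12
if ($QUIET == NO) then
	echo ...Exporting private key and cert as PKCS12...
endif
# note we export Identities, not All, since pub keys can't go in a P12
set cmd="$KCEXPORT $KEYCHAIN -t identities -f pkcs12 -o $GEN_PKCS12_PFX -z $PKCS12_PASSPHRASE $SECURE_PASSPHR -q"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || goto fail

# import and verify, format given explicitly
if ($QUIET == NO) then
	echo ...Importing PKCS12, explicit format...
	echo $CLEANKC
endif
$CLEANKC || goto fail
set cmd="$KCIMPORT $GEN_PKCS12_PFX -k $KEYCHAIN -f pkcs12 -z $PKCS12_PASSPHRASE -C 0 -K 0 -I 1 -T agg -F pkcs12 -q $NOACL_ARG $SECURE_PASSPHR"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || goto fail

# import and verify, format inferred from the .p12 suffix
if ($QUIET == NO) then
	echo ...Importing PKCS12, format inferred from filename...
	echo $CLEANKC
endif
$CLEANKC || goto fail
set cmd="$KCIMPORT $GEN_PKCS12_PFX -k $KEYCHAIN -z $PKCS12_PASSPHRASE -C 0 -K 0 -I 1 -T agg -F pkcs12 -q $NOACL_ARG $SECURE_PASSPHR"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || goto fail
if ($QUIET == NO) then
	echo $CLEANKC
endif
$CLEANKC || goto fail

#
# Exchange with openssl.
#
if ($QUIET == NO) then
	echo ...parsing our P12 PFX with openssl...
endif
set cmd="$RM -f $PKCS12_PARSED_PEM"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || goto fail
# -nodes: openssl writes the private key to $PKCS12_PARSED_PEM unencrypted.
# Both stdout and stderr are discarded, so on failure rerun the echoed
# command by hand to see openssl's diagnostics.
set cmd="$OPENSSL pkcs12 -in $GEN_PKCS12_PFX -passin pass:$PKCS12_PASSPHRASE -nodes -out $PKCS12_PARSED_PEM"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd >& /dev/null || goto fail

if ($QUIET == NO) then
	echo ...parsing openssl PEM sequence
	echo $CLEANKC
endif
$CLEANKC || goto fail
set cmd="$KCIMPORT $PKCS12_PARSED_PEM -k $KEYCHAIN -z $PKCS12_PASSPHRASE -q $NOACL_ARG $SECURE_PASSPHR"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || goto fail

if ($QUIET == NO) then
	echo ...creating PKCS12 with openssl, import to empty keychain
endif
set cmd="$OPENSSL pkcs12 -in $PKCS12_PARSED_PEM -out $GEN_OPENSSL_PKCS12_PFX -passout pass:$PKCS12_PASSPHRASE -export"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || goto fail
if ($QUIET == NO) then
	echo $CLEANKC
endif
$CLEANKC || goto fail
# $NOACL_ARG is passed here as well so the n(oACL) option applies to every
# import in the run, not just the first two.
set cmd="$KCIMPORT $GEN_OPENSSL_PKCS12_PFX -z $PKCS12_PASSPHRASE -k $KEYCHAIN -K 0 -C 0 -I 1 -q $NOACL_ARG $SECURE_PASSPHR"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || goto fail

# verify the imported private key is the RSA key we expect
set cmd="$DBVERIFY $KEYCHAIN_PATH rsa priv $KEYSIZE $QUIET_ARG"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || goto fail

# cleanup on success
if ($NOCLEAN == NO) then
	set cmd="$RM -f $GEN_PKCS12_PFX $PKCS12_PARSED_PEM $GEN_OPENSSL_PKCS12_PFX"
	if ($QUIET == NO) then
		echo $cmd
	endif
	$cmd || goto fail
endif
if ($QUIET == NO) then
	echo === PKCS12 test complete ===
endif
exit(0)

#
# Failure path: scrub the intermediates (the parsed PEM holds a plaintext
# private key) unless N(oClean) was given, then exit nonzero.
#
fail:
echo === PKCS12 test FAILED ===
if ($NOCLEAN == NO) then
	$RM -f $GEN_PKCS12_PFX $PKCS12_PARSED_PEM $GEN_OPENSSL_PKCS12_PFX
endif
exit(1)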