- more tests
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@1129 c6295689-39f2-0310-b995-f0e70906c6a9
parent
fa123c4b75
commit
e396ff5c95
|
@ -5,3 +5,46 @@ work in progress, hopefully we will add more scripts by and by.
|
|||
|
||||
Run the test scripts from this directory. You need to have
|
||||
OpenSC fully built in order for them to do anything useful.
|
||||
|
||||
All test scripts accept the following set of arguments
|
||||
|
||||
--use-default-transport-keys
|
||||
if your card requires a transport key in pkcs15-init (for
|
||||
instance, the GPK and Cryptoflex do), and the default transport
|
||||
key as determined by OpenSC works fine. [If it doesn't please
|
||||
get in contact with us!]
|
||||
|
||||
--split-key
|
||||
For CardOS/M4 - when creating or installing a key intended for
|
||||
both signing and decryption, pkcs15-init must install a the same
|
||||
key twice, with different usage labels: one for each usage. This
|
||||
is called a "split key".
|
||||
|
||||
--reader N
|
||||
Use the specified reader
|
||||
|
||||
|
||||
*** ATTENTION ***
|
||||
|
||||
Some cards require that you present one or several PINs when erasing
|
||||
them. That is because these cards to not support a native mechanism
|
||||
for erasing the card. In this case, OpenSC will perform a recursive
|
||||
removal of files, pretty much like a "rm -rf" in Unix.
|
||||
|
||||
As some of these files are PIN protected against deletion, we have
|
||||
to present the PIN before being allowed to do so. For this reason,
|
||||
the tests may ask you for various PINs.
|
||||
|
||||
When asking for the SO PIN, the prompt will always refer to the
|
||||
"Security Officer PIN". Any other prompts (Test User PIN, etc)
|
||||
refer to the user PIN.
|
||||
|
||||
All tests use the same PINs:
|
||||
|
||||
999999 as the SO PIN, if one is used
|
||||
888888 as the SO PUK, if one is used
|
||||
0000 as the user PIN, if one is used
|
||||
111111 as the user PUK, if one is used
|
||||
|
||||
Some tests will install more than one user PIN, but they will
|
||||
all have the same value.
|
||||
|
|
|
@ -27,12 +27,20 @@ if [ -z "$__p15init__" ]; then
|
|||
# Eat any arguments given on the command line
|
||||
while [ $# -ne 0 ]; do
|
||||
case $1 in
|
||||
--use-default-transport-key|--split-key)
|
||||
--*) var=`expr "$1" : '--\(.*\)'|tr - _`
|
||||
eval opt_$var=true;;
|
||||
esac
|
||||
|
||||
case $1 in
|
||||
--use-default-transport-keys|\
|
||||
--split-key|\
|
||||
--no-prompt)
|
||||
p15init="$p15init $1";;
|
||||
--reader)
|
||||
P15_READER=$2
|
||||
shift;;
|
||||
*) fatal "Unexpected option $1";;
|
||||
*) echo "Unexpected option $1" >&2
|
||||
exit 1;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
@ -125,7 +133,8 @@ function run_display_output {
|
|||
|
||||
function run_check_status {
|
||||
|
||||
echo ":::::: run_check_status $*"
|
||||
echo ":::::: run_check_status $*" >&3
|
||||
cp /dev/null $p15log
|
||||
"$@" || fail "Command failed (status code $?): $*"
|
||||
}
|
||||
|
||||
|
@ -134,7 +143,8 @@ function run_check_output {
|
|||
msg=$1
|
||||
shift
|
||||
|
||||
echo ":::::: run_check_output \"$1\" $*"
|
||||
echo ":::::: run_check_output \"$1\" $*" >&3
|
||||
cp /dev/null $p15log
|
||||
out=`eval "$@" 2>&1`
|
||||
|
||||
# Make sure output makes it to log file
|
||||
|
@ -145,3 +155,100 @@ function run_check_output {
|
|||
*) fail "Command failed (expected $msg): $*";;
|
||||
esac
|
||||
}
|
||||
|
||||
##################################################################
|
||||
#
|
||||
# Common pkcs15 functions
|
||||
#
|
||||
##################################################################
|
||||
function p15_init {
|
||||
|
||||
msg <<-EOF
|
||||
:::
|
||||
::: Testing pkcs15-init
|
||||
:::
|
||||
::: The PINs used by this test script (if applicable) are
|
||||
::: Test SO PIN abcdef
|
||||
::: Test User PIN 0000
|
||||
:::
|
||||
EOF
|
||||
|
||||
msg <<-EOF
|
||||
:::
|
||||
::: The following test will erase your card, if possible,
|
||||
::: and create a new pkcs15 structure on it.
|
||||
:::
|
||||
EOF
|
||||
|
||||
if [ -z $opt_no_prompt ] &&
|
||||
! yesno "Erase and re-initialize card?"; then
|
||||
msg "Aborting test"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
msg "Initializing card ($*)"
|
||||
run_display_output $p15init -EC \
|
||||
--label "OpenSC Test Card" \
|
||||
--serial DEADBEEF \
|
||||
$* >&3 >&4
|
||||
success
|
||||
}
|
||||
|
||||
function p15_erase {
|
||||
|
||||
msg "Erasing card ($*)"
|
||||
run_display_output $p15init --erase
|
||||
"$@" >&3 >&4
|
||||
success
|
||||
}
|
||||
|
||||
function p15_set_pin {
|
||||
|
||||
msg "Setting user PIN ($*)"
|
||||
run_display_output $p15init -P \
|
||||
--label "Test User PIN" \
|
||||
--pin "0000" --puk "111111" \
|
||||
"$@"
|
||||
success
|
||||
|
||||
}
|
||||
|
||||
function p15_gen_key {
|
||||
|
||||
type=$1
|
||||
shift
|
||||
|
||||
msg "Generating key ($*)"
|
||||
run_display_output $p15init -G $type \
|
||||
--split-key \
|
||||
--pin 0000 \
|
||||
--id 45 \
|
||||
--label "Test User Key" \
|
||||
"$@"
|
||||
success
|
||||
}
|
||||
|
||||
function p15_store_key {
|
||||
|
||||
keyfile=$1
|
||||
shift
|
||||
|
||||
msg "Storing private key $keyfile ($*)"
|
||||
run_display_output $p15init -S $keyfile \
|
||||
--split-key \
|
||||
--pin 0000 \
|
||||
--id 45 \
|
||||
--label "Test User Key" \
|
||||
"$@"
|
||||
success
|
||||
}
|
||||
|
||||
function p15_validate {
|
||||
|
||||
msg "Validating card using pkcs11-tool"
|
||||
yes x |
|
||||
run_display_output $p11tool -t --pin 0000 \
|
||||
--slot-label "OpenSC Test Card" $*
|
||||
success
|
||||
}
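Review bot: In the option loop at the top of this file, `eval opt_$var=true` runs for every argument starting with `--` before the second `case` rejects unknown options, so the text after the dashes is evaluated as shell code even for arguments the script then refuses. The only `opt_` variable read in the visible code is `$opt_no_prompt` (in p15_init), so the assignment could move into the accepting arm, e.g. `--no-prompt) opt_no_prompt=true; p15init="$p15init $1";;`, and the `eval` could be dropped. Separately, in p15_erase the line `run_display_output $p15init --erase` has no trailing `\` as rendered here, so `"$@" >&3 >&4` is a separate command. Extra arguments would never reach pkcs15-init and would be executed as a command themselves.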
|
||||
|
||||
|
|
|
@ -6,85 +6,9 @@
|
|||
|
||||
. functions
|
||||
|
||||
case $p15init in
|
||||
*" --use-default-transport-keys")
|
||||
ask_key_question=false;;
|
||||
*) ask_key_question=true;;
|
||||
esac
|
||||
|
||||
msg <<EOF
|
||||
:::
|
||||
::: Testing pkcs15-init
|
||||
:::
|
||||
::: Warning - this test assumes that the transport keys
|
||||
::: guessed by OpenSC (e.g. for the GPK, and the Cryptoflex)
|
||||
::: are correct. If OpenSC guesses wrong, you may find the
|
||||
::: card locked forever.
|
||||
:::
|
||||
EOF
|
||||
|
||||
msg <<EOF
|
||||
:::
|
||||
::: The following test will erase your card, if possible,
|
||||
::: and create a new pkcs15 structure on it.
|
||||
:::
|
||||
EOF
|
||||
|
||||
if ! yesno "Erase and re-initialize card?"; then
|
||||
msg "Aborting test"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
run_display_output $p15init -EC --no-so-pin \
|
||||
--label "OpenSC Test Card" \
|
||||
--serial DEADBEEF >&3 >&4
|
||||
success
|
||||
|
||||
if $ask_key_question; then
|
||||
msg <<-EOF
|
||||
:::
|
||||
::: If the above command asked you for a transport key
|
||||
::: (this should happen e.g. with Gemplus GPK cards and
|
||||
::: Schlumberger Cryptoflex cards), and the default key
|
||||
::: presented to you was correct, I can invoke pkcs15-init
|
||||
::: with the --use-default-transport-key option, which will
|
||||
::: make it use the default key, and skip this question.
|
||||
:::
|
||||
EOF
|
||||
|
||||
if yesno "Should I always use the default transport key?"; then
|
||||
p15init="$p15init --use-default-transport-key"
|
||||
fi
|
||||
fi
|
||||
|
||||
msg <<EOF
|
||||
:::
|
||||
::: Setting user PIN and PUK
|
||||
:::
|
||||
EOF
|
||||
run_display_output $p15init -Pa 01 \
|
||||
--label "Test User PIN" \
|
||||
--pin "0000" --puk "111111"
|
||||
success
|
||||
|
||||
msg <<EOF
|
||||
:::
|
||||
::: Generating key
|
||||
:::
|
||||
EOF
|
||||
run_display_output $p15init -G rsa/1024 -a 01 \
|
||||
--key-usage sign,decrypt \
|
||||
--pin 0000 \
|
||||
--id 45 \
|
||||
--label "Test User Key"
|
||||
success
|
||||
|
||||
msg <<EOF
|
||||
:::
|
||||
::: Using pkcs11-tool to validate card
|
||||
:::
|
||||
EOF
|
||||
yes x |
|
||||
run_display_output $p11tool --pin 0000 -t --slot-label "OpenSC Test Card"
|
||||
success
|
||||
p15_init --no-so-pin
|
||||
p15_set_pin -a 01
|
||||
p15_gen_key rsa/1024 -a 01 --key-usage sign,decrypt
|
||||
p15_validate
|
||||
p15_erase
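Review bot: The banner this script used to print warned that a wrongly guessed transport key may leave the card locked forever, and the p15_init banner that replaces it shows only the test PINs and the erase notice. This reading assumes the old and new sides are as the 85-to-9 line counts suggest. Since `--use-default-transport-keys` is still accepted and handed to pkcs15-init, the warning should survive the refactoring, for example as an extra line in p15_init's first `msg` block: `::: Warning - a wrong default transport key may lock the card`.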
|
||||
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Test pkcs15-init
|
||||
#
|
||||
# Run this from the regression test directory.
|
||||
|
||||
. functions
|
||||
|
||||
p15_init --so-pin 999999 --so-puk 88888888
|
||||
p15_set_pin -a 27 --so-pin 999999
|
||||
p15_gen_key rsa/1024 -a 27 --so-pin 999999 --key-usage sign,decrypt
|
||||
p15_validate
|
||||
p15_erase
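Review bot: `--so-puk 88888888` is eight digits, while the README text added in this commit lists `888888` as the SO PUK, and the p15_init banner prints `Test SO PIN abcdef` although this script sets `--so-pin 999999`. Someone answering an SO PIN or PUK prompt from the README or the banner would enter a value that does not match the card, and repeated wrong entries can block a PIN on many cards. The three places should agree, e.g. `p15_init --so-pin 999999 --so-puk 888888` if the README is authoritative, with the banner line changed to `::: Test SO PIN 999999`.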
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Test pkcs15-init
|
||||
#
|
||||
# Run this from the regression test directory.
|
||||
|
||||
. functions
|
||||
|
||||
p15_init --no-so-pin
|
||||
p15_gen_key rsa/1024 --key-usage decrypt --insecure
|
||||
p15_validate
|
||||
p15_erase
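Review bot: The header comment `# Test pkcs15-init` is identical in every script this commit adds and does not say which case this one covers. A line such as `# Test pkcs15-init: on-card generation of an unprotected (--insecure) decrypt-only RSA key, no SO PIN` would let a reader pick the right script without diffing them. The same applies to the sign-only, rsa/512, OpenSSL-import and two-PIN scripts that follow.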
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Test pkcs15-init
|
||||
#
|
||||
# Run this from the regression test directory.
|
||||
|
||||
. functions
|
||||
|
||||
p15_init --no-so-pin
|
||||
p15_gen_key rsa/1024 --insecure --key-usage sign
|
||||
p15_validate
|
||||
#p15_erase
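Review bot: `#p15_erase` is commented out only in this script, so the card is left holding the `--insecure` signing key and the test profile when the run ends, unlike the sibling scripts. If that is a debugging leftover, restore `p15_erase`. If it is deliberate, a comment such as `# card is left initialised for <reason>` should say why.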
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Test pkcs15-init
|
||||
#
|
||||
# Run this from the regression test directory.
|
||||
|
||||
. functions
|
||||
|
||||
p15_init --no-so-pin
|
||||
p15_gen_key rsa/512 --insecure --key-usage sign,decrypt
|
||||
p15_validate
|
||||
p15_erase
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Test pkcs15-init
|
||||
#
|
||||
# Run this from the regression test directory.
|
||||
|
||||
. functions
|
||||
|
||||
k=$p15temp/private.pem
|
||||
|
||||
p15_init --no-so-pin
|
||||
|
||||
msg "Generating key with OpenSSL"
|
||||
run_check_status openssl genrsa -out $k -f4 1024
|
||||
success
|
||||
|
||||
p15_store_key $k --insecure
|
||||
p15_validate
|
||||
p15_erase
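Review bot: `k=$p15temp/private.pem` is expanded unquoted in `openssl genrsa -out $k` and `p15_store_key $k`, and this script never removes the unencrypted private key once it has been stored. Whether `functions` cleans `$p15temp` on exit is not visible here. Quoting the path (`run_check_status openssl genrsa -out "$k" -f4 1024`, `p15_store_key "$k" --insecure`) and adding `rm -f -- "$k"` after p15_store_key would keep the key file from lingering. p15_store_key itself also expands `$keyfile` unquoted, so quoting here is only a partial fix.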
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Test pkcs15-init
|
||||
#
|
||||
# Run this from the regression test directory.
|
||||
|
||||
. functions
|
||||
|
||||
p15_init --no-so-pin
|
||||
p15_set_pin -a 01
|
||||
p15_set_pin -a 02 --label "User Signature PIN"
|
||||
p15_gen_key rsa/512 -a 01 --key-usage sign,decrypt
|
||||
p15_gen_key rsa/512 -a 02 --key-usage nonRepudiation \
|
||||
--id feeb \
|
||||
--label "Non-Repudiation Key"
|
||||
p15_validate
|
||||
p15_erase
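Review bot: `p15_set_pin -a 02 --label "User Signature PIN"` and the second `p15_gen_key` call pass `--label` and `--id` after the helpers have already put `--label "Test User PIN"`, `--id 45` and `--label "Test User Key"` on the command line. The test therefore relies on pkcs15-init honouring the later occurrence of a repeated option, which is worth confirming. A comment here such as `# overrides the default --label/--id added by the helper (later option is expected to win)` would make that reliance explicit. Alternatively the helpers could add their defaults only when the caller supplies none.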
|
||||
|