testdev.c

提供了很多种加密算法和CA认证及相关服务如CMP、OCSP等的开发

	cryptCreateCert( &cryptCert, CRYPT_UNUSED, CRYPT_CERTTYPE_CERTIFICATE );
	status = cryptSetAttribute( cryptCert,
						CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO, signContext );
	if( cryptStatusOK( status ) && \
		!addCertFields( cryptCert, paaCertData ) )
		return( FALSE );
	if( cryptStatusOK( status ) )
		status = cryptSignCert( cryptCert, signContext );
	cryptDestroyContext( signContext );
	if( cryptStatusError( status ) )
		{
		cryptDestroyCert( cryptCert );
		printf( "\nCreation of certificate failed with error code %d, "
				"line %d.\n", status, __LINE__ );
		return( FALSE );
		}
	status = cryptAddPublicKey( cryptDevice, cryptCert );
	cryptDestroyCert( cryptCert );
	if( cryptStatusError( status ) )
		{
		printf( "\ncryptAddPublicKey() failed with error code %d, line %d.\n",
				status, __LINE__ );
		return( FALSE );
		}
	puts( "succeeded." );

	/* Set the user PIN */
	printf( "Setting user PIN... " );
	status = cryptDeviceControlEx( cryptDevice,
					CRYPT_DEVINFO_SET_AUTHENT_USER,
					FORTEZZA_USER_PIN, strlen( FORTEZZA_USER_PIN ),
					FORTEZZA_USER_PIN, strlen( FORTEZZA_USER_PIN ) );
	if( cryptStatusError( status ) )
		{
		printf( "\ncryptDeviceControlEx() failed with error code %d, line %d.\n",
				status, __LINE__ );
		return( FALSE );
		}
	puts( "set to " FORTEZZA_USER_PIN "." );

	/* Clean up */
	cryptDeviceClose( cryptDevice );
	return( TRUE );
	}

/* General device test routine */

static int testCryptoDevice( const CRYPT_DEVICE_TYPE deviceType,
							 const char *deviceName,
							 const DEVICE_INFO *deviceInfo )
	{
	CRYPT_DEVICE cryptDevice;
	BOOLEAN isWriteProtected = FALSE;
	BOOLEAN testResult = FALSE, partialSuccess = FALSE;
	int status;

	/* Open a connection to the device */
	if( deviceType == CRYPT_DEVICE_PKCS11 )
		{
		printf( "\nTesting %s %s...\n", deviceInfo->name, deviceName );
		status = cryptDeviceOpen( &cryptDevice, CRYPT_UNUSED, deviceType,
								  deviceInfo->name );
		}
	else
		{
		printf( "\nTesting %s...\n", deviceName );
		status = cryptDeviceOpen( &cryptDevice, CRYPT_UNUSED, deviceType,
								  deviceName );
		}
	if( status == CRYPT_ERROR_PARAM2 )
		{
		puts( "Support for this device type isn't enabled in this build of "
			  "cryptlib." );
		return( CRYPT_ERROR_NOTAVAIL );	/* Device access not available */
		}
	if( cryptStatusError( status ) )
		{
		if( status == CRYPT_ERROR_PARAM3 )
			puts( "Crypto device not detected, skipping test." );
		else
			printf( "cryptDeviceOpen() failed with error code %d, line %d.\n",
					status, __LINE__ );
		return( FALSE );
		}

	/* If it's one of the smarter classes of device, authenticate ourselves to
	   the device, which is usually required in order to allow it to be used
	   fully */
	if( deviceType == CRYPT_DEVICE_PKCS11 || deviceType == CRYPT_DEVICE_FORTEZZA )
		{
		char tokenLabel[ CRYPT_MAX_TEXTSIZE + 1 ];
		int loggedOn, tokenLabelSize;

		status = cryptGetAttribute( cryptDevice, CRYPT_DEVINFO_LOGGEDIN,
									&loggedOn );
		if( cryptStatusError( status ) )
			{
			puts( "Couldn't obtain device login status." );
			return( FALSE );
			}
		if( loggedOn )
			/* Device may not require a login, or has already been logged in 
			   via a keypad or similar mechanism */
			puts( "Device is already logged in, skipping login. " );
		else
			if( !deviceLogin( cryptDevice, deviceType, deviceInfo ) )
				return( FALSE );
		status = cryptGetAttributeString( cryptDevice, CRYPT_DEVINFO_LABEL,
										  tokenLabel, &tokenLabelSize );
		if( cryptStatusError( status ) )
			puts( "(Device doesn't appear to have a label)." );
		else
			{
			tokenLabel[ tokenLabelSize ] = '\0';
			printf( "Device label is '%s'.\n", tokenLabel );
			}
		}

	/* Write-protected devices won't allow contexts to be created in them,
	   before we try the general device capabilities test we make sure we
	   can actually perform the operation */
	if( deviceType == CRYPT_DEVICE_PKCS11 )
		{
		CRYPT_CONTEXT cryptContext;

		/* Try and create a DES object.  The following check for read-only
		   devices always works because the device object ACL is applied at
		   a much higher level than any device capability checking, the
		   device will never even see the create object message if it's
		   write-protected so all we have to do is make sure that whatever
		   we create is ephemeral */
		status = cryptDeviceCreateContext( cryptDevice, &cryptContext,
										   CRYPT_ALGO_DES );
		if( cryptStatusOK( status ) )
			cryptDestroyContext( cryptContext );
		if( status == CRYPT_ERROR_PERMISSION )
			isWriteProtected = TRUE;
		}

	/* To force the code not to try to create keys and certs in a writeable
	   device, uncomment the following line of code.  This requires that keys/
	   certs of the required type are already present in the device */
/*	KLUDGE_WARN( "write-protect status" );
	isWriteProtected = TRUE;				/**/

	/* There may be test keys lying around from an earlier run, in which case
	   we try to delete them to make sure they won't interfere with the
	   current one */
	if( !isWriteProtected )
		{
		deleteTestKey( cryptDevice, "Test CA key", "CA" );
		deleteTestKey( cryptDevice, deviceInfo->keyLabel, "user" );
		if( deviceType == CRYPT_DEVICE_PKCS11 )
			{
			deleteTestKey( cryptDevice, RSA_PUBKEY_LABEL, "RSA public" );
			deleteTestKey( cryptDevice, RSA_PRIVKEY_LABEL, "RSA private" );
			deleteTestKey( cryptDevice, DSA_PUBKEY_LABEL, "DSA public" );
			deleteTestKey( cryptDevice, DSA_PRIVKEY_LABEL, "DSA private" );
			}
		if( deviceType == CRYPT_DEVICE_FORTEZZA )
			deleteTestKey( cryptDevice, "Test KEA key", "KEA" );
		}

	/* Report what the device can do.  This is intended mostly for simple
	   crypto accelerators and may fail with for devices which work only
	   with the higher-level functions centered around certificates,
	   signatures,and key wrapping, so we skip the tests for devices which
	   allow only high-level access */
	if( deviceType != CRYPT_DEVICE_FORTEZZA )
		testResult = testDeviceCapabilities( cryptDevice, deviceName,
											 isWriteProtected );

	/* If it's a smart device, try various device-specific operations */
	if( deviceType == CRYPT_DEVICE_FORTEZZA || \
		deviceType == CRYPT_DEVICE_PKCS11 )
		partialSuccess = testDeviceHighlevel( cryptDevice, deviceType,
							deviceInfo->keyLabel, deviceInfo->password,
							isWriteProtected );

	/* Clean up */
	status = cryptDeviceClose( cryptDevice );
	if( cryptStatusError( status ) )
		{
		printf( "cryptDeviceClose() failed with error code %d, line %d.\n",
				status, __LINE__ );
		return( FALSE );
		}
	if( !testResult && !partialSuccess )
		return( FALSE );
	if( testResult && partialSuccess )
		printf( "%s tests succeeded.\n\n", deviceName );
	else
		printf( "Some %s tests succeeded.\n\n", deviceName );
	return( TRUE );
	}

int testDevices( void )
	{
	int i, status;

#ifdef TEST_DEVICE_FORTEZZA
  #ifdef TEST_CAW_FUNCTIONALITY
	/* If testing of CAW functionality is enabled, test the full card
	   initialisation process */
	status = testCAW();
	if( cryptStatusError( status ) && status != CRYPT_ERROR_NOTAVAIL )
		return( status );
  #else
	puts( "Skipping CAW functionality test (uncomment the "
		  "TEST_CAW_FUNCTIONALITY #define\n  in " __FILE__ " to enable
		  this)." );
  #endif /* TEST_CAW_FUNCTIONALITY */
	status = testCryptoDevice( CRYPT_DEVICE_FORTEZZA, "Fortezza card",
							   &fortezzaDeviceInfo );
	if( cryptStatusError( status ) && status != CRYPT_ERROR_NOTAVAIL )
		return( status );
#endif /* TEST_DEVICE_FORTEZZA */
	for( i = 0; pkcs11DeviceInfo[ i ].name != NULL; i++ )
		{
		status = testCryptoDevice( CRYPT_DEVICE_PKCS11, "PKCS #11 crypto token",
								   &pkcs11DeviceInfo[ i ] );
		if( cryptStatusError( status ) && status != CRYPT_ERROR_NOTAVAIL )
			return( status );
		}
	putchar( '\n' );
	return( TRUE );
	}
#endif /* TEST_DEVICE */

/****************************************************************************
*																			*
*							User Management Routines Test					*
*																			*
****************************************************************************/

#ifdef TEST_USER

int testUser( void )
	{
	CRYPT_USER cryptUser;
	int status;

	puts( "Testing (minimal) user management functions..." );

	/* Perform a zeroise.  This currently isn't done because (a) it would
	   zeroise all user data whenever anyone runs the self-test and (b) the
	   external API to trigger this isn't defined yet */
/*	status = cryptZeroise( ... ); */

	/* Log in as primary SO using the zeroisation password.  Because of the
	   above situation this currently performs an implicit zeroise */
	status = cryptLogin( &cryptUser, "Security officer", "zeroised" );
	if( cryptStatusError( status ) )
		{
		printf( "cryptLogin() failed with error code %d, line %d.\n",
				status, __LINE__ );
		return( FALSE );
		}

	/* Set the SO password */
	status = cryptSetAttributeString( cryptUser, CRYPT_USERINFO_PASSWORD,
									  "password", 8 );
	if( cryptStatusError( status ) )
		{
		printf( "cryptSetAttributeString() failed with error code %d, "
				"line %d.\n", status, __LINE__ );
		return( FALSE );
		}

	/* Log out and log in again with the new password.  At the moment it's
	   possible to use any password until the PKCS #15 attribute situation
	   is resolved */
	status = cryptLogout( cryptUser );
	if( cryptStatusError( status ) )
		{
		printf( "cryptLogout() failed with error code %d, line %d.\n",
				status, __LINE__ );
		return( FALSE );
		}
	status = cryptLogin( &cryptUser, "Security officer", "password" );
	if( cryptStatusError( status ) )
		{
		printf( "cryptLogin() failed with error code %d, line %d.\n",
				status, __LINE__ );
		return( FALSE );
		}

	/* Clean up */
	cryptLogout( cryptUser );
	puts( "User management tests succeeded.\n" );
	return( TRUE );
	}
#endif /* TEST_USER */