PGP Software Development Kit Cryptographic Module
Operational Test Notes
WHAT IS IT?
----------
The optest program is used as part of the FIPS 140-2 validation process,
in particular for section TE03.14.02, which requires that the tester
perform each of the specified services and observe that they have
been implemented properly. As a side benefit to clients of the SDK,
this code can also be used as a good example of how to perform a number
of commonly used functions, whether or not the developer intends to run
in FIPS mode.
Depending on what option is chosen from the command line the following tests
will be run:
FIPS MODE SPECIFIC TESTS
------------------
- Invoke the Approved mode of operation (optest.c)
This involves Initializing the SDK, checking Module status
and features, and Enabling FIPS Mode.
- Test FIPS mode self-test fail/reset (optest.c)
Primarily used for FIPS testing, it will cause the SDK to enter
into an erroneous state (by performing an invalid self-test) and
then demonstrate that crypto operations are disabled until
the module is reset.
- Command the module to perform the self-tests (optest.c)
Also used as part of FIPS testing, this section invokes the SDK's
internal self-test routines and verifies that they function.
GENERAL SDK TESTS
------------------
This section is of the most interest to SDK users. The optest will
create an SDK context and perform all the cryptographic operations
available. These can include the following tests.
- Random number Generation (RNGtest.c).
Allocates a 64 byte buffer of secure (non-pageable) memory, acquires
sufficient entropy and fills the buffer with random data. After display
it securely frees the buffer.
- SHA Hash (SHAtest.c)
Hash and compare against known answers a number of patterns for
SHA-1, SHA-256, SHA-384 and SHA-512.
- HMAC (HMACtest.c)
HMAC authenticate and compare against known answers a number
of patterns and keys using SHA-1, SHA-256, SHA-384 and SHA-512.
- Low Level crypto (CipherTest.c)
Demonstrate the various low level encryption functions. It runs
a known-answer test of symmetric cipher algorithms in ECB, CBC, and CFB
modes and then decrypts the block and tests it against the original plaintext.
- Public Key Certificate (Keytest.c)
Run pair-wise consistency self test for Key Certificates. This
test will use the low level public key functions to Sign/Verify
and Encrypt/Decrypt with RSA, DSA and ElGamal keys as appropriate.
- Public Key Generation (keygen.c)
After acquiring sufficient entropy for the random number generator
this test will attempt to generate a PGP DSA/DH keypair, extract
status information, test and change the passphrase, and export the
keypair to an ASCII armored string.
- High Level Encode/Decode (Encode.c)
Import an ASCII armored key to an in-memory key database, search
the database for specific keys. Use the High Level SDK PGPEncode to
encrypt and sign a known plaintext message in OpenPGP format.
Decode that message with PGPDecode(), check signature status,
and compare against the original plaintext. Take a cleartext message
and create an ASCII armored detached signature string. Validate
the data using the signature.
- Key Management (keymgmt.c)
Using a disk based keyset (optest.skr/optest.pkr) this test begins by
securely file wiping the private key database found in optest.skr using
the PGPWipeFile API, and deleting the public key database with
PGPDeleteFile. It then creates a new empty database in its place
and populates it with three predefined key pairs. It then filters the
key database using email address as a search criterion and enumerates
the filtered keys, displaying some key properties. The test then
performs a number of key management tasks including key signing and adding
photos, additional user IDs and revocation keys, then writes out and
closes the key database.
- Expired Keys (ExpiredKey.c)
A pre-generated PGP key with three encryption subkeys, at least one
of which is currently expired, is scanned to find a key usable for
encryption. This test also attempts to decode a pre-encrypted message
that one of the expired subkeys can decode.
- Key Usage (KeyUsage.c)
Using a set of pregenerated keys, filter out for keys that can be
used to sign and keys that can be used to encrypt with.
- Secret Sharing (ShamirTest.c)
Perform both low level and high level key splitting functions. In the low
level test a 32 byte binary passphrase is split into n shares, m of which
are needed to reconstruct it. The shares are then displayed and checked
for data leakage against the known original message. The passphrase is then
reconstructed with only m of the required shares and the result is compared
against the original message. In the high level API test, a private key
locking passphrase is split up to multiple share files, and then unlocked
using only the specified quorum of shares.
- X9.31 PRNG (RNGtest.c)
This example shows how to build a FIPS compliant X9.31 PRNG using the low
level Symmetric Cipher API calls.
- Cleanup and Error Display (optest.c)
Release connections to PGPSDK libraries and report any errors.
- Token/SmartCard (Tokentest.c)
Check if any token modules are available, and perform operations
on that token. These include Formatting, Wiping, Checking passcode,
Generating a new key, and exporting a PGP key pair to the device. The
available keypairs are then enumerated and tested for Sign/Verify and
Encrypt/Decrypt operations.
- X509 Function Test (X509test.c)
Perform various high level key management functions specific to X.509.
- PGP Zip/TAR/Archive (PGPTar.c)
Encode a directory into a signed encrypted PGP message and then Decode
and verify the signature. Perform several archive operations such as
adding, removing and enumerating individual files from an encrypted tar
cache. Re-encode the tar cache file into a signed and encrypted
PGP message and decode it.
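
The low level split/reconstruct cycle described under Secret Sharing
(ShamirTest.c) above, written out as an added example; this is not PGP SDK
code and calls no SDK API. It assumes Shamir's scheme over GF(2^8) with the
AES reduction polynomial, which this README does not specify; the names
shamir_split, shamir_join and share_t are hypothetical, the caller supplies
the random coefficient bytes, and secure (non-pageable) memory and wiping
are left out.

```c
#include <stdint.h>
#include <string.h>
#define SECRET_LEN 32                 /* the 32-byte binary passphrase */
typedef uint8_t share_t[SECRET_LEN];  /* one share: a y-value per secret byte */

/* Branch-free multiply in GF(2^8), reduction polynomial 0x11B. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (int i = 0; i < 8; i++, b >>= 1) {
        r ^= (uint8_t)(-(b & 1) & a);
        a = (uint8_t)((a << 1) ^ (-(a >> 7) & 0x1B));
    }
    return r;
}

static uint8_t gf_inv(uint8_t a) {    /* a^254 == 1/a for a != 0 */
    uint8_t r = 1;
    for (int i = 0; i < 254; i++) r = gf_mul(r, a);
    return r;
}

/* Split into n shares, threshold m; shares[i] is the share for x = i + 1.
 * rnd: (m-1)*SECRET_LEN unpredictable bytes (polynomial coefficients). */
int shamir_split(const uint8_t *secret, const uint8_t *rnd, int m, int n,
                 share_t *shares) {
    if (m < 1 || m > n || n > 255) return -1;
    for (int b = 0; b < SECRET_LEN; b++)
        for (int i = 0; i < n; i++) {
            uint8_t x = (uint8_t)(i + 1), y = 0;
            for (int k = m - 1; k >= 1; k--)  /* Horner over c1..c(m-1) */
                y = gf_mul((uint8_t)(y ^ rnd[b * (m - 1) + k - 1]), x);
            shares[i][b] = (uint8_t)(y ^ secret[b]);  /* constant term */
        }
    return 0;
}

/* Rebuild from m shares; xs[j] (distinct, 1..255) is the x of shares[j]. */
void shamir_join(const uint8_t *xs, share_t *shares, int m, uint8_t *out) {
    memset(out, 0, SECRET_LEN);
    for (int j = 0; j < m; j++) {
        uint8_t num = 1, den = 1;  /* Lagrange basis l_j(0) = num / den */
        for (int k = 0; k < m; k++) {
            if (k == j) continue;
            num = gf_mul(num, xs[k]);
            den = gf_mul(den, (uint8_t)(xs[j] ^ xs[k]));
        }
        uint8_t l = gf_mul(num, gf_inv(den));
        for (int b = 0; b < SECRET_LEN; b++) out[b] ^= gf_mul(l, shares[j][b]);
    }
}
```

Interpolating with fewer than m shares yields bytes unrelated to the secret,
which is the property the reconstruction and leakage checks rely on.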
NON FIPS TESTS
-----------------
In addition to the FIPS required tests, there are some other sample
modules that might be of interest to users of the PGP SDK.
- Keyserver Communications (Keyserver.c)
Connect to a remote keyserver and perform key lookup.
- Key Reconstruction (ReconTest.c)
Split a key passphrase into 5 parts that can be reconstructed by
three correct answers to user defined prompts. Remove the Secret
Key and reconstruct it using the PGP Key Reconstruction system
described in the "Inside PGP Key Reconstruction" white paper.
HOW TO BUILD
------------
Windows:
* Open up the optest_sample.sln in Visual Studio .NET
Mac OSX:
* Copy the PGP.framework and PGPui.framework to /Library/Frameworks/
* Open up the optest.xcode/project.pbxproj in Xcode or build from a terminal:
xcodebuild -project "optest.xcode" -target "optest" -buildstyle "Deployment"
AIX / Solaris / HPUX / Linux:
% autoconf
% ./configure
% make
HOW TO RUN
----------
For your specific platform optest is output into the appropriate directory.
Run it from the command line.
usage: optest [options] ..
Options:
Tests:
--fipsmode Test Enable FIPS 140-2 mode
--fail Test FIPS 140-2 mode self-test fail/reset
--selftest Test Module self-tests
--RNG Test Random Number Generator
--SHA Test Secure Hash Algorithm
--HMAC Test Keyed-Hashing for Message Authentication
--ciphers Test Low Level Encryption
--keycert Test Key Certificate
--keygen Test Key Generation
--encode Test High Level Encryption
--expire Test Key Expiration
--usage Test Key Usage
--tar Test PGP Zip
--mgmt Test Key Management
--share Test Secret Sharing / Key Split
--x931 Test X.931 RNG
--token Test List Token/Smartcard
--keyserver Test Key Server
--x509 Test X.509 functionality
--recon Test Key Reconstruction
Test Sets:
--FIPS FIPS-140-2 operational test set
fipsmode fail selftest RNG
SHA HMAC ciphers keycert
keygen encode expire usage
mgmt tar share x931
x509
--default Default test set
RNG SHA HMAC ciphers
keycert keygen encode expire
usage mgmt share x931
tar keyserver x509 recon
Options:
--verbose Enables verbose output
--debug Enables debug output
--out Output directory for test results
--local local SDK only
--agent pgp-agent backend enabled
--cache Enable passphrase cache thread
--nocache Disable passphrase cache thread
--token-keys Token/Smartcard Crypto Key
--token-format Token/Smartcard Format
--token-gen Token/Smartcard Generate Key
--token-export Token/Smartcard Export Key
--token-delete Token/Smartcard Delete Keys
--token-wipe Token/Smartcard Wipe Keys
--p11 pkcs11 module for Token/Smartcard tests
--pin user PIN for Token/Smartcard tests
--SO SO PIN for Token/Smartcard tests
Examples:
optest --keygen
optest --usage --verbose
optest --x509 --verbose
FIPS 140-2 test suite
optest --FIPS
list all keys on token
optest --token --P11 /usr/libexec/SmartCardServices/pkcs11/libASEPKCS11.dylib --PIN 11111111
Test crypto on all token keys
optest --token-keys --verbose --PIN 11111111 --P11 /usr/libexec/SmartCardServices/pkcs11/libASEPKCS11.dylib
Generate key on token and export key to token
optest --token-gen --token-export --PIN 11111111 --P11 /usr/libexec/SmartCardServices/pkcs11/libASEPKCS11.dylib
Format Token
optest --token-format --PIN 11111111 --SO 00000000 --P11 /usr/libexec/SmartCardServices/pkcs11/libASEPKCS11.dylib