Netscape PKCS #11 Test Suites

Newsgroup: mozilla.dev.tech.crypto

The Netscape PKCS #11 Test Suites are designed to help vendors of PKCS #11-compliant cryptographic hardware verify compatibility with Netscape software.

Status

Please read the following notices on the status of the Netscape test suites first.
  • Tools: The tools regress, reporter, and replacer have yet to be released.
  • The test suite: The test source code was written to use NSS 2.x, not NSS 3.x, and would take a lot of work to make it build and run with the current NSS 3.x. Volunteers for this work are welcome.
  • Other tests: NSS has two other programs that are used for PKCS #11 testing. They are pk11mode and pk11util. The sources to both are in nss/cmd.

Test Suites

The following Netscape test suites will soon be available in the Mozilla CVS tree (the trivial test is already checked in):
  • PKCS #11 Test Suite. Uses the regress tool to exercise the PKCS #11 operations most commonly accessed from Netscape products through the PKCS #11 interface.
  • SSL Test Suite. Uses the regress tool to run a series of test programs (up to 8000). Each test opens a client and server SSL socket and transfers data between the two. By default, the suite runs on the NSS libraries, but it can be configured to run over any PKCS #11 cryptographic provider.
  • Trivial. A simple test that loads a cryptoki module and performs some basic exercises, such as querying information and opening sessions.
Running these tests against your PKCS #11 implementation will help expose incompatibilities that could otherwise be found by manual testing only.

Testing Tools

The Netscape PKCS #11 test suites make use of two testing tools whose source is available with the source for the test suites (links bring you to each tool's documentation):
  • Regress. Regress is a test suite automation and reporting tool that runs a parameterized test program over a number of variables. It is controlled by a specification file that lists the variable combinations to be executed. Test result tables are output to an HTML file, which can be organized with the reporter tool.
  • Reporter. Reporter automates the web indexing of regression results generated by the regress tool. Reporter uses a specification file that defines the Component/Test Suite/Platform topology of the report directory structure. The tool then parses all the individual regress summary files found at the lowest level of the reporting hierarchy and updates all the intermediate index.htm files. The reporter tool is expected to automate the routine maintenance of updating web content to form an orderly and predictable testing results web that can be reindexed automatically.

A third tool, replacer, is designed to produce a large number of programs that are nearly identical, differing by only a few variables. This program is ideal for creating regression test suites on APIs or programs that have large numbers of variables. It is not explicitly used by the Netscape PKCS #11 test suites.

Detailed design specifications for all three testing tools--regress, reporter, and replacer--are available at Test Tool Specifications.

Related Documentation

General pointers for getting PKCS #11 drivers working with Netscape software can be found in these documents: