security/manager/ssl/tests/unit/tlsserver/generate_certs.sh

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 #!/bin/bash
michael@0 2 #
michael@0 3 # This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 # License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0 6 #
michael@0 7 # Usage: ./generate_certs.sh <path to objdir> <output directory>
michael@0 8 # e.g. (from the root of mozilla-central)
michael@0 9 # `./security/manager/ssl/tests/unit/tlsserver/generate_certs.sh \
michael@0 10 # obj-x86_64-unknown-linux-gnu/ \
michael@0 11 # security/manager/ssl/tests/unit/tlsserver/`
michael@0 12 #
michael@0 13 # NB: This will cause the following files to be overwritten if they are in
michael@0 14 # the output directory:
michael@0 15 # cert8.db, key3.db, secmod.db, ocsp-ca.der, ocsp-other-ca.der, default-ee.der
michael@0 16 # NB: You must run genHPKPStaticPins.js after running this file, since its
michael@0 17 # output (StaticHPKPins.h) depends on default-ee.der
michael@0 18
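# Trace every command (useful when a certutil invocation fails) and abort on
# the first error.
set -x
set -e

# Exit status for usage/argument errors.  Without a defined value the
# `exit $E_BADARGS` lines below run as a bare `exit`, which reports the status
# of the preceding echo (0) and so signals success on a usage error.
readonly E_BADARGS=2

if [ $# -ne 2 ]; then
  echo "Usage: $(basename "${0}") <path to objdir> <output directory>" >&2
  exit $E_BADARGS
fi

OBJDIR=${1}
OUTPUT_DIR=${2}
RUN_MOZILLA="$OBJDIR/dist/bin/run-mozilla.sh"
CERTUTIL="$OBJDIR/dist/bin/certutil"
# On BSD, mktemp requires either a template or a prefix.
MKTEMP="mktemp temp.XXXX"

# Noise file handed to certutil (-z in COMMON_ARGS) as key-generation entropy.
NOISE_FILE=$($MKTEMP)
# Make a good effort at putting something unique in the noise file.
# (%N is GNU date; other implementations print a literal 'N', which is still
# acceptable for best-effort noise.)
date +%s%N > "$NOISE_FILE"
# Created empty and never written to: certutil -f reads the DB password from
# it, so the test database ends up with an empty password.
PASSWORD_FILE=$($MKTEMP)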
michael@0 38
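#######################################
# Remove the temporary noise and password files.
# Globals:   NOISE_FILE, PASSWORD_FILE (read)
# Returns:   0 (rm -f tolerates files that are already gone)
#######################################
function cleanup {
  rm -f "$NOISE_FILE" "$PASSWORD_FILE"
}
# Run cleanup on every exit path: under `set -e` a failing certutil call would
# otherwise leave the temp.XXXX files behind in the working directory.  The
# explicit cleanup call at the end of the script is harmless alongside this.
trap cleanup EXIT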
michael@0 42
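if [ ! -f "$RUN_MOZILLA" ]; then
  echo "Could not find run-mozilla.sh at '$RUN_MOZILLA' - I'll try without it" >&2
  # Emptied so that the unquoted `$RUN_MOZILLA $CERTUTIL` invocations below
  # collapse to a bare certutil call.
  RUN_MOZILLA=""
fi

if [ ! -f "$CERTUTIL" ]; then
  echo "Could not find certutil at '$CERTUTIL'" >&2
  exit "${E_BADARGS:-2}"
fi

if [ ! -d "$OUTPUT_DIR" ]; then
  echo "Could not find output directory at '$OUTPUT_DIR'" >&2
  exit "${E_BADARGS:-2}"
fi

# Start from a fresh NSS DB so certs from a previous run cannot linger.
if [ -f "$OUTPUT_DIR/cert8.db" ] || [ -f "$OUTPUT_DIR/key3.db" ] || [ -f "$OUTPUT_DIR/secmod.db" ]; then
  echo "Found pre-existing NSS DBs. Clobbering old OCSP certs."
  rm -f "$OUTPUT_DIR/cert8.db" "$OUTPUT_DIR/key3.db" "$OUTPUT_DIR/secmod.db"
fi
# -N creates the DB; -f names the password file, which is empty here, so the
# test DB has no password.
$RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -N -f "$PASSWORD_FILE"

# Options shared by every certutil -S call: 360 months of validity (-v),
# validity start one month in the past (-w -1), prompt for basic constraints
# (-2) and use the noise file for key generation (-z).  Kept as a single
# string on purpose: callers expand it unquoted so it word-splits into options.
COMMON_ARGS="-v 360 -w -1 -2 -z $NOISE_FILE"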
michael@0 65
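#######################################
# Create a self-signed CA cert in the NSS DB and export it as DER.
# Globals:   RUN_MOZILLA, CERTUTIL, OUTPUT_DIR, COMMON_ARGS (read)
# Arguments: $1 - nickname in the DB
#            $2 - subject, e.g. 'CN=Test CA'
#            $3 - DER file name, written under OUTPUT_DIR
#######################################
function make_CA {
  # Answers to certutil's -2 basic-constraints prompts (CA? / path length /
  # critical?).
  local CA_RESPONSES="y\n1\ny"
  local NICKNAME="${1}"
  local SUBJECT="${2}"
  local DERFILE="${3}"

  # $RUN_MOZILLA and $COMMON_ARGS are expanded unquoted on purpose: the former
  # may be empty, the latter is a list of options.  -x self-signs.
  printf '%b\n' "$CA_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -S \
    -n "$NICKNAME" \
    -s "$SUBJECT" \
    -t "CT,," \
    -x $COMMON_ARGS
  $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -L -n "$NICKNAME" -r > "$OUTPUT_DIR/$DERFILE"
}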
michael@0 79
# Serial number assigned to the next cert issued by make_INT, make_EE or
# make_delegated; each of them increments it after issuing.
SERIALNO=1
michael@0 81
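#######################################
# Create an intermediate CA cert signed by an existing CA in the DB.
# Globals:   RUN_MOZILLA, CERTUTIL, OUTPUT_DIR, COMMON_ARGS (read)
#            SERIALNO (read, then incremented)
# Arguments: $1 - nickname in the DB
#            $2 - subject
#            $3 - nickname of the issuing CA
#            $4 - optional extra certutil options (word-split on purpose)
#######################################
function make_INT {
  # Answers to the -2 basic-constraints prompts followed by the --extAIA
  # prompts; the AIA part presumably selects OCSP / URI and points at
  # http://localhost:8080/, then declines further entries.
  local INT_RESPONSES="y\n0\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
  local NICKNAME="${1}"
  local SUBJECT="${2}"
  local CA="${3}"
  local EXTRA_ARGS="${4}"

  # $RUN_MOZILLA, $COMMON_ARGS and $EXTRA_ARGS stay unquoted on purpose.
  printf '%b\n' "$INT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -S \
    -n "$NICKNAME" \
    -s "$SUBJECT" \
    -c "$CA" \
    -t ",," \
    -m "$SERIALNO" \
    --extAIA \
    $COMMON_ARGS \
    $EXTRA_ARGS
  # Every issued cert gets a distinct serial; the OCSP tests rely on that.
  SERIALNO=$((SERIALNO + 1))
}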
michael@0 100
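#######################################
# Create an end-entity cert (with subjectAltName) signed by a CA in the DB.
# Globals:   RUN_MOZILLA, CERTUTIL, OUTPUT_DIR, COMMON_ARGS (read)
#            SERIALNO (read, then incremented)
# Arguments: $1 - nickname in the DB
#            $2 - subject
#            $3 - nickname of the issuing CA (callers that want a self-signed
#                 EE pass -x in the extra options instead)
#            $4 - comma-separated DNS names for the SAN (-8); required
#            $5, $6 - optional extra certutil options; joined and word-split
#                 on purpose (e.g. "-Z MD5" "-w -400")
#######################################
function make_EE {
  # Answers to the -2 (basic constraints: not a CA) and --extAIA prompts; the
  # AIA answers match make_INT (OCSP / URI / http://localhost:8080/).
  local CERT_RESPONSES="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
  local NICKNAME="${1}"
  local SUBJECT="${2}"
  local CA="${3}"
  local SUBJECT_ALT_NAME="${4}"
  local EXTRA_ARGS="${5} ${6}"

  # $SUBJECT_ALT_NAME is quoted: callers pass wildcard names such as
  # "*.example.com", which an unquoted expansion would glob against the cwd.
  # $RUN_MOZILLA, $COMMON_ARGS and $EXTRA_ARGS stay unquoted on purpose.
  printf '%b\n' "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -S \
    -n "$NICKNAME" \
    -s "$SUBJECT" \
    -8 "$SUBJECT_ALT_NAME" \
    -c "$CA" \
    -t ",," \
    -m "$SERIALNO" \
    --extAIA \
    $COMMON_ARGS \
    $EXTRA_ARGS
  # Every issued cert gets a distinct serial; the OCSP tests rely on that.
  SERIALNO=$((SERIALNO + 1))
}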
michael@0 121
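#######################################
# Create a (candidate) delegated OCSP responder cert signed by a CA in the DB.
# Unlike make_INT/make_EE no AIA extension is added.
# Globals:   RUN_MOZILLA, CERTUTIL, OUTPUT_DIR, COMMON_ARGS (read)
#            SERIALNO (read, then incremented)
# Arguments: $1 - nickname in the DB
#            $2 - subject
#            $3 - nickname of the issuing CA
#            $4 - optional extra certutil options, e.g. "--extKeyUsage
#                 ocspResponder" (word-split on purpose)
#######################################
function make_delegated {
  # Answers to the -2 basic-constraints prompts: not a CA.
  local CERT_RESPONSES="n\n\ny\n"
  local NICKNAME="${1}"
  local SUBJECT="${2}"
  local CA="${3}"
  local EXTRA_ARGS="${4}"

  # $RUN_MOZILLA, $COMMON_ARGS and $EXTRA_ARGS stay unquoted on purpose.
  printf '%b\n' "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -S \
    -n "$NICKNAME" \
    -s "$SUBJECT" \
    -c "$CA" \
    -t ",," \
    -m "$SERIALNO" \
    $COMMON_ARGS \
    $EXTRA_ARGS
  # Every issued cert gets a distinct serial; the OCSP tests rely on that.
  SERIALNO=$((SERIALNO + 1))
}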
michael@0 139
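# --- Issue the test PKI -----------------------------------------------------
# Writes test-ca.der, other-test-ca.der and default-ee.der into OUTPUT_DIR;
# every other cert lives only in the NSS DB.  Many certs below are deliberately
# defective (expired, name mismatch, wrong key usage, MD5 signature, untrusted
# or deleted issuer): they are negative-test fixtures for the TLS server tests.
make_CA testCA 'CN=Test CA' test-ca.der
make_CA otherCA 'CN=Other test CA' other-test-ca.der

make_EE localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com"
# Make an EE cert issued by otherCA
make_EE otherIssuerEE 'CN=Wrong CA Pin Test End-Entity' otherCA "*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com"

# default-ee.der is the input genHPKPStaticPins.js depends on (see header).
$RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -L -n localhostAndExampleCom -r > "$OUTPUT_DIR/default-ee.der"
# A cert that is like localhostAndExampleCom, but with a different serial number for
# testing the "OCSP response is from the right issuer, but it is for the wrong cert"
# case.
make_EE ocspOtherEndEntity 'CN=Other Cert' testCA "localhost,*.example.com"

make_INT testINT 'CN=Test Intermediate' testCA
make_EE ocspEEWithIntermediate 'CN=Test End-entity with Intermediate' testINT "localhost,*.example.com"
# "-w -400" follows COMMON_ARGS' "-w -1" on the command line; the expired
# fixtures rely on the later value winning (validity started 400 months ago).
make_EE expired 'CN=Expired Test End-entity' testCA "expired.example.com" "-w -400"
make_EE mismatch 'CN=Mismatch Test End-entity' testCA "doesntmatch.example.com"
# -x self-signs; the testCA argument is then only a placeholder.
make_EE selfsigned 'CN=Self-signed Test End-entity' testCA "selfsigned.example.com" "-x"
# If the certificate 'CN=Test Intermediate' isn't loaded into memory,
# this certificate will have an unknown issuer.
make_INT deletedINT 'CN=Test Intermediate to delete' testCA
make_EE unknownissuer 'CN=Test End-entity from unknown issuer' deletedINT "unknownissuer.example.com"
$RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -D -n deletedINT
make_INT expiredINT 'CN=Expired Test Intermediate' testCA "-w -400"
make_EE expiredissuer 'CN=Test End-entity with expired issuer' expiredINT "expiredissuer.example.com"
# The env prefix on a shell function is a bashism: the variable is exported to
# the certutil child only for the duration of this one call, so weak-signature
# generation stays opted in per fixture rather than script-wide.
NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature 'CN=Test End-entity with MD5 signature' testCA "md5signature.example.com" "-Z MD5"
make_EE untrustedissuer 'CN=Test End-entity with untrusted issuer' otherCA "untrustedissuer.example.com"

# Combinations of the single-failure cases above.
make_EE mismatch-expired 'CN=Mismatch-Expired Test End-entity' testCA "doesntmatch.example.com" "-w -400"
make_EE mismatch-untrusted 'CN=Mismatch-Untrusted Test End-entity' otherCA "doesntmatch.example.com"
make_EE untrusted-expired 'CN=Untrusted-Expired Test End-entity' otherCA "untrusted-expired.example.com" "-w -400"
make_EE mismatch-untrusted-expired 'CN=Mismatch-Untrusted-Expired Test End-entity' otherCA "doesntmatch.example.com" "-w -400"
NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature-expired 'CN=Test MD5Signature-Expired End-entity' testCA "md5signature-expired.example.com" "-Z MD5" "-w -400"

# Key-usage / EKU fixtures.  The second one is self-signed (-x), so the issuer
# argument "unused" is a placeholder.
make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"

# Delegated OCSP responders: one valid, four that must be rejected.
make_delegated delegatedSigner 'CN=Test Delegated Responder' testCA "--extKeyUsage ocspResponder"
make_delegated invalidDelegatedSignerNoExtKeyUsage 'CN=Test Invalid Delegated Responder No extKeyUsage' testCA
make_delegated invalidDelegatedSignerFromIntermediate 'CN=Test Invalid Delegated Responder From Intermediate' testINT "--extKeyUsage ocspResponder"
make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegated Responder keyUsage crlSigning' testCA "--keyUsage crlSigning"
make_delegated invalidDelegatedSignerWrongExtKeyUsage 'CN=Test Invalid Delegated Responder Wrong extKeyUsage' testCA "--extKeyUsage codeSigning"

# Self-signed cert that claims cA=TRUE but is used as an end-entity; the SAN is
# supplied via the extra options because make_INT takes none.
make_INT self-signed-EE-with-cA-true 'CN=Test Self-signed End-entity with CA true' unused "-x -8 self-signed-end-entity-with-cA-true.example.com"

cleanup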
