security/nss/tests/cert/cert.sh

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 #! /bin/bash
michael@0 2 #
michael@0 3 # This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 # License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0 6
michael@0 7 ########################################################################
michael@0 8 #
michael@0 9 # mozilla/security/nss/tests/cert/rcert.sh
michael@0 10 #
michael@0 11 # Certificate generating and handling for NSS QA, can be included
michael@0 12 # multiple times from all.sh and the individual scripts
michael@0 13 #
michael@0 14 # needs to work on all Unix and Windows platforms
michael@0 15 #
michael@0 16 # included from (don't expect this to be up to date)
michael@0 17 # --------------------------------------------------
michael@0 18 # all.sh
michael@0 19 # ssl.sh
michael@0 20 # smime.sh
michael@0 21 # tools.sh
michael@0 22 #
michael@0 23 # special strings
michael@0 24 # ---------------
michael@0 25 # FIXME ... known problems, search for this string
michael@0 26 # NOTE .... unexpected behavior
michael@0 27 #
michael@0 28 # FIXME - Netscape - NSS
michael@0 29 ########################################################################
michael@0 30
michael@0 31 ############################## cert_init ###############################
michael@0 32 # local shell function to initialize this script
michael@0 33 ########################################################################
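cert_init()
{
  # Initialize this script: source the common init.sh and the iopr cert
  # helpers (each only once), stamp CRL_GRP_DATE, open the HTML report and
  # locate the built-in root certs module (nssckbi) under ${DIST}/${OBJDIR}/lib.
  # Globals written: SCRIPTNAME, CLEANUP, CRL_GRP_DATE, LIBDIR, ROOTCERTSFILE
  # Exits the test run (Exit 5) when no root certs module is found.
  SCRIPTNAME="cert.sh"
  if [ -z "${CLEANUP}" ] ; then   # if nobody else is responsible for
    CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
  fi
  if [ -z "${INIT_SOURCED}" ] ; then
    cd ../common
    . ./init.sh
  fi
  if [ -z "${IOPR_CERT_SOURCED}" ]; then
    . ../iopr/cert_iopr.sh
  fi
  SCRIPTNAME="cert.sh"
  CRL_GRP_DATE=$(date -u "+%Y%m%d%H%M%SZ")
  if [ -z "$NSS_DISABLE_ECC" ] ; then
    html_head "Certutil and Crlutil Tests with ECC"
  else
    html_head "Certutil and Crlutil Tests"
  fi

  LIBDIR="${DIST}/${OBJDIR}/lib"

  # Take the first (sorted) match of the shell's own glob instead of parsing
  # `ls` output. An unmatched glob stays literal, so the -e test is what
  # turns "no module present" into an empty ROOTCERTSFILE.
  ROOTCERTSFILE=""
  for _nssckbi in "${LIBDIR}"/*nssckbi*; do
    if [ -e "${_nssckbi}" ]; then
      ROOTCERTSFILE="${_nssckbi}"
      break
    fi
  done
  unset _nssckbi
  if [ ! "${ROOTCERTSFILE}" ] ; then
    html_failed "Looking for root certs module."
    cert_log "ERROR: Root certs module not found."
    Exit 5 "Fatal - Root certs module not found."
  else
    html_passed "Looking for root certs module."
  fi

  if [ "${OS_ARCH}" = "WINNT" ] && [ "$OS_NAME" = "CYGWIN_NT" ]; then
    ROOTCERTSFILE=$(cygpath -m "${ROOTCERTSFILE}")
  fi
}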
michael@0 70
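cert_log() ###################### write the cert_status file
{
  # Print a status line (prefixed with the script name) to stdout and
  # append the bare message to ${CERT_LOG_FILE}.
  # Arguments: the message words ($*)
  # printf instead of echo so a message starting with "-n"/"-e" or holding
  # a glob character is written literally, and runs of blanks survive
  # (the expansion is quoted, so no word splitting or globbing happens).
  printf '%s\n' "$SCRIPTNAME $*"
  printf '%s\n' "$*" >>"${CERT_LOG_FILE}"
}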
michael@0 76
michael@0 77 ########################################################################
michael@0 78 # function wraps calls to pk12util, also: writes action and options
michael@0 79 # to stdout.
michael@0 80 # Params are the same as to pk12util.
michael@0 81 # Returns pk12util status
michael@0 82 #
pk12u()
{
  # Thin wrapper around pk12util: announce ${CU_ACTION} and the command
  # line on stdout, run the tool from ${BINDIR} and hand back its exit
  # status (also left in the global RET for the caller).
  # NOTE(review): $@ is deliberately left unquoted, as in certu, so a
  # caller may pass several options inside one word; confirm no caller
  # relies on that before quoting it.
  printf '%s\n' "${CU_ACTION} --------------------------"
  printf '%s\n' "pk12util $*"
  ${BINDIR}/pk12util $@
  RET=$?
  return $RET
}
michael@0 93
michael@0 94 ################################ certu #################################
michael@0 95 # local shell function to call certutil, also: writes action and options to
michael@0 96 # stdout, sets variable RET and writes results to the html file results
michael@0 97 ########################################################################
certu()
{
  # Wrapper around certutil: announce ${CU_ACTION}, run the tool from
  # ${BINDIR} (under ${PROFTOOL} when set), keep its status in RET and
  # record pass/fail in the HTML report and cert_log. RETEXPECTED
  # (default 0, copied to the global EXPECTED) is the status counted as
  # success. CU_SUBJECT, when set, is passed as -s and cleared afterwards.
  # NOTE: the remaining options are expanded unquoted ($*) on purpose -
  # callers such as cert_add_cert hand over "-7 a@b,c@d" as one word and
  # rely on it being split here.
  EXPECTED=${RETEXPECTED-0}
  echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"

  if [ -z "${CU_SUBJECT}" ]; then
    echo "certutil $*"
    ${PROFTOOL} ${BINDIR}/certutil $*
    RET=$?
  else
    # the subject contains blanks, so it must reach certutil as a single
    # argument; it is consumed by this call and reset for the next one
    echo "certutil -s \"${CU_SUBJECT}\" $*"
    ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $*
    RET=$?
    CU_SUBJECT=""
  fi

  if [ "$RET" -eq "$EXPECTED" ]; then
    html_passed "${CU_ACTION}"
  else
    CERTFAILED=$RET
    html_failed "${CU_ACTION} ($RET=$EXPECTED) "
    cert_log "ERROR: ${CU_ACTION} failed $RET"
  fi

  return $RET
}
michael@0 125
michael@0 126 ################################ crlu #################################
michael@0 127 # local shell function to call crlutil, also: writes action and options to
michael@0 128 # stdout, sets variable RET and writes results to the html file results
michael@0 129 ########################################################################
crlu()
{
  # Wrapper around crlutil (always invoked with -q): announce ${CU_ACTION},
  # run the tool from ${BINDIR} under ${PROFTOOL}, keep its status in RET
  # (and in CRLFAILED on failure) and record pass/fail in the HTML report.
  # Remaining arguments are expanded unquoted, as in certu.
  CRLUTIL="crlutil -q"
  echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
  echo "$CRLUTIL $*"
  ${PROFTOOL} ${BINDIR}/$CRLUTIL $*
  RET=$?

  case "$RET" in
    0)
      html_passed "${CU_ACTION}"
      ;;
    *)
      CRLFAILED=$RET
      html_failed "${CU_ACTION} ($RET) "
      cert_log "ERROR: ${CU_ACTION} failed $RET"
      ;;
  esac

  return $RET
}
michael@0 148
michael@0 149 ################################ ocspr ##################################
michael@0 150 # local shell function to call ocsresp, also: writes action and options to
michael@0 151 # stdout, sets variable RET and writes results to the html file results
michael@0 152 #########################################################################
ocspr()
{
  # Wrapper around ocspresp: announce ${OR_ACTION}, run the tool from
  # ${BINDIR} under ${PROFTOOL}, keep its status in RET (and in OCSPFAILED
  # on failure) and record pass/fail in the HTML report.
  # Remaining arguments are expanded unquoted, as in certu.
  OCSPRESP="ocspresp"
  echo "$SCRIPTNAME: ${OR_ACTION} --------------------------"
  echo "$OCSPRESP $*"
  ${PROFTOOL} ${BINDIR}/$OCSPRESP $*
  RET=$?

  if [ "$RET" -eq 0 ]; then
    html_passed "${OR_ACTION}"
    return 0
  fi
  OCSPFAILED=$RET
  html_failed "${OR_ACTION} ($RET) "
  cert_log "ERROR: ${OR_ACTION} failed $RET"
  return $RET
}
michael@0 171
modu()
{
  # Wrapper around modutil: announce ${CU_ACTION}, run the tool from
  # ${BINDIR} with an empty line piped in (modutil waits for Enter), keep
  # its status in RET (and in MODFAILED on failure) and record pass/fail
  # in the HTML report. Remaining arguments are expanded unquoted, as in
  # certu.
  MODUTIL="modutil"
  echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
  echo "$MODUTIL $*"
  echo | ${BINDIR}/$MODUTIL $*
  RET=$?

  case "$RET" in
    0)
      html_passed "${CU_ACTION}"
      ;;
    *)
      MODFAILED=$RET
      html_failed "${CU_ACTION} ($RET) "
      cert_log "ERROR: ${CU_ACTION} failed $RET"
      ;;
  esac

  return $RET
}
michael@0 191
michael@0 192 ############################# cert_init_cert ##########################
michael@0 193 # local shell function to initialize creation of client and server certs
michael@0 194 ########################################################################
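cert_init_cert()
{
  # Prepare for creating one client/server cert: create and enter the cert
  # directory, derive PROFILEDIR (absolute path, cygpath-converted on
  # Cygwin, or a multiaccess: name when MULTIACCESS_DBM is set) and refresh
  # the noise file.
  # Arguments: $1 cert dir, $2 cert nickname, $3 serial number, $4 domain
  # Globals written: CERTDIR (reset to "."), CERTNAME, CERTSERIAL, DOMAIN,
  #                  PROFILEDIR
  # Returns: noise's status, or 1 when the directory cannot be entered -
  # in that case nothing else is touched, so a later step cannot run
  # (and create or delete files) in whatever directory we happen to be in.
  CERTDIR="$1"
  CERTNAME="$2"
  CERTSERIAL="$3"
  DOMAIN="$4"

  if [ ! -d "${CERTDIR}" ]; then
    mkdir -p "${CERTDIR}"
  else
    echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
  fi
  if ! cd "${CERTDIR}"; then
    echo "$SCRIPTNAME: ERROR - cannot cd to ${CERTDIR}" >&2
    return 1
  fi
  CERTDIR="."

  PROFILEDIR=$(pwd)
  if [ "${OS_ARCH}" = "WINNT" ] && [ "$OS_NAME" = "CYGWIN_NT" ]; then
    PROFILEDIR=$(cygpath -m "${PROFILEDIR}")
  fi
  if [ -n "${MULTIACCESS_DBM}" ]; then
    PROFILEDIR="multiaccess:${DOMAIN}"
  fi

  noise
}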
michael@0 220
michael@0 221 ############################# hw_acc #################################
michael@0 222 # local shell function to add hw accelerator modules to the db
michael@0 223 ########################################################################
hw_acc()
{
  # Load the hardware accelerator PKCS#11 modules (rainbow, ncipher) into
  # the DB at ${PROFILEDIR}; a no-op unless O_HWACC=ON on a non-64-bit
  # build. Each modutil call gets an empty line piped in for its Enter
  # prompt.
  # Globals written: HW_ACC_RET (1 if rainbow failed, +2 if ncipher
  # failed), HW_ACC_ERR (comma-separated names of the failed commands)
  # Returns: HW_ACC_RET
  HW_ACC_RET=0
  HW_ACC_ERR=""
  if [ -z "$O_HWACC" ] || [ "$O_HWACC" != ON ] || [ -n "$USE_64" ] ; then
    return $HW_ACC_RET
  fi

  echo "creating $CERTNAME s cert with hwaccelerator..."

  echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
  echo " -dbdir ${PROFILEDIR} 2>&1 "
  if ! echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
      -dbdir ${PROFILEDIR} 2>&1; then
    echo "modutil -add rainbow failed in $(pwd)"
    HW_ACC_RET=1
    HW_ACC_ERR="modutil -add rainbow"
  fi

  echo "modutil -add ncipher "
  echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
  echo " -dbdir ${PROFILEDIR} 2>&1 "
  if ! echo | ${BINDIR}/modutil -add ncipher \
      -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
      -dbdir ${PROFILEDIR} 2>&1; then
    echo "modutil -add ncipher failed in $(pwd)"
    HW_ACC_RET=$((HW_ACC_RET + 2))
    HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
  fi

  if [ "$HW_ACC_RET" -ne 0 ]; then
    html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) "
  else
    html_passed "Adding HW accelerators to certDB for ${CERTNAME}"
  fi
  return $HW_ACC_RET
}
michael@0 263
michael@0 264 ############################# cert_create_cert #########################
michael@0 265 # local shell function to create client certs
michael@0 266 # initialize DB, import
michael@0 267 # root cert
michael@0 268 # add cert to DB
michael@0 269 ########################################################################
cert_create_cert()
{
  # Create a client cert end to end: set up the cert dir (cert_init_cert),
  # initialise the DB, load the root certs module, try the HW accelerators,
  # import the RSA test CA (and, unless NSS_DISABLE_ECC is set, the EC test
  # CA), then hand over to cert_add_cert for request / sign / import.
  # Arguments: $1 cert dir, $2 nickname, $3 serial, $4 domain,
  #            $5 extra certutil options for the signing step (optional)
  # Returns: the first non-zero certutil/modutil status, else the status
  # of cert_add_cert. hw_acc's result only goes into the HTML report and
  # does not stop the sequence.
  cert_init_cert "$1" "$2" "$3" "$4"

  CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
  certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  [ "$RET" -eq 0 ] || return $RET

  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"
  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
  [ "$RET" -eq 0 ] || return $RET

  hw_acc

  CU_ACTION="Import Root CA for $CERTNAME"
  certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
    -i "${R_CADIR}/TestCA.ca.cert" 2>&1
  [ "$RET" -eq 0 ] || return $RET

  if [ -z "$NSS_DISABLE_ECC" ] ; then
    CU_ACTION="Import EC Root CA for $CERTNAME"
    certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
      -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
    [ "$RET" -eq 0 ] || return $RET
  fi

  cert_add_cert "$5"
}
michael@0 307
michael@0 308 ############################# cert_add_cert ############################
michael@0 309 # local shell function to add client certs to an existing CERT DB
michael@0 310 # generate request
michael@0 311 # sign request
michael@0 312 # import Cert
michael@0 313 #
michael@0 314 ########################################################################
cert_add_cert()
{
  # Add a cert for ${CERTNAME} to the already initialised DB at
  # ${PROFILEDIR}: generate a request, have TestCA sign it with serial
  # ${CERTSERIAL}, import the result. Unless NSS_DISABLE_ECC is set, do
  # the same for an EC key signed by TestCA-ec, and for an EC key signed
  # by the RSA TestCA (serial ${CERTSERIAL}+10000, to stay clear of the
  # serials TestCA issues elsewhere).
  # Arguments: $1 extra certutil options for the signing steps (may be one
  #            word holding several options; certu splits it)
  # Returns: 0, or the status of the first failing certutil call
  CU_ACTION="Generate Cert Request for $CERTNAME"
  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
  [ "$RET" -eq 0 ] || return $RET

  CU_ACTION="Sign ${CERTNAME}'s Request"
  certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
    -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
  [ "$RET" -eq 0 ] || return $RET

  CU_ACTION="Import $CERTNAME's Cert"
  certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
    -i "${CERTNAME}.cert" 2>&1
  [ "$RET" -eq 0 ] || return $RET

  cert_log "SUCCESS: $CERTNAME's Cert Created"

  # RSA-only builds are done at this point
  [ -z "$NSS_DISABLE_ECC" ] || return 0

  #
  # Generate and add EC cert
  #
  CURVE="secp384r1"
  CU_ACTION="Generate EC Cert Request for $CERTNAME"
  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
    -z "${R_NOISE_FILE}" -o req 2>&1
  [ "$RET" -eq 0 ] || return $RET

  CU_ACTION="Sign ${CERTNAME}'s EC Request"
  certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
    -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
  [ "$RET" -eq 0 ] || return $RET

  CU_ACTION="Import $CERTNAME's EC Cert"
  certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
    -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
  [ "$RET" -eq 0 ] || return $RET
  cert_log "SUCCESS: $CERTNAME's EC Cert Created"

  #
  # Generate EC certificate signed with RSA
  #
  CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
    -z "${R_NOISE_FILE}" -o req 2>&1
  [ "$RET" -eq 0 ] || return $RET

  CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
  # Avoid conflicting serial numbers with TestCA issuer by keeping this set
  # far away. A smaller number risks colliding with the extended ssl user
  # certificates. (expr is kept: it treats the serial as decimal even with
  # a leading zero, which $(( )) would read as octal.)
  NEWSERIAL=$(expr ${CERTSERIAL} + 10000)
  certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
    -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1
  [ "$RET" -eq 0 ] || return $RET

  CU_ACTION="Import $CERTNAME's mixed EC Cert"
  certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
    -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
  [ "$RET" -eq 0 ] || return $RET
  cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"

  return 0
}
michael@0 399
michael@0 400 ################################# cert_all_CA ################################
michael@0 401 # local shell function to build the additional Temp. Certificate Authority (CA)
michael@0 402 # used for the "real life" ssl test with 2 different CA's in the
michael@0 403 # client and in the server's dir
michael@0 404 ##########################################################################
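cert_all_CA()
{
  # Build every test CA the suite relies on: the root TestCA in ${CADIR},
  # the server chain (serverCA -> chain-1 -> chain-2) in ${SERVER_CADIR}
  # and the client chain in ${CLIENT_CADIR}; then, unless NSS_DISABLE_ECC
  # is set, the EC version of each. Subjects reach cert_CA / cert_ec_CA
  # through ALL_CU_SUBJECT; the issuer option ("-c <nickname>") is passed as
  # one word and split inside certu.
  # Writes the test-only DB password "nss" to ${PWFILE}.
  # Every expansion is quoted, so an empty D_* domain or a directory name
  # with blanks can no longer shift cert_CA's positional arguments (which
  # would have turned the serial number into the domain).
  echo nss > "${PWFILE}"

  ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  cert_CA "${CADIR}" TestCA -x "CTu,CTu,CTu" "${D_CA}" "1"

  ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
  cert_CA "${SERVER_CADIR}" serverCA -x "Cu,Cu,Cu" "${D_SERVER_CA}" "2"
  ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
  cert_CA "${SERVER_CADIR}" chain-1-serverCA "-c serverCA" "u,u,u" "${D_SERVER_CA}" "3"
  ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
  cert_CA "${SERVER_CADIR}" chain-2-serverCA "-c chain-1-serverCA" "u,u,u" "${D_SERVER_CA}" "4"

  ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
  cert_CA "${CLIENT_CADIR}" clientCA -x "Tu,Cu,Cu" "${D_CLIENT_CA}" "5"
  ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
  cert_CA "${CLIENT_CADIR}" chain-1-clientCA "-c clientCA" "u,u,u" "${D_CLIENT_CA}" "6"
  ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
  cert_CA "${CLIENT_CADIR}" chain-2-clientCA "-c chain-1-clientCA" "u,u,u" "${D_CLIENT_CA}" "7"

  # root.cert in ${CLIENT_CADIR} and in ${SERVER_CADIR} is the export of the
  # last CA in the chain, not of a root, so it is removed again
  rm -- "${CLIENT_CADIR}/root.cert" "${SERVER_CADIR}/root.cert"

  if [ -z "$NSS_DISABLE_ECC" ] ; then
    #
    # Create EC version of TestCA
    CA_CURVE="secp521r1"
    ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    cert_ec_CA "${CADIR}" TestCA-ec -x "CTu,CTu,CTu" "${D_CA}" "1" "${CA_CURVE}"
    #
    # Create EC versions of the intermediate CA certs
    ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "${SERVER_CADIR}" serverCA-ec -x "Cu,Cu,Cu" "${D_SERVER_CA}" "2" "${CA_CURVE}"
    ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "${SERVER_CADIR}" chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" "${D_SERVER_CA}" "3" "${CA_CURVE}"
    ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "${SERVER_CADIR}" chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" "${D_SERVER_CA}" "4" "${CA_CURVE}"

    ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "${CLIENT_CADIR}" clientCA-ec -x "Tu,Cu,Cu" "${D_CLIENT_CA}" "5" "${CA_CURVE}"
    ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "${CLIENT_CADIR}" chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" "${D_CLIENT_CA}" "6" "${CA_CURVE}"
    ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "${CLIENT_CADIR}" chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" "${D_CLIENT_CA}" "7" "${CA_CURVE}"

    # same as above: ecroot.cert in both chain dirs is the last CA in the
    # chain, not a root
    rm -- "${CLIENT_CADIR}/ecroot.cert" "${SERVER_CADIR}/ecroot.cert"
  fi
}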
michael@0 461
michael@0 462 ################################# cert_CA ################################
michael@0 463 # local shell function to build the Temp. Certificate Authority (CA)
michael@0 464 # used for testing purposes, creating a CA Certificate and a root cert
michael@0 465 ##########################################################################
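cert_CA()
{
  # Build one test CA: for a self-signed CA create its DB and load the root
  # certs module, then issue the CA cert with certutil -S (answering the
  # extension prompts from the here-document) and export it as root.cert
  # and ${NICKNAME}.ca.cert inside ${CUR_CADIR}.
  # Arguments: $1 CA dir, $2 nickname, $3 signer: "-x" for self-signed or
  #            "-c <issuer nickname>" (expanded unquoted on purpose so it
  #            splits into two certutil options), $4 trust flags,
  #            $5 domain (multiaccess), $6 serial number
  # The subject comes from the global ALL_CU_SUBJECT.
  # Exits the test run (Exit 5/6/7) when the directory cannot be entered or
  # DB creation, cert creation or export fails; returns modutil's status
  # when the root certs module cannot be loaded.
  CUR_CADIR=$1
  NICKNAME=$2
  SIGNER=$3
  TRUSTARG=$4
  DOMAIN=$5
  CERTSERIAL=$6

  echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="

  if [ ! -d "${CUR_CADIR}" ]; then
    mkdir -p "${CUR_CADIR}"
  fi
  # Never fall through into the current directory: a failed cd would
  # otherwise create the CA DB (and let cert_all_CA remove root.cert)
  # wherever the script happens to be.
  cd "${CUR_CADIR}" || Exit 5 "Fatal - cannot enter CA directory ${CUR_CADIR}"
  pwd

  LPROFILE=$(pwd)
  if [ "${OS_ARCH}" = "WINNT" ] && [ "$OS_NAME" = "CYGWIN_NT" ]; then
    LPROFILE=$(cygpath -m "${LPROFILE}")
  fi
  if [ -n "${MULTIACCESS_DBM}" ]; then
    LPROFILE="multiaccess:${DOMAIN}"
  fi

  if [ "$SIGNER" = "-x" ] ; then   # self signed -> create DB
    CU_ACTION="Creating CA Cert DB"
    certu -N -d "${LPROFILE}" -f "${R_PWFILE}" 2>&1
    if [ "$RET" -ne 0 ]; then
      Exit 5 "Fatal - failed to create CA $NICKNAME "
    fi

    CU_ACTION="Loading root cert module to CA Cert DB"
    modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1
    if [ "$RET" -ne 0 ]; then
      return $RET
    fi

    echo "$SCRIPTNAME: Certificate initialized ----------"
  fi

  ################# Creating CA Cert ######################################
  # The here-document answers certutil's interactive extension prompts
  # (-1 key usage, -2 basic constraints, -5 cert type); it must stay in
  # step with the prompt order of the certutil under test.
  CU_ACTION="Creating CA Cert $NICKNAME "
  CU_SUBJECT=$ALL_CU_SUBJECT
  certu -S -n "$NICKNAME" -t "$TRUSTARG" -v 600 $SIGNER -d "${LPROFILE}" -1 -2 -5 \
    -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -m "$CERTSERIAL" 2>&1 <<CERTSCRIPT
5
6
9
n
y
-1
n
5
6
7
9
n
CERTSCRIPT

  if [ "$RET" -ne 0 ]; then
    echo "return value is $RET"
    Exit 6 "Fatal - failed to create CA cert"
  fi

  ################# Exporting Root Cert ###################################
  #
  CU_ACTION="Exporting Root Cert"
  certu -L -n "$NICKNAME" -r -d "${LPROFILE}" -o root.cert
  if [ "$RET" -ne 0 ]; then
    Exit 7 "Fatal - failed to export root cert"
  fi
  cp root.cert "${NICKNAME}.ca.cert"
}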
michael@0 542
michael@0 543 ################################ cert_ec_CA ##############################
michael@0 544 # local shell function to build the Temp. Certificate Authority (CA)
michael@0 545 # used for testing purposes, creating a CA Certificate and a root cert
michael@0 546 # This is the ECC version of cert_CA.
michael@0 547 ##########################################################################
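cert_ec_CA()
{
  # ECC counterpart of cert_CA: issue an EC CA cert (-k ec -q ${CURVE})
  # into the DB that cert_CA already created in ${CUR_CADIR}, and export it
  # as ecroot.cert and ${NICKNAME}.ca.cert.
  # Arguments: $1 CA dir, $2 nickname, $3 signer: "-x" or "-c <issuer>"
  #            (expanded unquoted on purpose so it splits), $4 trust flags,
  #            $5 domain (multiaccess), $6 serial number, $7 curve name
  # The subject comes from the global ALL_CU_SUBJECT.
  # NOTE(review): unlike cert_CA this addresses the DB by the relative
  # profile "." rather than the absolute (cygpath'd) path; left as is,
  # both name the same DB once we are inside ${CUR_CADIR}.
  # Exits the test run (Exit 5/6/7) when the directory cannot be entered or
  # cert creation or export fails.
  CUR_CADIR=$1
  NICKNAME=$2
  SIGNER=$3
  TRUSTARG=$4
  DOMAIN=$5
  CERTSERIAL=$6
  CURVE=$7

  echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="

  if [ ! -d "${CUR_CADIR}" ]; then
    mkdir -p "${CUR_CADIR}"
  fi
  # do not carry on in the wrong directory when the cd fails
  cd "${CUR_CADIR}" || Exit 5 "Fatal - cannot enter CA directory ${CUR_CADIR}"
  pwd

  LPROFILE=.
  if [ -n "${MULTIACCESS_DBM}" ]; then
    LPROFILE="multiaccess:${DOMAIN}"
  fi

  ################# Creating an EC CA Cert ################################
  # The here-document answers certutil's interactive extension prompts
  # (-1 key usage, -2 basic constraints, -5 cert type).
  CU_ACTION="Creating EC CA Cert $NICKNAME "
  CU_SUBJECT=$ALL_CU_SUBJECT
  certu -S -n "$NICKNAME" -k ec -q "$CURVE" -t "$TRUSTARG" -v 600 $SIGNER \
    -d "${LPROFILE}" -1 -2 -5 -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
    -m "$CERTSERIAL" 2>&1 <<CERTSCRIPT
5
6
9
n
y
-1
n
5
6
7
9
n
CERTSCRIPT

  if [ "$RET" -ne 0 ]; then
    echo "return value is $RET"
    Exit 6 "Fatal - failed to create EC CA cert"
  fi

  ################# Exporting EC Root Cert ################################
  #
  CU_ACTION="Exporting EC Root Cert"
  certu -L -n "$NICKNAME" -r -d "${LPROFILE}" -o ecroot.cert
  if [ "$RET" -ne 0 ]; then
    Exit 7 "Fatal - failed to export ec root cert"
  fi
  cp ecroot.cert "${NICKNAME}.ca.cert"
}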
michael@0 606
michael@0 607 ############################## cert_smime_client #############################
michael@0 608 # local shell function to create client Certificates for S/MIME tests
michael@0 609 ##############################################################################
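cert_smime_client()
{
  # Create the S/MIME client certs (Alice, Bob, Dave and the multi-email
  # Eve) and cross-import the peers' certs into Alice's and Bob's DBs,
  # RSA first and then (unless NSS_DISABLE_ECC is set) EC.
  # Globals: CERTFAILED is reset here and set by certu on any failed
  #          certutil call; the closing cert_log line reports it.
  CERTFAILED=0
  echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="

  cert_create_cert "${ALICEDIR}" "Alice" 30 "${D_ALICE}"
  cert_create_cert "${BOBDIR}" "Bob" 40 "${D_BOB}"

  echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
  cert_create_cert "${DAVEDIR}" Dave 50 "${D_DAVE}"

  ## XXX With this new script merging ECC and non-ECC tests, the
  ## call to cert_create_cert ends up creating two separate certs
  ## one for Eve and another for Eve-ec but they both end up with
  ## the same Subject Alt Name Extension, i.e., both the cert for
  ## Eve@bogus.com and the cert for Eve-ec@bogus.com end up
  ## listing eve@bogus.net in the Certificate Subject Alt Name extension.
  ## This can cause a problem later when cmsutil attempts to create
  ## enveloped data and accidently picks up the ECC cert (NSS currently
  ## does not support ECC for enveloped data creation). This script
  ## avoids the problem by ensuring that these conflicting certs are
  ## never added to the same cert database (see comment marked XXXX).
  echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
  # the "-7 ..." option list is passed as one word; certu splits it
  cert_create_cert "${EVEDIR}" "Eve" 60 "${D_EVE}" "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"

  #echo "************* Copying CA files to ${SERVERDIR}"
  #cp ${CADIR}/*.db .
  #hw_acc

  #########################################################################
  #
  #cd ${CERTDIR}
  #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
  #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
  #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
  #      -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1

  #CU_ACTION="Export Dave's Cert"
  #cd ${DAVEDIR}
  #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert

  ################# Importing Certificates for S/MIME tests ###############
  # -E imports the peer's cert as an e-mail recipient cert with empty
  # trust flags (",,"); the issuing CA is already trusted in each DB.
  echo "$SCRIPTNAME: Importing Certificates =============================="
  CU_ACTION="Import Bob's cert into Alice's db"
  certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
    -i "${R_BOBDIR}/Bob.cert" 2>&1

  CU_ACTION="Import Dave's cert into Alice's DB"
  certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
    -i "${R_DAVEDIR}/Dave.cert" 2>&1

  CU_ACTION="Import Dave's cert into Bob's DB"
  certu -E -t ",," -d "${P_R_BOBDIR}" -f "${R_PWFILE}" \
    -i "${R_DAVEDIR}/Dave.cert" 2>&1

  CU_ACTION="Import Eve's cert into Alice's DB"
  certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
    -i "${R_EVEDIR}/Eve.cert" 2>&1

  CU_ACTION="Import Eve's cert into Bob's DB"
  certu -E -t ",," -d "${P_R_BOBDIR}" -f "${R_PWFILE}" \
    -i "${R_EVEDIR}/Eve.cert" 2>&1

  if [ -z "$NSS_DISABLE_ECC" ] ; then
    echo "$SCRIPTNAME: Importing EC Certificates =============================="
    CU_ACTION="Import Bob's EC cert into Alice's db"
    certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
      -i "${R_BOBDIR}/Bob-ec.cert" 2>&1

    CU_ACTION="Import Dave's EC cert into Alice's DB"
    certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
      -i "${R_DAVEDIR}/Dave-ec.cert" 2>&1

    CU_ACTION="Import Dave's EC cert into Bob's DB"
    certu -E -t ",," -d "${P_R_BOBDIR}" -f "${R_PWFILE}" \
      -i "${R_DAVEDIR}/Dave-ec.cert" 2>&1

    ## XXXX Do not import Eve's EC cert until we can make sure that
    ## the email addresses listed in the Subject Alt Name Extension
    ## inside Eve's ECC and non-ECC certs are different.
    # CU_ACTION="Import Eve's EC cert into Alice's DB"
    # certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
    #       -i ${R_EVEDIR}/Eve-ec.cert 2>&1

    # CU_ACTION="Import Eve's EC cert into Bob's DB"
    # certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
    #       -i ${R_EVEDIR}/Eve-ec.cert 2>&1
  fi

  if [ "$CERTFAILED" != 0 ] ; then
    # report the failure that was recorded, not the status of the last
    # certutil call (RET), which may well be 0 by now
    cert_log "ERROR: SMIME failed $CERTFAILED"
  else
    cert_log "SUCCESS: SMIME passed"
  fi
}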
michael@0 706
michael@0 707 ############################## cert_extended_ssl #######################
michael@0 708 # local shell function to create client + server certs for extended SSL test
michael@0 709 ########################################################################
michael@0 710 cert_extended_ssl()
michael@0 711 {
michael@0 712
michael@0 713 ################# Creating Certs for extended SSL test ####################
michael@0 714 #
michael@0 715 CERTFAILED=0
michael@0 716 echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
michael@0 717 echo " of a chain of CA's which are not in the same database============"
michael@0 718
michael@0 719 echo "Server Cert"
michael@0 720 cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
michael@0 721
michael@0 722 CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
michael@0 723 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0 724
michael@0 725 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
michael@0 726 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
michael@0 727
michael@0 728 CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
michael@0 729 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0 730 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
michael@0 731
michael@0 732 CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
michael@0 733 cp ${CERTDIR}/req ${SERVER_CADIR}
michael@0 734 certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
michael@0 735 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
michael@0 736
michael@0 737 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
michael@0 738 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0 739 -i "${CERTNAME}.cert" 2>&1
michael@0 740
michael@0 741 CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
michael@0 742 certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0 743 -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
michael@0 744
michael@0 745 if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0 746 #
michael@0 747 # Repeat the above for EC certs
michael@0 748 #
michael@0 749 EC_CURVE="secp256r1"
michael@0 750 CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
michael@0 751 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0 752 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
michael@0 753 -z "${R_NOISE_FILE}" -o req 2>&1
michael@0 754
michael@0 755 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
michael@0 756 cp ${CERTDIR}/req ${SERVER_CADIR}
michael@0 757 certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
michael@0 758 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
michael@0 759
michael@0 760 CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
michael@0 761 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0 762 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
michael@0 763
michael@0 764 CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
michael@0 765 certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0 766 -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
michael@0 767 #
michael@0 768 # done with EC certs
michael@0 769 #
michael@0 770 # Repeat again for mixed EC certs
michael@0 771 #
michael@0 772 EC_CURVE="secp256r1"
michael@0 773 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
michael@0 774 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0 775 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
michael@0 776 -z "${R_NOISE_FILE}" -o req 2>&1
michael@0 777
michael@0 778 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
michael@0 779 cp ${CERTDIR}/req ${SERVER_CADIR}
michael@0 780 certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \
michael@0 781 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
michael@0 782
michael@0 783 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
michael@0 784 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0 785 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
michael@0 786
michael@0 787 # CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)"
michael@0 788 # certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
michael@0 789 # -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
michael@0 790 # 2>&1
michael@0 791 fi
michael@0 792
michael@0 793 echo "Importing all the server's own CA chain into the servers DB"
michael@0 794 for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
michael@0 795 do
michael@0 796 N=`basename $CA | sed -e "s/.ca.cert//"`
michael@0 797 if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then
michael@0 798 T="-t C,C,C"
michael@0 799 else
michael@0 800 T="-t u,u,u"
michael@0 801 fi
michael@0 802 CU_ACTION="Import $N CA $T for $CERTNAME (ext.) "
michael@0 803 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0 804 -i "${CA}" 2>&1
michael@0 805 done
michael@0 806 #============
michael@0 807 echo "Client Cert"
michael@0 808 cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
michael@0 809
michael@0 810 CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
michael@0 811 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0 812
michael@0 813 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
michael@0 814 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
michael@0 815
michael@0 816 CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
michael@0 817 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0 818 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
michael@0 819 -o req 2>&1
michael@0 820
michael@0 821 CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
michael@0 822 cp ${CERTDIR}/req ${CLIENT_CADIR}
michael@0 823 certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
michael@0 824 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
michael@0 825
michael@0 826 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
michael@0 827 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0 828 -i "${CERTNAME}.cert" 2>&1
michael@0 829 CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
michael@0 830 certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0 831 -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
michael@0 832
michael@0 833 if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0 834 #
michael@0 835 # Repeat the above for EC certs
michael@0 836 #
michael@0 837 CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
michael@0 838 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0 839 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
michael@0 840 -z "${R_NOISE_FILE}" -o req 2>&1
michael@0 841
michael@0 842 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
michael@0 843 cp ${CERTDIR}/req ${CLIENT_CADIR}
michael@0 844 certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
michael@0 845 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
michael@0 846
michael@0 847 CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
michael@0 848 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0 849 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
michael@0 850
michael@0 851 CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
michael@0 852 certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
michael@0 853 -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
michael@0 854 #
michael@0 855 # done with EC certs
michael@0 856 #
michael@0 857 #
michael@0 858 # Repeat the above for mixed EC certs
michael@0 859 #
michael@0 860 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
michael@0 861 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0 862 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
michael@0 863 -z "${R_NOISE_FILE}" -o req 2>&1
michael@0 864
michael@0 865 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
michael@0 866 cp ${CERTDIR}/req ${CLIENT_CADIR}
michael@0 867 certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \
michael@0 868 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
michael@0 869
michael@0 870 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
michael@0 871 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0 872 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
michael@0 873
michael@0 874 # CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
michael@0 875 # certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
michael@0 876 # -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
michael@0 877 #
michael@0 878 # done with mixed EC certs
michael@0 879 #
michael@0 880 fi
michael@0 881
michael@0 882 echo "Importing all the client's own CA chain into the servers DB"
michael@0 883 for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
michael@0 884 do
michael@0 885 N=`basename $CA | sed -e "s/.ca.cert//"`
michael@0 886 if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then
michael@0 887 T="-t T,C,C"
michael@0 888 else
michael@0 889 T="-t u,u,u"
michael@0 890 fi
michael@0 891 CU_ACTION="Import $N CA $T for $CERTNAME (ext.)"
michael@0 892 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0 893 -i "${CA}" 2>&1
michael@0 894 done
michael@0 895 if [ "$CERTFAILED" != 0 ] ; then
michael@0 896 cert_log "ERROR: EXT failed $RET"
michael@0 897 else
michael@0 898 cert_log "SUCCESS: EXT passed"
michael@0 899 fi
michael@0 900 }
michael@0 901
michael@0 902 ############################## cert_ssl ################################
michael@0 903 # local shell function to create client + server certs for SSL test
michael@0 904 ########################################################################
michael@0 905 cert_ssl()
michael@0 906 {
michael@0 907 ################# Creating Certs for SSL test ###########################
michael@0 908 #
michael@0 909 CERTFAILED=0
michael@0 910 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
michael@0 911 cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}
michael@0 912
michael@0 913 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
michael@0 914 echo " ${HOSTADDR} ------------------------------------"
michael@0 915 cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
michael@0 916 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
michael@0 917 echo " ${HOSTADDR}-sni --------------------------------"
michael@0 918 CERTSERIAL=101
michael@0 919 CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}"
michael@0 920 cert_add_cert
michael@0 921 CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
michael@0 922 certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
michael@0 923 if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0 924 CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
michael@0 925 certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
michael@0 926 fi
michael@0 927 # cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
michael@0 928 # echo "************* Copying CA files to ${SERVERDIR}"
michael@0 929 # cp ${CADIR}/*.db .
michael@0 930 # hw_acc
michael@0 931 # CU_ACTION="Creating ${CERTNAME}'s Server Cert"
michael@0 932 # CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
michael@0 933 # certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
michael@0 934 # -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
michael@0 935
michael@0 936 if [ "$CERTFAILED" != 0 ] ; then
michael@0 937 cert_log "ERROR: SSL failed $RET"
michael@0 938 else
michael@0 939 cert_log "SUCCESS: SSL passed"
michael@0 940 fi
michael@0 941
michael@0 942 echo "$SCRIPTNAME: Creating database for OCSP stapling tests ==============="
michael@0 943 echo "cp -r ${SERVERDIR} ${STAPLINGDIR}"
michael@0 944 cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
michael@0 945 pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
michael@0 946 pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
michael@0 947 }
michael@0 948 ############################## cert_stresscerts ################################
michael@0 949 # local shell function to create client certs for SSL stresstest
michael@0 950 ########################################################################
michael@0 951 cert_stresscerts()
michael@0 952 {
michael@0 953
michael@0 954 ############### Creating Certs for SSL stress test #######################
michael@0 955 #
michael@0 956 CERTDIR="$CLIENTDIR"
michael@0 957 cd "${CERTDIR}"
michael@0 958
michael@0 959 PROFILEDIR=`cd ${CERTDIR}; pwd`
michael@0 960 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
michael@0 961 PROFILEDIR=`cygpath -m ${PROFILEDIR}`
michael@0 962 fi
michael@0 963 if [ -n "${MULTIACCESS_DBM}" ]; then
michael@0 964 PROFILEDIR="multiaccess:${D_CLIENT}"
michael@0 965 fi
michael@0 966 CERTFAILED=0
michael@0 967 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
michael@0 968
michael@0 969 CONTINUE=$GLOB_MAX_CERT
michael@0 970 CERTSERIAL=10
michael@0 971
michael@0 972 while [ $CONTINUE -ge $GLOB_MIN_CERT ]
michael@0 973 do
michael@0 974 CERTNAME="TestUser$CONTINUE"
michael@0 975 # cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL
michael@0 976 cert_add_cert
michael@0 977 CERTSERIAL=`expr $CERTSERIAL + 1 `
michael@0 978 CONTINUE=`expr $CONTINUE - 1 `
michael@0 979 done
michael@0 980 if [ "$CERTFAILED" != 0 ] ; then
michael@0 981 cert_log "ERROR: StressCert failed $RET"
michael@0 982 else
michael@0 983 cert_log "SUCCESS: StressCert passed"
michael@0 984 fi
michael@0 985 }
michael@0 986
michael@0 987 ############################## cert_fips #####################################
michael@0 988 # local shell function to create certificates for FIPS tests
michael@0 989 ##############################################################################
michael@0 990 cert_fips()
michael@0 991 {
michael@0 992 CERTFAILED=0
michael@0 993 echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
michael@0 994 cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
michael@0 995
michael@0 996 CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
michael@0 997 certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
michael@0 998
michael@0 999 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
michael@0 1000 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
michael@0 1001
michael@0 1002 echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
michael@0 1003 CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
michael@0 1004 echo "modutil -dbdir ${PROFILEDIR} -fips true "
michael@0 1005 ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
michael@0 1006 y
michael@0 1007 MODSCRIPT
michael@0 1008 RET=$?
michael@0 1009 if [ "$RET" -ne 0 ]; then
michael@0 1010 html_failed "${CU_ACTION} ($RET) "
michael@0 1011 cert_log "ERROR: ${CU_ACTION} failed $RET"
michael@0 1012 else
michael@0 1013 html_passed "${CU_ACTION}"
michael@0 1014 fi
michael@0 1015
michael@0 1016 CU_ACTION="Generate Certificate for ${CERTNAME}"
michael@0 1017 CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
michael@0 1018 certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
michael@0 1019 if [ "$RET" -eq 0 ]; then
michael@0 1020 cert_log "SUCCESS: FIPS passed"
michael@0 1021 fi
michael@0 1022 }
michael@0 1023
michael@0 1024 ############################## cert_eccurves ###########################
michael@0 1025 # local shell function to create server certs for all EC curves
michael@0 1026 ########################################################################
michael@0 1027 cert_eccurves()
michael@0 1028 {
michael@0 1029 ################# Creating Certs for EC curves test ########################
michael@0 1030 #
michael@0 1031 if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0 1032 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
michael@0 1033 echo " EC Curves Test Certificates ------------------------------------"
michael@0 1034
michael@0 1035 cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
michael@0 1036
michael@0 1037 CU_ACTION="Initializing EC Curve's Cert DB"
michael@0 1038 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0 1039
michael@0 1040 CU_ACTION="Loading root cert module to EC Curve's Cert DB"
michael@0 1041 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
michael@0 1042
michael@0 1043 CU_ACTION="Import EC Root CA for $CERTNAME"
michael@0 1044 certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
michael@0 1045 -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
michael@0 1046
michael@0 1047 if [ -n "${NSS_ECC_MORE_THAN_SUITE_B}" ] ; then
michael@0 1048 CURVE_LIST="c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 \
michael@0 1049 c2pnb208w1 c2pnb272w1 c2pnb304w1 c2pnb368w1 \
michael@0 1050 c2tnb191v1 c2tnb191v2 c2tnb191v3 c2tnb239v1 \
michael@0 1051 c2tnb239v2 c2tnb239v3 c2tnb359v1 c2tnb431r1 \
michael@0 1052 nistb163 nistb233 nistb283 nistb409 nistb571 \
michael@0 1053 nistk163 nistk233 nistk283 nistk409 nistk571 \
michael@0 1054 nistp192 nistp224 nistp256 nistp384 nistp521 \
michael@0 1055 prime192v1 prime192v2 prime192v3 \
michael@0 1056 prime239v1 prime239v2 prime239v3 \
michael@0 1057 secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 \
michael@0 1058 secp160r1 secp160r2 secp192k1 secp192r1 secp224k1 \
michael@0 1059 secp224r1 secp256k1 secp256r1 secp384r1 secp521r1 \
michael@0 1060 sect113r1 sect113r2 sect131r1 sect131r2 sect163k1 sect163r1 \
michael@0 1061 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 \
michael@0 1062 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1"
michael@0 1063 else
michael@0 1064 CURVE_LIST="nistp256 nistp384 nistp521"
michael@0 1065 fi
michael@0 1066 CERTSERIAL=2000
michael@0 1067
michael@0 1068 for CURVE in ${CURVE_LIST}
michael@0 1069 do
michael@0 1070 CERTFAILED=0
michael@0 1071 CERTNAME="Curve-${CURVE}"
michael@0 1072 CERTSERIAL=`expr $CERTSERIAL + 1 `
michael@0 1073 CU_ACTION="Generate EC Cert Request for $CERTNAME"
michael@0 1074 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0 1075 certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0 1076 -z "${R_NOISE_FILE}" -o req 2>&1
michael@0 1077
michael@0 1078 if [ $RET -eq 0 ] ; then
michael@0 1079 CU_ACTION="Sign ${CERTNAME}'s EC Request"
michael@0 1080 certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
michael@0 1081 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
michael@0 1082 fi
michael@0 1083
michael@0 1084 if [ $RET -eq 0 ] ; then
michael@0 1085 CU_ACTION="Import $CERTNAME's EC Cert"
michael@0 1086 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0 1087 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
michael@0 1088 fi
michael@0 1089 done
michael@0 1090
michael@0 1091 fi # $NSS_DISABLE_ECC
michael@0 1092 }
michael@0 1093
michael@0 1094 ########################### cert_extensions_test #############################
michael@0 1095 # local shell function to test cert extensions generation
michael@0 1096 ##############################################################################
michael@0 1097 cert_extensions_test()
michael@0 1098 {
michael@0 1099 COUNT=`expr ${COUNT} + 1`
michael@0 1100 CERTNAME=TestExt${COUNT}
michael@0 1101 CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0 1102
michael@0 1103 echo
michael@0 1104 echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
michael@0 1105 -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
michael@0 1106 -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
michael@0 1107 echo "certutil options:"
michael@0 1108 cat ${TARG_FILE}
michael@0 1109 ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
michael@0 1110 -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
michael@0 1111 -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE}
michael@0 1112 RET=$?
michael@0 1113 if [ "${RET}" -ne 0 ]; then
michael@0 1114 CERTFAILED=1
michael@0 1115 html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate"
michael@0 1116 cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed"
michael@0 1117 return 1
michael@0 1118 fi
michael@0 1119
michael@0 1120 echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}
michael@0 1121 EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}`
michael@0 1122 RET=$?
michael@0 1123 echo "${EXTLIST}"
michael@0 1124 if [ "${RET}" -ne 0 ]; then
michael@0 1125 CERTFAILED=1
michael@0 1126 html_failed "${TESTNAME} (${COUNT}) - List Certificate"
michael@0 1127 cert_log "ERROR: ${TESTNAME} - List Certificate failed"
michael@0 1128 return 1
michael@0 1129 fi
michael@0 1130
michael@0 1131 for FL in `echo ${FILTERLIST} | tr \| ' '`; do
michael@0 1132 FL="`echo ${FL} | tr _ ' '`"
michael@0 1133 EXPSTAT=0
michael@0 1134 if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then
michael@0 1135 EXPSTAT=1
michael@0 1136 FL=`echo ${FL} | tr -d '!'`
michael@0 1137 fi
michael@0 1138 echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1
michael@0 1139 RET=$?
michael@0 1140 if [ "${RET}" -ne "${EXPSTAT}" ]; then
michael@0 1141 CERTFAILED=1
michael@0 1142 html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}"
michael@0 1143 cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed"
michael@0 1144 return 1
michael@0 1145 fi
michael@0 1146 done
michael@0 1147
michael@0 1148 html_passed "${TESTNAME} (${COUNT})"
michael@0 1149 return 0
michael@0 1150 }
michael@0 1151
michael@0 1152 ############################## cert_extensions ###############################
michael@0 1153 # local shell function to run cert extensions tests
michael@0 1154 ##############################################################################
michael@0 1155 cert_extensions()
michael@0 1156 {
michael@0 1157 CERTNAME=TestExt
michael@0 1158 cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS}
michael@0 1159 TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args
michael@0 1160
michael@0 1161 COUNT=0
michael@0 1162 while read ARG OPT FILTERLIST; do
michael@0 1163 if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then
michael@0 1164 continue
michael@0 1165 fi
michael@0 1166 if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then
michael@0 1167 TESTNAME="${FILTERLIST}"
michael@0 1168 continue
michael@0 1169 fi
michael@0 1170 if [ X"${ARG}" = "X=" ]; then
michael@0 1171 cert_extensions_test
michael@0 1172 rm -f ${TARG_FILE}
michael@0 1173 else
michael@0 1174 echo ${ARG} >> ${TARG_FILE}
michael@0 1175 fi
michael@0 1176 done < ${QADIR}/cert/certext.txt
michael@0 1177 }
michael@0 1178
michael@0 1179 cert_make_with_param()
michael@0 1180 {
michael@0 1181 DIRPASS="$1"
michael@0 1182 CERTNAME="$2"
michael@0 1183 MAKE="$3"
michael@0 1184 SUBJ="$4"
michael@0 1185 EXTRA="$5"
michael@0 1186 EXPECT="$6"
michael@0 1187 TESTNAME="$7"
michael@0 1188
michael@0 1189 echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
michael@0 1190 ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
michael@0 1191
michael@0 1192 RET=$?
michael@0 1193 if [ "${RET}" -ne "${EXPECT}" ]; then
michael@0 1194 # if we expected failure to create, then delete unexpected certificate
michael@0 1195 if [ "${EXPECT}" -ne 0 ]; then
michael@0 1196 ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
michael@0 1197 fi
michael@0 1198
michael@0 1199 CERTFAILED=1
michael@0 1200 html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}"
michael@0 1201 cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed"
michael@0 1202 return 1
michael@0 1203 fi
michael@0 1204
michael@0 1205 html_passed "${TESTNAME} (${COUNT})"
michael@0 1206 return 0
michael@0 1207 }
michael@0 1208
michael@0 1209 cert_list_and_count_dns()
michael@0 1210 {
michael@0 1211 DIRPASS="$1"
michael@0 1212 CERTNAME="$2"
michael@0 1213 EXPECT="$3"
michael@0 1214 EXPECTCOUNT="$4"
michael@0 1215 TESTNAME="$5"
michael@0 1216
michael@0 1217 echo certutil ${DIRPASS} -L ${CERTNAME}
michael@0 1218 ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME}
michael@0 1219
michael@0 1220 RET=$?
michael@0 1221 if [ "${RET}" -ne "${EXPECT}" ]; then
michael@0 1222 CERTFAILED=1
michael@0 1223 html_failed "${TESTNAME} (${COUNT}) - list and count"
michael@0 1224 cert_log "ERROR: ${TESTNAME} - list and count failed"
michael@0 1225 return 1
michael@0 1226 fi
michael@0 1227
michael@0 1228 LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS`
michael@0 1229 if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then
michael@0 1230 CERTFAILED=1
michael@0 1231 html_failed "${TESTNAME} (${COUNT}) - list and count"
michael@0 1232 cert_log "ERROR: ${TESTNAME} - list and count failed"
michael@0 1233 return 1
michael@0 1234 fi
michael@0 1235
michael@0 1236 html_passed "${TESTNAME} (${COUNT})"
michael@0 1237 return 0
michael@0 1238 }
michael@0 1239
michael@0 1240 cert_dump_ext_to_file()
michael@0 1241 {
michael@0 1242 DIRPASS="$1"
michael@0 1243 CERTNAME="$2"
michael@0 1244 OID="$3"
michael@0 1245 OUTFILE="$4"
michael@0 1246 EXPECT="$5"
michael@0 1247 TESTNAME="$6"
michael@0 1248
michael@0 1249 echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID}
michael@0 1250 echo "writing output to ${OUTFILE}"
michael@0 1251 ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE}
michael@0 1252
michael@0 1253 RET=$?
michael@0 1254 if [ "${RET}" -ne "${EXPECT}" ]; then
michael@0 1255 CERTFAILED=1
michael@0 1256 html_failed "${TESTNAME} (${COUNT}) - dump to file"
michael@0 1257 cert_log "ERROR: ${TESTNAME} - dump to file failed"
michael@0 1258 return 1
michael@0 1259 fi
michael@0 1260
michael@0 1261 html_passed "${TESTNAME} (${COUNT})"
michael@0 1262 return 0
michael@0 1263 }
michael@0 1264
michael@0 1265 cert_delete()
michael@0 1266 {
michael@0 1267 DIRPASS="$1"
michael@0 1268 CERTNAME="$2"
michael@0 1269 EXPECT="$3"
michael@0 1270 TESTNAME="$4"
michael@0 1271
michael@0 1272 echo certutil ${DIRPASS} -D ${CERTNAME}
michael@0 1273 ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
michael@0 1274
michael@0 1275 RET=$?
michael@0 1276 if [ "${RET}" -ne "${EXPECT}" ]; then
michael@0 1277 CERTFAILED=1
michael@0 1278 html_failed "${TESTNAME} (${COUNT}) - delete cert"
michael@0 1279 cert_log "ERROR: ${TESTNAME} - delete cert failed"
michael@0 1280 return 1
michael@0 1281 fi
michael@0 1282
michael@0 1283 html_passed "${TESTNAME} (${COUNT})"
michael@0 1284 return 0
michael@0 1285 }
michael@0 1286
michael@0 1287 cert_inc_count()
michael@0 1288 {
michael@0 1289 COUNT=`expr ${COUNT} + 1`
michael@0 1290 }
michael@0 1291
michael@0 1292 ############################## cert_crl_ssl ############################
michael@0 1293 # test adding subject-alt-name, dumping, and adding generic extension
michael@0 1294 ########################################################################
michael@0 1295 cert_san_and_generic_extensions()
michael@0 1296 {
michael@0 1297 EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der
michael@0 1298
michael@0 1299 DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}"
michael@0 1300 CERTNAME="-n WithSAN"
michael@0 1301 MAKE="-S -t ,, -x -z ${R_NOISE_FILE}"
michael@0 1302 SUBJ="CN=example.com"
michael@0 1303
michael@0 1304 TESTNAME="san-and-generic-extensions"
michael@0 1305
michael@0 1306 cert_inc_count
michael@0 1307 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0 1308 "--extSAN example.com" 255 \
michael@0 1309 "create cert with invalid SAN parameter"
michael@0 1310
michael@0 1311 cert_inc_count
michael@0 1312 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0 1313 "--extSAN example.com,dns:www.example.com" 255 \
michael@0 1314 "create cert with invalid SAN parameter"
michael@0 1315
michael@0 1316 TN="create cert with valid SAN parameter"
michael@0 1317
michael@0 1318 cert_inc_count
michael@0 1319 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0 1320 "--extSAN dns:example.com,dns:www.example.com" 0 \
michael@0 1321 "${TN}"
michael@0 1322
michael@0 1323 cert_inc_count
michael@0 1324 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
michael@0 1325 "${TN}"
michael@0 1326
michael@0 1327 cert_inc_count
michael@0 1328 cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \
michael@0 1329 "dump extension 2.5.29.17 to file ${EXTDUMP}"
michael@0 1330
michael@0 1331 cert_inc_count
michael@0 1332 cert_delete "${DIR}" "${CERTNAME}" 0 \
michael@0 1333 "${TN}"
michael@0 1334
michael@0 1335 cert_inc_count
michael@0 1336 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
michael@0 1337 "expect failure to list cert, because we deleted it"
michael@0 1338
michael@0 1339 cert_inc_count
michael@0 1340 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0 1341 "--extGeneric ${EXTDUMP}" 255 \
michael@0 1342 "create cert with invalid generic ext parameter"
michael@0 1343
michael@0 1344 cert_inc_count
michael@0 1345 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0 1346 "--extGeneric not-critical:${EXTDUMP}" 255 \
michael@0 1347 "create cert with invalid generic ext parameter"
michael@0 1348
michael@0 1349 cert_inc_count
michael@0 1350 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0 1351 "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \
michael@0 1352 "create cert with invalid generic ext parameter"
michael@0 1353
michael@0 1354 TN="create cert with valid generic ext parameter"
michael@0 1355
michael@0 1356 cert_inc_count
michael@0 1357 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0 1358 "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \
michael@0 1359 "${TN}"
michael@0 1360
michael@0 1361 cert_inc_count
michael@0 1362 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
michael@0 1363 "${TN}"
michael@0 1364
michael@0 1365 cert_inc_count
michael@0 1366 cert_delete "${DIR}" "${CERTNAME}" 0 \
michael@0 1367 "${TN}"
michael@0 1368
michael@0 1369 cert_inc_count
michael@0 1370 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
michael@0 1371 "expect failure to list cert, because we deleted it"
michael@0 1372 }
michael@0 1373
michael@0 1374 ############################## cert_crl_ssl ############################
michael@0 1375 # local shell function to generate certs and crls for SSL tests
michael@0 1376 ########################################################################
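cert_crl_ssl()
{
    # Generate the client certificates and the CRL chain used by the SSL
    # tests.  Sequence: issue TestUser<serial> certs for the whole CRL range,
    # create a group-1 CRL (then modify it twice: add one serial, remove one),
    # then derive cumulative CRLs for groups 1+2 and 1+2+3.  Each CRL is also
    # produced for the ECC CA ("TestCA-ec") unless NSS_DISABLE_ECC is set.
    # Finally the group-1 CRL (${CRL_FILE}) is imported into the server DB.
    #
    # Every crlu status is folded into CRL_GEN_RES; CERTFAILED is expected to
    # be raised by cert_add_cert.  A non-zero value of either yields an ERROR
    # line in the log, otherwise SUCCESS.
    #
    # Reads:  CADIR CLIENTDIR R_SERVERDIR R_PWFILE OS_ARCH OS_NAME
    #         CRL_GRP_{1,2,3}_BEGIN CRL_GRP_{1,2,3}_RANGE TOTAL_CRL_RANGE
    #         UNREVOKED_CERT_GRP_{1,2,3} NSS_DISABLE_ECC
    #         CRL_GRP_DATE (used by the first addcert before this function
    #         assigns it -- presumably initialised elsewhere; confirm)
    # Writes: CERTFAILED CERTSERIAL CERTNAME PROFILEDIR CU_ACTION CRL_GEN_RES
    #         CRL_GRPS_END CRL_GRP_END CRL_GRP_END_ CRL_FILE_GRP_{1,2,3}
    #         CRL_FILE CRLUPDATE CRL_GRP_DATE TEMPFILES
    #         (all globals, as before -- other scripts may read them)

    ################# Creating Certs ###################################
    CERTFAILED=0
    CERTSERIAL=${CRL_GRP_1_BEGIN}

    # The rest of this function runs with CADIR as the working directory;
    # fail loudly instead of generating into whatever directory we are in.
    cd "${CADIR}" || { cert_log "ERROR: SSL CRL prep cannot cd to ${CADIR}"; return 1; }

    # Same semantics as before: if the cd fails, pwd reports the current dir.
    PROFILEDIR=$(cd "${CLIENTDIR}"; pwd)
    if [ "${OS_ARCH}" = "WINNT" -a "${OS_NAME}" = "CYGWIN_NT" ]; then
        PROFILEDIR=$(cygpath -m "${PROFILEDIR}")
    fi
    CRL_GRPS_END=$(( CRL_GRP_1_BEGIN + TOTAL_CRL_RANGE - 1 ))
    echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ==="
    CU_ACTION="Creating client test certs"

    while [ "${CERTSERIAL}" -le "${CRL_GRPS_END}" ]; do
        CERTNAME="TestUser${CERTSERIAL}"
        cert_add_cert
        CERTSERIAL=$(( CERTSERIAL + 1 ))
    done

    #################### CRL Creation ##############################
    CRL_GEN_RES=0
    echo "$SCRIPTNAME: Creating CA CRL ====================================="

    CRL_GRP_END=$(( CRL_GRP_1_BEGIN + CRL_GRP_1_RANGE - 1 ))
    # CRL_GRP_END is reused for groups 2 and 3 below; remember group 1's end
    # for the import message at the bottom.
    local CRL_GRP_1_END
    CRL_GRP_1_END=${CRL_GRP_END}
    CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END}
    CRL_FILE=${CRL_FILE_GRP_1}

    CRLUPDATE=$(date -u "+%Y%m%d%H%M%SZ")
    CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority"
    # The initial CRL leaves the last serial of the group out; it is added
    # in the "Modification" step below.
    CRL_GRP_END_=$(( CRL_GRP_END - 1 ))
    crlu -d "${CADIR}" -G -n "TestCA" -f "${R_PWFILE}" \
        -o "${CRL_FILE_GRP_1}_or" <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
addext reasonCode 0 4
addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA"
EOF_CRLINI
    # This extension should be added to the list, but currently nss has bug
    #addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1
    CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
    chmod 600 "${CRL_FILE_GRP_1}_or"

    if [ -z "${NSS_DISABLE_ECC}" ]; then
        CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"

        # Until Bug 292285 is resolved, do not encode x400 Addresses. After
        # the bug is resolved, reintroduce "x400Address:x400Address" within
        # addext issuerAltNames ...
        crlu -q -d "${CADIR}" -G -n "TestCA-ec" -f "${R_PWFILE}" \
            -o "${CRL_FILE_GRP_1}_or-ec" <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
addext reasonCode 0 4
addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
EOF_CRLINI
        CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
        chmod 600 "${CRL_FILE_GRP_1}_or-ec"
    fi

    # NOTE(review): looks like a leftover -- nothing in this function reads
    # "file".  Kept as-is in case another script depends on it; confirm.
    echo test > file
    ############################# Modification ##################################

    echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
    # The timestamps have one-second resolution; the sleep presumably keeps
    # the modified CRL's update time after the previous one's.
    sleep 2
    CRLUPDATE=$(date -u "+%Y%m%d%H%M%SZ")
    CRL_GRP_DATE=$(date -u "+%Y%m%d%H%M%SZ")
    CU_ACTION="Modify CRL by adding one more cert"
    crlu -d "${CADIR}" -M -n "TestCA" -f "${R_PWFILE}" -o "${CRL_FILE_GRP_1}_or1" \
        -i "${CRL_FILE_GRP_1}_or" <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_END} $CRL_GRP_DATE
EOF_CRLINI
    CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
    chmod 600 "${CRL_FILE_GRP_1}_or1"
    TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
    if [ -z "${NSS_DISABLE_ECC}" ]; then
        CU_ACTION="Modify CRL (ECC) by adding one more cert"
        crlu -d "${CADIR}" -M -n "TestCA-ec" -f "${R_PWFILE}" \
            -o "${CRL_FILE_GRP_1}_or1-ec" -i "${CRL_FILE_GRP_1}_or-ec" <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_END} $CRL_GRP_DATE
EOF_CRLINI
        CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
        chmod 600 "${CRL_FILE_GRP_1}_or1-ec"
        TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
    fi

    ########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
    echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
    CU_ACTION="Modify CRL by removing one cert"
    sleep 2
    CRLUPDATE=$(date -u "+%Y%m%d%H%M%SZ")
    crlu -d "${CADIR}" -M -n "TestCA" -f "${R_PWFILE}" -o "${CRL_FILE_GRP_1}" \
        -i "${CRL_FILE_GRP_1}_or1" <<EOF_CRLINI
update=$CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
    # This step's status used to be dropped, so a failure went unreported
    # even though its output is the CRL that is imported below.
    CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
    chmod 600 "${CRL_FILE_GRP_1}"
    TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
    if [ -z "${NSS_DISABLE_ECC}" ]; then
        CU_ACTION="Modify CRL (ECC) by removing one cert"
        crlu -d "${CADIR}" -M -n "TestCA-ec" -f "${R_PWFILE}" -o "${CRL_FILE_GRP_1}-ec" \
            -i "${CRL_FILE_GRP_1}_or1-ec" <<EOF_CRLINI
update=$CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
        CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
        chmod 600 "${CRL_FILE_GRP_1}-ec"
        TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
    fi

    ########### Creating second CRL which includes groups 1 and 2 ##############
    CRL_GRP_END=$(( CRL_GRP_2_BEGIN + CRL_GRP_2_RANGE - 1 ))
    CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}

    echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ==============="
    sleep 2
    CRLUPDATE=$(date -u "+%Y%m%d%H%M%SZ")
    CRL_GRP_DATE=$(date -u "+%Y%m%d%H%M%SZ")
    CU_ACTION="Creating CRL for groups 1 and 2"
    crlu -d "${CADIR}" -M -n "TestCA" -f "${R_PWFILE}" -o "${CRL_FILE_GRP_2}" \
        -i "${CRL_FILE_GRP_1}" <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
addext invalidityDate 0 $CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
    CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
    chmod 600 "${CRL_FILE_GRP_2}"
    if [ -z "${NSS_DISABLE_ECC}" ]; then
        CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
        crlu -d "${CADIR}" -M -n "TestCA-ec" -f "${R_PWFILE}" -o "${CRL_FILE_GRP_2}-ec" \
            -i "${CRL_FILE_GRP_1}-ec" <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
addext invalidityDate 0 $CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
        CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
        chmod 600 "${CRL_FILE_GRP_2}-ec"
    fi

    ########### Creating third CRL which includes groups 1, 2 and 3 ##############
    CRL_GRP_END=$(( CRL_GRP_3_BEGIN + CRL_GRP_3_RANGE - 1 ))
    CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END}

    echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3 ==============="
    sleep 2
    CRLUPDATE=$(date -u "+%Y%m%d%H%M%SZ")
    CRL_GRP_DATE=$(date -u "+%Y%m%d%H%M%SZ")
    CU_ACTION="Creating CRL for groups 1, 2 and 3"
    crlu -d "${CADIR}" -M -n "TestCA" -f "${R_PWFILE}" -o "${CRL_FILE_GRP_3}" \
        -i "${CRL_FILE_GRP_2}" <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
rmcert ${UNREVOKED_CERT_GRP_3}
addext crlNumber 0 2
EOF_CRLINI
    CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
    chmod 600 "${CRL_FILE_GRP_3}"
    if [ -z "${NSS_DISABLE_ECC}" ]; then
        CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
        crlu -d "${CADIR}" -M -n "TestCA-ec" -f "${R_PWFILE}" -o "${CRL_FILE_GRP_3}-ec" \
            -i "${CRL_FILE_GRP_2}-ec" <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
rmcert ${UNREVOKED_CERT_GRP_3}
addext crlNumber 0 2
EOF_CRLINI
        CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
        chmod 600 "${CRL_FILE_GRP_3}-ec"
    fi

    ############ Importing Server CA Issued CRL for certs of first group #######

    # The message used to reference the unset CRL_GRP_BEGIN and the group-3
    # end; what is imported is the group-1 CRL (CRL_FILE).
    echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_1_BEGIN} through ${CRL_GRP_1_END}"
    CU_ACTION="Importing CRL for groups 1"
    # Remove any CRL already stored for this issuer first; its status is not
    # counted, presumably because there may be nothing to delete.
    crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"
    crlu -I -i "${CRL_FILE}" -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
    CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
    if [ -z "${NSS_DISABLE_ECC}" ]; then
        CU_ACTION="Importing CRL (ECC) for groups 1"
        crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}"
        crlu -I -i "${CRL_FILE}-ec" -n "TestCA-ec" -f "${R_PWFILE}" \
            -d "${R_SERVERDIR}"
        CRL_GEN_RES=$(( $? + CRL_GEN_RES ))
    fi

    if [ "${CERTFAILED}" != 0 -o "${CRL_GEN_RES}" != 0 ]; then
        cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
    else
        cert_log "SUCCESS: SSL CRL prep passed"
    fi
}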
michael@0 1578
michael@0 1579 #################
# Verify that we can successfully change the password on the database
michael@0 1581 #
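cert_test_password()
{
    # Check that a key generated under the original DB password is still
    # usable after certutil -W switches the DB to the FIPS password file:
    # create a fresh DB and CA, change the password, then issue and verify a
    # certificate using only the new password file.
    #
    # Reads:  DBPASSDIR D_DBPASSDIR D_DBPASS R_PWFILE R_FIPSPWFILE R_NOISE_FILE
    #         PROFILEDIR and CERTNAME (set by cert_init_cert, presumably)
    #         RET -- status of the last certu call (set by the certu wrapper,
    #         presumably; confirm)
    # Writes: CERTFAILED ALL_CU_SUBJECT CU_ACTION CU_SUBJECT
    CERTFAILED=0
    echo "$SCRIPTNAME: Create A Password Test Cert =============="
    cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}"

    echo "$SCRIPTNAME: Create A Password Test Ca --------"
    ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    # NOTE(review): D_DBPASS is not the D_DBPASSDIR used above.  It is left
    # unquoted on purpose: if it is unset the argument disappears and "1"
    # shifts into its place, which is the existing behaviour -- verify
    # against cert_CA's parameter list before changing this.
    cert_CA "${DBPASSDIR}" PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1"

    # now change the password
    CU_ACTION="Changing password on ${CERTNAME}'s Cert DB"
    certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1

    # finally make sure we can use the old key with the new password
    CU_ACTION="Generate Certificate for ${CERTNAME} with new password"
    CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1
    if [ "$RET" -eq 0 ]; then
        cert_log "SUCCESS: PASSWORD passed"
    else
        # A failure here used to leave no trace in the log at all.
        cert_log "ERROR: PASSWORD failed $RET"
    fi
    CU_ACTION="Verify Certificate for ${CERTNAME} with new password"
    certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
}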
michael@0 1606
michael@0 1607 ###############################
michael@0 1608 # test if we can distrust a certificate.
michael@0 1609 #
michael@0 1610 # we create 3 new certs:
michael@0 1611 # 1 leaf signed by the trusted root.
michael@0 1612 # 1 intermediate signed by the trusted root.
michael@0 1613 # 1 leaf signed by the intermediate.
michael@0 1614 #
michael@0 1615 # we mark the first leaf and the intermediate as explicitly untrusted.
michael@0 1616 # we then try to verify the two leaf certs for our possible usages.
michael@0 1617 # All verification should fail.
michael@0 1618 #
cert_test_distrust()
{
    # Build the three certificates described in the header comment above,
    # mark the first leaf and the intermediate as explicitly distrusted
    # (trust flags "p,p,p"), then verify both leaves for every usage.  The
    # verify calls run with RETEXPECTED=255, i.e. they are expected to fail.
    #
    # Reads:  DISTRUSTDIR D_DISTRUST CADIR D_CA R_CADIR P_R_CADIR CERTDIR
    #         PROFILEDIR R_PWFILE R_NOISE_FILE
    # Writes: CERTNAME ALL_CU_SUBJECT CU_SUBJECT CU_ACTION RETEXPECTED
    local usage purpose leaf

    echo "$SCRIPTNAME: Creating Distrusted Certificate"
    cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST}
    CU_ACTION="Mark CERT as unstrusted"
    certu -M -n "Distrusted" -t p,p,p -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1

    echo "$SCRIPTNAME: Creating Distrusted Intermediate"
    CERTNAME="DistrustedCA"
    ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1
    CU_ACTION="Import Distrusted Intermediate"
    certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
        -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1

    # The last leaf is signed by the distrusted intermediate rather than by
    # TestCA, so it is done by hand: request, sign in the CA DB, import.
    CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA"
    CERTNAME="LeafChainedToDistrustedCA"
    CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1

    CU_ACTION="Sign ${CERTNAME}'s Request"
    cp "${CERTDIR}/req" "${CADIR}"
    certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \
        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1

    CU_ACTION="Import $CERTNAME's Cert -t u,u,u"
    certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
        -i "${CERTNAME}.cert" 2>&1

    # Every verification below must fail: first the leaf under the
    # distrusted intermediate, then the directly distrusted leaf.
    RETEXPECTED=255
    for leaf in "LeafChainedToDistrustedCA" "Distrusted"; do
        CERTNAME="${leaf}"
        for usage in V C S R O J; do
            case "${usage}" in
                V) purpose="SSL Server" ;;
                C) purpose="SSL Client" ;;
                S) purpose="Email signer" ;;
                R) purpose="Email recipient" ;;
                O) purpose="OCSP responder" ;;
                J) purpose="Object Signer" ;;
            esac
            CU_ACTION="Verify ${CERTNAME} Cert for ${purpose}"
            certu -V -n "${CERTNAME}" -u "${usage}" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
        done
    done
    RETEXPECTED=0
}
michael@0 1678
cert_test_ocspresp()
{
    # Run the OCSP-response selftest of the ocspr wrapper (defined elsewhere)
    # against the serverCA chain; OR_ACTION and RETEXPECTED are presumably
    # read by that wrapper for reporting.
    local ca_nick="serverCA"
    local chain_nick="chain-1-serverCA"

    echo "$SCRIPTNAME: OCSP response creation selftest"
    OR_ACTION="perform selftest"
    RETEXPECTED=0
    ocspr "${SERVER_CADIR}" "${ca_nick}" "${chain_nick}" -f "${R_PWFILE}" 2>&1
}
michael@0 1686
michael@0 1687 ############################## cert_cleanup ############################
michael@0 1688 # local shell function to finish this script (no exit since it might be
michael@0 1689 # sourced)
michael@0 1690 ########################################################################
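cert_cleanup()
{
    # Finish the script: log completion, close the HTML results table and
    # source the common cleanup.  No exit here since this file may be sourced.
    cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
    html "</TABLE><BR>"
    # cleanup.sh is sourced by a path relative to QADIR; a failed cd would
    # otherwise silently source nothing (or a wrong file) from whatever the
    # current directory happens to be.
    cd "${QADIR}" || cert_log "ERROR: cert_cleanup cannot cd to ${QADIR}"
    . common/cleanup.sh
}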
michael@0 1698
michael@0 1699 ################## main #################################################
michael@0 1700
# Set up, then run every certificate test group in order.  Individual
# groups can be skipped through the NSS_TEST_DISABLE_* / DO_DIST_ST
# environment variables.
cert_init
cert_all_CA
cert_extended_ssl
cert_ssl
cert_smime_client

# FIPS-mode DB tests
if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then cert_fips; fi

cert_eccurves
cert_extensions
cert_san_and_generic_extensions
cert_test_password
cert_test_distrust
cert_test_ocspresp

# CRL generation for the SSL tests
if [ -n "$NSS_TEST_DISABLE_CRL" ]; then
    echo "$SCRIPTNAME: Skipping CRL Tests"
else
    cert_crl_ssl
fi

# Stress certificates, only on explicit request ("TRUE" implies non-empty)
if [ "$DO_DIST_ST" = "TRUE" ]; then cert_stresscerts; fi

cert_iopr_setup

cert_cleanup
