security/nss/tests/chains/chains.sh

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 #!/bin/bash
michael@0 2 #
michael@0 3 # This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 # License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0 6
michael@0 7 ########################################################################
michael@0 8 #
michael@0 9 # mozilla/security/nss/tests/cert/chains.sh
michael@0 10 #
michael@0 11 # Script to test certificate chains validity.
michael@0 12 #
michael@0 13 # needs to work on all Unix and Windows platforms
michael@0 14 #
michael@0 15 # special strings
michael@0 16 # ---------------
michael@0 17 # FIXME ... known problems, search for this string
michael@0 18 # NOTE .... unexpected behavior
michael@0 19 ########################################################################
michael@0 20
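########################### is_httpserv_alive ##########################
# local shell function to exit with a fatal error if httpserv is not
# running
#
# Globals read: HTTPPID (pid file written by httpserv), OS_ARCH, OS_NAME,
#               SHELL_HTTPPID ($! of the background job, see start_httpserv),
#               SCRIPTNAME
# Globals set:  PID
# Exits (via Exit) with 9 if the pid file never shows up and with 10 if
# the recorded PID is not a plain number or cannot be signalled.
########################################################################
is_httpserv_alive()
{
    if [ ! -f "${HTTPPID}" ]; then
        echo "$SCRIPTNAME: Error - httpserv PID file ${HTTPPID} doesn't exist"
        # the server may still be starting up; give it one more chance
        sleep 5
        if [ ! -f "${HTTPPID}" ]; then
            Exit 9 "Fatal - httpserv pid file ${HTTPPID} does not exist"
        fi
    fi

    # Under Cygwin/MinGW the PID in the file is not one the shell can
    # signal, so use the shell's own record of the background job instead.
    if [ "${OS_ARCH}" = "WINNT" ] && \
       { [ "${OS_NAME}" = "CYGWIN_NT" ] || [ "${OS_NAME}" = "MINGW32_NT" ]; }; then
        PID=${SHELL_HTTPPID}
    else
        PID=$(cat "${HTTPPID}")
    fi

    # Only ever hand a plain positive integer to kill: an empty, negative
    # or otherwise garbled value read from the pid file would address a
    # different set of processes than "our" server.
    case "${PID}" in
        ''|*[!0-9]*)
            Exit 10 "Fatal - httpserv pid file ${HTTPPID} does not contain a valid PID"
            ;;
    esac

    echo "kill -0 ${PID} >/dev/null 2>/dev/null"
    kill -0 "${PID}" >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"

    echo "httpserv with PID ${PID} found at $(date)"
}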
michael@0 47
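########################### wait_for_httpserv ##########################
# local shell function to wait until httpserver is running and initialized
#
# Probes the AIA port with tstclnt, retrying once after 5 seconds; a
# second failure is recorded in the HTML report ("Waiting for Server"),
# after which is_httpserv_alive performs the final (fatal) liveness check.
# Globals read: BINDIR, NSS_AIA_PORT, HOSTADDR
########################################################################
wait_for_httpserv()
{
    echo "trying to connect to httpserv at $(date)"
    echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
    if ! "${BINDIR}/tstclnt" -p "${NSS_AIA_PORT}" -h "${HOSTADDR}" -q -v; then
        sleep 5
        echo "retrying to connect to httpserv at $(date)"
        echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
        "${BINDIR}/tstclnt" -p "${NSS_AIA_PORT}" -h "${HOSTADDR}" -q -v \
            || html_failed "Waiting for Server"
    fi
    is_httpserv_alive
}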
michael@0 67
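########################### kill_httpserv ##############################
# local shell function to kill the httpserver after the tests are done
#
# Globals read: HTTPPID, OS_ARCH, OS_NAME, SHELL_HTTPPID, KILL, BINDIR,
#               NSS_AIA_PORT, SCRIPTNAME
# Globals set:  PID
# Side effects: signals the server, on Linux waits until the AIA port is
#               free again, removes the pid file, runs core detection
########################################################################
kill_httpserv()
{
    if [ "${OS_ARCH}" = "WINNT" ] && \
       { [ "${OS_NAME}" = "CYGWIN_NT" ] || [ "${OS_NAME}" = "MINGW32_NT" ]; }; then
        PID=${SHELL_HTTPPID}
    else
        PID=$(cat "${HTTPPID}")
    fi

    echo "trying to kill httpserv with PID ${PID} at $(date)"

    # Refuse to signal anything but a plain positive integer: a garbled
    # pid file must not turn "${KILL} -USR1 ${PID}" into a broadcast.
    case "${PID}" in
        ''|*[!0-9]*)
            echo "${SCRIPTNAME}: Error - invalid httpserv PID '${PID}', not signalling"
            ;;
        *)
            # KILL may carry its own arguments and stays unquoted
            if [ "${OS_ARCH}" = "WINNT" ] || [ "${OS_ARCH}" = "WIN95" ] || [ "${OS_ARCH}" = "OS2" ]; then
                echo "${KILL} ${PID}"
                ${KILL} "${PID}"
            else
                echo "${KILL} -USR1 ${PID}"
                ${KILL} -USR1 "${PID}"
            fi
            wait "${PID}"
            ;;
    esac

    # On Linux httpserv needs up to 30 seconds to fully die and free
    # the port. Wait until the port is free. (Bug 129701)
    # NOTE: there is no upper bound on this loop.
    if [ "${OS_ARCH}" = "Linux" ]; then
        echo "httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
        until "${BINDIR}/httpserv" -b -p "${NSS_AIA_PORT}" 2>/dev/null; do
            echo "RETRY: httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
            sleep 1
        done
    fi

    echo "httpserv with PID ${PID} killed at $(date)"

    rm -- "${HTTPPID}"
    html_detect_core "kill_httpserv core detection step"
}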
michael@0 106
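########################### start_httpserv #############################
# local shell function to start the httpserver with the parameters required
# for this test and log information (parameters, start time)
# also: wait until the server is up and running
#
# Arguments:    $1 - value for httpserv's -O option (HTTP method)
# Globals read: testname, SCRIPTNAME, HOSTDIR, NSS_AIA_PORT, SERVER_OPTIONS,
#               HTTPPID, verbose, PROFTOOL, BINDIR, OS_ARCH, OS_NAME
# Globals set:  HTTP_METHOD, ODDIR, RET, SHELL_HTTPPID, PID
########################################################################
start_httpserv()
{
    HTTP_METHOD=$1

    if [ -n "${testname}" ] ; then
        echo "${SCRIPTNAME}: ${testname} ----"
    fi
    echo "httpserv starting at $(date)"
    ODDIR="${HOSTDIR}/chains/OCSPD"
    echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\"
    echo " -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\"
    echo " -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\"
    echo " -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\"
    echo " -i ${HTTPPID} $verbose &"
    # PROFTOOL, SERVER_OPTIONS and verbose may hold several words or
    # nothing at all, so they are deliberately left unquoted.
    ${PROFTOOL} "${BINDIR}/httpserv" -D -p "${NSS_AIA_PORT}" ${SERVER_OPTIONS} \
        -A OCSPRoot -C "${ODDIR}/OCSPRoot.crl" -A OCSPCA1 -C "${ODDIR}/OCSPCA1.crl" \
        -A OCSPCA2 -C "${ODDIR}/OCSPCA2.crl" -A OCSPCA3 -C "${ODDIR}/OCSPCA3.crl" \
        -O "${HTTP_METHOD}" -d "${ODDIR}/ServerDB/" -f "${ODDIR}/ServerDB/dbpasswd" \
        -i "${HTTPPID}" $verbose &
    # NOTE: this is the status of launching the background job, i.e.
    # always 0; the server's actual health is checked by wait_for_httpserv.
    RET=$?

    # The PID $! returned by the MKS or Cygwin shell is not the PID of
    # the real background process, but rather the PID of a helper
    # process (sh.exe). MKS's kill command has a bug: invoking kill
    # on the helper process does not terminate the real background
    # process. Our workaround has been to have httpserv save its PID
    # in the ${HTTPPID} file and "kill" that PID instead. But this
    # doesn't work under Cygwin; its kill command doesn't recognize
    # the PID of the real background process, but it does work on the
    # PID of the helper process. So we save the value of $! in the
    # SHELL_HTTPPID variable, and use it instead of the ${HTTPPID}
    # file under Cygwin. (In fact, this should work in any shell
    # other than the MKS shell.)
    SHELL_HTTPPID=$!
    wait_for_httpserv

    if [ "${OS_ARCH}" = "WINNT" ] && \
       { [ "${OS_NAME}" = "CYGWIN_NT" ] || [ "${OS_NAME}" = "MINGW32_NT" ]; }; then
        PID=${SHELL_HTTPPID}
    else
        PID=$(cat "${HTTPPID}")
    fi

    echo "httpserv with PID ${PID} started at $(date)"
}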
michael@0 157
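############################# chains_init ##############################
# local shell function to initialize this script
#
# Sources common/init.sh unless that already happened, creates and enters
# the per-host chains work directory and derives the AIA/OCSP port and URL
# settings (each of which may be preset through the environment).
# Globals set: CLEANUP, SCRIPTNAME, CHAINS_DIR, CHAINS_SCENARIOS,
#              CERT_SN_CNT, CERT_SN_FIX, PK7_NONCE, SCEN_CNT, AIA_FILES,
#              CU_DATA, CRL_DATA, DEFAULT_AIA_BASE_PORT, NSS_AIA_PORT,
#              DEFAULT_UNUSED_PORT, NSS_UNUSED_PORT, NSS_AIA_HTTP,
#              NSS_AIA_PATH, NSS_AIA_OCSP, NSS_OCSP_UNUSED
########################################################################
chains_init()
{
    if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
        CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
    fi
    if [ -z "${INIT_SOURCED}" ] ; then
        cd ../common
        . ./init.sh
    fi

    SCRIPTNAME="chains.sh"

    # Everything below works with relative DB paths (and rm -rf's them),
    # so do not continue if the work directory could not be entered.
    CHAINS_DIR="${HOSTDIR}/chains"
    mkdir -p "${CHAINS_DIR}"
    cd "${CHAINS_DIR}" || Exit 11 "Fatal - cannot cd to ${CHAINS_DIR}"

    CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"

    # time-derived base for certificate serial numbers; leading zeros are
    # stripped so the value is a plain decimal
    CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
    CERT_SN_FIX=$((CERT_SN_CNT - 1000))

    PK7_NONCE=${CERT_SN_CNT}
    SCEN_CNT=${CERT_SN_CNT}

    AIA_FILES="${HOSTDIR}/aiafiles"

    CU_DATA=${HOSTDIR}/cu_data
    CRL_DATA=${HOSTDIR}/crl_data

    # AIA server on PORT+10, the deliberately unused ("offline" OCSP)
    # port is PORT+11
    DEFAULT_AIA_BASE_PORT=$((${PORT:-8631} + 10))
    NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
    DEFAULT_UNUSED_PORT=$((${PORT:-8631} + 11))
    NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT}
    NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
    NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
    NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp}
    # NOTE: the environment override is named NSS_AIA_OCSP_UNUSED while the
    # variable used by process_ocsp is NSS_OCSP_UNUSED.
    NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"}

    html_head "Certificate Chains Tests"
}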
michael@0 201
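######################## chains_run_httpserv ###########################
# local shell function to start httpserv for AIA/OCSP/CRL fetching, if a
# publishing directory (NSS_AIA_PATH) is configured
#
# Arguments:   $1 - HTTP method handed on to start_httpserv
# Globals set: HTTP_METHOD, HTTPPID (per-process pid file inside
#              NSS_AIA_PATH), SAVEPWD, plus whatever start_httpserv sets
########################################################################
chains_run_httpserv()
{
    HTTP_METHOD=$1

    if [ -n "${NSS_AIA_PATH}" ]; then
        HTTPPID=${NSS_AIA_PATH}/http_pid.$$
        mkdir -p "${NSS_AIA_PATH}"
        SAVEPWD=$(pwd)
        # httpserv serves its current directory, so it must not be started
        # anywhere else
        if ! cd "${NSS_AIA_PATH}"; then
            echo "${SCRIPTNAME}: Error - cannot cd to ${NSS_AIA_PATH}, httpserv not started"
            return 1
        fi
        # Start_httpserv sets environment variables, which are required for
        # correct cleanup. (Running it in a subshell doesn't work, the
        # value of $SHELL_HTTPPID wouldn't arrive in this scope.)
        start_httpserv "${HTTP_METHOD}"
        cd "${SAVEPWD}"
    fi
}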
michael@0 218
######################## chains_stop_httpserv ##########################
# local shell function to stop httpserv again, but only when
# chains_run_httpserv could have started one (NSS_AIA_PATH set)
########################################################################
chains_stop_httpserv()
{
    [ -z "${NSS_AIA_PATH}" ] && return
    kill_httpserv
}
michael@0 225
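############################ chains_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
#
# Closes the HTML result table and hands over to the common cleanup
# script, which is sourced relative to ${QADIR}.
########################################################################
chains_cleanup()
{
    html "</TABLE><BR>"
    if ! cd "${QADIR}"; then
        echo "${SCRIPTNAME}: Error - cannot cd to ${QADIR}, skipping common cleanup"
        return 1
    fi
    . common/cleanup.sh
}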
michael@0 236
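############################ print_cu_data #############################
# local shell function to print certutil input data
#
# Globals read: CU_DATA - file holding the scripted answers fed to certutil
########################################################################
print_cu_data()
{
    echo "=== Certutil input data ==="
    cat "${CU_DATA}"
    echo "==="
}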
michael@0 246
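############################ set_cert_sn ###############################
# local shell function to pick the serial number for the next certificate
#
# Globals read: SERIAL - empty:  use the next value of the running counter
#                        "+N":   CERT_SN_FIX + N (run-relative serial)
#                        other:  used verbatim
#               CERT_SN_FIX
# Globals set:  CERT_SN, CERT_SN_CNT (incremented when SERIAL is empty)
########################################################################
set_cert_sn()
{
    if [ -z "${SERIAL}" ]; then
        CERT_SN_CNT=$((CERT_SN_CNT + 1))
        CERT_SN=${CERT_SN_CNT}
        return
    fi

    case "${SERIAL}" in
        +*)
            # relative serial: offset from the per-run base value
            CERT_SN=$((CERT_SN_FIX + ${SERIAL#+}))
            ;;
        *)
            CERT_SN=${SERIAL}
            ;;
    esac
}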
michael@0 262
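############################# create_db ################################
# local shell function to create certificate database
#
# Arguments:    $1 - database directory (recreated from scratch)
# Globals read: SCRIPTNAME, BINDIR, SCENARIO
# Globals set:  DB, TESTNAME
# Side effects: writes the test-only database password "${DB}passwd" to
#               ${DB}/dbpasswd; the result is reported through html_msg
########################################################################
create_db()
{
    DB=$1

    # always start from a clean database; the -d test keeps rm away from
    # an empty or otherwise bogus name
    [ -d "${DB}" ] && rm -rf "${DB}"
    mkdir -p "${DB}"

    echo "${DB}passwd" > "${DB}/dbpasswd"

    TESTNAME="Creating DB ${DB}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -N -d ${DB} -f ${DB}/dbpasswd"
    "${BINDIR}/certutil" -N -d "${DB}" -f "${DB}/dbpasswd"
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}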
michael@0 281
########################### create_root_ca #############################
# local shell function to generate self-signed root certificate
#
# Arguments:    $1 - entity name; its database is ${1}DB and the DER
#                    export is written to ${1}.der in the current directory
# Globals read: CTYPE (optional key type for certutil -k), NOISE_FILE,
#               CU_DATA, BINDIR, SCRIPTNAME, SCENARIO
# Globals set:  ENTITY, ENTITY_DB, CTYPE_OPT, TESTNAME,
#               CERT_SN (through set_cert_sn)
# The multi-line echo below is the scripted answer sequence for the
# interactive prompts certutil raises for the -1, -2 and -5 extension
# options; change it only together with that option list.
########################################################################
create_root_ca()
{
ENTITY=$1
ENTITY_DB=${ENTITY}DB

set_cert_sn
# add some entropy to the file passed to certutil as -z seed input
date >> ${NOISE_FILE} 2>&1

# CTYPE_OPT is intentionally expanded unquoted: "-k <type>" or nothing
CTYPE_OPT=
if [ -n "${CTYPE}" ]; then
CTYPE_OPT="-k ${CTYPE}"
fi

echo "5
6
9
n
y
-1
n
5
6
7
9
n
" > ${CU_DATA}

# self-signed (-x), trusted for everything (CTu,CTu,CTu), valid 600 months
TESTNAME="Creating Root CA ${ENTITY}"
echo "${SCRIPTNAME}: ${TESTNAME}"
echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}"
print_cu_data
${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}
html_msg $? 0 "${SCENARIO}${TESTNAME}"

# export the root as DER so other entities/scenarios can import it
TESTNAME="Exporting Root CA ${ENTITY}.der"
echo "${SCRIPTNAME}: ${TESTNAME}"
echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der"
${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der
html_msg $? 0 "${SCENARIO}${TESTNAME}"
}
michael@0 325
########################### create_cert_req ############################
# local shell function to generate certificate sign request
#
# Arguments:    $1 - entity name (database ${1}DB, request ${1}Req.der)
#               $2 - entity type; anything but "EE" is treated as a CA
#                    and gets basic constraints (-2) with CA=y
# Globals read: CTYPE, NOISE_FILE, CU_DATA, BINDIR, SCRIPTNAME, SCENARIO,
#               plus CRLDP via process_crldp
# Globals set:  ENTITY, TYPE, ENTITY_DB, REQ, CTYPE_OPT, CA_FLAG, EXT_DATA,
#               OPTIONS, TESTNAME
# NOTE: OPTIONS and EXT_DATA are reset here and then only extended by
# process_crldp (-4 and its prompt answers).
########################################################################
create_cert_req()
{
ENTITY=$1
TYPE=$2

ENTITY_DB=${ENTITY}DB

REQ=${ENTITY}Req.der

# add some entropy to the file passed to certutil as -z seed input
date >> ${NOISE_FILE} 2>&1

# CTYPE_OPT is intentionally expanded unquoted: "-k <type>" or nothing
CTYPE_OPT=
if [ -n "${CTYPE}" ]; then
CTYPE_OPT="-k ${CTYPE}"
fi

CA_FLAG=
EXT_DATA=
OPTIONS=

# CA requests answer the -2 (basic constraints) prompts: is CA = y,
# no path length limit (-1), critical = y
if [ "${TYPE}" != "EE" ]; then
CA_FLAG="-2"
EXT_DATA="y
-1
y
"
fi

process_crldp

echo "${EXT_DATA}" > ${CU_DATA}

TESTNAME="Creating ${TYPE} certifiate request ${REQ}"
echo "${SCRIPTNAME}: ${TESTNAME}"
echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}"
print_cu_data
${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}
html_msg $? 0 "${SCENARIO}${TESTNAME}"
}
michael@0 368
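############################ create_entity #############################
# local shell function to create certificate chain entity
#
# Arguments:   $1 - entity name (must not be empty)
#              $2 - entity type: Root, Intermediate, Bridge or EE
# Globals set: ENTITY, TYPE, DB, ENTITY_DB (plus those of the helpers)
# Exits with 1 on an unnamed entity or an unknown type, because the
# scenario file is then unusable.
########################################################################
create_entity()
{
    ENTITY=$1
    TYPE=$2

    if [ -z "${ENTITY}" ]; then
        echo "Configuration error: Unnamed entity"
        exit 1
    fi

    DB=${ENTITY}DB
    ENTITY_DB=${ENTITY}DB

    case "${TYPE}" in
        "Root")
            create_db "${DB}"
            create_root_ca "${ENTITY}"
            ;;
        "Intermediate" | "Bridge" | "EE")
            create_db "${DB}"
            create_cert_req "${ENTITY}" "${TYPE}"
            ;;
        *)
            # must stay unquoted: a quoted "*" only matched the literal
            # string "*", so misspelled or empty types silently produced
            # no entity at all
            echo "Configuration error: Unknown type ${TYPE}"
            exit 1
            ;;
    esac
}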
michael@0 400
michael@0 401 ########################################################################
michael@0 402 # List of global variables related to certificate extensions processing:
michael@0 403 #
michael@0 404 # Generated by process_extensions and functions called from it:
michael@0 405 # OPTIONS - list of command line policy extensions
michael@0 406 # DATA - list of input data related to policy extensions
michael@0 407 #
michael@0 408 # Generated by parse_config:
michael@0 409 # POLICY - list of certificate policies
michael@0 410 # MAPPING - list of policy mappings
michael@0 411 # INHIBIT - inhibit flag
michael@0 412 # AIA - AIA list
michael@0 413 ########################################################################
michael@0 414
############################ process_policy ############################
# local shell function to process policy extension parameters and
# generate input for certutil
#
# Globals read: POLICY - whitespace separated list of policy OIDs
# Globals set:  OPTIONS - gains " --extCP"
#               DATA    - gains one answer block per policy, each further
#                         one preceded by "y" (add another), closed by
#                         "n", "n"
#               NEXT, ITEM
########################################################################
process_policy()
{
    [ -z "${POLICY}" ] && return

    OPTIONS="${OPTIONS} --extCP"

    NEXT=
    for ITEM in ${POLICY}; do
        # every policy after the first is introduced by "y" = add another
        [ -n "${NEXT}" ] && DATA="${DATA}y
"
        NEXT=1
        DATA="${DATA}${ITEM}
1

n
"
    done

    DATA="${DATA}n
n
"
}
michael@0 444
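########################### process_mapping ############################
# local shell function to process policy mapping parameters and
# generate input for certutil
#
# Globals read: MAPPING - whitespace separated list of "issuer:subject"
#                         policy OID pairs
# Globals set:  OPTIONS - gains " --extPM"
#               DATA    - gains one issuer/subject answer pair per item,
#                         each further one preceded by "y", closed by
#                         "n", "n"
#               NEXT, ITEM, IDP, SDP
########################################################################
process_mapping()
{
    [ -z "${MAPPING}" ] && return

    OPTIONS="${OPTIONS} --extPM"

    NEXT=
    for ITEM in ${MAPPING}; do
        [ -n "${NEXT}" ] && DATA="${DATA}y
"
        NEXT=1
        # split "idp:sdp" with parameter expansion instead of echo|cut:
        # first field, then the second field only
        IDP=${ITEM%%:*}
        SDP=${ITEM#*:}
        SDP=${SDP%%:*}
        DATA="${DATA}${IDP}
${SDP}
"
    done

    DATA="${DATA}n
n
"
}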
michael@0 474
########################### process_inhibit ############################
# local shell function to process inhibit extension and generate input
# for certutil
#
# Globals read: INHIBIT - the inhibitAnyPolicy answer, empty = no extension
# Globals set:  OPTIONS - gains " --extIA"
#               DATA    - gains the INHIBIT value followed by "n"
########################################################################
process_inhibit()
{
    [ -z "${INHIBIT}" ] && return

    OPTIONS="${OPTIONS} --extIA"
    DATA="${DATA}${INHIBIT}
n
"
}
michael@0 489
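############################# process_aia ##############################
# local shell function to process AIA extension parameters and
# generate input for certutil
#
# Globals read: AIA - whitespace separated list; "nick:issuer" items name
#                     the DER certificate ${nick}${issuer}.der, bare items
#                     the PKCS#7 bundle ${item}.p7
#               HOST, NSS_AIA_HTTP, NSS_AIA_PATH, AIA_FILES
# Globals set:  OPTIONS (" --extAIA"), DATA (one caIssuers URL answer per
#               item), PK7_NONCE (incremented per item), ITEM, CERT_NICK,
#               CERT_ISSUER, CERT_LOCAL, CERT_PUBLIC
# Side effects: when NSS_AIA_PATH is set, publishes each file under a
#               per-host/per-process/per-nonce name and records it in
#               AIA_FILES for later cleanup
########################################################################
process_aia()
{
    [ -z "${AIA}" ] && return

    OPTIONS="${OPTIONS} --extAIA"

    DATA="${DATA}1
"

    for ITEM in ${AIA}; do
        # unique suffix so republished files never collide between runs
        PK7_NONCE=$((PK7_NONCE + 1))

        case "${ITEM}" in
            *:*)
                CERT_NICK=${ITEM%%:*}
                CERT_ISSUER=${ITEM#*:}
                CERT_ISSUER=${CERT_ISSUER%%:*}
                CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der"
                CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der"
                ;;
            *)
                CERT_LOCAL="${ITEM}.p7"
                CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7"
                ;;
        esac

        DATA="${DATA}7
${NSS_AIA_HTTP}/${CERT_PUBLIC}
"

        if [ -n "${NSS_AIA_PATH}" ]; then
            # Deliberately best-effort: the copy's errors are silenced and
            # a missing source only shows up when the fetch is exercised.
            cp "${CERT_LOCAL}" "${NSS_AIA_PATH}/${CERT_PUBLIC}" 2> /dev/null
            chmod a+r "${NSS_AIA_PATH}/${CERT_PUBLIC}"
            echo "${NSS_AIA_PATH}/${CERT_PUBLIC}" >> "${AIA_FILES}"
        fi
    done

    DATA="${DATA}0
n
n"
}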
michael@0 532
############################ process_ocsp ##############################
# local shell function to add an OCSP responder URL to the AIA extension
# input for certutil
#
# Globals read: OCSP - empty: nothing; "offline": point at the unused
#                      port (NSS_OCSP_UNUSED); anything else: the live
#                      responder (NSS_AIA_OCSP)
# Globals set:  OPTIONS (" --extAIA"), DATA, MY_OCSP_URL
########################################################################
process_ocsp()
{
    [ -z "${OCSP}" ] && return

    OPTIONS="${OPTIONS} --extAIA"

    case "${OCSP}" in
        offline) MY_OCSP_URL=${NSS_OCSP_UNUSED} ;;
        *)       MY_OCSP_URL=${NSS_AIA_OCSP} ;;
    esac

    DATA="${DATA}2
7
${MY_OCSP_URL}
0
n
n
"
}
michael@0 553
############################ process_crldp #############################
# local shell function to process CRL distribution point parameters and
# generate the -4 prompt answers for certutil (used by create_cert_req)
#
# Globals read: CRLDP - whitespace separated list of CRL issuer names
#               HOST, SCEN_CNT, NSS_AIA_HTTP
# Globals set:  OPTIONS (" -4"), EXT_DATA (one URL answer per item),
#               ITEM, CRL_PUBLIC
########################################################################
process_crldp()
{
    [ -z "${CRLDP}" ] && return

    OPTIONS="${OPTIONS} -4"

    EXT_DATA="${EXT_DATA}1
"

    for ITEM in ${CRLDP}; do
        # must match the name copy_crl publishes the CRL under
        CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"
        EXT_DATA="${EXT_DATA}7
${NSS_AIA_HTTP}/${CRL_PUBLIC}
"
    done

    EXT_DATA="${EXT_DATA}-1
-1
-1
n
n
"
}
michael@0 578
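########################## process_ku_ns_eku ###########################
# local shell function to process key usage, netscape cert type and
# extended key usage parameters
#
# Globals read: EXT_KU  - value for --keyUsage
#               EXT_NS  - "key:code"; key goes to --nsCertType, code is
#                         the first prompt answer
#               EXT_EKU - value for --extKeyUsage
# Globals set:  OPTIONS, DATA, EXT_NS_KEY, EXT_NS_CODE
########################################################################
process_ku_ns_eku()
{
    if [ -n "${EXT_KU}" ]; then
        OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}"
    fi
    if [ -n "${EXT_NS}" ]; then
        # split "key:code" without spawning echo|cut (second field only)
        EXT_NS_KEY=${EXT_NS%%:*}
        EXT_NS_CODE=${EXT_NS#*:}
        EXT_NS_CODE=${EXT_NS_CODE%%:*}

        OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}"
        DATA="${DATA}${EXT_NS_CODE}
-1
n
"
    fi
    if [ -n "${EXT_EKU}" ]; then
        OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}"
    fi
}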
michael@0 598
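############################## copy_crl ################################
# local shell function to publish a CRL in the httpserv directory under
# the name process_crldp put into the certificates
#
# Globals read: NSS_AIA_PATH (empty: nothing to do), COPYCRL (CRL issuer
#               name, source file ${COPYCRL}.crl), HOST, SCEN_CNT, AIA_FILES
# Globals set:  CRL_LOCAL, CRL_PUBLIC
# Side effects: copies the CRL, makes it world readable and records the
#               published path in AIA_FILES for cleanup
########################################################################
copy_crl()
{
    [ -z "${NSS_AIA_PATH}" ] && return

    CRL_LOCAL="${COPYCRL}.crl"
    CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"

    # the copy is deliberately best-effort (errors silenced); a missing
    # CRL only shows up when the fetch is exercised
    cp "${CRL_LOCAL}" "${NSS_AIA_PATH}/${CRL_PUBLIC}" 2> /dev/null
    chmod a+r "${NSS_AIA_PATH}/${CRL_PUBLIC}"
    echo "${NSS_AIA_PATH}/${CRL_PUBLIC}" >> "${AIA_FILES}"
}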
michael@0 613
########################## process_extensions ##########################
# local shell function to process entity extension parameters and
# generate input for certutil
#
# Resets OPTIONS and DATA and lets each extension helper append its
# command line options and prompt answers, in this fixed order.
# Globals set: OPTIONS, DATA, STEP (plus those of the helpers)
########################################################################
process_extensions()
{
    OPTIONS=
    DATA=

    # keep this order: the helpers append to OPTIONS and DATA in step
    for STEP in policy mapping inhibit aia ocsp ku_ns_eku; do
        "process_${STEP}"
    done
}
michael@0 630
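############################## sign_cert ###############################
# local shell function to sign certificate sign request
#
# Arguments:    $1 - entity whose request ${1}Req.der gets signed
#               $2 - issuer nickname (empty: nothing to do)
#               $3 - entity type; "Bridge" adds an e-mail address (-7) and
#                    records it in EMAILS for create_pkcs7
# Globals read: CU_DATA, BINDIR, SCRIPTNAME, SCENARIO and the extension
#               settings consumed by process_extensions
# Globals set:  ENTITY, ISSUER, TYPE, ENTITY_DB, ISSUER_DB, REQ, CERT,
#               EMAIL_OPT, EMAILS, CERT_SN, OPTIONS, DATA, TESTNAME
# Side effects: writes ${ENTITY}${ISSUER}.der and imports it into the
#               entity's database; results are reported via html_msg
########################################################################
sign_cert()
{
    ENTITY=$1
    ISSUER=$2
    TYPE=$3

    [ -z "${ISSUER}" ] && return

    ENTITY_DB=${ENTITY}DB
    ISSUER_DB=${ISSUER}DB
    REQ=${ENTITY}Req.der
    CERT=${ENTITY}${ISSUER}.der

    set_cert_sn

    EMAIL_OPT=
    if [ "${TYPE}" = "Bridge" ]; then
        EMAIL_OPT="-7 ${ENTITY}@${ISSUER}"

        [ -n "${EMAILS}" ] && EMAILS="${EMAILS},"
        EMAILS="${EMAILS}${ENTITY}@${ISSUER}"
    fi

    process_extensions

    echo "${DATA}" > "${CU_DATA}"

    TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}"
    print_cu_data
    # EMAIL_OPT and OPTIONS hold whole option lists and stay unquoted
    "${BINDIR}/certutil" -C -c "${ISSUER}" -v 60 -d "${ISSUER_DB}" -i "${REQ}" -o "${CERT}" -f "${ISSUER_DB}/dbpasswd" -m "${CERT_SN}" ${EMAIL_OPT} ${OPTIONS} < "${CU_DATA}"
    html_msg $? 0 "${SCENARIO}${TESTNAME}"

    TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}"
    "${BINDIR}/certutil" -A -n "${ENTITY}" -t u,u,u -d "${ENTITY_DB}" -f "${ENTITY_DB}/dbpasswd" -i "${CERT}"
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}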
michael@0 674
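############################# create_pkcs7 #############################
# local shell function to package bridge certificates into pkcs7
# package
#
# Arguments:    $1 - entity whose database ${1}DB holds the certificates;
#                    the bundle is written to ${1}.p7
# Globals read: EMAILS (comma separated recipients collected by sign_cert),
#               BINDIR, SCRIPTNAME, SCENARIO
# Globals set:  ENTITY, ENTITY_DB, TESTNAME
########################################################################
create_pkcs7()
{
    ENTITY=$1
    ENTITY_DB=${ENTITY}DB

    TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7"
    "${BINDIR}/cmsutil" -O -r "${EMAILS}" -d "${ENTITY_DB}" > "${ENTITY}.p7"
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}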
michael@0 690
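############################# import_key ###############################
# local shell function to import private key + cert into database
#
# Arguments:    $1 - key name; the PKCS#12 file ../OCSPD/${1}.p12 is used
#               $2 - target database
# Globals read: BINDIR, SCRIPTNAME, SCENARIO
# Globals set:  KEY_NAME, DB, KEY_FILE, TESTNAME
# NOTE: "nssnss" is the fixed, test-only PKCS#12 password shared with
# export_key.
########################################################################
import_key()
{
    KEY_NAME=$1.p12
    DB=$2

    KEY_FILE=../OCSPD/${KEY_NAME}

    TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss"
    "${BINDIR}/pk12util" -d "${DB}" -i "${KEY_FILE}" -k "${DB}/dbpasswd" -W nssnss
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}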
michael@0 707
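############################# export_key ###############################
# local shell function to export a private key + cert as PKCS#12
#
# Arguments:    $1 - certificate nickname; output file is ${1}.p12
#               $2 - source database
# Globals read: BINDIR, SCRIPTNAME, SCENARIO
# Globals set:  KEY_NAME, DB, TESTNAME
# NOTE: "nssnss" is the fixed, test-only PKCS#12 password expected by
# import_key.
########################################################################
export_key()
{
    KEY_NAME=$1.p12
    DB=$2

    TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss"
    "${BINDIR}/pk12util" -d "${DB}" -o "${KEY_NAME}" -n "$1" -k "${DB}/dbpasswd" -W nssnss
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}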
michael@0 719
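############################# import_cert ##############################
# local shell function to import certificate into database
#
# Arguments:    $1 - "nick:issuer:trust"; issuer "x" selects the pre-built
#                    ${QADIR}/libpkix/certs/${nick}.cert, issuer "d" the
#                    fixture ../OCSPD/${nick}.der, anything else the
#                    ${nick}${issuer}.der generated earlier in the scenario
#               $2 - target database
# Globals read: QADIR, BINDIR, SCRIPTNAME, SCENARIO
# Globals set:  IMPORT, DB, CERT_NICK, CERT_ISSUER, CERT_TRUST, CERT,
#               CERT_FILE, ASCII_OPT, TESTNAME
########################################################################
import_cert()
{
    IMPORT=$1
    DB=$2

    # cut keeps the exact field semantics (missing trailing fields are
    # empty), so it stays, just with the input quoted
    CERT_NICK=$(printf '%s\n' "${IMPORT}" | cut -d: -f1)
    CERT_ISSUER=$(printf '%s\n' "${IMPORT}" | cut -d: -f2)
    CERT_TRUST=$(printf '%s\n' "${IMPORT}" | cut -d: -f3)

    if [ "${CERT_ISSUER}" = "x" ]; then
        CERT_ISSUER=
        CERT=${CERT_NICK}.cert
        CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
    elif [ "${CERT_ISSUER}" = "d" ]; then
        CERT_ISSUER=
        CERT=${CERT_NICK}.der
        CERT_FILE="../OCSPD/${CERT}"
    else
        CERT=${CERT_NICK}${CERT_ISSUER}.der
        CERT_FILE=${CERT}
    fi

    # PEM input needs certutil -a. A boolean grep replaces the old count
    # whose empty result (unreadable file) tripped the numeric comparison;
    # the missing file is still reported by certutil below.
    ASCII_OPT=
    if grep -q -- "-----BEGIN CERTIFICATE-----" "${CERT_FILE}"; then
        ASCII_OPT="-a"
    fi

    TESTNAME="Importing certificate ${CERT} to ${DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}"
    # ASCII_OPT is "-a" or nothing and therefore stays unquoted
    "${BINDIR}/certutil" -A -n "${CERT_NICK}" ${ASCII_OPT} -t "${CERT_TRUST}" -d "${DB}" -f "${DB}/dbpasswd" -i "${CERT_FILE}"
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}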
michael@0 758
michael@0 759 import_crl()
michael@0 760 {
michael@0 761 IMPORT=$1
michael@0 762 DB=$2
michael@0 763
michael@0 764 CRL_NICK=`echo ${IMPORT} | cut -d: -f1`
michael@0 765 CRL_FILE=${CRL_NICK}.crl
michael@0 766
michael@0 767 if [ ! -f "${CRL_FILE}" ]; then
michael@0 768 return
michael@0 769 fi
michael@0 770
michael@0 771 TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database"
michael@0 772 echo "${SCRIPTNAME}: ${TESTNAME}"
michael@0 773 echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}"
michael@0 774 ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}
michael@0 775 html_msg $? 0 "${SCENARIO}${TESTNAME}"
michael@0 776 }
michael@0 777
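############################# create_crl ###############################
# local shell function to generate an (empty) CRL for an issuer
#
# Arguments:    $1 - issuer nickname; database ${1}DB, output ${1}.crl
# Globals read: CRL_DATA, BINDIR, SCRIPTNAME, SCENARIO
# Globals set:  ISSUER, ISSUER_DB, CRL, DATE, DATE_LAST (remembered so
#               revoke_cert can wait for a later timestamp), UPDATE,
#               TESTNAME
########################################################################
create_crl()
{
    ISSUER=$1
    ISSUER_DB=${ISSUER}DB

    CRL=${ISSUER}.crl

    # update = now, nextupdate = same instant one year later, both as
    # UTC YYYYMMDDHHMMSSZ
    DATE=$(date -u '+%Y%m%d%H%M%SZ')
    DATE_LAST="${DATE}"

    UPDATE=$(( $(date -u '+%Y') + 1 ))$(date -u '+%m%d%H%M%SZ')

    echo "update=${DATE}" > "${CRL_DATA}"
    echo "nextupdate=${UPDATE}" >> "${CRL_DATA}"

    TESTNAME="Create CRL for ${ISSUER_DB}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
    echo "=== Crlutil input data ==="
    cat "${CRL_DATA}"
    echo "==="
    "${BINDIR}/crlutil" -G -d "${ISSUER_DB}" -n "${ISSUER}" -f "${ISSUER_DB}/dbpasswd" -o "${CRL}" < "${CRL_DATA}"
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}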
michael@0 802
############################# revoke_cert ##############################
# local shell function to add a certificate to an issuer's CRL
#
# Arguments: $1 - issuer nick; its database is "<nick>DB" and the CRL is
#                 "<nick>.crl" in the current directory
#            (parse_config also passes the DB as $2; it is not used here)
# Globals:   ISSUER, ISSUER_DB, CRL, DATE, DATE_LAST, TESTNAME (written);
#            CERT_SN (expected to be set by set_cert_sn, defined elsewhere
#            in this file), CRL_DATA, BINDIR, SCRIPTNAME, SCENARIO (read)
# Outputs:   the crlutil command and its input on stdout, the result via
#            html_msg
########################################################################
revoke_cert()
{
    ISSUER=$1
    ISSUER_DB=${ISSUER}DB

    CRL=${ISSUER}.crl

    set_cert_sn

    # timestamps have one-second resolution; wait until the clock has
    # moved past the value used for the previous CRL so this CRL carries
    # a strictly later update time (presumably required by crlutil -M,
    # confirm against the crlutil documentation)
    DATE=$(date -u '+%Y%m%d%H%M%SZ')
    until [ "${DATE}" != "${DATE_LAST}" ]; do
        sleep 1
        DATE=$(date -u '+%Y%m%d%H%M%SZ')
    done
    DATE_LAST="${DATE}"

    {
        echo "update=${DATE}"
        echo "addcert ${CERT_SN} ${DATE}"
    } > "${CRL_DATA}"

    TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
    echo "=== Crlutil input data ==="
    cat "${CRL_DATA}"
    echo "==="
    "${BINDIR}/crlutil" -M -d "${ISSUER_DB}" -n "${ISSUER}" -f "${ISSUER_DB}/dbpasswd" -o "${CRL}" < "${CRL_DATA}"
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}
michael@0 831
michael@0 832 ########################################################################
michael@0 833 # List of global variables related to certificate verification:
michael@0 834 #
michael@0 835 # Generated by parse_config:
michael@0 836 # DB - DB used for testing
michael@0 837 # FETCH - fetch flag (used with AIA extension)
michael@0 838 # POLICY - list of policies
michael@0 839 # TRUST - trust anchor
michael@0 840 # TRUST_AND_DB - Examine both trust anchors and the cert db for trust
michael@0 841 # VERIFY - list of certificates to use as vfychain parameters
michael@0 842 # EXP_RESULT - expected result
michael@0 843 # REV_OPTS - revocation options
michael@0 844 ########################################################################
michael@0 845
############################# verify_cert ##############################
# local shell function to run vfychain over the certificates listed in
# VERIFY and record pass/fail against EXP_RESULT
#
# Arguments: $1 - engine selector passed straight to vfychain ("", "-p"
#                 or "-pp" as used by parse_config)
# Globals:   reads DB, FETCH, NSS_AIA_HTTP, TRUST_AND_DB, POLICY, TRUST,
#            VERIFY, REV_OPTS, USAGE_OPT, EXP_RESULT, MEMLEAK_DBG,
#            RUN_COMMAND_DBG, LOGFILE, BINDIR, QADIR, SCENARIO, SCRIPTNAME;
#            writes the *_OPT helpers, CERT_NICK, CERT_ISSUER, CERT,
#            VFY_CERTS, VFY_LIST, TESTNAME, VFY_OUT, RESULT, VERDICT
# Outputs:   the vfychain command line and its output on stdout; the
#            verdict via html_passed / html_failed / html_unknown
# Note:      an expected "fail" is satisfied by any non-zero vfychain
#            status, so a chain that fails for an unrelated reason (a
#            missing file, a bad option) still counts as a passed test
########################################################################
verify_cert()
{
    ENGINE=$1

    DB_OPT=
    FETCH_OPT=
    POLICY_OPT=
    TRUST_OPT=
    VFY_CERTS=
    VFY_LIST=
    TRUST_AND_DB_OPT=

    if [ -n "${DB}" ]; then
        DB_OPT="-d ${DB}"
    fi

    if [ -n "${FETCH}" ]; then
        FETCH_OPT="-f"
        # AIA fetching needs the test http server; without NSS_AIA_HTTP the
        # test cannot run, so it is skipped rather than reported as failed
        if [ -z "${NSS_AIA_HTTP}" ]; then
            echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined"
            return
        fi
    fi

    if [ -n "${TRUST_AND_DB}" ]; then
        TRUST_AND_DB_OPT="-T"
    fi

    for ITEM in ${POLICY}; do
        POLICY_OPT="${POLICY_OPT} -o ${ITEM}"
    done

    # trust anchors: "nick:issuer" names a DER file produced by this
    # script; anything else is handed to vfychain -t unchanged
    for ITEM in ${TRUST}; do
        case "${ITEM}" in
            *:*)
                CERT_NICK=${ITEM%%:*}
                CERT_ISSUER=${ITEM#*:}
                CERT_ISSUER=${CERT_ISSUER%%:*}
                CERT=${CERT_NICK}${CERT_ISSUER}.der
                TRUST_OPT="${TRUST_OPT} -t ${CERT}"
                ;;
            *)
                TRUST_OPT="${TRUST_OPT} -t ${ITEM}"
                ;;
        esac
    done

    # certificates to verify, same "nick:issuer" form; two issuer codes
    # select files that this script did not generate itself
    for ITEM in ${VERIFY}; do
        CERT_NICK=${ITEM%%:*}
        CERT_ISSUER=${ITEM#*:}
        CERT_ISSUER=${CERT_ISSUER%%:*}

        case "${CERT_ISSUER}" in
            x)
                # "x": a ready-made certificate from the libpkix test data
                CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert"
                VFY_CERTS="${VFY_CERTS} ${CERT}"
                VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
                ;;
            d)
                # "d": a certificate from the OCSPD scenario directory
                # NOTE(review): the test name says .cert although the
                # file is .der; kept as it was
                CERT="../OCSPD/${CERT_NICK}.der"
                VFY_CERTS="${VFY_CERTS} ${CERT}"
                VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
                ;;
            *)
                CERT=${CERT_NICK}${CERT_ISSUER}.der
                VFY_CERTS="${VFY_CERTS} ${CERT}"
                VFY_LIST="${VFY_LIST} ${CERT}"
                ;;
        esac
    done

    VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
    VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"

    TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "vfychain ${VFY_OPTS_ALL}"

    # the option string is deliberately unquoted: empty options must
    # vanish rather than turn into empty arguments
    # NOTE(review): under MEMLEAK_DBG stderr goes to LOGFILE, so an error
    # printed only on stderr is not visible to the checks below - confirm
    # which stream vfychain uses for them
    if [ -n "${MEMLEAK_DBG}" ]; then
        VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE})
    else
        VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
    fi
    RESULT=$?
    echo "${VFY_OUT}"

    # a timed-out or malformed HTTP exchange says nothing about the chain;
    # report the test as unknown instead of pass/fail
    case "${VFY_OUT}" in
        *"ERROR -5990: I/O operation timed out"*|*"ERROR -8030: Server returned bad HTTP response"*)
            echo "Result of this test is not valid due to network time out."
            html_unknown "${SCENARIO}${TESTNAME}"
            return
            ;;
    esac

    echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}"

    # "pass" needs status 0; "fail" is satisfied by any non-zero status
    VERDICT=html_failed
    case "${EXP_RESULT}" in
        pass)
            [ "${RESULT}" -eq 0 ] && VERDICT=html_passed
            ;;
        fail)
            [ "${RESULT}" -ne 0 ] && VERDICT=html_passed
            ;;
    esac
    ${VERDICT} "${SCENARIO}${TESTNAME}"
}
michael@0 951
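############################# check_ocsp ###############################
# local shell function to check that the OCSP responder named in a
# certificate accepts a connection
#
# Arguments: $1 - "nick:issuer"; issuer "x" selects a libpkix test cert,
#                 "d" a cert from the OCSPD scenario directory, anything
#                 else a DER file produced by this script
# Globals:   OCSP_CERT, CERT_NICK, CERT_ISSUER, CERT, CERT_FILE, OCSP_URI,
#            OCSP_HOST, OCSP_PORT (written); BINDIR, QADIR, SCRIPTNAME (read)
# Returns:   the tstclnt status (0 when it could connect); 1 when no host
#            and port could be parsed out of the certificate
########################################################################
check_ocsp()
{
    OCSP_CERT=$1

    CERT_NICK=${OCSP_CERT%%:*}
    CERT_ISSUER=${OCSP_CERT#*:}
    CERT_ISSUER=${CERT_ISSUER%%:*}

    if [ "${CERT_ISSUER}" = "x" ]; then
        CERT_ISSUER=
        CERT=${CERT_NICK}.cert
        CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
    elif [ "${CERT_ISSUER}" = "d" ]; then
        CERT_ISSUER=
        CERT=${CERT_NICK}.der
        CERT_FILE="../OCSPD/${CERT}"
    else
        CERT=${CERT_NICK}${CERT_ISSUER}.der
        CERT_FILE=${CERT}
    fi

    # sample line:
    # URI: "http://ocsp.server:2601"
    # pretty-print the certificate once (it used to be run twice for the
    # same output) and cut host and port out of the URI line.
    # NOTE(review): assumes exactly one URI line; a certificate with
    # several would yield multi-line host/port values, as before.
    OCSP_URI=$("${BINDIR}/pp" -w -t certificate -i "${CERT_FILE}" | grep URI)
    OCSP_HOST=$(echo "${OCSP_URI}" | sed "s/.*:\/\///" | sed "s/:.*//")
    OCSP_PORT=$(echo "${OCSP_URI}" | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")

    # without a parsed host and port tstclnt would be called with a
    # mangled option list; fail the check explicitly instead
    if [ -z "${OCSP_HOST}" ] || [ -z "${OCSP_PORT}" ]; then
        echo "${SCRIPTNAME}: no OCSP URI with host and port found in ${CERT_FILE}"
        return 1
    fi

    # tstclnt is taken from BINDIR like every other NSS tool in this
    # script, not from PATH
    echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
    "${BINDIR}/tstclnt" -h "${OCSP_HOST}" -p "${OCSP_PORT}" -q -t 20
    return $?
}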
michael@0 981
############################ parse_result ##############################
# local shell function to process the expected result value
# this function was created for the case where the expected result
# depends on some condition - in our case the type of cert DB
#
# default results are pass and fail
# this function adds parsable values in the format:
# type1:value1 type2:value2 .... typex:valuex
#
# allowed types are dbm, sql, all (all means all other cases)
# allowed values are pass and fail
#
# if this format is not used, EXP_RESULT stays unchanged (this also
# covers the plain pass and fail states)
#
# Globals:   EXP_RESULT (read and rewritten), NSS_DEFAULT_DB_TYPE (read),
#            RES, RESTYPE, RESSTAT (written)
########################################################################
parse_result()
{
    # the word list is expanded once, so reassigning EXP_RESULT inside
    # the loop is safe; the first matching entry wins
    for RES in ${EXP_RESULT}
    do
        # split "type:value"; a word without ':' yields the whole word
        # for both halves
        RESTYPE=${RES%%:*}
        RESSTAT=${RES#*:}
        RESSTAT=${RESSTAT%%:*}

        case "${RESTYPE}" in
            "${NSS_DEFAULT_DB_TYPE}"|all)
                EXP_RESULT=${RESSTAT}
                break
                ;;
        esac
    done
}
michael@0 1010
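############################ parse_config ##############################
# local shell function to parse and process file containing certificate
# chain configuration and list of tests
#
# Reads the scenario file from stdin, one "KEY VALUE" pair per line
# (VALUE is everything after the first whitespace; read is used without
# -r, so backslashes in VALUE are interpreted). Most keys only collect
# state; an empty line ends a stanza and triggers the deferred work:
# create and sign the pending entity, run the pending verification,
# apply the pending revocation. Lines whose KEY starts with '#' are
# comments; any other unknown KEY aborts the run.
#
# Globals:   writes the verification variables listed above verify_cert
#            plus ENTITY, TYPE, ISSUER, CTYPE, MAPPING, INHIBIT, AIA,
#            CRLDP, OCSP, EMAILS, EXT_KU, EXT_NS, EXT_EKU, SERIAL,
#            EXPORT_KEY, IMPORT, REVOKE, COPYCRL, SCENARIO, LOGNAME,
#            LOGFILE, CHAINS_DIR, SCEN_CNT, TESTNAME;
#            reads HOSTDIR, LOGDIR, MEMLEAK_DBG, VERIFY_CLASSIC_ENGINE_TOO
# Outputs:   per-test results via the html_* helpers (called indirectly)
# Exits:     1 on an unknown keyword or when the scenario directory
#            cannot be entered
########################################################################
parse_config()
{
    SCENARIO=
    LOGNAME=

    while read KEY VALUE
    do
        case "${KEY}" in
            "entity")
                # start of a new entity stanza: reset everything that
                # describes a certificate
                ENTITY="${VALUE}"
                TYPE=
                ISSUER=
                CTYPE=
                POLICY=
                MAPPING=
                INHIBIT=
                AIA=
                CRLDP=
                OCSP=
                DB=
                EMAILS=
                EXT_KU=
                EXT_NS=
                EXT_EKU=
                SERIAL=
                EXPORT_KEY=
                ;;
            "type")
                TYPE="${VALUE}"
                ;;
            "issuer")
                # a second issuer line means the entity gets another
                # certificate: sign the pending one first (create_entity
                # is skipped when a db line has already set DB)
                if [ -n "${ISSUER}" ]; then
                    if [ -z "${DB}" ]; then
                        create_entity "${ENTITY}" "${TYPE}"
                    fi
                    sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
                fi

                ISSUER="${VALUE}"
                POLICY=
                MAPPING=
                INHIBIT=
                AIA=
                EXT_KU=
                EXT_NS=
                EXT_EKU=
                ;;
            "ctype")
                CTYPE="${VALUE}"
                ;;
            "policy")
                POLICY="${POLICY} ${VALUE}"
                ;;
            "mapping")
                MAPPING="${MAPPING} ${VALUE}"
                ;;
            "inhibit")
                INHIBIT="${VALUE}"
                ;;
            "aia")
                AIA="${AIA} ${VALUE}"
                ;;
            "crldp")
                CRLDP="${CRLDP} ${VALUE}"
                ;;
            "ocsp")
                OCSP="${VALUE}"
                ;;
            "db")
                DB="${VALUE}DB"
                create_db "${DB}"
                ;;
            "import")
                # the certificate and, if one exists, its CRL
                IMPORT="${VALUE}"
                import_cert "${IMPORT}" "${DB}"
                import_crl "${IMPORT}" "${DB}"
                ;;
            "import_key")
                IMPORT="${VALUE}"
                import_key "${IMPORT}" "${DB}"
                ;;
            "crl")
                # NOTE(review): this reuses ISSUER, the variable the entity
                # stanza uses for its signer; a crl line inside an entity
                # stanza would change who signs that entity
                ISSUER="${VALUE}"
                create_crl "${ISSUER}"
                ;;
            "revoke")
                REVOKE="${VALUE}"
                ;;
            "serial")
                SERIAL="${VALUE}"
                ;;
            "export_key")
                EXPORT_KEY=1
                ;;
            "copycrl")
                COPYCRL="${VALUE}"
                copy_crl "${COPYCRL}"
                ;;
            "verify")
                # start of a verification stanza: reset its options
                VERIFY="${VALUE}"
                TRUST=
                TRUST_AND_DB=
                POLICY=
                FETCH=
                EXP_RESULT=
                REV_OPTS=
                USAGE_OPT=
                ;;
            "cert")
                VERIFY="${VERIFY} ${VALUE}"
                ;;
            "testdb")
                if [ -n "${VALUE}" ]; then
                    DB="${VALUE}DB"
                else
                    DB=
                fi
                ;;
            "trust")
                TRUST="${TRUST} ${VALUE}"
                ;;
            "trust_and_db")
                TRUST_AND_DB=1
                ;;
            "fetch")
                FETCH=1
                ;;
            "result")
                EXP_RESULT="${VALUE}"
                parse_result
                ;;
            "rev_type")
                REV_OPTS="${REV_OPTS} -g ${VALUE}"
                ;;
            "rev_flags")
                REV_OPTS="${REV_OPTS} -h ${VALUE}"
                ;;
            "rev_mtype")
                REV_OPTS="${REV_OPTS} -m ${VALUE}"
                ;;
            "rev_mflags")
                REV_OPTS="${REV_OPTS} -s ${VALUE}"
                ;;
            "scenario")
                SCENARIO="${VALUE}: "

                # every scenario works in its own directory: the certs,
                # keys and CRLs are all addressed by relative paths, so a
                # failed cd must abort instead of letting this scenario
                # write into (and read from) the previous one's directory
                CHAINS_DIR="${HOSTDIR}/chains/${VALUE}"
                mkdir -p "${CHAINS_DIR}"
                if ! cd "${CHAINS_DIR}"; then
                    echo "Configuration error: cannot enter scenario directory ${CHAINS_DIR}"
                    exit 1
                fi

                if [ -n "${MEMLEAK_DBG}" ]; then
                    LOGNAME="libpkix-${VALUE}"
                    LOGFILE="${LOGDIR}/${LOGNAME}"
                fi

                SCEN_CNT=$((SCEN_CNT + 1))
                ;;
            "sleep")
                sleep "${VALUE}"
                ;;
            "break")
                break
                ;;
            "check_ocsp")
                # an unreachable OCSP server invalidates the rest of the
                # scenario, so stop reading it
                TESTNAME="Test that OCSP server is reachable"
                if check_ocsp "${VALUE}"; then
                    html_passed "$TESTNAME"
                else
                    html_failed "$TESTNAME"
                    break
                fi
                ;;
            "ku")
                EXT_KU="${VALUE}"
                ;;
            "ns")
                EXT_NS="${VALUE}"
                ;;
            "eku")
                EXT_EKU="${VALUE}"
                ;;
            "usage")
                USAGE_OPT="-u ${VALUE}"
                ;;
            "")
                # blank line: flush the pending entity, verification and
                # revocation
                if [ -n "${ENTITY}" ]; then
                    if [ -z "${DB}" ]; then
                        create_entity "${ENTITY}" "${TYPE}"
                    fi
                    sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
                    if [ "${TYPE}" = "Bridge" ]; then
                        create_pkcs7 "${ENTITY}"
                    fi
                    if [ -n "${EXPORT_KEY}" ]; then
                        export_key "${ENTITY}" "${DB}"
                    fi
                    ENTITY=
                fi

                if [ -n "${VERIFY}" ]; then
                    # "-pp" always; the "" and "-p" engines only when the
                    # main program asks for them
                    verify_cert "-pp"
                    if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ]; then
                        verify_cert ""
                        verify_cert "-p"
                    fi
                    VERIFY=
                fi

                if [ -n "${REVOKE}" ]; then
                    revoke_cert "${REVOKE}" "${DB}"
                    REVOKE=
                fi
                ;;
            *)
                # lines beginning with '#' are comments; anything else is
                # a typo in the scenario file and aborts the whole run
                case "${KEY}" in
                    '#'*)
                        ;;
                    *)
                        echo "Configuration error: Unknown keyword ${KEY}"
                        exit 1
                        ;;
                esac
                ;;
        esac
    done

    if [ -n "${MEMLEAK_DBG}" ]; then
        log_parse
        html_msg $? 0 "${SCENARIO}Memory leak checking"
    fi
}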
michael@0 1243
########################### process_scenario ###########################
# local shell function to run one scenario file and clean up after it
#
# Arguments: $1 - file name below ${QADIR}/chains/scenarios
# Globals:   SCENARIO_FILE, AIA_FILE (written); AIA_FILES, QADIR (read)
#            AIA_FILES names a list file that is emptied here and filled
#            elsewhere (presumably while certificates carrying AIA
#            extensions are generated, outside this view); every path
#            recorded in it is deleted once the scenario is done
########################################################################
process_scenario()
{
    SCENARIO_FILE=$1

    # start each scenario with an empty list of files to clean up
    : > "${AIA_FILES}"

    parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}"

    # delete everything the scenario recorded, then the list itself;
    # errors for files that are already gone are not interesting
    while read AIA_FILE
    do
        rm -- "${AIA_FILE}" 2> /dev/null
    done < "${AIA_FILES}"
    rm -- "${AIA_FILES}"
}
michael@0 1258
# process ocspd.cfg separately: main runs it on its own before the test
# http server is started (see main below)
chains_ocspd()
{
    process_scenario 'ocspd.cfg'
}
michael@0 1264
# process method.cfg separately: main runs it once per http server mode
# with VERIFY_CLASSIC_ENGINE_TOO set (see main below)
chains_method()
{
    process_scenario 'method.cfg'
}
michael@0 1270
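############################# chains_main ##############################
# local shell function to process all testing scenarios
#
# Reads CHAINS_SCENARIOS one scenario file name per line, skipping blank
# lines, '#' comments and the two files that chains_ocspd/chains_method
# run on their own, and hands each remaining name to process_scenario.
#
# Globals:   CHAINS_SCENARIOS (read), LINE (written)
########################################################################
chains_main()
{
    # read strips surrounding whitespace, so a comment marker or a file
    # name is always at the start of LINE
    while read LINE
    do
        case "${LINE}" in
            ''|'#'*)
                # blank lines used to be skipped only because the unquoted
                # test errored out; handle them explicitly and quietly
                continue
                ;;
            'ocspd.cfg'|'method.cfg')
                continue
                ;;
        esac

        process_scenario "${LINE}"
    done < "${CHAINS_SCENARIOS}"
}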
michael@0 1286
################################ main ##################################
# Runs the scenario sets in a fixed order. VERIFY_CLASSIC_ENGINE_TOO
# decides whether verify_cert additionally runs the "" and "-p" engines
# next to "-pp" (see parse_config). The argument to chains_run_httpserv
# selects the mode the test http server is started in; the function is
# defined outside this view (presumably the mode is how the fetched
# responses are served - confirm there).

chains_init

# ocspd.cfg with the "-pp" engine only, no http server
VERIFY_CLASSIC_ENGINE_TOO=
chains_ocspd

# method.cfg against a get server and then a post server, all engines
VERIFY_CLASSIC_ENGINE_TOO=1
for HTTPSERV_MODE in get post; do
    chains_run_httpserv "${HTTPSERV_MODE}"
    chains_method
    chains_stop_httpserv
done

# every remaining scenario against the random and the get-unknown server
VERIFY_CLASSIC_ENGINE_TOO=
for HTTPSERV_MODE in random get-unknown; do
    chains_run_httpserv "${HTTPSERV_MODE}"
    chains_main
    chains_stop_httpserv
done

chains_cleanup
