The Tor Browser: security/nss/tests/iopr/cert_iopr.sh@b8a032363ba2 (annotated)

security/nss/tests/iopr/cert_iopr.sh@b8a032363ba2 (annotated)

security/nss/tests/iopr/cert_iopr.sh

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 #! /bin/bash
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ########################################################################
 #
 # mozilla/security/nss/tests/iopr/cert_iopr.sh
 #
 # Certificate generating and handeling for NSS interoperability QA. This file
 # is included from cert.sh
 #
 # needs to work on all Unix and Windows platforms
 #
 # special strings
 # ---------------
 #   FIXME ... known problems, search for this string
 #   NOTE .... unexpected behavior
 ########################################################################
 IOPR_CERT_SOURCED=1
 ########################################################################
 # function wraps calls to pk12util, also: writes action and options
 # to stdout.
 # Params are the same as to pk12util.
 # Returns pk12util status
 #
 pk12u()
 {
     echo "${CU_ACTION} --------------------------"
     echo "pk12util $@"
     ${BINDIR}/pk12util $@
     RET=$?
     return $RET
 }
 ########################################################################
 # Initializes nss db directory and files if they don't exists
 # Params:
 #      $1 - directory location
 #
 createDBDir() {
     trgDir=$1
     if [ -z "`ls $trgDir | grep db`" ]; then
         trgDir=`cd ${trgDir}; pwd`
         if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
 			trgDir=`cygpath -m ${trgDir}`
         fi
         CU_ACTION="Initializing DB at ${trgDir}"
         certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
         if [ "$RET" -ne 0 ]; then
             return $RET
         fi
         CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
         modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
         if [ "$RET" -ne 0 ]; then
             return $RET
         fi
     fi
 }
 ########################################################################
 # takes care of downloading config, cert and crl files from remote
 # location.
 # Params:
 #      $1 - name of the host file will be downloaded from
 #      $2 - path to the file as it appeared in url
 #      $3 - target directory the file will be saved at.
 # Returns tstclnt status.
 #
 download_file() {
     host=$1
     filePath=$2
     trgDir=$3
     file=$trgDir/`basename $filePath`
     createDBDir $trgDir || return $RET
 #    echo wget -O $file http://${host}${filePath}
 #    wget -O $file http://${host}${filePath}
 #    ret=$?
     req=$file.$$
     echo "GET $filePath HTTP/1.0" > $req
     echo >> $req
     echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
         -v -w ${R_PWFILE} -o
     ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
         -v -w ${R_PWFILE} -o < $req > $file
     ret=$?
     rm -f $_tmp;
     return $ret
 }
 ########################################################################
 # Uses pk12util, certutil of cerlutil to import files to an nss db located
 # at <dir>(the value of $1 parameter). Chooses a utility to use based on
 # a file extension. Initializing a db if it does not exists.
 # Params:
 #      $1 - db location directory
 #      $2 - file name to import
 #      $3 - nick name an object in the file will be associated with
 #      $4 - trust arguments
 # Returns status of import
 #
 importFile() {
     dir=$1\
     file=$2
     certName=$3
     certTrust=$4
     [ ! -d $dir ] && mkdir -p $dir;
     createDBDir $dir || return $RET
     case `basename $file | sed 's/^.*\.//'` in
         p12)
             CU_ACTION="Importing p12 $file to DB at $dir"
             pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr
             [ $? -ne 0 ] && return 1
             CU_ACTION="Modifying trust for cert $certName at $dir"
             certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
             return $?
             ;;
         crl)
             CU_ACTION="Importing crl $file to DB at $dir"
             crlu -d ${dir} -I -n TestCA -i $file
             return $?
             ;;
         crt | cert)
             CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
             certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
                 -i "$file"
             return $?
             ;;
         *)
             echo "Unknown file extension: $file:"
             return 1
             ;;
     esac
 }
 #########################################################################
 # Downloads and installs test certs and crl from a remote webserver.
 # Generates server cert for reverse testing if reverse test run is turned on.
 # Params:
 #      $1 - host name to download files from.
 #      $2 - directory at which CA cert will be installed and used for
 #           signing a server cert.
 #      $3 - path to a config file in webserver context.
 #      $4 - ssl server db location
 #      $5 - ssl client db location
 #      $5 - ocsp client db location
 #
 # Returns 0 upon success, otherwise, failed command error code.
 #
 download_install_certs() {
     host=$1
     caDir=$2
     confPath=$3
     sslServerDir=$4
     sslClientDir=$5
     ocspClientDir=$6
     [ ! -d "$caDir" ] && mkdir -p $caDir;
     #=======================================================
     # Getting config file
     #
     download_file $host "$confPath/iopr_server.cfg" $caDir
     RET=$?
     if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then
         html_failed "Fail to download website config file(ws: $host)"
         return 1
     fi
     . $caDir/iopr_server.cfg
     RET=$?
     if [ $RET -ne 0 ]; then
         html_failed "Fail to source config file(ws: $host)"
         return $RET
     fi
     #=======================================================
     # Getting CA file
     #
     #----------------- !!!WARNING!!! -----------------------
     # Do NOT copy this scenario. CA should never accompany its
     # cert with the private key when deliver cert to a customer.
     #----------------- !!!WARNING!!! -----------------------
     download_file $host $certDir/$caCertName.p12 $caDir
     RET=$?
     if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then
         html_failed "Fail to download $caCertName cert(ws: $host)"
         return 1
     fi
     tmpFiles="$caDir/$caCertName.p12"
     importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C"
     RET=$?
     if [ $RET -ne 0 ]; then
         html_failed "Fail to import $caCertName cert to CA DB(ws: $host)"
         return $RET
     fi
     CU_ACTION="Exporting Root CA cert(ws: $host)"
     certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert
     if [ "$RET" -ne 0 ]; then
         Exit 7 "Fatal - failed to export $caCertName cert"
     fi
     #=======================================================
     # Check what tests we want to run
     #
     doSslTests=0; doOcspTests=0
     # XXX remove "_new" from variables below
     [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1
     [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1
     if [ $doSslTests -eq 1 ]; then
         if [ "$reverseRunCGIScript" ]; then
             [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;
             #=======================================================
             # Import CA cert to server DB
             #
             importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \
                         "TC,C,C"
             RET=$?
             if [ $RET -ne 0 ]; then
                 html_failed "Fail to import server-client-CA cert to \
                              server DB(ws: $host)"
                 return $RET
             fi
             #=======================================================
             # Creating server cert
             #
             CERTNAME=$HOSTADDR
             CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
             CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
                         L=Mountain View, ST=California, C=US"
             certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
                 -o $sslServerDir/req 2>&1
             tmpFiles="$tmpFiles $sslServerDir/req"
             # NOTE:
             # For possible time synchronization problems (bug 444308) we generate
             # certificates valid also some time in past (-w -1)
             CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
             certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \
                 -d "${caDir}" \
                 -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \
                 -f "${R_PWFILE}" 2>&1
             importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"
             RET=$?
             if [ $RET -ne 0 ]; then
                 html_failed "Fail to import $CERTNAME cert to server\
                              DB(ws: $host)"
                 return $RET
             fi
             tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
             #=======================================================
             # Download and import CA crl to server DB
             #
             download_file $host "$certDir/$caCrlName.crl" $sslServerDir
             RET=$?
             if [ $? -ne 0 ]; then
                 html_failed "Fail to download $caCertName crl\
                              (ws: $host)"
                 return $RET
             fi
             tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"
             importFile $sslServerDir $sslServerDir/TestCA.crl
             RET=$?
             if [ $RET -ne 0 ]; then
                 html_failed "Fail to import TestCA crt to server\
                              DB(ws: $host)"
                 return $RET
             fi
         fi # if [ "$reverseRunCGIScript" ]
         [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;
         #=======================================================
         # Import CA cert to ssl client DB
         #
         importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \
                    "TC,C,C"
         RET=$?
         if [ $RET -ne 0 ]; then
             html_failed "Fail to import server-client-CA cert to \
                          server DB(ws: $host)"
             return $RET
         fi
     fi
     if [ $doOcspTests -eq 1 ]; then
         [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;
         #=======================================================
         # Import CA cert to ocsp client DB
         #
         importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \
                    "TC,C,C"
         RET=$?
         if [ $RET -ne 0 ]; then
             html_failed "Fail to import server-client-CA cert to \
                          server DB(ws: $host)"
             return $RET
         fi
     fi
     #=======================================================
     # Import client certs to client DB
     #
     for fileName in $downloadFiles; do
         certName=`echo $fileName | sed 's/\..*//'`
         if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then
             clientDir=$ocspClientDir
         elif [ $doSslTests -eq 1 ]; then
             clientDir=$sslClientDir
         else
             continue
         fi
         download_file $host "$certDir/$fileName" $clientDir
         RET=$?
         if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then
             html_failed "Fail to download $certName cert(ws: $host)"
             return $RET
         fi
         tmpFiles="$tmpFiles $clientDir/$fileName"
         importFile $clientDir $clientDir/$fileName $certName ",,"
         RET=$?
         if [ $RET -ne 0 ]; then
             html_failed "Fail to import $certName cert to client DB\
                         (ws: $host)"
             return $RET
         fi
     done
     rm -f $tmpFiles
     return 0
 }
 #########################################################################
 # Initial point for downloading config, cert, crl files for multiple hosts
 # involved in interoperability testing. Called from nss/tests/cert/cert.sh
 # It will only proceed with downloading if environment variable
 # IOPR_HOSTADDR_LIST is set and has a value of host names separated by space.
 #
 # Returns 1 if interoperability testing is off, 0 otherwise.
 #
 cert_iopr_setup() {
     if [ "$IOPR" -ne 1 ]; then
         return 1
     fi
     num=1
     IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '`
     while [ "$IOPR_HOST_PARAM" ]; do
         IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
         IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
         [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443
         IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`
         [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"
         echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\
               $IOPR_CONF_PATH"
         download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \
             ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \
             ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \
             ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
         if [ $? -ne 0 ]; then
             echo "wsFlags=\"NOIOPR $wsParam\"" >> \
                 ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
         fi
         num=`expr $num + 1`
         IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
     done
     return 0
 }

The Tor Browser / annotate

security/nss/tests/iopr/cert_iopr.sh@b8a032363ba2 (annotated)

security/nss/tests/iopr/cert_iopr.sh