security/nss/tests/iopr/server_scr/cert_gen.sh

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 #!/bin/bash
michael@0 2
michael@0 3 # This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 # License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0 6
######################################################################################
# Server and client cert and CRL generator functions. Generated files are placed in a
# <dir> directory so that they are reachable as http://<webserver>/iopr/TestCA.crt etc.
# These functions are used for manual webserver configuration; they are not part of
# the nss test run.
# To create certs use the following command:
# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
# (when this script is run directly its own usage line is
#  "<dest dir> <server cert name> [reuse CA cert] [cert req]", see the bottom of the file)
# Where:
# dir - directory where to place created files
# cert name - name of the created server cert (FQDN)
# cert req - cert request to be used for cert generation.
#
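repAndExec() {
  # Echo a command line, then run it, recording its exit status in the global
  # RET (callers read $RET directly as well as the return value).
  # For `certutil -R` / `certutil -S` the subject held in the global CU_SUBJECT
  # is injected as `-s "$CU_SUBJECT"`; every other command runs as given.
  # Arguments are forwarded as separate words ("$@") so values containing
  # spaces (trust flags, paths) are neither split nor globbed; the original
  # unquoted $@ also had the `-a`/`-o` precedence quirk that matched any
  # command whose second word was "-S".
  echo
  if [[ $1 == certutil && ( $2 == -R || $2 == -S ) ]]; then
    shift
    echo certutil -s "$CU_SUBJECT" "$@"
    certutil -s "$CU_SUBJECT" "$@"
    RET=$?
  else
    echo "$@"
    "$@"
    RET=$?
  fi

  return "$RET"
}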
michael@0 34
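setExtData() {
  # Parse one comma-separated extension spec ("TYPE[,DATA1[,DATA2...]]") into
  # the globals read by signCert: extType gets the first field and data1,
  # data2, ... the remaining fields in order.
  # extType is cleared first so that an empty spec is reported as malformed by
  # the caller instead of silently reusing the previous call's type.
  # Fields are stored verbatim with printf -v; the former `eval x=$field`
  # would have executed shell metacharacters (';', '$(...)', ...) in a field.
  # Empty fields are kept positionally ("A,,b" -> data1="", data2="b");
  # dataN globals left over from an earlier call with more fields are not
  # cleared, as before.
  local spec=$1
  local -a fields
  local idx

  extType=""
  IFS=',' read -r -a fields <<<"$spec"
  extType=${fields[0]-}
  for ((idx = 1; idx < ${#fields[@]}; idx++)); do
    printf -v "data$idx" '%s' "${fields[$idx]}"
  done
}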
michael@0 50
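signCert() {
  # Issue a certificate from an existing request, signed by the local test CA.
  # Arguments:
  #   $1 dir        NSS database directory holding the CA key
  #   $2 crtDir     directory the cert file is written to
  #   $3 crtName    base name of the output file: <crtDir>/<crtName>.crt
  #   $4 crtSN      serial number for the new cert
  #   $5 req        certificate request file to sign
  #   $6 cuAddParam extra certutil option(s), e.g. "-a"; may be empty and is
  #                 deliberately expanded unquoted
  #   $7 extList    ';'-separated extension specs, each "TYPE[,DATA...]";
  #                 supported: "ocspDR" and "AIA,<url>"
  # Globals: reads certSigner (issuer nickname, default TestCA) and PW_FILE;
  #          RET is set by repAndExec and also returned.
  # Returns: 1 for an empty or unsupported extension spec (the original only
  #          printed a message and issued the cert without the requested
  #          extension), otherwise certutil's exit status.
  # NOTE: only the first extension in extList is applied -- every case arm
  # ends in `break`, as in the original; presumably because the interactive
  # answers fed to certutil on stdin would have to be ordered to match its
  # prompts if several extensions were combined.
  local dir=$1 crtDir=$2 crtName=$3 crtSN=$4 req=$5 cuAddParam=$6 extList=$7
  local signer=${certSigner:-TestCA}
  local extCmdLine=""
  local extCmdFile=$dir/extInFile
  local ext

  rm -f -- "$extCmdFile"
  : > "$extCmdFile"

  # ';' -> ' ' and word-splitting is the intended way to iterate the list.
  for ext in ${extList//;/ }; do
    setExtData "$ext"
    if [ -z "$extType" ]; then
      echo "incorrect extention format"
      return 1
    fi
    case $extType in
      ocspDR)
        # -6 with these answers (copied from the original heredoc) marks the
        # cert as an OCSP responder; presumably the extended-key-usage prompt.
        extCmdLine="$extCmdLine -6"
        printf '%s\n' 5 9 y >> "$extCmdFile"
        break
        ;;
      AIA)
        # -9 adds Authority Information Access; data1 is the responder URL
        # taken from the spec.
        extCmdLine="$extCmdLine -9"
        printf '%s\n' 2 7 "$data1" 0 n n >> "$extCmdFile"
        break
        ;;
      *)
        echo "Unsupported extension type: $extType"
        return 1
        ;;
    esac
  done

  echo "cmdLine: $extCmdLine"
  echo "cmdFile: $(cat "$extCmdFile")"
  # shellcheck disable=SC2086  # cuAddParam and extCmdLine are option lists, split on purpose
  repAndExec \
    certutil $cuAddParam -C -c "$signer" -m "$crtSN" -v 599 -d "$dir" \
      -i "$req" -o "$crtDir/${crtName}.crt" -f "$PW_FILE" $extCmdLine <"$extCmdFile" 2>&1
  return "$RET"
}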
michael@0 107
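createSignedCert() {
  # Generate a key pair and request, have the test CA sign it, import the
  # result into the DB and export it as .crt and .p12 into certDir.
  # Arguments:
  #   $1 dir      NSS database directory (the temporary request "req" is
  #               written there too)
  #   $2 certDir  export directory for <certName>-<keyType>.crt / .p12
  #   $3 certName subject CN and nickname prefix
  #   $4 certSN   serial number
  #   $5 certSubj accepted for interface compatibility but unused; the subject
  #               is always built from certName and keyType
  #   $6 keyType  key type passed to certutil -k (rsa / dsa)
  #   $7 extList  extension spec list forwarded to signCert (may be empty)
  # Globals: writes CU_SUBJECT (read by repAndExec); reads PW_FILE, NOISE_FILE.
  # Returns: 0 on success, otherwise the failing step's status.
  # shellcheck disable=SC2034  # certSubj kept for the caller's argument order
  local dir=$1 certDir=$2 certName=$3 certSN=$4 certSubj=$5 keyType=$6 extList=$7
  local nick="${certName}-${keyType}"
  local rc

  echo "Creating cert $nick with SN=$certSN"

  CU_SUBJECT="CN=$certName, E=${nick}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  repAndExec \
    certutil -R -d "$dir" -f "$PW_FILE" -z "$NOISE_FILE" \
      -k "$keyType" -o "$dir/req" 2>&1
  [ "$RET" -ne 0 ] && return "$RET"

  signCert "$dir" "$dir" "$nick" "$certSN" "$dir/req" "" "$extList"
  rc=$?
  [ "$rc" -ne 0 ] && return "$rc"

  rm -f -- "$dir/req"

  repAndExec \
    certutil -A -n "$nick" -t "u,u,u" -d "$dir" -f "$PW_FILE" \
      -i "$dir/${nick}.crt" 2>&1
  [ "$RET" -ne 0 ] && return "$RET"

  # The copy was unchecked before: a failure left the .crt missing from
  # certDir while the function still reported success.
  cp -- "$dir/${nick}.crt" "$certDir/" || return 1

  # The PKCS#12 password ("iopr") is a fixed test value and is given on the
  # command line, so it is visible to other local users via ps.
  repAndExec \
    pk12util -d "$dir" -o "$certDir/${nick}.p12" -n "$nick" \
      -k "$PW_FILE" -W iopr
  [ "$RET" -ne 0 ] && return "$RET"
  return 0
}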
michael@0 144
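generateAndExportSSLCerts() {
  # Create the server certs (RSA and DSA) and four test user certs, all signed
  # by the test CA, and export them to certDir.
  # Arguments:
  #   $1 dir         NSS database directory
  #   $2 certDir     export directory
  #   $3 serverName  server cert CN (the FQDN)
  #   $4 servCertReq optional externally produced request; when it names an
  #                  existing file it is signed as <serverName>_ext
  # Globals: certSubj is forwarded to createSignedCert; it is never assigned
  #          in this file and createSignedCert ignores it.
  # Returns: 0 on success, else the failing step's status. (The original
  #          ended with `[ "$ret" -ne 0 ] && return $ret`, so it returned 1
  #          on success; callers check the global RET instead.)
  # NOTE(review): serial 501 is used both for the externally requested
  # <serverName>_ext cert and for the DSA server cert below; serials must be
  # unique per issuer. Left unchanged because the iopr tests may reference
  # these numbers -- confirm before renumbering.
  local dir=$1 certDir=$2 serverName=$3 servCertReq=$4
  local rc asciiFlag=""
  local spec name sn keyType

  if [ -n "$servCertReq" ] && [ -f "$servCertReq" ]; then
    # A PEM request carries a "... REQUEST ..." banner; in that case the
    # original passed -a (presumably ASCII input) to certutil.
    if grep -q -- REQUEST "$servCertReq" 2>/dev/null; then
      asciiFlag=-a
    fi
    signCert "$dir" "$certDir" "${serverName}_ext" 501 "$servCertReq" "$asciiFlag"
    rc=$?
    [ "$rc" -ne 0 ] && return "$rc"
  fi

  # name|serial|keytype, issued in the original order.
  for spec in \
    "$serverName|500|rsa" \
    "$serverName|501|dsa" \
    "TestUser510|510|rsa" \
    "TestUser511|511|dsa" \
    "TestUser512|512|rsa" \
    "TestUser513|513|dsa"
  do
    IFS='|' read -r name sn keyType <<<"$spec"
    createSignedCert "$dir" "$certDir" "$name" "$sn" "$certSubj" "$keyType"
    rc=$?
    [ "$rc" -ne 0 ] && return "$rc"
  done
  return 0
}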
michael@0 187
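issueCertSpecs() {
  # Issue one RSA cert per spec "name|serial|extensions" via createSignedCert;
  # stops at the first failure and returns its status.
  local dir=$1 certDir=$2
  shift 2
  local spec name sn ext rc
  for spec in "$@"; do
    IFS='|' read -r name sn ext <<<"$spec"
    createSignedCert "$dir" "$certDir" "$name" "$sn" "$certSubj" rsa "$ext"
    rc=$?
    [ "$rc" -ne 0 ] && return "$rc"
  done
  return 0
}

generateAndExportOCSPCerts() {
  # Create the OCSP test certs: the trusted and designated responders, user
  # certs whose AIA points at the responder ports, and a second CA
  # "TestCA-unknown" (not exported) with certs issued by it.
  # Nicknames are kept exactly as spelled (including "Unkown") because the
  # exported file names derive from them.
  # Arguments:
  #   $1 dir     NSS database directory
  #   $2 certDir export directory
  # Globals: sets certSigner (read by signCert) to TestCA-unknown for the
  #          last group and clears it on every return path -- the original
  #          left it set when a step failed; forwards the unassigned certSubj.
  # Returns: 0 on success, else the failing step's status. The check after
  #          generateAndExportCACert now uses $? (the original compared a
  #          stale $ret).
  local dir=$1 certDir=$2
  local rc

  issueCertSpecs "$dir" "$certDir" \
    "ocspTrustedResponder|525|" \
    "ocspDesignatedResponder|526|ocspDR" \
    "ocspTRTestUser514|514|" \
    "ocspTRTestUser516|516|" \
    "ocspRCATestUser518|518|AIA,http://dochinups.red.iplanet.com:2561" \
    "ocspRCATestUser520|520|AIA,http://dochinups.red.iplanet.com:2561" \
    "ocspDRTestUser522|522|AIA,http://dochinups.red.iplanet.com:2562" \
    "ocspDRTestUser524|524|AIA,http://dochinups.red.iplanet.com:2562"
  rc=$?
  [ "$rc" -ne 0 ] && return "$rc"

  # Empty export dir: the CA lives only in the DB, so relying parties never
  # see it -- the "unknown issuer" cases.
  generateAndExportCACert "$dir" "" TestCA-unknown
  rc=$?
  [ "$rc" -ne 0 ] && return "$rc"

  certSigner=TestCA-unknown
  issueCertSpecs "$dir" "$certDir" \
    "ocspTRUnkownIssuerCert|531|" \
    "ocspRCAUnkownIssuerCert|532|AIA,http://dochinups.red.iplanet.com:2561" \
    "ocspDRUnkownIssuerCert|533|AIA,http://dochinups.red.iplanet.com:2562"
  rc=$?
  certSigner=""

  return "$rc"
}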
michael@0 262
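generateAndExportCACert() {
  # Create a self-signed CA cert (certutil -S -x) with CA trust in the DB and,
  # when an export directory is given, write it out as .crt and .p12.
  # Arguments:
  #   $1 dir      NSS database directory
  #   $2 certDirL export directory; empty means "create in the DB only"
  #   $3 caName   nickname, default TestCA
  # Globals: writes CU_SUBJECT (read by repAndExec); reads PW_FILE, NOISE_FILE.
  # Returns: 0 on success, else the failing certutil/pk12util status. The
  #          original never checked the -S step and, on success, ended on a
  #          false `[` test so its status was 1; callers therefore test the
  #          global RET instead of $? and keep working with this version.
  local dir=$1 certDirL=$2 caName=$3
  local certName=${caName:-TestCA}
  # Answers to the interactive prompts raised by -1/-2 (presumably key usage
  # and basic constraints); kept exactly as the original heredoc.
  local prompts=$'5\n6\n9\nn\ny\n-1\nn'

  # $$ in the CN and serial presumably keeps CAs from different runs apart.
  # stderr is merged into stdout like the other certutil calls (the original
  # `>&1` was a no-op).
  CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  repAndExec \
    certutil -S -n "$certName" -t "CTu,CTu,CTu" -v 600 -x -d "$dir" -1 -2 \
      -f "$PW_FILE" -z "$NOISE_FILE" -m "$(( $$ + 2238 ))" 2>&1 <<<"$prompts"
  [ "$RET" -ne 0 ] && return "$RET"

  if [ -n "$certDirL" ]; then
    repAndExec \
      certutil -L -n "$certName" -r -d "$dir" -o "$certDirL/$certName.crt"
    [ "$RET" -ne 0 ] && return "$RET"

    # Fixed PKCS#12 password on the command line: test fixture only.
    repAndExec \
      pk12util -d "$dir" -o "$certDirL/$certName.p12" -n "$certName" -k "$PW_FILE" -W iopr
    [ "$RET" -ne 0 ] && return "$RET"
  fi
  return 0
}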
michael@0 293
michael@0 294
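generateCerts() {
  # Entry point: build (or reuse) an NSS DB with the test CA, issue every
  # server/user/OCSP cert into it, export them to certDir and write TestCA.crl.
  # Arguments:
  #   $1 certDir     export directory (created if missing)
  #   $2 serverName  server cert CN
  #   $3 reuseCACert optional existing DB directory containing nss.pwd,
  #                  nss.noise and a TestCA entry with "CTu" trust
  #   $4 servCertReq optional external request, see generateAndExportSSLCerts
  # Globals: sets PW_FILE and NOISE_FILE for the helpers.
  # Returns: 0 on success; exits 1 on argument/mkdir errors; otherwise the
  #          failing step's status. Helpers are checked through the global
  #          RET (set by repAndExec) as in the original, because not every
  #          helper ends with a clean `return`.
  # Changes from the original:
  #   * the scratch DB comes from mktemp -d (mode 0700, so nss.pwd is not
  #     world-readable) instead of the predictable /tmp/db.$$; the old
  #     `rm -f $dir` could not remove a pre-existing directory anyway;
  #   * a reused DB without the CA key now returns 1 -- the old `return $RET`
  #     read RET from a pipeline subshell and effectively returned 0;
  #   * only the scratch DB is deleted at the end; the original's `rm -rf $dir`
  #     ran in both branches and deleted a caller-supplied reuse DB too.
  local certDir=$1 serverName=$2 reuseCACert=$3 servCertReq=$4
  local dir scratchDb="" hasKey crlUpdate crlNextUpdate crlIni

  [ -z "$certDir" ] && { echo "Cert directory should not be empty"; exit 1; }
  [ -z "$serverName" ] && { echo "Server name should not be empty"; exit 1; }

  mkdir -p -- "$certDir" || { echo "Can not create dir: $certDir"; exit 1; }

  if [ -z "$reuseCACert" ]; then
    dir=$(mktemp -d "${TMPDIR:-/tmp}/db.XXXXXX") \
      || { echo "Can not create dir: ${TMPDIR:-/tmp}/db.XXXXXX"; exit 1; }
    scratchDb=$dir
    PW_FILE=$dir/nss.pwd
    NOISE_FILE=$dir/nss.noise

    # Fixed DB password and a low-entropy noise file: acceptable for throwaway
    # test certs only; never reuse this DB for anything real.
    echo nss > "$PW_FILE"
    date >> "$NOISE_FILE" 2>&1

    repAndExec certutil -d "$dir" -N -f "$PW_FILE"
    [ "$RET" -ne 0 ] && return "$RET"

    generateAndExportCACert "$dir" "$certDir"
    [ "$RET" -ne 0 ] && return "$RET"
  else
    dir=$reuseCACert
    PW_FILE=$dir/nss.pwd
    NOISE_FILE=$dir/nss.noise
    # "CTu" on the TestCA line is taken as proof that the private key is
    # present (same heuristic as the original).
    hasKey=$(repAndExec certutil -d "$dir" -L | grep TestCA | grep CTu)
    if [ -z "$hasKey" ]; then
      echo "reuse CA cert has not priv key"
      return 1
    fi
  fi

  generateAndExportSSLCerts "$dir" "$certDir" "$serverName" "$servCertReq"
  [ "$RET" -ne 0 ] && return "$RET"

  generateAndExportOCSPCerts "$dir" "$certDir"
  [ "$RET" -ne 0 ] && return "$RET"

  # nextUpdate = thisUpdate with the first "20" bumped to "21", i.e. a century
  # ahead as long as the year starts with 20 (same substitution as the original).
  crlUpdate=$(date +%Y%m%d%H%M%SZ)
  crlNextUpdate=${crlUpdate/20/21}
  # Revoked serials: 509-511 covers TestUser510/511, 516/520/524 are the
  # ocsp*TestUser certs with those serials.
  printf -v crlIni '%s\n' \
    "update=$crlUpdate" \
    "nextupdate=$crlNextUpdate" \
    "addcert 509-511 $crlUpdate" \
    "addcert 516 $crlUpdate" \
    "addcert 520 $crlUpdate" \
    "addcert 524 $crlUpdate"
  repAndExec \
    crlutil -d "$dir" -G -n "TestCA" -f "$PW_FILE" -o "$certDir/TestCA.crl" <<<"${crlIni%$'\n'}"
  [ "$RET" -ne 0 ] && return "$RET"

  # As before, the scratch DB is kept when a step failed (useful for debugging).
  [ -n "$scratchDb" ] && rm -rf -- "$scratchDb"
  return 0
}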
michael@0 360
michael@0 361
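# Script entry: <dest dir> <server cert name> [reuse CA cert] [cert req].
# The usage line goes to stderr so it does not mix with the command log the
# helpers print on stdout.
if [ -z "$1" ] || [ -z "$2" ]; then
  echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]" >&2
  exit 1
fi
# Every argument is quoted so an absent reuse directory still leaves the
# request file in the fourth position.
generateCerts "$1" "$2" "$3" "$4"
exit $?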
