security/nss/tests/merge/merge.sh

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 #! /bin/bash
michael@0 2 #
michael@0 3 # This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 # License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0 6
michael@0 7 ########################################################################
michael@0 8 #
michael@0 9 # mozilla/security/nss/tests/merge/merge.sh
michael@0 10 #
michael@0 11 # Script to test NSS merge
michael@0 12 #
michael@0 13 # needs to work on all Unix and Windows platforms
michael@0 14 #
michael@0 15 # special strings
michael@0 16 # ---------------
michael@0 17 # FIXME ... known problems, search for this string
michael@0 18 # NOTE .... unexpected behavior
michael@0 19 #
michael@0 20 ########################################################################
michael@0 21
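############################## merge_init ##############################
# local shell function to initialize this script
#
# Globals read:    NSS_DEFAULT_DB_TYPE CLEANUP INIT_SOURCED CERT_LOG_FILE
#                  QADIR HOSTDIR version MULTIACCESS_DBM R_ALICEDIR R_CADIR
#                  R_PWFILE TEST_MODE BINDIR P_R_ALICEDIR
# Globals written: SCRIPTNAME HAS_EXPLICIT_DB CLEANUP VALUE1 VALUE3 MERGEDIR
#                  R_MERGEDIR D_MERGE P_R_SDR D_SDR PROFILE CONFLICT1DIR
#                  CONFLICT2DIR NSS_DEFAULT_DB_TYPE TEST_MODE
# Side effects:    may source init.sh, cert.sh and sdr.sh; creates and
#                  changes into ${MERGEDIR}; exits via Exit when cert.sh
#                  did not pass or the merge directory is unusable.
########################################################################
merge_init()
{
    SCRIPTNAME=merge.sh      # sourced - $0 would point to all.sh
    # Remember whether the caller pinned the database type; the standalone
    # upgrade mode at the end of this function only kicks in when it did not.
    HAS_EXPLICIT_DB=0
    if [ -n "${NSS_DEFAULT_DB_TYPE}" ]; then
        HAS_EXPLICIT_DB=1
    fi

    if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
        CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
    fi

    # An unset INIT_SOURCED is also != TRUE, so one test covers both cases.
    if [ "${INIT_SOURCED}" != "TRUE" ]; then
        cd ../common
        . ./init.sh
    fi
    if [ ! -r "${CERT_LOG_FILE}" ]; then  # we need certificates here
        cd "${QADIR}/cert"
        . ./cert.sh
    fi

    if [ ! -d "${HOSTDIR}/SDR" ]; then
        cd "${QADIR}/sdr"
        . ./sdr.sh
    fi
    # Re-set after sourcing: the scripts above presumably set their own
    # SCRIPTNAME (not visible here - confirm in cert.sh/sdr.sh).
    SCRIPTNAME=merge.sh

    html_head "Merge Tests"

    # need the SSL & SMIME directories from cert.sh
    grep "SUCCESS: SMIME passed" "${CERT_LOG_FILE}" >/dev/null || {
        Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
    }
    grep "SUCCESS: SSL passed" "${CERT_LOG_FILE}" >/dev/null || {
        Exit 8 "Fatal - SSL of cert.sh needs to pass first"
    }

    # temporary files for SDR tests (VALUE1 is written by sdr.sh, read here)
    VALUE1=${HOSTDIR}/tests.v1.$$
    VALUE3=${HOSTDIR}/tests.v3.$$

    # local directories used in this test.
    MERGEDIR=${HOSTDIR}/merge
    R_MERGEDIR=../merge
    D_MERGE="merge.$version"
    # SDR not initialized in common/init
    P_R_SDR=../SDR
    D_SDR="SDR.$version"
    mkdir -p "${MERGEDIR}"

    PROFILE=.
    if [ -n "${MULTIACCESS_DBM}" ]; then
        PROFILE="multiaccess:${D_MERGE}"
        P_R_SDR="multiaccess:${D_SDR}"
    fi

    # Everything below works relative to the merge directory. The unqualified
    # "rm -f *.db" must never run anywhere else, so a failed cd is fatal
    # instead of silently operating on whatever the current directory is.
    cd "${MERGEDIR}" || Exit 11 "Fatal - cannot cd to ${MERGEDIR}"

    # clear out any existing databases, potentially from a previous run.
    rm -f -- *.db

    # copy alicedir over as a seed database.
    cp "${R_ALICEDIR}"/* .
    # copy the smime text samples
    cp "${QADIR}"/smime/*.txt .

    # create a set of conflicting names.
    CONFLICT1DIR=conflict1
    CONFLICT2DIR=conflict2
    mkdir "${CONFLICT1DIR}"
    mkdir "${CONFLICT2DIR}"
    # in the upgrade mode (dbm->sql), make sure our test databases
    # are dbm databases: an empty NSS_DEFAULT_DB_TYPE selects the old format.
    if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
        save=${NSS_DEFAULT_DB_TYPE}
        NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
    fi

    # Both databases get the same three nicknames so the merge has to
    # rename them (see the "Alice #4"/"Alice #100" checks in merge_main).
    certutil -N -d "${CONFLICT1DIR}" -f "${R_PWFILE}"
    certutil -N -d "${CONFLICT2DIR}" -f "${R_PWFILE}"
    certutil -A -n Alice -t ,, -i "${R_CADIR}/TestUser41.cert" -d "${CONFLICT1DIR}"
    certutil -A -n "Alice #1" -t ,, -i "${R_CADIR}/TestUser42.cert" -d "${CONFLICT1DIR}"
    certutil -A -n "Alice #99" -t ,, -i "${R_CADIR}/TestUser43.cert" -d "${CONFLICT1DIR}"
    certutil -A -n Alice -t ,, -i "${R_CADIR}/TestUser44.cert" -d "${CONFLICT2DIR}"
    certutil -A -n "Alice #1" -t ,, -i "${R_CADIR}/TestUser45.cert" -d "${CONFLICT2DIR}"
    certutil -A -n "Alice #99" -t ,, -i "${R_CADIR}/TestUser46.cert" -d "${CONFLICT2DIR}"
    if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
        NSS_DEFAULT_DB_TYPE=${save}; export NSS_DEFAULT_DB_TYPE
    fi

    #
    # allow all the tests to run in standalone mode.
    # in standalone mode, TEST_MODE is not set.
    # if NSS_DEFAULT_DB_TYPE is dbm, then test merge with dbm
    # if NSS_DEFAULT_DB_TYPE is sql, then test merge with sql
    # if NSS_DEFAULT_DB_TYPE is not set, then test database upgrade merge
    # from dbm databases (created above) into a new sql db.
    if [ -z "${TEST_MODE}" ] && [ "${HAS_EXPLICIT_DB}" -eq 0 ]; then
        echo "*** Using Standalone Upgrade DB mode"
        NSS_DEFAULT_DB_TYPE=sql; export NSS_DEFAULT_DB_TYPE
        echo certutil --upgrade-merge --source-dir "${P_R_ALICEDIR}" --upgrade-id local -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
        "${BINDIR}/certutil" --upgrade-merge --source-dir "${P_R_ALICEDIR}" --upgrade-id local -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
        TEST_MODE=UPGRADE_DB
    fi
}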
michael@0 133
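#
# this allows us to run this test for both merge and upgrade-merge cases.
# merge_cmd takes the potential upgrade-id and the rest of the certutil
# arguments.
#
# Arguments: $1   - upgrade id, only used when TEST_MODE is UPGRADE_DB
#            $2.. - passed through to certutil unchanged (as separate words,
#                   so values containing spaces survive)
# Globals read:    TEST_MODE PROFTOOL BINDIR
# Globals written: MERGE_CMD (the certutil mode options, as an array)
# Outputs:  echoes the command line, then runs certutil
# Returns:  the exit status of certutil
#
merge_cmd()
{
    if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
        MERGE_CMD=(--upgrade-merge --upgrade-token-name OldDB --upgrade-id "${1}")
    else
        MERGE_CMD=(--merge)
    fi
    # drop the upgrade id; guard so a call without arguments does not
    # trip "shift count out of range"
    if [ $# -gt 0 ]; then
        shift
    fi
    echo certutil "${MERGE_CMD[@]}" "$@"
    # PROFTOOL is deliberately unquoted: it may be empty or carry its own
    # arguments (e.g. a profiler wrapper).
    ${PROFTOOL} "${BINDIR}/certutil" "${MERGE_CMD[@]}" "$@"
}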
michael@0 149
michael@0 150
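############################## merge_main ##############################
# local shell function to run the merge tests
#
# Globals read:    SCRIPTNAME PROFILE VALUE1 VALUE3 R_PWFILE PROFTOOL BINDIR
#                  P_R_DAVEDIR P_R_SERVERDIR P_R_EXT_CLIENTDIR CONFLICT1DIR
#                  CONFLICT2DIR P_R_SDR
# Globals written: MERGE_ID (set per step; not read anywhere in this file)
# Outputs:  progress lines on stdout; each result is recorded via html_msg
#
# PROFTOOL is deliberately left unquoted throughout: it may be empty or
# carry its own arguments.
########################################################################
merge_main()
{
    # first create a local sdr key and encrypt some data with it
    # This will cause a collision with the SDR key in ../SDR.
    echo "$SCRIPTNAME: Creating an SDR key & Encrypt"
    echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}"
    ${PROFTOOL} "${BINDIR}/sdrtest" -d "${PROFILE}" -o "${VALUE3}" -t Test2 -f "${R_PWFILE}"
    html_msg $? 0 "Creating SDR Key"

    # Now merge in Dave
    # Dave's cert is already in alicedir, but his key isn't. This will make
    # sure we are updating the keys and CKA_ID's on the certificate properly.
    MERGE_ID=dave
    echo "$SCRIPTNAME: Merging in Key for Existing user"
    merge_cmd dave --source-dir "${P_R_DAVEDIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
    html_msg $? 0 "Merging Dave"

    # Merge in server
    # contains a CRL and new user certs
    MERGE_ID=server
    echo "$SCRIPTNAME: Merging in new user "
    merge_cmd server --source-dir "${P_R_SERVERDIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
    html_msg $? 0 "Merging server"

    # Merge in ext_client
    # contains a new certificate chain and additional trust flags
    MERGE_ID=ext_client
    echo "$SCRIPTNAME: Merging in new chain "
    merge_cmd ext_client --source-dir "${P_R_EXT_CLIENTDIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
    html_msg $? 0 "Merging ext_client"

    # Merge conflicting nicknames in conflict1dir
    # contains several certificates with nicknames that conflict with the target
    # database
    MERGE_ID=conflict1
    echo "$SCRIPTNAME: Merging in conflicting nicknames 1"
    merge_cmd conflict1 --source-dir "${CONFLICT1DIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
    html_msg $? 0 "Merging conflicting nicknames 1"

    # Merge conflicting nicknames in conflict2dir
    # contains several certificates with nicknames that conflict with the target
    # database
    MERGE_ID=conflict2
    # (log line previously said "1" here, which made the two steps
    # indistinguishable in the output)
    echo "$SCRIPTNAME: Merging in conflicting nicknames 2"
    merge_cmd conflict2 --source-dir "${CONFLICT2DIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
    html_msg $? 0 "Merging conflicting nicknames 2"

    # Make sure conflicted names were properly sorted out.
    # NOTE: these two checks call certutil from PATH, unlike the
    # ${BINDIR}/certutil invocations elsewhere in this function.
    echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #4)"
    certutil -L -n "Alice #4" -d "${PROFILE}"
    html_msg $? 0 "Verify nicknames were deconflicted (Alice #4)"

    # Make sure conflicted names were properly sorted out.
    echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #100)"
    certutil -L -n "Alice #100" -d "${PROFILE}"
    html_msg $? 0 "Verify nicknames were deconflicted (Alice #100)"

    # Merge in SDR
    # contains a secret SDR key
    MERGE_ID=SDR
    echo "$SCRIPTNAME: Merging in SDR "
    merge_cmd sdr --source-dir "${P_R_SDR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
    html_msg $? 0 "Merging SDR"

    # insert a listing of the database into the log for diagnostic purposes
    "${BINDIR}/certutil" -L -d "${PROFILE}"
    "${BINDIR}/crlutil" -L -d "${PROFILE}"

    # Make sure we can decrypt with our original SDR key generated above
    echo "$SCRIPTNAME: Decrypt - With Original SDR Key"
    echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}"
    ${PROFTOOL} "${BINDIR}/sdrtest" -d "${PROFILE}" -i "${VALUE3}" -t Test2 -f "${R_PWFILE}"
    html_msg $? 0 "Decrypt - Value 3"

    # Make sure we can decrypt with the SDR key merged in from ../SDR
    echo "$SCRIPTNAME: Decrypt - With Merged SDR Key"
    echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}"
    ${PROFTOOL} "${BINDIR}/sdrtest" -d "${PROFILE}" -i "${VALUE1}" -t Test1 -f "${R_PWFILE}"
    html_msg $? 0 "Decrypt - Value 1"

    # Make sure we can sign with the merged key (the digest is whatever the
    # fixture uses; the point of the step is that Dave's key is usable)
    echo "$SCRIPTNAME: Signing with merged key ------------------"
    echo "cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig"
    ${PROFTOOL} "${BINDIR}/cmsutil" -S -T -N Dave -H SHA1 -i alice.txt -d "${PROFILE}" -p nss -o dave.dsig
    html_msg $? 0 "Create Detached Signature Dave" "."

    echo "cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} "
    ${PROFTOOL} "${BINDIR}/cmsutil" -D -i dave.dsig -c alice.txt -d "${PROFILE}"
    html_msg $? 0 "Verifying Dave's Detached Signature"

    # Make sure that trust objects were properly merged
    echo "$SCRIPTNAME: verifying merged cert ------------------"
    echo "certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}"
    ${PROFTOOL} "${BINDIR}/certutil" -V -n ExtendedSSLUser -u C -d "${PROFILE}"
    html_msg $? 0 "Verifying ExtendedSSL User Cert"

    # Make sure that the crl got properly copied in
    echo "$SCRIPTNAME: verifying merged crl ------------------"
    echo "crlutil -L -n TestCA -d ${PROFILE}"
    ${PROFTOOL} "${BINDIR}/crlutil" -L -n TestCA -d "${PROFILE}"
    html_msg $? 0 "Verifying TestCA CRL"
}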
michael@0 255
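############################## merge_cleanup ##########################
# local shell function to finish this script (no exit since it might be
# sourced)
#
# Globals read: QADIR
# Side effects: closes the HTML result table and sources common/cleanup.sh
#               from ${QADIR}; returns non-zero without sourcing anything
#               if the cd fails, so the relative path cannot resolve
#               against an unrelated directory.
########################################################################
merge_cleanup()
{
    html "</TABLE><BR>"
    cd "${QADIR}" || return 1
    . common/cleanup.sh
}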
michael@0 266
################## main #################################################
# Run the three phases in order; merge_init has to go first because it
# sources the helper scripts and changes into the working directory the
# other two rely on.
merge_init ; merge_main ; merge_cleanup
michael@0 272
