security/nss/tests/iopr/server_scr/cert_gen.sh

branch
TOR_BUG_9701
changeset 15
b8a032363ba2
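--- a/security/nss/tests/iopr/server_scr/cert_gen.sh
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
@@ -0,0 +1,367 @@
+#!/bin/bash
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+######################################################################################
+# Server and client certs and crl generator functions. Generated files placed in a <dir>
+# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
+# This functions is used for manual webserver configuration and it is not a part of
+# nss test run.
+# To create certs use the following command:
+# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
+# Where:
+# dir - directory where to place created files
+# cert name - name of created server cert(FQDN)
+# cert req - cert request to be used for cert generation.
+#
+repAndExec() {
+echo
+if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
+shift
+echo certutil -s "$CU_SUBJECT" $@
+certutil -s "$CU_SUBJECT" $@
+RET=$?
+else
+echo $@
+$@
+RET=$?
+fi
+
+return $RET
+}
+
+setExtData() {
+extData=$1
+
+fldNum=0
+extData=`echo $extData | sed 's/,/ /g'`
+for extDT in $extData; do
+if [ $fldNum -eq 0 ]; then
+eval extType=$extDT
+fldNum=1
+continue
+fi
+eval data${fldNum}=$extDT
+fldNum=`expr $fldNum + 1`
+done
+}
+
+signCert() {
+dir=$1
+crtDir=$2
+crtName=$3
+crtSN=$4
+req=$5
+cuAddParam=$6
+extList=$7
+
+if [ -z "$certSigner" ]; then
+certSigner=TestCA
+fi
+
+extCmdLine=""
+extCmdFile=$dir/extInFile; rm -f $extCmdFile
+touch $extCmdFile
+extList=`echo $extList | sed 's/;/ /g'`
+for ext in $extList; do
+setExtData $ext
+[ -z "$extType" ] && echo "incorrect extention format" && return 1
+case $extType in
+ocspDR)
+extCmdLine="$extCmdLine -6"
+cat <<EOF >> $extCmdFile
+5
+9
+y
+EOF
+break
+exit 1
+;;
+AIA)
+extCmdLine="$extCmdLine -9"
+cat <<EOF >> $extCmdFile
+2
+7
+$data1
+0
+n
+n
+EOF
+break
+;;
+*)
+echo "Unsupported extension type: $extType"
+break
+;;
+esac
+done
+echo "cmdLine: $extCmdLine"
+echo "cmdFile: "`cat $extCmdFile`
+repAndExec \
+certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
+-i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
+return $RET
+}
+
+createSignedCert() {
+dir=$1
+certDir=$2
+certName=$3
+certSN=$4
+certSubj=$5
+keyType=$6
+extList=$7
+
+echo Creating cert $certName-$keyType with SN=$certSN
+
+CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+repAndExec \
+certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
+-k $keyType -o $dir/req 2>&1
+[ "$RET" -ne 0 ] && return $RET
+
+signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+rm -f $dir/req
+
+repAndExec \
+certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
+-i "$dir/${certName}-$keyType.crt" 2>&1
+[ "$RET" -ne 0 ] && return $RET
+
+cp "$dir/${certName}-$keyType.crt" $certDir
+
+repAndExec \
+pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
+-k ${PW_FILE} -W iopr
+[ "$RET" -ne 0 ] && return $RET
+return 0
+}
+
+generateAndExportSSLCerts() {
+dir=$1
+certDir=$2
+serverName=$3
+servCertReq=$4
+
+if [ "$servCertReq" -a -f $servCertReq ]; then
+grep REQUEST $servCertReq >/dev/null 2>&1
+signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+fi
+
+certName=$serverName
+createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=TestUser510
+createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=TestUser511
+createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=TestUser512
+createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=TestUser513
+createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+}
+
+generateAndExportOCSPCerts() {
+dir=$1
+certDir=$2
+
+certName=ocspTrustedResponder
+createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=ocspDesignatedResponder
+createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=ocspTRTestUser514
+createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=ocspTRTestUser516
+createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=ocspRCATestUser518
+createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
+AIA,http://dochinups.red.iplanet.com:2561
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=ocspRCATestUser520
+createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
+AIA,http://dochinups.red.iplanet.com:2561
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=ocspDRTestUser522
+createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
+AIA,http://dochinups.red.iplanet.com:2562
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=ocspDRTestUser524
+createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
+AIA,http://dochinups.red.iplanet.com:2562
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+generateAndExportCACert $dir "" TestCA-unknown
+[ $? -ne 0 ] && return $ret
+
+certSigner=TestCA-unknown
+
+certName=ocspTRUnkownIssuerCert
+createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=ocspRCAUnkownIssuerCert
+createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
+AIA,http://dochinups.red.iplanet.com:2561
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certName=ocspDRUnkownIssuerCert
+createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
+AIA,http://dochinups.red.iplanet.com:2562
+ret=$?
+[ "$ret" -ne 0 ] && return $ret
+
+certSigner=""
+
+return 0
+}
+
+generateAndExportCACert() {
+dir=$1
+certDirL=$2
+caName=$3
+
+certName=TestCA
+[ "$caName" ] && certName=$caName
+CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+repAndExec \
+certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
+-f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
+5
+6
+9
+n
+y
+-1
+n
+EOF
+
+if [ "$certDirL" ]; then
+repAndExec \
+certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
+[ "$RET" -ne 0 ] && return $RET
+
+repAndExec \
+pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
+[ "$RET" -ne 0 ] && return $RET
+fi
+}
+
+
+generateCerts() {
+certDir=$1
+serverName=$2
+reuseCACert=$3
+servCertReq=$4
+
+[ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
+[ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
+
+mkdir -p $certDir
+[ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
+
+
+dir=/tmp/db.$$
+if [ -z "$reuseCACert" ]; then
+if [ -d "$dir" ]; then
+rm -f $dir
+fi
+
+PW_FILE=$dir/nss.pwd
+NOISE_FILE=$dir/nss.noise
+
+mkdir -p $dir
+[ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
+
+echo nss > $PW_FILE
+date >> ${NOISE_FILE} 2>&1
+
+repAndExec \
+certutil -d $dir -N -f $PW_FILE
+[ "$RET" -ne 0 ] && return $RET
+
+generateAndExportCACert $dir $certDir
+[ "$RET" -ne 0 ] && return $RET
+else
+dir=$reuseCACert
+PW_FILE=$dir/nss.pwd
+NOISE_FILE=$dir/nss.noise
+hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
+[ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
+return $RET;
+fi
+
+generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
+[ "$RET" -ne 0 ] && return $RET
+
+generateAndExportOCSPCerts $dir $certDir
+[ "$RET" -ne 0 ] && return $RET
+
+crlUpdate=`date +%Y%m%d%H%M%SZ`
+crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
+repAndExec \
+crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
+update=$crlUpdate
+nextupdate=$crlNextUpdate
+addcert 509-511 $crlUpdate
+addcert 516 $crlUpdate
+addcert 520 $crlUpdate
+addcert 524 $crlUpdate
+EOF_CRLINI
+[ "$RET" -ne 0 ] && return $RET
+
+rm -rf $dir
+return 0
+}
+
+
+if [ -z "$1" -o -z "$2" ]; then
+echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
+exit 1
+fi
+generateCerts $1 $2 "$3" $4
+exit $?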
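Review bot: The unconditional `rm -rf $dir` at file line 357 in generateCerts runs in both branches, but the reuse branch at line 330 sets `dir=$reuseCACert`, so a successful run deletes the caller's existing CA database directory (key material included); guard it with `[ -z "$reuseCACert" ] && rm -rf -- "${dir:?}"`. Line 308's `dir=/tmp/db.$$` is a predictable name in a shared directory and line 311's `rm -f $dir` does not remove a directory, so a `/tmp/db.<pid>` that already exists — along with anything already inside it — is silently reused for the password file and the NSS DB; `dir=$(mktemp -d) || exit 1` replaces lines 308-312 and fixes both. In the reuse branch, lines 333-335 check `$RET` after a command substitution, but the assignment made inside that subshell never reaches the parent shell, so the "has not priv key" path returns success; use `return 1` there. Separately, generateAndExportCACert never tests `$RET` after the `certutil -S` at line 272, and its `>&1` looks like a typo for `2>&1`, so a failed CA creation is only noticed when later signing steps fail.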
