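--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -0,0 +1,185 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Usage: ./generate_certs.sh <path to objdir> <output directory>
+# e.g. (from the root of mozilla-central)
+# `./security/manager/ssl/tests/unit/tlsserver/generate_certs.sh \
+# obj-x86_64-unknown-linux-gnu/ \
+# security/manager/ssl/tests/unit/tlsserver/`
+#
+# NB: This will cause the following files to be overwritten if they are in
+# the output directory:
+# cert8.db, key3.db, secmod.db, ocsp-ca.der, ocsp-other-ca.der, default-ee.der
+# NB: You must run genHPKPStaticPins.js after running this file, since its
+# output (StaticHPKPins.h) depends on default-ee.der
+
+set -x
+set -e
+
+if [ $# -ne 2 ]; then
+ echo "Usage: `basename ${0}` <path to objdir> <output directory>"
+ exit $E_BADARGS
+fi
+
+OBJDIR=${1}
+OUTPUT_DIR=${2}
+RUN_MOZILLA="$OBJDIR/dist/bin/run-mozilla.sh"
+CERTUTIL="$OBJDIR/dist/bin/certutil"
+# On BSD, mktemp requires either a template or a prefix.
+MKTEMP="mktemp temp.XXXX"
+
+NOISE_FILE=`$MKTEMP`
+# Make a good effort at putting something unique in the noise file.
+date +%s%N > "$NOISE_FILE"
+PASSWORD_FILE=`$MKTEMP`
+
+function cleanup {
+ rm -f "$NOISE_FILE" "$PASSWORD_FILE"
+}
+
+if [ ! -f "$RUN_MOZILLA" ]; then
+ echo "Could not find run-mozilla.sh at \'$RUN_MOZILLA\' - I'll try without it"
+ RUN_MOZILLA=""
+fi
+
+if [ ! -f "$CERTUTIL" ]; then
+ echo "Could not find certutil at \'$CERTUTIL\'"
+ exit $E_BADARGS
+fi
+
+if [ ! -d "$OUTPUT_DIR" ]; then
+ echo "Could not find output directory at \'$OUTPUT_DIR\'"
+ exit $E_BADARGS
+fi
+
+if [ -f "$OUTPUT_DIR/cert8.db" -o -f "$OUTPUT_DIR/key3.db" -o -f "$OUTPUT_DIR/secmod.db" ]; then
+ echo "Found pre-existing NSS DBs. Clobbering old OCSP certs."
+ rm -f "$OUTPUT_DIR/cert8.db" "$OUTPUT_DIR/key3.db" "$OUTPUT_DIR/secmod.db"
+fi
+$RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -N -f $PASSWORD_FILE
+
+COMMON_ARGS="-v 360 -w -1 -2 -z $NOISE_FILE"
+
+function make_CA {
+ CA_RESPONSES="y\n1\ny"
+ NICKNAME="${1}"
+ SUBJECT="${2}"
+ DERFILE="${3}"
+
+ echo -e "$CA_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \
+ -n $NICKNAME \
+ -s "$SUBJECT" \
+ -t "CT,," \
+ -x $COMMON_ARGS
+ $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -L -n $NICKNAME -r > $OUTPUT_DIR/$DERFILE
+}
+
+SERIALNO=1
+
+function make_INT {
+ INT_RESPONSES="y\n0\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
+ NICKNAME="${1}"
+ SUBJECT="${2}"
+ CA="${3}"
+ EXTRA_ARGS="${4}"
+
+ echo -e "$INT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \
+ -n $NICKNAME \
+ -s "$SUBJECT" \
+ -c $CA \
+ -t ",," \
+ -m $SERIALNO \
+ --extAIA \
+ $COMMON_ARGS \
+ $EXTRA_ARGS
+ SERIALNO=$(($SERIALNO + 1))
+}
+
+function make_EE {
+ CERT_RESPONSES="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
+ NICKNAME="${1}"
+ SUBJECT="${2}"
+ CA="${3}"
+ SUBJECT_ALT_NAME="${4}"
+ EXTRA_ARGS="${5} ${6}"
+
+ echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \
+ -n $NICKNAME \
+ -s "$SUBJECT" \
+ -8 $SUBJECT_ALT_NAME \
+ -c $CA \
+ -t ",," \
+ -m $SERIALNO \
+ --extAIA \
+ $COMMON_ARGS \
+ $EXTRA_ARGS
+ SERIALNO=$(($SERIALNO + 1))
+}
+
+function make_delegated {
+ CERT_RESPONSES="n\n\ny\n"
+ NICKNAME="${1}"
+ SUBJECT="${2}"
+ CA="${3}"
+ EXTRA_ARGS="${4}"
+
+ echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \
+ -n $NICKNAME \
+ -s "$SUBJECT" \
+ -c $CA \
+ -t ",," \
+ -m $SERIALNO \
+ $COMMON_ARGS \
+ $EXTRA_ARGS
+ SERIALNO=$(($SERIALNO + 1))
+}
+
+make_CA testCA 'CN=Test CA' test-ca.der
+make_CA otherCA 'CN=Other test CA' other-test-ca.der
+
+make_EE localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com"
+# Make an EE cert issued by otherCA
+make_EE otherIssuerEE 'CN=Wrong CA Pin Test End-Entity' otherCA "*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com"
+
+$RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -L -n localhostAndExampleCom -r > $OUTPUT_DIR/default-ee.der
+# A cert that is like localhostAndExampleCom, but with a different serial number for
+# testing the "OCSP response is from the right issuer, but it is for the wrong cert"
+# case.
+make_EE ocspOtherEndEntity 'CN=Other Cert' testCA "localhost,*.example.com"
+
+make_INT testINT 'CN=Test Intermediate' testCA
+make_EE ocspEEWithIntermediate 'CN=Test End-entity with Intermediate' testINT "localhost,*.example.com"
+make_EE expired 'CN=Expired Test End-entity' testCA "expired.example.com" "-w -400"
+make_EE mismatch 'CN=Mismatch Test End-entity' testCA "doesntmatch.example.com"
+make_EE selfsigned 'CN=Self-signed Test End-entity' testCA "selfsigned.example.com" "-x"
+# If the certificate 'CN=Test Intermediate' isn't loaded into memory,
+# this certificate will have an unknown issuer.
+make_INT deletedINT 'CN=Test Intermediate to delete' testCA
+make_EE unknownissuer 'CN=Test End-entity from unknown issuer' deletedINT "unknownissuer.example.com"
+$RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -D -n deletedINT
+make_INT expiredINT 'CN=Expired Test Intermediate' testCA "-w -400"
+make_EE expiredissuer 'CN=Test End-entity with expired issuer' expiredINT "expiredissuer.example.com"
+NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature 'CN=Test End-entity with MD5 signature' testCA "md5signature.example.com" "-Z MD5"
+make_EE untrustedissuer 'CN=Test End-entity with untrusted issuer' otherCA "untrustedissuer.example.com"
+
+make_EE mismatch-expired 'CN=Mismatch-Expired Test End-entity' testCA "doesntmatch.example.com" "-w -400"
+make_EE mismatch-untrusted 'CN=Mismatch-Untrusted Test End-entity' otherCA "doesntmatch.example.com"
+make_EE untrusted-expired 'CN=Untrusted-Expired Test End-entity' otherCA "untrusted-expired.example.com" "-w -400"
+make_EE mismatch-untrusted-expired 'CN=Mismatch-Untrusted-Expired Test End-entity' otherCA "doesntmatch.example.com" "-w -400"
+NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature-expired 'CN=Test MD5Signature-Expired End-entity' testCA "md5signature-expired.example.com" "-Z MD5" "-w -400"
+
+make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
+make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
+
+make_delegated delegatedSigner 'CN=Test Delegated Responder' testCA "--extKeyUsage ocspResponder"
+make_delegated invalidDelegatedSignerNoExtKeyUsage 'CN=Test Invalid Delegated Responder No extKeyUsage' testCA
+make_delegated invalidDelegatedSignerFromIntermediate 'CN=Test Invalid Delegated Responder From Intermediate' testINT "--extKeyUsage ocspResponder"
+make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegated Responder keyUsage crlSigning' testCA "--keyUsage crlSigning"
+make_delegated invalidDelegatedSignerWrongExtKeyUsage 'CN=Test Invalid Delegated Responder Wrong extKeyUsage' testCA "--extKeyUsage codeSigning"
+
+make_INT self-signed-EE-with-cA-true 'CN=Test Self-signed End-entity with CA true' unused "-x -8 self-signed-end-entity-with-cA-true.example.com"
+
+cleanup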
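Review bot: `E_BADARGS` is never assigned anywhere in this file, so the three `exit $E_BADARGS` lines (after the argument-count check, the missing-certutil check and the missing-output-directory check) expand to a bare `exit`, which returns the status of the preceding `echo` — the script reports success precisely when it has refused to run, and a caller or build step chaining on its exit code will not notice. Define the value once near the top, e.g. `E_BADARGS=65` right after `set -e`, or replace the three uses with `exit 1`. Separately, `cleanup` runs only as the last statement, so any certutil failure under `set -e` leaves the `temp.XXXX` noise and password files behind in the current directory; registering it with `trap cleanup EXIT` immediately after its definition covers every exit path.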