security/nss/tests/cert/cert.sh

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/security/nss/tests/cert/cert.sh	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,1728 @@
     1.4 +#! /bin/bash
     1.5 +#
     1.6 +# This Source Code Form is subject to the terms of the Mozilla Public
     1.7 +# License, v. 2.0. If a copy of the MPL was not distributed with this
     1.8 +# file, You can obtain one at http://mozilla.org/MPL/2.0/.
     1.9 +
    1.10 +########################################################################
    1.11 +#
    1.12 +# mozilla/security/nss/tests/cert/rcert.sh
    1.13 +#
    1.14 +# Certificate generating and handeling for NSS QA, can be included 
    1.15 +# multiple times from all.sh and the individual scripts
    1.16 +#
    1.17 +# needs to work on all Unix and Windows platforms
    1.18 +#
    1.19 +# included from (don't expect this to be up to date)
    1.20 +# --------------------------------------------------
    1.21 +#   all.sh
    1.22 +#   ssl.sh
    1.23 +#   smime.sh
    1.24 +#   tools.sh
    1.25 +#
    1.26 +# special strings
    1.27 +# ---------------
    1.28 +#   FIXME ... known problems, search for this string
    1.29 +#   NOTE .... unexpected behavior
    1.30 +#
    1.31 +# FIXME - Netscape - NSS
    1.32 +########################################################################
    1.33 +
    1.34 +############################## cert_init ###############################
    1.35 +# local shell function to initialize this script
    1.36 +########################################################################
    1.37 +cert_init()
    1.38 +{
    1.39 +  SCRIPTNAME="cert.sh"
    1.40 +  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
    1.41 +      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
    1.42 +  fi
    1.43 +  if [ -z "${INIT_SOURCED}" ] ; then
    1.44 +      cd ../common
    1.45 +      . ./init.sh
    1.46 +  fi
    1.47 +  if [ -z "${IOPR_CERT_SOURCED}" ]; then
    1.48 +       . ../iopr/cert_iopr.sh
    1.49 +  fi
    1.50 +  SCRIPTNAME="cert.sh"
    1.51 +  CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
    1.52 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
    1.53 +      html_head "Certutil and Crlutil Tests with ECC"
    1.54 +  else
    1.55 +      html_head "Certutil and Crlutil Tests"
    1.56 +  fi
    1.57 +
    1.58 +  LIBDIR="${DIST}/${OBJDIR}/lib"
    1.59 +
    1.60 +  ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
    1.61 +  if [ ! "${ROOTCERTSFILE}" ] ; then
    1.62 +      html_failed "Looking for root certs module." 
    1.63 +      cert_log "ERROR: Root certs module not found."
    1.64 +      Exit 5 "Fatal - Root certs module not found."
    1.65 +  else
    1.66 +      html_passed "Looking for root certs module."
    1.67 +  fi
    1.68 +
    1.69 +  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
    1.70 +	ROOTCERTSFILE=`cygpath -m ${ROOTCERTSFILE}`
    1.71 +  fi
    1.72 +}
    1.73 +
    1.74 +cert_log() ######################    write the cert_status file
    1.75 +{
    1.76 +    echo "$SCRIPTNAME $*"
    1.77 +    echo $* >>${CERT_LOG_FILE}
    1.78 +}
    1.79 +
    1.80 +########################################################################
    1.81 +# function wraps calls to pk12util, also: writes action and options
    1.82 +# to stdout.
    1.83 +# Params are the same as to pk12util.
    1.84 +# Returns pk12util status
    1.85 +#
    1.86 +pk12u()
    1.87 +{
    1.88 +    echo "${CU_ACTION} --------------------------"
    1.89 +
    1.90 +    echo "pk12util $@"
    1.91 +    ${BINDIR}/pk12util $@
    1.92 +    RET=$?
    1.93 +
    1.94 +    return $RET
    1.95 +}
    1.96 +
    1.97 +################################ certu #################################
    1.98 +# local shell function to call certutil, also: writes action and options to
    1.99 +# stdout, sets variable RET and writes results to the html file results
   1.100 +########################################################################
   1.101 +certu()
   1.102 +{
   1.103 +    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
   1.104 +    EXPECTED=${RETEXPECTED-0}
   1.105 +
   1.106 +    if [ -n "${CU_SUBJECT}" ]; then
   1.107 +        #the subject of the cert contains blanks, and the shell 
   1.108 +        #will strip the quotes off the string, if called otherwise...
   1.109 +        echo "certutil -s \"${CU_SUBJECT}\" $*"
   1.110 +        ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $*
   1.111 +        RET=$?
   1.112 +        CU_SUBJECT=""
   1.113 +    else
   1.114 +        echo "certutil $*"
   1.115 +        ${PROFTOOL} ${BINDIR}/certutil $*
   1.116 +        RET=$?
   1.117 +    fi
   1.118 +    if [ "$RET" -ne "$EXPECTED" ]; then
   1.119 +        CERTFAILED=$RET
   1.120 +        html_failed "${CU_ACTION} ($RET=$EXPECTED) " 
   1.121 +        cert_log "ERROR: ${CU_ACTION} failed $RET"
   1.122 +    else
   1.123 +        html_passed "${CU_ACTION}"
   1.124 +    fi
   1.125 +
   1.126 +    return $RET
   1.127 +}
   1.128 +
   1.129 +################################ crlu #################################
   1.130 +# local shell function to call crlutil, also: writes action and options to
   1.131 +# stdout, sets variable RET and writes results to the html file results
   1.132 +########################################################################
   1.133 +crlu()
   1.134 +{
   1.135 +    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
   1.136 +    
   1.137 +    CRLUTIL="crlutil -q"
   1.138 +    echo "$CRLUTIL $*"
   1.139 +    ${PROFTOOL} ${BINDIR}/$CRLUTIL $*
   1.140 +    RET=$?
   1.141 +    if [ "$RET" -ne 0 ]; then
   1.142 +        CRLFAILED=$RET
   1.143 +        html_failed "${CU_ACTION} ($RET) " 
   1.144 +        cert_log "ERROR: ${CU_ACTION} failed $RET"
   1.145 +    else
   1.146 +        html_passed "${CU_ACTION}"
   1.147 +    fi
   1.148 +
   1.149 +    return $RET
   1.150 +}
   1.151 +
   1.152 +################################ ocspr ##################################
   1.153 +# local shell function to call ocsresp, also: writes action and options to
   1.154 +# stdout, sets variable RET and writes results to the html file results
   1.155 +#########################################################################
   1.156 +ocspr()
   1.157 +{
   1.158 +    echo "$SCRIPTNAME: ${OR_ACTION} --------------------------"
   1.159 +
   1.160 +    OCSPRESP="ocspresp"
   1.161 +    echo "$OCSPRESP $*"
   1.162 +    ${PROFTOOL} ${BINDIR}/$OCSPRESP $*
   1.163 +    RET=$?
   1.164 +    if [ "$RET" -ne 0 ]; then
   1.165 +        OCSPFAILED=$RET
   1.166 +        html_failed "${OR_ACTION} ($RET) "
   1.167 +        cert_log "ERROR: ${OR_ACTION} failed $RET"
   1.168 +    else
   1.169 +        html_passed "${OR_ACTION}"
   1.170 +    fi
   1.171 +
   1.172 +    return $RET
   1.173 +}
   1.174 +
   1.175 +modu()
   1.176 +{
   1.177 +    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
   1.178 +
   1.179 +    MODUTIL="modutil"
   1.180 +    echo "$MODUTIL $*"
   1.181 +    # echo is used to press Enter expected by modutil
   1.182 +    echo | ${BINDIR}/$MODUTIL $*
   1.183 +    RET=$?
   1.184 +    if [ "$RET" -ne 0 ]; then
   1.185 +        MODFAILED=$RET
   1.186 +        html_failed "${CU_ACTION} ($RET) " 
   1.187 +        cert_log "ERROR: ${CU_ACTION} failed $RET"
   1.188 +    else
   1.189 +        html_passed "${CU_ACTION}"
   1.190 +    fi
   1.191 +
   1.192 +    return $RET
   1.193 +}
   1.194 +
   1.195 +############################# cert_init_cert ##########################
   1.196 +# local shell function to initialize creation of client and server certs
   1.197 +########################################################################
   1.198 +cert_init_cert()
   1.199 +{
   1.200 +    CERTDIR="$1"
   1.201 +    CERTNAME="$2"
   1.202 +    CERTSERIAL="$3"
   1.203 +    DOMAIN="$4"
   1.204 +
   1.205 +    if [ ! -d "${CERTDIR}" ]; then
   1.206 +        mkdir -p "${CERTDIR}"
   1.207 +    else
   1.208 +        echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
   1.209 +    fi
   1.210 +    cd "${CERTDIR}"
   1.211 +    CERTDIR="."
   1.212 +
   1.213 +    PROFILEDIR=`cd ${CERTDIR}; pwd`
   1.214 +    if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
   1.215 +        PROFILEDIR=`cygpath -m ${PROFILEDIR}`
   1.216 +    fi
   1.217 +    if [ -n "${MULTIACCESS_DBM}" ]; then
   1.218 +	PROFILEDIR="multiaccess:${DOMAIN}"
   1.219 +    fi
   1.220 +
   1.221 +    noise
   1.222 +}
   1.223 +
   1.224 +############################# hw_acc #################################
   1.225 +# local shell function to add hw accelerator modules to the db
   1.226 +########################################################################
   1.227 +hw_acc()
   1.228 +{
   1.229 +    HW_ACC_RET=0
   1.230 +    HW_ACC_ERR=""
   1.231 +    if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then
   1.232 +        echo "creating $CERTNAME s cert with hwaccelerator..."
   1.233 +        #case $ACCELERATOR in
   1.234 +        #rainbow)
   1.235 +
   1.236 +        echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
   1.237 +        echo "         -dbdir ${PROFILEDIR} 2>&1 "
   1.238 +        echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
   1.239 +            -dbdir ${PROFILEDIR} 2>&1 
   1.240 +        if [ "$?" -ne 0 ]; then
   1.241 +            echo "modutil -add rainbow failed in `pwd`"
   1.242 +            HW_ACC_RET=1
   1.243 +            HW_ACC_ERR="modutil -add rainbow"
   1.244 +        fi
   1.245 +    
   1.246 +        echo "modutil -add ncipher "
   1.247 +        echo "         -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
   1.248 +        echo "         -dbdir ${PROFILEDIR} 2>&1 "
   1.249 +        echo | ${BINDIR}/modutil -add ncipher \
   1.250 +            -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
   1.251 +            -dbdir ${PROFILEDIR} 2>&1 
   1.252 +        if [ "$?" -ne 0 ]; then
   1.253 +            echo "modutil -add ncipher failed in `pwd`"
   1.254 +            HW_ACC_RET=`expr $HW_ACC_RET + 2`
   1.255 +            HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
   1.256 +        fi
   1.257 +        if [ "$HW_ACC_RET" -ne 0 ]; then
   1.258 +            html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) " 
   1.259 +        else
   1.260 +            html_passed "Adding HW accelerators to certDB for ${CERTNAME}"
   1.261 +        fi
   1.262 +
   1.263 +    fi
   1.264 +    return $HW_ACC_RET
   1.265 +}
   1.266 +
   1.267 +############################# cert_create_cert #########################
   1.268 +# local shell function to create client certs 
   1.269 +#     initialize DB, import
   1.270 +#     root cert
   1.271 +#     add cert to DB
   1.272 +########################################################################
   1.273 +cert_create_cert()
   1.274 +{
   1.275 +    cert_init_cert "$1" "$2" "$3" "$4"
   1.276 +
   1.277 +    CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
   1.278 +    certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
   1.279 +    if [ "$RET" -ne 0 ]; then
   1.280 +        return $RET
   1.281 +    fi
   1.282 +
   1.283 +    CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"
   1.284 +    modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1   
   1.285 +    if [ "$RET" -ne 0 ]; then
   1.286 +        return $RET
   1.287 +    fi
   1.288 +
   1.289 +    hw_acc
   1.290 +
   1.291 +    CU_ACTION="Import Root CA for $CERTNAME"
   1.292 +    certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
   1.293 +          -i "${R_CADIR}/TestCA.ca.cert" 2>&1
   1.294 +    if [ "$RET" -ne 0 ]; then
   1.295 +        return $RET
   1.296 +    fi
   1.297 +
   1.298 +    if [ -z "$NSS_DISABLE_ECC" ] ; then
   1.299 +	CU_ACTION="Import EC Root CA for $CERTNAME"
   1.300 +	certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
   1.301 +	    -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
   1.302 +	if [ "$RET" -ne 0 ]; then
   1.303 +            return $RET
   1.304 +	fi
   1.305 +    fi
   1.306 +
   1.307 +    cert_add_cert "$5"
   1.308 +    return $?
   1.309 +}
   1.310 +
   1.311 +############################# cert_add_cert ############################
   1.312 +# local shell function to add client certs to an existing CERT DB
   1.313 +#     generate request
   1.314 +#     sign request
   1.315 +#     import Cert
   1.316 +#
   1.317 +########################################################################
   1.318 +cert_add_cert()
   1.319 +{
   1.320 +    CU_ACTION="Generate Cert Request for $CERTNAME"
   1.321 +    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.322 +    certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
   1.323 +    if [ "$RET" -ne 0 ]; then
   1.324 +        return $RET
   1.325 +    fi
   1.326 +
   1.327 +    CU_ACTION="Sign ${CERTNAME}'s Request"
   1.328 +    certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
   1.329 +          -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   1.330 +    if [ "$RET" -ne 0 ]; then
   1.331 +        return $RET
   1.332 +    fi
   1.333 +
   1.334 +    CU_ACTION="Import $CERTNAME's Cert"
   1.335 +    certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
   1.336 +          -i "${CERTNAME}.cert" 2>&1
   1.337 +    if [ "$RET" -ne 0 ]; then
   1.338 +        return $RET
   1.339 +    fi
   1.340 +
   1.341 +    cert_log "SUCCESS: $CERTNAME's Cert Created"
   1.342 +
   1.343 +#
   1.344 +#   Generate and add EC cert
   1.345 +#
   1.346 +    if [ -z "$NSS_DISABLE_ECC" ] ; then
   1.347 +	CURVE="secp384r1"
   1.348 +	CU_ACTION="Generate EC Cert Request for $CERTNAME"
   1.349 +	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.350 +	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
   1.351 +	    -z "${R_NOISE_FILE}" -o req  2>&1
   1.352 +	if [ "$RET" -ne 0 ]; then
   1.353 +            return $RET
   1.354 +	fi
   1.355 +
   1.356 +	CU_ACTION="Sign ${CERTNAME}'s EC Request"
   1.357 +	certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
   1.358 +            -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
   1.359 +	if [ "$RET" -ne 0 ]; then
   1.360 +            return $RET
   1.361 +	fi
   1.362 +
   1.363 +	CU_ACTION="Import $CERTNAME's EC Cert"
   1.364 +	certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
   1.365 +	    -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
   1.366 +	if [ "$RET" -ne 0 ]; then
   1.367 +            return $RET
   1.368 +	fi
   1.369 +	cert_log "SUCCESS: $CERTNAME's EC Cert Created"
   1.370 +
   1.371 +#    Generate EC certificate signed with RSA
   1.372 +	CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
   1.373 +	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.374 +	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
   1.375 +	    -z "${R_NOISE_FILE}" -o req  2>&1
   1.376 +	if [ "$RET" -ne 0 ]; then
   1.377 +            return $RET
   1.378 +	fi
   1.379 +
   1.380 +	CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
   1.381 +# Avoid conflicting serial numbers with TestCA issuer by keeping
   1.382 +# this set far away. A smaller number risks colliding with the
   1.383 +# extended ssl user certificates.
   1.384 +	NEWSERIAL=`expr ${CERTSERIAL} + 10000`
   1.385 +        certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
   1.386 +            -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1
   1.387 +	if [ "$RET" -ne 0 ]; then
   1.388 +            return $RET
   1.389 +	fi
   1.390 +
   1.391 +	CU_ACTION="Import $CERTNAME's mixed EC Cert"
   1.392 +	certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
   1.393 +	    -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
   1.394 +	if [ "$RET" -ne 0 ]; then
   1.395 +            return $RET
   1.396 +	fi
   1.397 +	cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
   1.398 +    fi
   1.399 +
   1.400 +    return 0
   1.401 +}
   1.402 +
   1.403 +################################# cert_all_CA ################################
   1.404 +# local shell function to build the additional Temp. Certificate Authority (CA)
   1.405 +# used for the "real life" ssl test with 2 different CA's in the
   1.406 +# client and in the server's dir
   1.407 +##########################################################################
   1.408 +cert_all_CA()
   1.409 +{
   1.410 +    echo nss > ${PWFILE}
   1.411 +
   1.412 +    ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.413 +    cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
   1.414 +
   1.415 +    ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.416 +    cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
   1.417 +    ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.418 +    cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3"
   1.419 +    ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 
   1.420 +    cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4"
   1.421 +
   1.422 +
   1.423 +
   1.424 +    ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.425 +    cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
   1.426 +    ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.427 +    cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6"
   1.428 +    ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.429 +    cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
   1.430 +
   1.431 +    rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
   1.432 +
   1.433 +    # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 
   1.434 +    # in the chain
   1.435 +
   1.436 +    if [ -z "$NSS_DISABLE_ECC" ] ; then
   1.437 +#
   1.438 +#       Create EC version of TestCA
   1.439 +	CA_CURVE="secp521r1"
   1.440 +	ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.441 +	cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
   1.442 +#
   1.443 +#       Create EC versions of the intermediate CA certs
   1.444 +	ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.445 +	cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
   1.446 +	ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.447 +	cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
   1.448 +	ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 
   1.449 +	cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
   1.450 +
   1.451 +	ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.452 +	cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
   1.453 +	ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.454 +	cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
   1.455 +	ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
   1.456 +	cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
   1.457 +
   1.458 +	rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
   1.459 +#	ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 
   1.460 +#	in the chain
   1.461 +
   1.462 +    fi
   1.463 +}
   1.464 +
   1.465 +################################# cert_CA ################################
   1.466 +# local shell function to build the Temp. Certificate Authority (CA)
   1.467 +# used for testing purposes, creating  a CA Certificate and a root cert
   1.468 +##########################################################################
   1.469 +cert_CA()
   1.470 +{
   1.471 +  CUR_CADIR=$1
   1.472 +  NICKNAME=$2
   1.473 +  SIGNER=$3
   1.474 +  TRUSTARG=$4
   1.475 +  DOMAIN=$5
   1.476 +  CERTSERIAL=$6
   1.477 +
   1.478 +  echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="
   1.479 +
   1.480 +  if [ ! -d "${CUR_CADIR}" ]; then
   1.481 +      mkdir -p "${CUR_CADIR}"
   1.482 +  fi
   1.483 +  cd ${CUR_CADIR}
   1.484 +  pwd
   1.485 +
   1.486 +  LPROFILE=`pwd`
   1.487 +  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
   1.488 +     LPROFILE=`cygpath -m ${LPROFILE}`
   1.489 +  fi
   1.490 +  if [ -n "${MULTIACCESS_DBM}" ]; then
   1.491 +	LPROFILE="multiaccess:${DOMAIN}"
   1.492 +  fi
   1.493 +
   1.494 +  if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
   1.495 +      CU_ACTION="Creating CA Cert DB"
   1.496 +      certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1
   1.497 +      if [ "$RET" -ne 0 ]; then
   1.498 +          Exit 5 "Fatal - failed to create CA $NICKNAME "
   1.499 +      fi
   1.500 +
   1.501 +      CU_ACTION="Loading root cert module to CA Cert DB"
   1.502 +      modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1   
   1.503 +      if [ "$RET" -ne 0 ]; then
   1.504 +          return $RET
   1.505 +      fi
   1.506 +
   1.507 +      echo "$SCRIPTNAME: Certificate initialized ----------"
   1.508 +  fi
   1.509 +
   1.510 +
   1.511 +  ################# Creating CA Cert ######################################
   1.512 +  #
   1.513 +  CU_ACTION="Creating CA Cert $NICKNAME "
   1.514 +  CU_SUBJECT=$ALL_CU_SUBJECT
   1.515 +  certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \
   1.516 +        -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT
   1.517 +5
   1.518 +6
   1.519 +9
   1.520 +n
   1.521 +y
   1.522 +-1
   1.523 +n
   1.524 +5
   1.525 +6
   1.526 +7
   1.527 +9
   1.528 +n
   1.529 +CERTSCRIPT
   1.530 +
   1.531 +  if [ "$RET" -ne 0 ]; then
   1.532 +      echo "return value is $RET"
   1.533 +      Exit 6 "Fatal - failed to create CA cert"
   1.534 +  fi
   1.535 +
   1.536 +  ################# Exporting Root Cert ###################################
   1.537 +  #
   1.538 +  CU_ACTION="Exporting Root Cert"
   1.539 +  certu -L -n  $NICKNAME -r -d ${LPROFILE} -o root.cert 
   1.540 +  if [ "$RET" -ne 0 ]; then
   1.541 +      Exit 7 "Fatal - failed to export root cert"
   1.542 +  fi
   1.543 +  cp root.cert ${NICKNAME}.ca.cert
   1.544 +}
   1.545 +
   1.546 +################################ cert_ec_CA ##############################
   1.547 +# local shell function to build the Temp. Certificate Authority (CA)
   1.548 +# used for testing purposes, creating  a CA Certificate and a root cert
   1.549 +# This is the ECC version of cert_CA.
   1.550 +##########################################################################
   1.551 +cert_ec_CA()
   1.552 +{
   1.553 +  CUR_CADIR=$1
   1.554 +  NICKNAME=$2
   1.555 +  SIGNER=$3
   1.556 +  TRUSTARG=$4
   1.557 +  DOMAIN=$5
   1.558 +  CERTSERIAL=$6
   1.559 +  CURVE=$7
   1.560 +
   1.561 +  echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="
   1.562 +
   1.563 +  if [ ! -d "${CUR_CADIR}" ]; then
   1.564 +      mkdir -p "${CUR_CADIR}"
   1.565 +  fi
   1.566 +  cd ${CUR_CADIR}
   1.567 +  pwd
   1.568 +
   1.569 +  LPROFILE=.
   1.570 +  if [ -n "${MULTIACCESS_DBM}" ]; then
   1.571 +	LPROFILE="multiaccess:${DOMAIN}"
   1.572 +  fi
   1.573 +
   1.574 +  ################# Creating an EC CA Cert ################################
   1.575 +  #
   1.576 +  CU_ACTION="Creating EC CA Cert $NICKNAME "
   1.577 +  CU_SUBJECT=$ALL_CU_SUBJECT
   1.578 +  certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \
   1.579 +    -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
   1.580 +    -m $CERTSERIAL 2>&1 <<CERTSCRIPT
   1.581 +5
   1.582 +6
   1.583 +9
   1.584 +n
   1.585 +y
   1.586 +-1
   1.587 +n
   1.588 +5
   1.589 +6
   1.590 +7
   1.591 +9
   1.592 +n
   1.593 +CERTSCRIPT
   1.594 +
   1.595 +  if [ "$RET" -ne 0 ]; then
   1.596 +      echo "return value is $RET"
   1.597 +      Exit 6 "Fatal - failed to create EC CA cert"
   1.598 +  fi
   1.599 +
   1.600 +  ################# Exporting EC Root Cert ################################
   1.601 +  #
   1.602 +  CU_ACTION="Exporting EC Root Cert"
   1.603 +  certu -L -n  $NICKNAME -r -d ${LPROFILE} -o ecroot.cert 
   1.604 +  if [ "$RET" -ne 0 ]; then
   1.605 +      Exit 7 "Fatal - failed to export ec root cert"
   1.606 +  fi
   1.607 +  cp ecroot.cert ${NICKNAME}.ca.cert
   1.608 +}
   1.609 +
   1.610 +############################## cert_smime_client #############################
   1.611 +# local shell function to create client Certificates for S/MIME tests 
   1.612 +##############################################################################
   1.613 +cert_smime_client()
   1.614 +{
   1.615 +  CERTFAILED=0
   1.616 +  echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="
   1.617 +
   1.618 +  cert_create_cert ${ALICEDIR} "Alice" 30 ${D_ALICE}
   1.619 +  cert_create_cert ${BOBDIR} "Bob" 40  ${D_BOB}
   1.620 +
   1.621 +  echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
   1.622 +  cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
   1.623 +
   1.624 +## XXX With this new script merging ECC and non-ECC tests, the
   1.625 +## call to cert_create_cert ends up creating two separate certs
   1.626 +## one for Eve and another for Eve-ec but they both end up with
   1.627 +## the same Subject Alt Name Extension, i.e., both the cert for
   1.628 +## Eve@bogus.com and the cert for Eve-ec@bogus.com end up 
   1.629 +## listing eve@bogus.net in the Certificate Subject Alt Name extension. 
   1.630 +## This can cause a problem later when cmsutil attempts to create
   1.631 +## enveloped data and accidently picks up the ECC cert (NSS currently
   1.632 +## does not support ECC for enveloped data creation). This script
   1.633 +## avoids the problem by ensuring that these conflicting certs are
   1.634 +## never added to the same cert database (see comment marked XXXX).
   1.635 +  echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
   1.636 +  cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
   1.637 +
   1.638 +  #echo "************* Copying CA files to ${SERVERDIR}"
   1.639 +  #cp ${CADIR}/*.db .
   1.640 +  #hw_acc
   1.641 +
   1.642 +  #########################################################################
   1.643 +  #
   1.644 +  #cd ${CERTDIR}
   1.645 +  #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
   1.646 +  #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
   1.647 +  #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
   1.648 +  #	-d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
   1.649 +
   1.650 +  #CU_ACTION="Export Dave's Cert"
   1.651 +  #cd ${DAVEDIR}
   1.652 +  #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
   1.653 +
   1.654 +  ################# Importing Certificates for S/MIME tests ###############
   1.655 +  #
   1.656 +  echo "$SCRIPTNAME: Importing Certificates =============================="
   1.657 +  CU_ACTION="Import Bob's cert into Alice's db"
   1.658 +  certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
   1.659 +        -i ${R_BOBDIR}/Bob.cert 2>&1
   1.660 +
   1.661 +  CU_ACTION="Import Dave's cert into Alice's DB"
   1.662 +  certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
   1.663 +        -i ${R_DAVEDIR}/Dave.cert 2>&1
   1.664 +
   1.665 +  CU_ACTION="Import Dave's cert into Bob's DB"
   1.666 +  certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
   1.667 +        -i ${R_DAVEDIR}/Dave.cert 2>&1
   1.668 +
   1.669 +  CU_ACTION="Import Eve's cert into Alice's DB"
   1.670 +  certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
   1.671 +        -i ${R_EVEDIR}/Eve.cert 2>&1
   1.672 +
   1.673 +  CU_ACTION="Import Eve's cert into Bob's DB"
   1.674 +  certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
   1.675 +        -i ${R_EVEDIR}/Eve.cert 2>&1
   1.676 +
   1.677 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
   1.678 +      echo "$SCRIPTNAME: Importing EC Certificates =============================="
   1.679 +      CU_ACTION="Import Bob's EC cert into Alice's db"
   1.680 +      certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
   1.681 +          -i ${R_BOBDIR}/Bob-ec.cert 2>&1
   1.682 +
   1.683 +      CU_ACTION="Import Dave's EC cert into Alice's DB"
   1.684 +      certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
   1.685 +          -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
   1.686 +
   1.687 +      CU_ACTION="Import Dave's EC cert into Bob's DB"
   1.688 +      certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
   1.689 +          -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
   1.690 +
   1.691 +## XXXX Do not import Eve's EC cert until we can make sure that
   1.692 +## the email addresses listed in the Subject Alt Name Extension 
   1.693 +## inside Eve's ECC and non-ECC certs are different.
   1.694 +#     CU_ACTION="Import Eve's EC cert into Alice's DB"
   1.695 +#     certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
   1.696 +#         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
   1.697 +
   1.698 +#     CU_ACTION="Import Eve's EC cert into Bob's DB"
   1.699 +#     certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
   1.700 +#         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
   1.701 +  fi
   1.702 +
   1.703 +  if [ "$CERTFAILED" != 0 ] ; then
   1.704 +      cert_log "ERROR: SMIME failed $RET"
   1.705 +  else
   1.706 +      cert_log "SUCCESS: SMIME passed"
   1.707 +  fi
   1.708 +}
   1.709 +
   1.710 +############################## cert_extended_ssl #######################
   1.711 +# local shell function to create client + server certs for extended SSL test
   1.712 +########################################################################
   1.713 +cert_extended_ssl()
   1.714 +{
   1.715 +
   1.716 +  ################# Creating Certs for extended SSL test ####################
   1.717 +  #
   1.718 +  CERTFAILED=0
   1.719 +  echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
   1.720 +  echo "     of a chain of CA's which are not in the same database============"
   1.721 +
   1.722 +  echo "Server Cert"
   1.723 +  cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
   1.724 +
   1.725 +  CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
   1.726 +  certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
   1.727 +
   1.728 +  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
   1.729 +  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
   1.730 +
   1.731 +  CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
   1.732 +  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.733 +  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
   1.734 +
   1.735 +  CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
   1.736 +  cp ${CERTDIR}/req ${SERVER_CADIR}
   1.737 +  certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
   1.738 +        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
   1.739 +
   1.740 +  CU_ACTION="Import $CERTNAME's Cert  -t u,u,u (ext)"
   1.741 +  certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
   1.742 +        -i "${CERTNAME}.cert" 2>&1
   1.743 +
   1.744 +  CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
   1.745 +  certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
   1.746 +          -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
   1.747 +
   1.748 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
   1.749 +#
   1.750 +#     Repeat the above for EC certs
   1.751 +#
   1.752 +      EC_CURVE="secp256r1"
   1.753 +      CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
   1.754 +      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.755 +      certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
   1.756 +	  -z "${R_NOISE_FILE}" -o req 2>&1
   1.757 +
   1.758 +      CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
   1.759 +      cp ${CERTDIR}/req ${SERVER_CADIR}
   1.760 +      certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
   1.761 +          -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
   1.762 +
   1.763 +      CU_ACTION="Import $CERTNAME's EC Cert  -t u,u,u (ext)"
   1.764 +      certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
   1.765 +	  -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
   1.766 +
   1.767 +      CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
   1.768 +      certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
   1.769 +          -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
   1.770 +#
   1.771 +#     done with EC certs
   1.772 +#
   1.773 +#     Repeat again for mixed EC certs
   1.774 +#
   1.775 +      EC_CURVE="secp256r1"
   1.776 +      CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
   1.777 +      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.778 +      certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
   1.779 +	  -z "${R_NOISE_FILE}" -o req 2>&1
   1.780 +
   1.781 +      CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
   1.782 +      cp ${CERTDIR}/req ${SERVER_CADIR}
   1.783 +      certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \
   1.784 +          -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
   1.785 +
   1.786 +      CU_ACTION="Import $CERTNAME's mixed EC Cert  -t u,u,u (ext)"
   1.787 +      certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
   1.788 +	  -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
   1.789 +
   1.790 +#      CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)"
   1.791 +#      certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
   1.792 +#	  -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
   1.793 +#	  2>&1
   1.794 +  fi
   1.795 +
   1.796 +  echo "Importing all the server's own CA chain into the servers DB"
   1.797 +  for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
   1.798 +  do
   1.799 +      N=`basename $CA | sed -e "s/.ca.cert//"`
   1.800 +      if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then
   1.801 +          T="-t C,C,C"
   1.802 +      else
   1.803 +          T="-t u,u,u"
   1.804 +      fi
   1.805 +      CU_ACTION="Import $N CA $T for $CERTNAME (ext.) "
   1.806 +      certu -A -n $N  $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
   1.807 +          -i "${CA}" 2>&1
   1.808 +  done
   1.809 +#============
   1.810 +  echo "Client Cert"
   1.811 +  cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
   1.812 +
   1.813 +  CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
   1.814 +  certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
   1.815 +
   1.816 +  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
   1.817 +  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
   1.818 +
   1.819 +  CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
   1.820 +  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.821 +  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
   1.822 +      -o req 2>&1
   1.823 +
   1.824 +  CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
   1.825 +  cp ${CERTDIR}/req ${CLIENT_CADIR}
   1.826 +  certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
   1.827 +        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
   1.828 +
   1.829 +  CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
   1.830 +  certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
   1.831 +        -i "${CERTNAME}.cert" 2>&1
   1.832 +  CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
   1.833 +  certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
   1.834 +          -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
   1.835 +
   1.836 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
   1.837 +#
   1.838 +#     Repeat the above for EC certs
   1.839 +#
   1.840 +      CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
   1.841 +      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.842 +      certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
   1.843 +	  -z "${R_NOISE_FILE}" -o req 2>&1
   1.844 +
   1.845 +      CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
   1.846 +      cp ${CERTDIR}/req ${CLIENT_CADIR}
   1.847 +      certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
   1.848 +          -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
   1.849 +
   1.850 +      CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
   1.851 +      certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
   1.852 +	  -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
   1.853 +
   1.854 +      CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
   1.855 +      certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
   1.856 +	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
   1.857 +#
   1.858 +# done with EC certs
   1.859 +#
   1.860 +#
   1.861 +#     Repeat the above for mixed EC certs
   1.862 +#
   1.863 +      CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
   1.864 +      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   1.865 +      certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
   1.866 +	  -z "${R_NOISE_FILE}" -o req 2>&1
   1.867 +
   1.868 +      CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
   1.869 +      cp ${CERTDIR}/req ${CLIENT_CADIR}
   1.870 +      certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \
   1.871 +          -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
   1.872 +
   1.873 +      CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
   1.874 +      certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
   1.875 +	  -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
   1.876 +
   1.877 +#      CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
   1.878 +#      certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
   1.879 +#	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
   1.880 +#
   1.881 +# done with mixed EC certs
   1.882 +#
   1.883 +  fi
   1.884 +
   1.885 +  echo "Importing all the client's own CA chain into the servers DB"
   1.886 +  for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
   1.887 +  do
   1.888 +      N=`basename $CA | sed -e "s/.ca.cert//"`
   1.889 +      if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then
   1.890 +          T="-t T,C,C"
   1.891 +      else
   1.892 +          T="-t u,u,u"
   1.893 +      fi
   1.894 +      CU_ACTION="Import $N CA $T for $CERTNAME (ext.)"
   1.895 +      certu -A -n $N  $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
   1.896 +          -i "${CA}" 2>&1
   1.897 +  done
   1.898 +  if [ "$CERTFAILED" != 0 ] ; then
   1.899 +      cert_log "ERROR: EXT failed $RET"
   1.900 +  else
   1.901 +      cert_log "SUCCESS: EXT passed"
   1.902 +  fi
   1.903 +}
   1.904 +
   1.905 +############################## cert_ssl ################################
   1.906 +# local shell function to create client + server certs for SSL test
   1.907 +########################################################################
   1.908 +cert_ssl()
   1.909 +{
   1.910 +  ################# Creating Certs for SSL test ###########################
   1.911 +  #
   1.912 +  CERTFAILED=0
   1.913 +  echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
   1.914 +  cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}
   1.915 +
   1.916 +  echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
   1.917 +  echo "             ${HOSTADDR} ------------------------------------"
   1.918 +  cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
   1.919 +  echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
   1.920 +  echo "             ${HOSTADDR}-sni --------------------------------"
   1.921 +  CERTSERIAL=101
   1.922 +  CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}"
   1.923 +  cert_add_cert 
   1.924 +  CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
   1.925 +  certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
   1.926 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
   1.927 +      CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
   1.928 +      certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
   1.929 +  fi
   1.930 +#  cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
   1.931 +#  echo "************* Copying CA files to ${SERVERDIR}"
   1.932 +#  cp ${CADIR}/*.db .
   1.933 +#  hw_acc
   1.934 +#  CU_ACTION="Creating ${CERTNAME}'s Server Cert"
   1.935 +#  CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
   1.936 +#  certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
   1.937 +#	 -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
   1.938 +
   1.939 +  if [ "$CERTFAILED" != 0 ] ; then
   1.940 +      cert_log "ERROR: SSL failed $RET"
   1.941 +  else
   1.942 +      cert_log "SUCCESS: SSL passed"
   1.943 +  fi
   1.944 +
   1.945 +  echo "$SCRIPTNAME: Creating database for OCSP stapling tests  ==============="
   1.946 +  echo "cp -r ${SERVERDIR} ${STAPLINGDIR}"
   1.947 +  cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
   1.948 +  pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
   1.949 +  pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
   1.950 +}
   1.951 +############################## cert_stresscerts ################################
   1.952 +# local shell function to create client certs for SSL stresstest
   1.953 +########################################################################
   1.954 +cert_stresscerts()
   1.955 +{
   1.956 +
   1.957 +  ############### Creating Certs for SSL stress test #######################
   1.958 +  #
   1.959 +  CERTDIR="$CLIENTDIR"
   1.960 +  cd "${CERTDIR}"
   1.961 +
   1.962 +  PROFILEDIR=`cd ${CERTDIR}; pwd`
   1.963 +  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
   1.964 +     PROFILEDIR=`cygpath -m ${PROFILEDIR}`
   1.965 +  fi  
   1.966 +  if [ -n "${MULTIACCESS_DBM}" ]; then
   1.967 +     PROFILEDIR="multiaccess:${D_CLIENT}"
   1.968 +  fi
   1.969 +  CERTFAILED=0
   1.970 +  echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
   1.971 +
   1.972 +  CONTINUE=$GLOB_MAX_CERT
   1.973 +  CERTSERIAL=10
   1.974 +
   1.975 +  while [ $CONTINUE -ge $GLOB_MIN_CERT ]
   1.976 +  do
   1.977 +      CERTNAME="TestUser$CONTINUE"
   1.978 +#      cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL
   1.979 +      cert_add_cert 
   1.980 +      CERTSERIAL=`expr $CERTSERIAL + 1 `
   1.981 +      CONTINUE=`expr $CONTINUE - 1 `
   1.982 +  done
   1.983 +  if [ "$CERTFAILED" != 0 ] ; then
   1.984 +      cert_log "ERROR: StressCert failed $RET"
   1.985 +  else
   1.986 +      cert_log "SUCCESS: StressCert passed"
   1.987 +  fi
   1.988 +}
   1.989 +
   1.990 +############################## cert_fips #####################################
   1.991 +# local shell function to create certificates for FIPS tests 
   1.992 +##############################################################################
   1.993 +cert_fips()
   1.994 +{
   1.995 +  CERTFAILED=0
   1.996 +  echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
   1.997 +  cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
   1.998 +
   1.999 +  CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
  1.1000 +  certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
  1.1001 +
  1.1002 +  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
  1.1003 +  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
  1.1004 +
  1.1005 +  echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
  1.1006 +  CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
  1.1007 +  echo "modutil -dbdir ${PROFILEDIR} -fips true "
  1.1008 +  ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
  1.1009 +y
  1.1010 +MODSCRIPT
  1.1011 +  RET=$?
  1.1012 +  if [ "$RET" -ne 0 ]; then
  1.1013 +    html_failed "${CU_ACTION} ($RET) " 
  1.1014 +    cert_log "ERROR: ${CU_ACTION} failed $RET"
  1.1015 +  else
  1.1016 +    html_passed "${CU_ACTION}"
  1.1017 +  fi
  1.1018 +
  1.1019 +  CU_ACTION="Generate Certificate for ${CERTNAME}"
  1.1020 +  CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
  1.1021 +  certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
  1.1022 +  if [ "$RET" -eq 0 ]; then
  1.1023 +    cert_log "SUCCESS: FIPS passed"
  1.1024 +  fi
  1.1025 +}
  1.1026 +
  1.1027 +############################## cert_eccurves ###########################
  1.1028 +# local shell function to create server certs for all EC curves
  1.1029 +########################################################################
  1.1030 +cert_eccurves()
  1.1031 +{
  1.1032 +  ################# Creating Certs for EC curves test ########################
  1.1033 +  #
  1.1034 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
  1.1035 +    echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
  1.1036 +    echo "             EC Curves Test Certificates ------------------------------------"
  1.1037 +
  1.1038 +    cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
  1.1039 +
  1.1040 +    CU_ACTION="Initializing EC Curve's Cert DB"
  1.1041 +    certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1042 +
  1.1043 +    CU_ACTION="Loading root cert module to EC Curve's Cert DB"
  1.1044 +    modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
  1.1045 +
  1.1046 +    CU_ACTION="Import EC Root CA for $CERTNAME"
  1.1047 +    certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
  1.1048 +        -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
  1.1049 +
  1.1050 +    if [ -n "${NSS_ECC_MORE_THAN_SUITE_B}" ] ; then
  1.1051 +      CURVE_LIST="c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 \
  1.1052 +	c2pnb208w1 c2pnb272w1 c2pnb304w1 c2pnb368w1 \
  1.1053 +	c2tnb191v1 c2tnb191v2 c2tnb191v3 c2tnb239v1 \
  1.1054 +	c2tnb239v2 c2tnb239v3 c2tnb359v1 c2tnb431r1 \
  1.1055 +	nistb163 nistb233 nistb283 nistb409 nistb571 \
  1.1056 +	nistk163 nistk233 nistk283 nistk409 nistk571 \
  1.1057 +	nistp192 nistp224 nistp256 nistp384 nistp521 \
  1.1058 +	prime192v1 prime192v2 prime192v3 \
  1.1059 +	prime239v1 prime239v2 prime239v3 \
  1.1060 +	secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 \
  1.1061 +	secp160r1 secp160r2 secp192k1 secp192r1 secp224k1 \
  1.1062 +	secp224r1 secp256k1 secp256r1 secp384r1 secp521r1 \
  1.1063 +	sect113r1 sect113r2 sect131r1 sect131r2 sect163k1 sect163r1 \
  1.1064 +	sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 \
  1.1065 +	sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1"
  1.1066 +    else
  1.1067 +      CURVE_LIST="nistp256 nistp384 nistp521"
  1.1068 +    fi
  1.1069 +    CERTSERIAL=2000
  1.1070 +
  1.1071 +    for CURVE in ${CURVE_LIST}
  1.1072 +    do
  1.1073 +	CERTFAILED=0
  1.1074 +	CERTNAME="Curve-${CURVE}"
  1.1075 +	CERTSERIAL=`expr $CERTSERIAL + 1 `
  1.1076 +	CU_ACTION="Generate EC Cert Request for $CERTNAME"
  1.1077 +	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  1.1078 +	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
  1.1079 +		-z "${R_NOISE_FILE}" -o req  2>&1
  1.1080 +	
  1.1081 +	if [ $RET -eq 0 ] ; then
  1.1082 +	  CU_ACTION="Sign ${CERTNAME}'s EC Request"
  1.1083 +	  certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
  1.1084 +		-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
  1.1085 +	fi
  1.1086 +	
  1.1087 +	if [ $RET -eq 0 ] ; then
  1.1088 +	  CU_ACTION="Import $CERTNAME's EC Cert"
  1.1089 +	  certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
  1.1090 +		-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
  1.1091 +	fi
  1.1092 +    done
  1.1093 +
  1.1094 +  fi # $NSS_DISABLE_ECC
  1.1095 +}
  1.1096 +
  1.1097 +########################### cert_extensions_test #############################
  1.1098 +# local shell function to test cert extensions generation
  1.1099 +##############################################################################
  1.1100 +cert_extensions_test()
  1.1101 +{
  1.1102 +    COUNT=`expr ${COUNT} + 1`
  1.1103 +    CERTNAME=TestExt${COUNT}
  1.1104 +    CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  1.1105 +
  1.1106 +    echo
  1.1107 +    echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
  1.1108 +        -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
  1.1109 +        -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
  1.1110 +    echo "certutil options:"
  1.1111 +    cat ${TARG_FILE}
  1.1112 +    ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
  1.1113 +        -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
  1.1114 +        -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE}
  1.1115 +    RET=$?
  1.1116 +    if [ "${RET}" -ne 0 ]; then
  1.1117 +        CERTFAILED=1
  1.1118 +        html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate" 
  1.1119 +        cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed" 
  1.1120 +        return 1
  1.1121 +    fi
  1.1122 +
  1.1123 +    echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME} 
  1.1124 +    EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}`
  1.1125 +    RET=$?
  1.1126 +    echo "${EXTLIST}"
  1.1127 +    if [ "${RET}" -ne 0 ]; then
  1.1128 +        CERTFAILED=1
  1.1129 +        html_failed "${TESTNAME} (${COUNT}) - List Certificate" 
  1.1130 +        cert_log "ERROR: ${TESTNAME} - List Certificate failed" 
  1.1131 +        return 1
  1.1132 +    fi
  1.1133 +
  1.1134 +    for FL in `echo ${FILTERLIST} | tr \| ' '`; do
  1.1135 +        FL="`echo ${FL} | tr _ ' '`"
  1.1136 +        EXPSTAT=0
  1.1137 +        if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then
  1.1138 +            EXPSTAT=1
  1.1139 +            FL=`echo ${FL} | tr -d '!'`
  1.1140 +        fi
  1.1141 +        echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1
  1.1142 +        RET=$?
  1.1143 +        if [ "${RET}" -ne "${EXPSTAT}" ]; then
  1.1144 +            CERTFAILED=1
  1.1145 +            html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}" 
  1.1146 +            cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed"
  1.1147 +            return 1
  1.1148 +        fi
  1.1149 +    done
  1.1150 +
  1.1151 +    html_passed "${TESTNAME} (${COUNT})"
  1.1152 +    return 0
  1.1153 +}
  1.1154 +
  1.1155 +############################## cert_extensions ###############################
  1.1156 +# local shell function to run cert extensions tests
  1.1157 +##############################################################################
  1.1158 +cert_extensions()
  1.1159 +{
  1.1160 +    CERTNAME=TestExt
  1.1161 +    cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS}
  1.1162 +    TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args
  1.1163 +
  1.1164 +    COUNT=0
  1.1165 +    while read ARG OPT FILTERLIST; do
  1.1166 +        if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then
  1.1167 +            continue
  1.1168 +        fi
  1.1169 +        if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then
  1.1170 +            TESTNAME="${FILTERLIST}"
  1.1171 +            continue
  1.1172 +        fi
  1.1173 +        if [ X"${ARG}" = "X=" ]; then
  1.1174 +            cert_extensions_test
  1.1175 +            rm -f ${TARG_FILE}
  1.1176 +        else
  1.1177 +            echo ${ARG} >> ${TARG_FILE}
  1.1178 +        fi
  1.1179 +    done < ${QADIR}/cert/certext.txt
  1.1180 +}
  1.1181 +
  1.1182 +cert_make_with_param()
  1.1183 +{
  1.1184 +    DIRPASS="$1"
  1.1185 +    CERTNAME="$2"
  1.1186 +    MAKE="$3"
  1.1187 +    SUBJ="$4"
  1.1188 +    EXTRA="$5"
  1.1189 +    EXPECT="$6"
  1.1190 +    TESTNAME="$7"
  1.1191 +
  1.1192 +    echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
  1.1193 +    ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
  1.1194 +        
  1.1195 +    RET=$?
  1.1196 +    if [ "${RET}" -ne "${EXPECT}" ]; then
  1.1197 +        # if we expected failure to create, then delete unexpected certificate
  1.1198 +        if [ "${EXPECT}" -ne 0 ]; then
  1.1199 +            ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
  1.1200 +        fi
  1.1201 +    
  1.1202 +        CERTFAILED=1
  1.1203 +        html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}" 
  1.1204 +        cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed"
  1.1205 +        return 1
  1.1206 +    fi
  1.1207 +
  1.1208 +    html_passed "${TESTNAME} (${COUNT})"
  1.1209 +    return 0
  1.1210 +}
  1.1211 +
  1.1212 +cert_list_and_count_dns()
  1.1213 +{
  1.1214 +    DIRPASS="$1"
  1.1215 +    CERTNAME="$2"
  1.1216 +    EXPECT="$3"
  1.1217 +    EXPECTCOUNT="$4"
  1.1218 +    TESTNAME="$5"
  1.1219 +
  1.1220 +    echo certutil ${DIRPASS} -L ${CERTNAME}
  1.1221 +    ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME}
  1.1222 +
  1.1223 +    RET=$?
  1.1224 +    if [ "${RET}" -ne "${EXPECT}" ]; then
  1.1225 +        CERTFAILED=1
  1.1226 +        html_failed "${TESTNAME} (${COUNT}) - list and count" 
  1.1227 +        cert_log "ERROR: ${TESTNAME} - list and count failed"
  1.1228 +        return 1
  1.1229 +    fi
  1.1230 +
  1.1231 +    LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS`
  1.1232 +    if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then
  1.1233 +        CERTFAILED=1
  1.1234 +        html_failed "${TESTNAME} (${COUNT}) - list and count" 
  1.1235 +        cert_log "ERROR: ${TESTNAME} - list and count failed"
  1.1236 +        return 1
  1.1237 +    fi
  1.1238 +
  1.1239 +    html_passed "${TESTNAME} (${COUNT})"
  1.1240 +    return 0
  1.1241 +}
  1.1242 +
  1.1243 +cert_dump_ext_to_file()
  1.1244 +{
  1.1245 +    DIRPASS="$1"
  1.1246 +    CERTNAME="$2"
  1.1247 +    OID="$3"
  1.1248 +    OUTFILE="$4"
  1.1249 +    EXPECT="$5"
  1.1250 +    TESTNAME="$6"
  1.1251 +
  1.1252 +    echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID}
  1.1253 +    echo "writing output to ${OUTFILE}"
  1.1254 +    ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE}
  1.1255 +        
  1.1256 +    RET=$?
  1.1257 +    if [ "${RET}" -ne "${EXPECT}" ]; then
  1.1258 +        CERTFAILED=1
  1.1259 +        html_failed "${TESTNAME} (${COUNT}) - dump to file"
  1.1260 +        cert_log "ERROR: ${TESTNAME} - dump to file failed"
  1.1261 +        return 1
  1.1262 +    fi
  1.1263 +
  1.1264 +    html_passed "${TESTNAME} (${COUNT})"
  1.1265 +    return 0
  1.1266 +}
  1.1267 +
  1.1268 +cert_delete()
  1.1269 +{
  1.1270 +    DIRPASS="$1"
  1.1271 +    CERTNAME="$2"
  1.1272 +    EXPECT="$3"
  1.1273 +    TESTNAME="$4"
  1.1274 +
  1.1275 +    echo certutil ${DIRPASS} -D ${CERTNAME}
  1.1276 +    ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
  1.1277 +        
  1.1278 +    RET=$?
  1.1279 +    if [ "${RET}" -ne "${EXPECT}" ]; then
  1.1280 +        CERTFAILED=1
  1.1281 +        html_failed "${TESTNAME} (${COUNT}) - delete cert" 
  1.1282 +        cert_log "ERROR: ${TESTNAME} - delete cert failed"
  1.1283 +        return 1
  1.1284 +    fi
  1.1285 +
  1.1286 +    html_passed "${TESTNAME} (${COUNT})"
  1.1287 +    return 0
  1.1288 +}
  1.1289 +
  1.1290 +cert_inc_count()
  1.1291 +{
  1.1292 +    COUNT=`expr ${COUNT} + 1`
  1.1293 +}
  1.1294 +
  1.1295 +############################## cert_crl_ssl ############################
  1.1296 +# test adding subject-alt-name, dumping, and adding generic extension
  1.1297 +########################################################################
  1.1298 +cert_san_and_generic_extensions()
  1.1299 +{
  1.1300 +    EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der
  1.1301 +
  1.1302 +    DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}"
  1.1303 +    CERTNAME="-n WithSAN"
  1.1304 +    MAKE="-S -t ,, -x -z ${R_NOISE_FILE}"
  1.1305 +    SUBJ="CN=example.com"
  1.1306 +
  1.1307 +    TESTNAME="san-and-generic-extensions"
  1.1308 +
  1.1309 +    cert_inc_count
  1.1310 +    cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
  1.1311 +        "--extSAN example.com" 255 \
  1.1312 +        "create cert with invalid SAN parameter"
  1.1313 +
  1.1314 +    cert_inc_count
  1.1315 +    cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
  1.1316 +        "--extSAN example.com,dns:www.example.com" 255 \
  1.1317 +        "create cert with invalid SAN parameter"
  1.1318 +
  1.1319 +    TN="create cert with valid SAN parameter"
  1.1320 +
  1.1321 +    cert_inc_count
  1.1322 +    cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
  1.1323 +        "--extSAN dns:example.com,dns:www.example.com" 0 \
  1.1324 +        "${TN}"
  1.1325 +
  1.1326 +    cert_inc_count
  1.1327 +    cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
  1.1328 +        "${TN}"
  1.1329 +
  1.1330 +    cert_inc_count
  1.1331 +    cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \
  1.1332 +        "dump extension 2.5.29.17 to file ${EXTDUMP}"
  1.1333 +
  1.1334 +    cert_inc_count
  1.1335 +    cert_delete "${DIR}" "${CERTNAME}" 0 \
  1.1336 +        "${TN}"
  1.1337 +
  1.1338 +    cert_inc_count
  1.1339 +    cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
  1.1340 +        "expect failure to list cert, because we deleted it"
  1.1341 +
  1.1342 +    cert_inc_count
  1.1343 +    cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
  1.1344 +        "--extGeneric ${EXTDUMP}" 255 \
  1.1345 +        "create cert with invalid generic ext parameter"
  1.1346 +
  1.1347 +    cert_inc_count
  1.1348 +    cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
  1.1349 +        "--extGeneric not-critical:${EXTDUMP}" 255 \
  1.1350 +        "create cert with invalid generic ext parameter"
  1.1351 +
  1.1352 +    cert_inc_count
  1.1353 +    cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
  1.1354 +        "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \
  1.1355 +        "create cert with invalid generic ext parameter"
  1.1356 +
  1.1357 +    TN="create cert with valid generic ext parameter"
  1.1358 +
  1.1359 +    cert_inc_count
  1.1360 +    cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
  1.1361 +        "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \
  1.1362 +        "${TN}"
  1.1363 +
  1.1364 +    cert_inc_count
  1.1365 +    cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
  1.1366 +        "${TN}"
  1.1367 +
  1.1368 +    cert_inc_count
  1.1369 +    cert_delete "${DIR}" "${CERTNAME}" 0 \
  1.1370 +        "${TN}"
  1.1371 +
  1.1372 +    cert_inc_count
  1.1373 +    cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
  1.1374 +        "expect failure to list cert, because we deleted it"
  1.1375 +}
  1.1376 +
  1.1377 +############################## cert_crl_ssl ############################
  1.1378 +# local shell function to generate certs and crls for SSL tests
  1.1379 +########################################################################
  1.1380 +cert_crl_ssl()
  1.1381 +{
  1.1382 +    
  1.1383 +  ################# Creating Certs ###################################
  1.1384 +  #
  1.1385 +  CERTFAILED=0
  1.1386 +  CERTSERIAL=${CRL_GRP_1_BEGIN}
  1.1387 +
  1.1388 +  cd $CADIR
  1.1389 +  
  1.1390 +  PROFILEDIR=`cd ${CLIENTDIR}; pwd`
  1.1391 +  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
  1.1392 +     PROFILEDIR=`cygpath -m ${PROFILEDIR}`
  1.1393 +  fi
  1.1394 +  CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1`
  1.1395 +  echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ==="
  1.1396 +  CU_ACTION="Creating client test certs"
  1.1397 +
  1.1398 +  while [ $CERTSERIAL -le $CRL_GRPS_END ]
  1.1399 +  do
  1.1400 +      CERTNAME="TestUser$CERTSERIAL"
  1.1401 +      cert_add_cert 
  1.1402 +      CERTSERIAL=`expr $CERTSERIAL + 1 `
  1.1403 +  done
  1.1404 +
  1.1405 +  #################### CRL Creation ##############################
  1.1406 +  CRL_GEN_RES=0
  1.1407 +  echo "$SCRIPTNAME: Creating CA CRL ====================================="
  1.1408 +
  1.1409 +  CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1`
  1.1410 +  CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END}
  1.1411 +  CRL_FILE=${CRL_FILE_GRP_1}
  1.1412 +  
  1.1413 +  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
  1.1414 +  CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority"
  1.1415 +  CRL_GRP_END_=`expr ${CRL_GRP_END} - 1`
  1.1416 +  crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \
  1.1417 +      -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
  1.1418 +update=$CRLUPDATE
  1.1419 +addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
  1.1420 +addext reasonCode 0 4
  1.1421 +addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA"
  1.1422 +EOF_CRLINI
  1.1423 +# This extension should be added to the list, but currently nss has bug
  1.1424 +#addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1
  1.1425 +  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1426 +  chmod 600 ${CRL_FILE_GRP_1}_or
  1.1427 +
  1.1428 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
  1.1429 +      CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
  1.1430 +
  1.1431 +#     Until Bug 292285 is resolved, do not encode x400 Addresses. After
  1.1432 +#     the bug is resolved, reintroduce "x400Address:x400Address" within
  1.1433 +#     addext issuerAltNames ...
  1.1434 +      crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
  1.1435 +	  -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
  1.1436 +update=$CRLUPDATE
  1.1437 +addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
  1.1438 +addext reasonCode 0 4
  1.1439 +addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
  1.1440 +EOF_CRLINI
  1.1441 +      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1442 +      chmod 600 ${CRL_FILE_GRP_1}_or-ec
  1.1443 +  fi
  1.1444 +
  1.1445 +  echo test > file
  1.1446 +  ############################# Modification ##################################
  1.1447 +
  1.1448 +  echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
  1.1449 +  sleep 2
  1.1450 +  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
  1.1451 +  CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
  1.1452 +  CU_ACTION="Modify CRL by adding one more cert"
  1.1453 +  crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \
  1.1454 +      -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
  1.1455 +update=$CRLUPDATE
  1.1456 +addcert ${CRL_GRP_END} $CRL_GRP_DATE
  1.1457 +EOF_CRLINI
  1.1458 +  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1459 +  chmod 600 ${CRL_FILE_GRP_1}_or1
  1.1460 +  TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
  1.1461 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
  1.1462 +      CU_ACTION="Modify CRL (ECC) by adding one more cert"
  1.1463 +      crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
  1.1464 +	  -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
  1.1465 +update=$CRLUPDATE
  1.1466 +addcert ${CRL_GRP_END} $CRL_GRP_DATE
  1.1467 +EOF_CRLINI
  1.1468 +      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1469 +      chmod 600 ${CRL_FILE_GRP_1}_or1-ec
  1.1470 +      TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
  1.1471 +  fi
  1.1472 +
  1.1473 +  ########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
  1.1474 +  echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
  1.1475 +  CU_ACTION="Modify CRL by removing one cert"
  1.1476 +  sleep 2
  1.1477 +  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
  1.1478 +  crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
  1.1479 +      -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
  1.1480 +update=$CRLUPDATE
  1.1481 +rmcert  ${UNREVOKED_CERT_GRP_1}
  1.1482 +EOF_CRLINI
  1.1483 +  chmod 600 ${CRL_FILE_GRP_1}
  1.1484 +  TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
  1.1485 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
  1.1486 +      CU_ACTION="Modify CRL (ECC) by removing one cert"
  1.1487 +      crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
  1.1488 +	  -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
  1.1489 +update=$CRLUPDATE
  1.1490 +rmcert  ${UNREVOKED_CERT_GRP_1}
  1.1491 +EOF_CRLINI
  1.1492 +      chmod 600 ${CRL_FILE_GRP_1}-ec
  1.1493 +      TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
  1.1494 +  fi
  1.1495 +
  1.1496 +  ########### Creating second CRL which includes groups 1 and 2 ##############
  1.1497 +  CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
  1.1498 +  CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}
  1.1499 +
  1.1500 +  echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2  ==============="
  1.1501 +  sleep 2
  1.1502 +  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
  1.1503 +  CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
  1.1504 +  CU_ACTION="Creating CRL for groups 1 and 2"
  1.1505 +  crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2} \
  1.1506 +          -i ${CRL_FILE_GRP_1} <<EOF_CRLINI
  1.1507 +update=$CRLUPDATE
  1.1508 +addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
  1.1509 +addext invalidityDate 0 $CRLUPDATE
  1.1510 +rmcert  ${UNREVOKED_CERT_GRP_2}
  1.1511 +EOF_CRLINI
  1.1512 +  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1513 +  chmod 600 ${CRL_FILE_GRP_2}
  1.1514 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
  1.1515 +      CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
  1.1516 +      crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
  1.1517 +          -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
  1.1518 +update=$CRLUPDATE
  1.1519 +addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
  1.1520 +addext invalidityDate 0 $CRLUPDATE
  1.1521 +rmcert  ${UNREVOKED_CERT_GRP_2}
  1.1522 +EOF_CRLINI
  1.1523 +      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1524 +      chmod 600 ${CRL_FILE_GRP_2}-ec
  1.1525 +  fi
  1.1526 +
  1.1527 +  ########### Creating second CRL which includes groups 1, 2 and 3 ##############
  1.1528 +  CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
  1.1529 +  CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END}
  1.1530 +
  1.1531 +
  1.1532 +
  1.1533 +  echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3  ==============="
  1.1534 +  sleep 2
  1.1535 +  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
  1.1536 +  CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
  1.1537 +  CU_ACTION="Creating CRL for groups 1, 2 and 3"
  1.1538 +  crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3} \
  1.1539 +            -i ${CRL_FILE_GRP_2} <<EOF_CRLINI
  1.1540 +update=$CRLUPDATE
  1.1541 +addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
  1.1542 +rmcert  ${UNREVOKED_CERT_GRP_3}
  1.1543 +addext crlNumber 0 2
  1.1544 +EOF_CRLINI
  1.1545 +  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1546 +  chmod 600 ${CRL_FILE_GRP_3}
  1.1547 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
  1.1548 +      CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
  1.1549 +      crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
  1.1550 +          -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
  1.1551 +update=$CRLUPDATE
  1.1552 +addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
  1.1553 +rmcert  ${UNREVOKED_CERT_GRP_3}
  1.1554 +addext crlNumber 0 2
  1.1555 +EOF_CRLINI
  1.1556 +      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1557 +      chmod 600 ${CRL_FILE_GRP_3}-ec
  1.1558 +  fi
  1.1559 +
  1.1560 +  ############ Importing Server CA Issued CRL for certs of first group #######
  1.1561 +
  1.1562 +  echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
  1.1563 +  CU_ACTION="Importing CRL for groups 1"
  1.1564 +  crlu -D -n TestCA  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
  1.1565 +  crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
  1.1566 +  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1567 +  if [ -z "$NSS_DISABLE_ECC" ] ; then
  1.1568 +      CU_ACTION="Importing CRL (ECC) for groups 1"
  1.1569 +      crlu -D -n TestCA-ec  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
  1.1570 +      crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
  1.1571 +	  -d "${R_SERVERDIR}"
  1.1572 +      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
  1.1573 +  fi
  1.1574 +
  1.1575 +  if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
  1.1576 +      cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
  1.1577 +  else
  1.1578 +      cert_log "SUCCESS: SSL CRL prep passed"
  1.1579 +  fi
  1.1580 +}
  1.1581 +
  1.1582 +#################
  1.1583 +# Verify the we can successfully change the password on the database
  1.1584 +#
  1.1585 +cert_test_password()
  1.1586 +{
  1.1587 +  CERTFAILED=0
  1.1588 +  echo "$SCRIPTNAME: Create A Password Test Cert  =============="
  1.1589 +  cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}"
  1.1590 +
  1.1591 +  echo "$SCRIPTNAME: Create A Password Test Ca  --------"
  1.1592 +  ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  1.1593 +  cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1"
  1.1594 +
  1.1595 +  # now change the password
  1.1596 +  CU_ACTION="Changing password on ${CERTNAME}'s Cert DB"
  1.1597 +  certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1
  1.1598 +
  1.1599 +  # finally make sure we can use the old key with the new password
  1.1600 +  CU_ACTION="Generate Certificate for ${CERTNAME} with new password"
  1.1601 +  CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  1.1602 +  certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1
  1.1603 +  if [ "$RET" -eq 0 ]; then
  1.1604 +    cert_log "SUCCESS: PASSWORD passed"
  1.1605 +  fi
  1.1606 +  CU_ACTION="Verify Certificate for ${CERTNAME} with new password"
  1.1607 +  certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
  1.1608 +}
  1.1609 +
  1.1610 +###############################
  1.1611 +# test if we can distrust a certificate.
  1.1612 +#
  1.1613 +# we create 3 new certs:
  1.1614 +#   1 leaf signed by the trusted root.
  1.1615 +#   1 intermediate signed by the trusted root.
  1.1616 +#   1 leaf signed by the intermediate.
  1.1617 +#
  1.1618 +#  we mark the first leaf and the intermediate as explicitly untrusted.
  1.1619 +#  we then try to verify the two leaf certs for our possible usages.
  1.1620 +#  All verification should fail.
  1.1621 +# 
  1.1622 +cert_test_distrust()
  1.1623 +{
  1.1624 +  echo "$SCRIPTNAME: Creating Distrusted Certificate"
  1.1625 +  cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST}
  1.1626 +  CU_ACTION="Mark CERT as unstrusted"
  1.1627 +  certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1
  1.1628 +  echo "$SCRIPTNAME: Creating Distrusted Intermediate"
  1.1629 +  CERTNAME="DistrustedCA"
  1.1630 +  ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  1.1631 +  cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1
  1.1632 +  CU_ACTION="Import Distrusted Intermediate"
  1.1633 +  certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
  1.1634 +          -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1
  1.1635 +
  1.1636 +  # now create the last leaf signed by our distrusted CA
  1.1637 +  # since it's not signed by TestCA it requires more steps.
  1.1638 +  CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA"
  1.1639 +  CERTNAME="LeafChainedToDistrustedCA"
  1.1640 +  CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  1.1641 +  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
  1.1642 +
  1.1643 +  CU_ACTION="Sign ${CERTNAME}'s Request"
  1.1644 +  cp ${CERTDIR}/req ${CADIR}
  1.1645 +  certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \
  1.1646 +        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
  1.1647 +
  1.1648 +  CU_ACTION="Import $CERTNAME's Cert  -t u,u,u"
  1.1649 +  certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
  1.1650 +        -i "${CERTNAME}.cert" 2>&1
  1.1651 +
  1.1652 +  RETEXPECTED=255
  1.1653 +  CU_ACTION="Verify ${CERTNAME} Cert for SSL Server"
  1.1654 +  certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1655 +  CU_ACTION="Verify ${CERTNAME} Cert for SSL Client"
  1.1656 +  certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1657 +  CU_ACTION="Verify ${CERTNAME} Cert for Email signer"
  1.1658 +  certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1659 +  CU_ACTION="Verify ${CERTNAME} Cert for Email recipient"
  1.1660 +  certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1661 +  CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder"
  1.1662 +  certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1663 +  CU_ACTION="Verify ${CERTNAME} Cert for Object Signer"
  1.1664 +  certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1665 +
  1.1666 +  CERTNAME="Distrusted"
  1.1667 +  CU_ACTION="Verify ${CERTNAME} Cert for SSL Server"
  1.1668 +  certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1669 +  CU_ACTION="Verify ${CERTNAME} Cert for SSL Client"
  1.1670 +  certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1671 +  CU_ACTION="Verify ${CERTNAME} Cert for Email signer"
  1.1672 +  certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1673 +  CU_ACTION="Verify ${CERTNAME} Cert for Email recipient"
  1.1674 +  certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1675 +  CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder"
  1.1676 +  certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1677 +  CU_ACTION="Verify ${CERTNAME} Cert for Object Signer"
  1.1678 +  certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
  1.1679 +  RETEXPECTED=0
  1.1680 +}
  1.1681 +
  1.1682 +cert_test_ocspresp()
  1.1683 +{
  1.1684 +  echo "$SCRIPTNAME: OCSP response creation selftest"
  1.1685 +  OR_ACTION="perform selftest"
  1.1686 +  RETEXPECTED=0
  1.1687 +  ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
  1.1688 +}
  1.1689 +
  1.1690 +############################## cert_cleanup ############################
  1.1691 +# local shell function to finish this script (no exit since it might be
  1.1692 +# sourced)
  1.1693 +########################################################################
  1.1694 +cert_cleanup()
  1.1695 +{
  1.1696 +  cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
  1.1697 +  html "</TABLE><BR>" 
  1.1698 +  cd ${QADIR}
  1.1699 +  . common/cleanup.sh
  1.1700 +}
  1.1701 +
  1.1702 +################## main #################################################
  1.1703 +
  1.1704 +cert_init 
  1.1705 +cert_all_CA
  1.1706 +cert_extended_ssl 
  1.1707 +cert_ssl 
  1.1708 +cert_smime_client        
  1.1709 +if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
  1.1710 +    cert_fips
  1.1711 +fi
  1.1712 +cert_eccurves
  1.1713 +cert_extensions
  1.1714 +cert_san_and_generic_extensions
  1.1715 +cert_test_password
  1.1716 +cert_test_distrust
  1.1717 +cert_test_ocspresp
  1.1718 +
  1.1719 +if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
  1.1720 +    cert_crl_ssl
  1.1721 +else
  1.1722 +    echo "$SCRIPTNAME: Skipping CRL Tests"
  1.1723 +fi
  1.1724 +
  1.1725 +if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
  1.1726 +    cert_stresscerts 
  1.1727 +fi
  1.1728 +
  1.1729 +cert_iopr_setup
  1.1730 +
  1.1731 +cert_cleanup
