security/nss/tests/chains/chains.sh

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/security/nss/tests/chains/chains.sh	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,1306 @@
     1.4 +#!/bin/bash
     1.5 +#
     1.6 +# This Source Code Form is subject to the terms of the Mozilla Public
     1.7 +# License, v. 2.0. If a copy of the MPL was not distributed with this
     1.8 +# file, You can obtain one at http://mozilla.org/MPL/2.0/.
     1.9 +
    1.10 +########################################################################
    1.11 +#
    1.12 +# mozilla/security/nss/tests/cert/chains.sh
    1.13 +#
    1.14 +# Script to test certificate chains validity. 
    1.15 +#
    1.16 +# needs to work on all Unix and Windows platforms
    1.17 +#
    1.18 +# special strings
    1.19 +# ---------------
    1.20 +#   FIXME ... known problems, search for this string
    1.21 +#   NOTE .... unexpected behavior
    1.22 +########################################################################
    1.23 +
    1.24 +########################### is_httpserv_alive ##########################
    1.25 +# local shell function to exit with a fatal error if selfserver is not
    1.26 +# running
    1.27 +########################################################################
    1.28 +is_httpserv_alive()
    1.29 +{
    1.30 +  if [ ! -f "${HTTPPID}" ]; then
    1.31 +      echo "$SCRIPTNAME: Error - httpserv PID file ${HTTPPID} doesn't exist"
    1.32 +      sleep 5
    1.33 +      if [ ! -f "${HTTPPID}" ]; then
    1.34 +          Exit 9 "Fatal - httpserv pid file ${HTTPPID} does not exist"
    1.35 +      fi
    1.36 +  fi
    1.37 +  
    1.38 +  if [ "${OS_ARCH}" = "WINNT" ] && \
    1.39 +     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
    1.40 +      PID=${SHELL_HTTPPID}
    1.41 +  else
    1.42 +      PID=`cat ${HTTPPID}`
    1.43 +  fi
    1.44 +
    1.45 +  echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
    1.46 +  kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
    1.47 +
    1.48 +  echo "httpserv with PID ${PID} found at `date`"
    1.49 +}
    1.50 +
    1.51 +########################### wait_for_httpserv ##########################
    1.52 +# local shell function to wait until httpserver is running and initialized
    1.53 +########################################################################
    1.54 +wait_for_httpserv()
    1.55 +{
    1.56 +  echo "trying to connect to httpserv at `date`"
    1.57 +  echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
    1.58 +  ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
    1.59 +  if [ $? -ne 0 ]; then
    1.60 +      sleep 5
    1.61 +      echo "retrying to connect to httpserv at `date`"
    1.62 +      echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
    1.63 +      ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
    1.64 +      if [ $? -ne 0 ]; then
    1.65 +          html_failed "Waiting for Server"
    1.66 +      fi
    1.67 +  fi
    1.68 +  is_httpserv_alive
    1.69 +}
    1.70 +
    1.71 +########################### kill_httpserv ##############################
    1.72 +# local shell function to kill the httpserver after the tests are done
    1.73 +########################################################################
    1.74 +kill_httpserv()
    1.75 +{
    1.76 +  if [ "${OS_ARCH}" = "WINNT" ] && \
    1.77 +     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
    1.78 +      PID=${SHELL_HTTPPID}
    1.79 +  else
    1.80 +      PID=`cat ${HTTPPID}`
    1.81 +  fi
    1.82 +
    1.83 +  echo "trying to kill httpserv with PID ${PID} at `date`"
    1.84 +
    1.85 +  if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
    1.86 +      echo "${KILL} ${PID}"
    1.87 +      ${KILL} ${PID}
    1.88 +  else
    1.89 +      echo "${KILL} -USR1 ${PID}"
    1.90 +      ${KILL} -USR1 ${PID}
    1.91 +  fi
    1.92 +  wait ${PID}
    1.93 +
    1.94 +  # On Linux httpserv needs up to 30 seconds to fully die and free
    1.95 +  # the port.  Wait until the port is free. (Bug 129701)
    1.96 +  if [ "${OS_ARCH}" = "Linux" ]; then
    1.97 +      echo "httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
    1.98 +      until ${BINDIR}/httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null; do
    1.99 +          echo "RETRY: httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
   1.100 +          sleep 1
   1.101 +      done
   1.102 +  fi
   1.103 +
   1.104 +  echo "httpserv with PID ${PID} killed at `date`"
   1.105 +
   1.106 +  rm ${HTTPPID}
   1.107 +  html_detect_core "kill_httpserv core detection step"
   1.108 +}
   1.109 +
   1.110 +########################### start_httpserv #############################
   1.111 +# local shell function to start the httpserver with the parameters required 
   1.112 +# for this test and log information (parameters, start time)
   1.113 +# also: wait until the server is up and running
   1.114 +########################################################################
   1.115 +start_httpserv()
   1.116 +{
   1.117 +  HTTP_METHOD=$1
   1.118 +
   1.119 +  if [ -n "$testname" ] ; then
   1.120 +      echo "$SCRIPTNAME: $testname ----"
   1.121 +  fi
   1.122 +  echo "httpserv starting at `date`"
   1.123 +  ODDIR="${HOSTDIR}/chains/OCSPD"
   1.124 +  echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\"
   1.125 +  echo "         -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\"
   1.126 +  echo "         -A OCSPCA2  -C ${ODDIR}/OCSPCA2.crl  -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\"
   1.127 +  echo "         -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\"
   1.128 +  echo "         -i ${HTTPPID} $verbose &"
   1.129 +  ${PROFTOOL} ${BINDIR}/httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \
   1.130 +                 -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \
   1.131 +                 -A OCSPCA2  -C ${ODDIR}/OCSPCA2.crl  -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \
   1.132 +                 -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \
   1.133 +                 -i ${HTTPPID} $verbose &
   1.134 +  RET=$?
   1.135 +
   1.136 +  # The PID $! returned by the MKS or Cygwin shell is not the PID of
   1.137 +  # the real background process, but rather the PID of a helper
   1.138 +  # process (sh.exe).  MKS's kill command has a bug: invoking kill
   1.139 +  # on the helper process does not terminate the real background
   1.140 +  # process.  Our workaround has been to have httpserv save its PID
   1.141 +  # in the ${HTTPPID} file and "kill" that PID instead.  But this
   1.142 +  # doesn't work under Cygwin; its kill command doesn't recognize
   1.143 +  # the PID of the real background process, but it does work on the
   1.144 +  # PID of the helper process.  So we save the value of $! in the
   1.145 +  # SHELL_HTTPPID variable, and use it instead of the ${HTTPPID}
   1.146 +  # file under Cygwin.  (In fact, this should work in any shell
   1.147 +  # other than the MKS shell.)
   1.148 +  SHELL_HTTPPID=$!
   1.149 +  wait_for_httpserv
   1.150 +
   1.151 +  if [ "${OS_ARCH}" = "WINNT" ] && \
   1.152 +     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
   1.153 +      PID=${SHELL_HTTPPID}
   1.154 +  else
   1.155 +      PID=`cat ${HTTPPID}`
   1.156 +  fi
   1.157 +
   1.158 +  echo "httpserv with PID ${PID} started at `date`"
   1.159 +}
   1.160 +
   1.161 +############################# chains_init ##############################
   1.162 +# local shell function to initialize this script
   1.163 +########################################################################
   1.164 +chains_init()
   1.165 +{
   1.166 +    if [ -z "${CLEANUP}" ] ; then   # if nobody else is responsible for
   1.167 +        CLEANUP="${SCRIPTNAME}"     # cleaning this script will do it
   1.168 +    fi
   1.169 +    if [ -z "${INIT_SOURCED}" ] ; then
   1.170 +        cd ../common
   1.171 +        . ./init.sh
   1.172 +    fi
   1.173 +
   1.174 +    SCRIPTNAME="chains.sh"
   1.175 +
   1.176 +    CHAINS_DIR="${HOSTDIR}/chains"
   1.177 +    mkdir -p ${CHAINS_DIR}
   1.178 +    cd ${CHAINS_DIR}
   1.179 +
   1.180 +    CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
   1.181 +
   1.182 +    CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
   1.183 +    CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
   1.184 +
   1.185 +    PK7_NONCE=${CERT_SN_CNT}
   1.186 +    SCEN_CNT=${CERT_SN_CNT}
   1.187 +
   1.188 +    AIA_FILES="${HOSTDIR}/aiafiles"
   1.189 +
   1.190 +    CU_DATA=${HOSTDIR}/cu_data
   1.191 +    CRL_DATA=${HOSTDIR}/crl_data
   1.192 +
   1.193 +    DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10)
   1.194 +    NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
   1.195 +    DEFAULT_UNUSED_PORT=$(expr ${PORT:-8631} + 11)
   1.196 +    NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT}
   1.197 +    NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
   1.198 +    NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
   1.199 +    NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp}
   1.200 +    NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"}
   1.201 +
   1.202 +    html_head "Certificate Chains Tests"
   1.203 +}
   1.204 +
   1.205 +chains_run_httpserv()
   1.206 +{
   1.207 +    HTTP_METHOD=$1
   1.208 +
   1.209 +    if [ -n "${NSS_AIA_PATH}" ]; then
   1.210 +        HTTPPID=${NSS_AIA_PATH}/http_pid.$$
   1.211 +        mkdir -p "${NSS_AIA_PATH}"
   1.212 +        SAVEPWD=`pwd`
   1.213 +        cd "${NSS_AIA_PATH}"
   1.214 +        # Start_httpserv sets environment variables, which are required for
   1.215 +        # correct cleanup. (Running it in a subshell doesn't work, the
   1.216 +        # value of $SHELL_HTTPPID wouldn't arrive in this scope.)
   1.217 +        start_httpserv ${HTTP_METHOD}
   1.218 +        cd "${SAVEPWD}"
   1.219 +    fi
   1.220 +}
   1.221 +
   1.222 +chains_stop_httpserv()
   1.223 +{
   1.224 +    if [ -n "${NSS_AIA_PATH}" ]; then
   1.225 +        kill_httpserv
   1.226 +    fi
   1.227 +}
   1.228 +
   1.229 +############################ chains_cleanup ############################
   1.230 +# local shell function to finish this script (no exit since it might be
   1.231 +# sourced)
   1.232 +########################################################################
   1.233 +chains_cleanup()
   1.234 +{
   1.235 +    html "</TABLE><BR>"
   1.236 +    cd ${QADIR}
   1.237 +    . common/cleanup.sh
   1.238 +}
   1.239 +
   1.240 +############################ print_cu_data #############################
   1.241 +# local shell function to print certutil input data
   1.242 +########################################################################
   1.243 +print_cu_data()
   1.244 +{
   1.245 +    echo "=== Certutil input data ==="
   1.246 +    cat ${CU_DATA}
   1.247 +    echo "==="
   1.248 +}
   1.249 +
   1.250 +set_cert_sn()
   1.251 +{
   1.252 +    if [ -z "${SERIAL}" ]; then
   1.253 +        CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1)
   1.254 +        CERT_SN=${CERT_SN_CNT}
   1.255 +    else
   1.256 +        echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null
   1.257 +        if [ $? -eq 0 ]; then
   1.258 +            CERT_SN=$(echo ${SERIAL} | cut -b 2-)
   1.259 +            CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN})
   1.260 +        else
   1.261 +            CERT_SN=${SERIAL}
   1.262 +        fi 
   1.263 +    fi
   1.264 +}
   1.265 +
   1.266 +############################# create_db ################################
   1.267 +# local shell function to create certificate database
   1.268 +########################################################################
   1.269 +create_db()
   1.270 +{
   1.271 +    DB=$1
   1.272 +
   1.273 +    [ -d "${DB}" ] && rm -rf ${DB}
   1.274 +    mkdir -p ${DB}
   1.275 +
   1.276 +    echo "${DB}passwd" > ${DB}/dbpasswd
   1.277 +
   1.278 +    TESTNAME="Creating DB ${DB}"
   1.279 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.280 +    echo "certutil -N -d ${DB} -f ${DB}/dbpasswd" 
   1.281 +    ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd
   1.282 +    html_msg $? 0 "${SCENARIO}${TESTNAME}" 
   1.283 +}
   1.284 +
   1.285 +########################### create_root_ca #############################
   1.286 +# local shell function to generate self-signed root certificate
   1.287 +########################################################################
   1.288 +create_root_ca()
   1.289 +{
   1.290 +    ENTITY=$1
   1.291 +    ENTITY_DB=${ENTITY}DB
   1.292 +
   1.293 +    set_cert_sn
   1.294 +    date >> ${NOISE_FILE} 2>&1
   1.295 +
   1.296 +    CTYPE_OPT=
   1.297 +    if [ -n "${CTYPE}" ]; then
   1.298 +        CTYPE_OPT="-k ${CTYPE}"
   1.299 +    fi
   1.300 +
   1.301 +    echo "5
   1.302 +6
   1.303 +9
   1.304 +n
   1.305 +y
   1.306 +-1
   1.307 +n
   1.308 +5
   1.309 +6
   1.310 +7
   1.311 +9
   1.312 +n
   1.313 +" > ${CU_DATA}
   1.314 +
   1.315 +    TESTNAME="Creating Root CA ${ENTITY}"
   1.316 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.317 +    echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}"
   1.318 +    print_cu_data
   1.319 +    ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}
   1.320 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.321 +
   1.322 +    TESTNAME="Exporting Root CA ${ENTITY}.der"
   1.323 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.324 +    echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der"
   1.325 +    ${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der
   1.326 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.327 +}
   1.328 +
   1.329 +########################### create_cert_req ############################
   1.330 +# local shell function to generate certificate sign request
   1.331 +########################################################################
   1.332 +create_cert_req()
   1.333 +{
   1.334 +    ENTITY=$1
   1.335 +    TYPE=$2
   1.336 +
   1.337 +    ENTITY_DB=${ENTITY}DB
   1.338 +
   1.339 +    REQ=${ENTITY}Req.der
   1.340 +
   1.341 +    date >> ${NOISE_FILE} 2>&1
   1.342 +
   1.343 +    CTYPE_OPT=
   1.344 +    if [ -n "${CTYPE}" ]; then
   1.345 +        CTYPE_OPT="-k ${CTYPE}"
   1.346 +    fi
   1.347 +
   1.348 +    CA_FLAG=
   1.349 +    EXT_DATA=
   1.350 +    OPTIONS=
   1.351 +
   1.352 +    if [ "${TYPE}" != "EE" ]; then
   1.353 +        CA_FLAG="-2"
   1.354 +        EXT_DATA="y
   1.355 +-1
   1.356 +y
   1.357 +"
   1.358 +    fi
   1.359 +
   1.360 +    process_crldp
   1.361 +
   1.362 +    echo "${EXT_DATA}" > ${CU_DATA}
   1.363 +
   1.364 +    TESTNAME="Creating ${TYPE} certifiate request ${REQ}"
   1.365 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.366 +    echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}"
   1.367 +    print_cu_data
   1.368 +    ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA} 
   1.369 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.370 +}
   1.371 +
   1.372 +############################ create_entity #############################
   1.373 +# local shell function to create certificate chain entity
   1.374 +########################################################################
   1.375 +create_entity()
   1.376 +{
   1.377 +    ENTITY=$1
   1.378 +    TYPE=$2
   1.379 +
   1.380 +    if [ -z "${ENTITY}" ]; then
   1.381 +        echo "Configuration error: Unnamed entity"
   1.382 +        exit 1
   1.383 +    fi
   1.384 +
   1.385 +    DB=${ENTITY}DB
   1.386 +    ENTITY_DB=${ENTITY}DB
   1.387 +
   1.388 +    case "${TYPE}" in
   1.389 +    "Root")
   1.390 +        create_db "${DB}"
   1.391 +        create_root_ca "${ENTITY}"
   1.392 +        ;;
   1.393 +    "Intermediate" | "Bridge" | "EE")
   1.394 +        create_db "${DB}"
   1.395 +        create_cert_req "${ENTITY}" "${TYPE}"
   1.396 +        ;;
   1.397 +    "*")
   1.398 +        echo "Configuration error: Unknown type ${TYPE}"
   1.399 +        exit 1
   1.400 +        ;;
   1.401 +    esac
   1.402 +}
   1.403 +
   1.404 +########################################################################
   1.405 +# List of global variables related to certificate extensions processing:
   1.406 +#
   1.407 +# Generated by process_extensions and functions called from it:
   1.408 +# OPTIONS - list of command line policy extensions 
   1.409 +# DATA - list of inpud data related to policy extensions
   1.410 +#
   1.411 +# Generated by parse_config:
   1.412 +# POLICY - list of certificate policies
   1.413 +# MAPPING - list of policy mappings 
   1.414 +# INHIBIT - inhibit flag
   1.415 +# AIA - AIA list
   1.416 +########################################################################
   1.417 +
   1.418 +############################ process_policy ############################
   1.419 +# local shell function to process policy extension parameters and 
   1.420 +# generate input for certutil
   1.421 +########################################################################
   1.422 +process_policy()
   1.423 +{
   1.424 +    if [ -n "${POLICY}" ]; then
   1.425 +        OPTIONS="${OPTIONS} --extCP"
   1.426 +
   1.427 +        NEXT=
   1.428 +        for ITEM in ${POLICY}; do
   1.429 +            if [ -n "${NEXT}" ]; then
   1.430 +                DATA="${DATA}y
   1.431 +"
   1.432 +            fi
   1.433 +
   1.434 +            NEXT=1
   1.435 +            DATA="${DATA}${ITEM}
   1.436 +1
   1.437 +
   1.438 +n
   1.439 +"
   1.440 +        done
   1.441 +
   1.442 +        DATA="${DATA}n
   1.443 +n
   1.444 +"
   1.445 +    fi
   1.446 +}
   1.447 +
   1.448 +########################### process_mapping ############################
   1.449 +# local shell function to process policy mapping parameters and 
   1.450 +# generate input for certutil
   1.451 +########################################################################
   1.452 +process_mapping()
   1.453 +{
   1.454 +    if [ -n "${MAPPING}" ]; then
   1.455 +        OPTIONS="${OPTIONS} --extPM"
   1.456 +
   1.457 +        NEXT=
   1.458 +        for ITEM in ${MAPPING}; do
   1.459 +            if [ -n "${NEXT}" ]; then
   1.460 +                DATA="${DATA}y
   1.461 +"
   1.462 +            fi
   1.463 +
   1.464 +            NEXT=1
   1.465 +            IDP=`echo ${ITEM} | cut -d: -f1`
   1.466 +            SDP=`echo ${ITEM} | cut -d: -f2`
   1.467 +            DATA="${DATA}${IDP}
   1.468 +${SDP}
   1.469 +"
   1.470 +        done
   1.471 +
   1.472 +        DATA="${DATA}n
   1.473 +n
   1.474 +"
   1.475 +    fi
   1.476 +}
   1.477 +
   1.478 +########################### process_inhibit#############################
   1.479 +# local shell function to process inhibit extension and generate input 
   1.480 +# for certutil
   1.481 +########################################################################
   1.482 +process_inhibit()
   1.483 +{
   1.484 +    if [ -n "${INHIBIT}" ]; then
   1.485 +        OPTIONS="${OPTIONS} --extIA"
   1.486 +
   1.487 +        DATA="${DATA}${INHIBIT}
   1.488 +n
   1.489 +"
   1.490 +    fi
   1.491 +}
   1.492 +
   1.493 +############################# process_aia ##############################
   1.494 +# local shell function to process AIA extension parameters and 
   1.495 +# generate input for certutil
   1.496 +########################################################################
   1.497 +process_aia()
   1.498 +{
   1.499 +    if [ -n "${AIA}" ]; then
   1.500 +        OPTIONS="${OPTIONS} --extAIA"
   1.501 +
   1.502 +        DATA="${DATA}1
   1.503 +"
   1.504 +
   1.505 +        for ITEM in ${AIA}; do
   1.506 +            PK7_NONCE=`expr $PK7_NONCE + 1`
   1.507 +
   1.508 +            echo ${ITEM} | grep ":" > /dev/null
   1.509 +            if [ $? -eq 0 ]; then
   1.510 +                CERT_NICK=`echo ${ITEM} | cut -d: -f1`
   1.511 +                CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
   1.512 +                CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der"
   1.513 +                CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der"
   1.514 +            else
   1.515 +                CERT_LOCAL="${ITEM}.p7"
   1.516 +                CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7"
   1.517 +            fi
   1.518 +
   1.519 +            DATA="${DATA}7
   1.520 +${NSS_AIA_HTTP}/${CERT_PUBLIC}
   1.521 +"
   1.522 +
   1.523 +            if [ -n "${NSS_AIA_PATH}" ]; then
   1.524 +                cp ${CERT_LOCAL} ${NSS_AIA_PATH}/${CERT_PUBLIC} 2> /dev/null
   1.525 +                chmod a+r ${NSS_AIA_PATH}/${CERT_PUBLIC}
   1.526 +                echo ${NSS_AIA_PATH}/${CERT_PUBLIC} >> ${AIA_FILES}
   1.527 +            fi
   1.528 +        done
   1.529 +
   1.530 +        DATA="${DATA}0
   1.531 +n
   1.532 +n"
   1.533 +    fi
   1.534 +}
   1.535 +
   1.536 +process_ocsp()
   1.537 +{
   1.538 +    if [ -n "${OCSP}" ]; then
   1.539 +        OPTIONS="${OPTIONS} --extAIA"
   1.540 + 
   1.541 +	if [ "${OCSP}" = "offline" ]; then
   1.542 +	    MY_OCSP_URL=${NSS_OCSP_UNUSED}
   1.543 +	else
   1.544 +	    MY_OCSP_URL=${NSS_AIA_OCSP}
   1.545 +	fi
   1.546 +
   1.547 +        DATA="${DATA}2
   1.548 +7
   1.549 +${MY_OCSP_URL}
   1.550 +0
   1.551 +n
   1.552 +n
   1.553 +"
   1.554 +    fi
   1.555 +}
   1.556 +
   1.557 +process_crldp()
   1.558 +{
   1.559 +    if [ -n "${CRLDP}" ]; then
   1.560 +        OPTIONS="${OPTIONS} -4"
   1.561 +
   1.562 +        EXT_DATA="${EXT_DATA}1
   1.563 +"
   1.564 +
   1.565 +        for ITEM in ${CRLDP}; do
   1.566 +            CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"
   1.567 +
   1.568 +            EXT_DATA="${EXT_DATA}7
   1.569 +${NSS_AIA_HTTP}/${CRL_PUBLIC}
   1.570 +"
   1.571 +        done
   1.572 +
   1.573 +        EXT_DATA="${EXT_DATA}-1
   1.574 +-1
   1.575 +-1
   1.576 +n
   1.577 +n
   1.578 +"
   1.579 +    fi
   1.580 +}
   1.581 +
   1.582 +process_ku_ns_eku()
   1.583 +{
   1.584 +    if [ -n "${EXT_KU}" ]; then
   1.585 +        OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}"
   1.586 +    fi
   1.587 +    if [ -n "${EXT_NS}" ]; then
   1.588 +        EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1)
   1.589 +        EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2)
   1.590 +
   1.591 +        OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}"
   1.592 +        DATA="${DATA}${EXT_NS_CODE}
   1.593 +-1
   1.594 +n
   1.595 +"
   1.596 +    fi
   1.597 +    if [ -n "${EXT_EKU}" ]; then
   1.598 +        OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}"
   1.599 +    fi
   1.600 +}
   1.601 +
   1.602 +copy_crl()
   1.603 +
   1.604 +{
   1.605 +    if [ -z "${NSS_AIA_PATH}" ]; then
   1.606 +        return;
   1.607 +    fi
   1.608 +
   1.609 +    CRL_LOCAL="${COPYCRL}.crl"
   1.610 +    CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"
   1.611 +
   1.612 +    cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null
   1.613 +    chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
   1.614 +    echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES}
   1.615 +}
   1.616 +
   1.617 +########################## process_extension ###########################
   1.618 +# local shell function to process entity extension parameters and 
   1.619 +# generate input for certutil
   1.620 +########################################################################
   1.621 +process_extensions()
   1.622 +{
   1.623 +    OPTIONS=
   1.624 +    DATA=
   1.625 +
   1.626 +    process_policy
   1.627 +    process_mapping
   1.628 +    process_inhibit
   1.629 +    process_aia
   1.630 +    process_ocsp
   1.631 +    process_ku_ns_eku
   1.632 +}
   1.633 +
   1.634 +############################## sign_cert ###############################
   1.635 +# local shell function to sign certificate sign reuqest
   1.636 +########################################################################
   1.637 +sign_cert()
   1.638 +{
   1.639 +    ENTITY=$1
   1.640 +    ISSUER=$2
   1.641 +    TYPE=$3
   1.642 +
   1.643 +    [ -z "${ISSUER}" ] && return
   1.644 +
   1.645 +    ENTITY_DB=${ENTITY}DB
   1.646 +    ISSUER_DB=${ISSUER}DB
   1.647 +    REQ=${ENTITY}Req.der
   1.648 +    CERT=${ENTITY}${ISSUER}.der
   1.649 +
   1.650 +    set_cert_sn
   1.651 +
   1.652 +    EMAIL_OPT=
   1.653 +    if [ "${TYPE}" = "Bridge" ]; then
   1.654 +        EMAIL_OPT="-7 ${ENTITY}@${ISSUER}"
   1.655 +
   1.656 +        [ -n "${EMAILS}" ] && EMAILS="${EMAILS},"
   1.657 +        EMAILS="${EMAILS}${ENTITY}@${ISSUER}"
   1.658 +    fi
   1.659 +
   1.660 +    process_extensions 
   1.661 +
   1.662 +    echo "${DATA}" > ${CU_DATA}
   1.663 +
   1.664 +    TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}"
   1.665 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.666 +    echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}"
   1.667 +    print_cu_data
   1.668 +    ${BINDIR}/certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}
   1.669 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.670 +
   1.671 +    TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database"
   1.672 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.673 +    echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}"
   1.674 +    ${BINDIR}/certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}
   1.675 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.676 +}
   1.677 +
   1.678 +############################# create_pkcs7##############################
   1.679 +# local shell function to package bridge certificates into pkcs7 
   1.680 +# package
   1.681 +########################################################################
   1.682 +create_pkcs7()
   1.683 +{
   1.684 +    ENTITY=$1
   1.685 +    ENTITY_DB=${ENTITY}DB
   1.686 +
   1.687 +    TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database"
   1.688 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.689 +    echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7"
   1.690 +    ${BINDIR}/cmsutil -O -r "${EMAILS}" -d ${ENTITY_DB} > ${ENTITY}.p7
   1.691 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.692 +}
   1.693 +
   1.694 +############################# import_key ###############################
   1.695 +# local shell function to import private key + cert into database
   1.696 +########################################################################
   1.697 +import_key()
   1.698 +{
   1.699 +    KEY_NAME=$1.p12
   1.700 +    DB=$2
   1.701 +
   1.702 +    KEY_FILE=../OCSPD/${KEY_NAME}
   1.703 +
   1.704 +    TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database"
   1.705 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.706 +    echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss"
   1.707 +    ${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss
   1.708 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.709 +}
   1.710 +
   1.711 +export_key()
   1.712 +{
   1.713 +    KEY_NAME=$1.p12
   1.714 +    DB=$2
   1.715 +
   1.716 +    TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database"
   1.717 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.718 +    echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss"
   1.719 +    ${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss
   1.720 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.721 +}
   1.722 +
   1.723 +############################# import_cert ##############################
   1.724 +# local shell function to import certificate into database
   1.725 +########################################################################
   1.726 +import_cert()
   1.727 +{
   1.728 +    IMPORT=$1
   1.729 +    DB=$2
   1.730 +
   1.731 +    CERT_NICK=`echo ${IMPORT} | cut -d: -f1`
   1.732 +    CERT_ISSUER=`echo ${IMPORT} | cut -d: -f2`
   1.733 +    CERT_TRUST=`echo ${IMPORT} | cut -d: -f3`
   1.734 +
   1.735 +    if [ "${CERT_ISSUER}" = "x" ]; then
   1.736 +        CERT_ISSUER=
   1.737 +        CERT=${CERT_NICK}.cert
   1.738 +        CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
   1.739 +    elif [ "${CERT_ISSUER}" = "d" ]; then
   1.740 +        CERT_ISSUER=
   1.741 +        CERT=${CERT_NICK}.der
   1.742 +        CERT_FILE="../OCSPD/${CERT}"
   1.743 +    else
   1.744 +        CERT=${CERT_NICK}${CERT_ISSUER}.der
   1.745 +        CERT_FILE=${CERT}
   1.746 +    fi
   1.747 +
   1.748 +    IS_ASCII=`grep -c -- "-----BEGIN CERTIFICATE-----" ${CERT_FILE}`
   1.749 +
   1.750 +    ASCII_OPT=
   1.751 +    if [ "${IS_ASCII}" -gt 0 ]; then
   1.752 +        ASCII_OPT="-a"
   1.753 +    fi
   1.754 +   
   1.755 +    TESTNAME="Importing certificate ${CERT} to ${DB} database"
   1.756 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.757 +    echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}"
   1.758 +    ${BINDIR}/certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t "${CERT_TRUST}" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE} 
   1.759 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.760 +}
   1.761 +
   1.762 +import_crl()
   1.763 +{
   1.764 +    IMPORT=$1
   1.765 +    DB=$2
   1.766 +
   1.767 +    CRL_NICK=`echo ${IMPORT} | cut -d: -f1`
   1.768 +    CRL_FILE=${CRL_NICK}.crl
   1.769 +
   1.770 +    if [ ! -f "${CRL_FILE}" ]; then
   1.771 +        return
   1.772 +    fi 
   1.773 +
   1.774 +    TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database"
   1.775 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.776 +    echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}"
   1.777 +    ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE} 
   1.778 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.779 +}
   1.780 +
   1.781 +create_crl()
   1.782 +{
   1.783 +    ISSUER=$1
   1.784 +    ISSUER_DB=${ISSUER}DB
   1.785 +
   1.786 +    CRL=${ISSUER}.crl
   1.787 +
   1.788 +    DATE=$(date -u '+%Y%m%d%H%M%SZ')
   1.789 +    DATE_LAST="${DATE}"
   1.790 +
   1.791 +    UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ')
   1.792 +
   1.793 +    echo "update=${DATE}" > ${CRL_DATA}
   1.794 +    echo "nextupdate=${UPDATE}" >> ${CRL_DATA}
   1.795 +
   1.796 +    TESTNAME="Create CRL for ${ISSUER_DB}"
   1.797 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.798 +    echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
   1.799 +    echo "=== Crlutil input data ==="
   1.800 +    cat ${CRL_DATA}
   1.801 +    echo "==="
   1.802 +    ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
   1.803 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.804 +}
   1.805 +
   1.806 +revoke_cert()
   1.807 +{
   1.808 +    ISSUER=$1
   1.809 +    ISSUER_DB=${ISSUER}DB
   1.810 +
   1.811 +    CRL=${ISSUER}.crl
   1.812 +
   1.813 +    set_cert_sn
   1.814 +
   1.815 +    DATE=$(date -u '+%Y%m%d%H%M%SZ')
   1.816 +    while [ "${DATE}" = "${DATE_LAST}" ]; do
   1.817 +        sleep 1
   1.818 +        DATE=$(date -u '+%Y%m%d%H%M%SZ')
   1.819 +    done
   1.820 +    DATE_LAST="${DATE}"
   1.821 +
   1.822 +    echo "update=${DATE}" > ${CRL_DATA}
   1.823 +    echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA}
   1.824 +
   1.825 +    TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}"
   1.826 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.827 +    echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
   1.828 +    echo "=== Crlutil input data ==="
   1.829 +    cat ${CRL_DATA}
   1.830 +    echo "==="
   1.831 +    ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
   1.832 +    html_msg $? 0 "${SCENARIO}${TESTNAME}"
   1.833 +}
   1.834 +
   1.835 +########################################################################
   1.836 +# List of global variables related to certificate verification:
   1.837 +#
   1.838 +# Generated by parse_config:
   1.839 +# DB - DB used for testing
   1.840 +# FETCH - fetch flag (used with AIA extension)
   1.841 +# POLICY - list of policies
   1.842 +# TRUST - trust anchor
   1.843 +# TRUST_AND_DB - Examine both trust anchors and the cert db for trust
   1.844 +# VERIFY - list of certificates to use as vfychain parameters
   1.845 +# EXP_RESULT - expected result
   1.846 +# REV_OPTS - revocation options
   1.847 +########################################################################
   1.848 +
   1.849 +############################# verify_cert ##############################
   1.850 +# local shell function to verify certificate validity
   1.851 +########################################################################
   1.852 +verify_cert()
   1.853 +{
   1.854 +    ENGINE=$1
   1.855 +
   1.856 +    DB_OPT=
   1.857 +    FETCH_OPT=
   1.858 +    POLICY_OPT=
   1.859 +    TRUST_OPT=
   1.860 +    VFY_CERTS=
   1.861 +    VFY_LIST=
   1.862 +    TRUST_AND_DB_OPT=
   1.863 +
   1.864 +    if [ -n "${DB}" ]; then
   1.865 +        DB_OPT="-d ${DB}"
   1.866 +    fi
   1.867 +
   1.868 +    if [ -n "${FETCH}" ]; then
   1.869 +        FETCH_OPT="-f"
   1.870 +        if [ -z "${NSS_AIA_HTTP}" ]; then
   1.871 +            echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined"
   1.872 +            return
   1.873 +        fi
   1.874 +    fi
   1.875 +
   1.876 +    if [ -n "${TRUST_AND_DB}" ]; then
   1.877 +        TRUST_AND_DB_OPT="-T"
   1.878 +    fi
   1.879 +
   1.880 +    for ITEM in ${POLICY}; do
   1.881 +        POLICY_OPT="${POLICY_OPT} -o ${ITEM}"
   1.882 +    done
   1.883 +
   1.884 +    for ITEM in ${TRUST}; do
   1.885 +        echo ${ITEM} | grep ":" > /dev/null
   1.886 +        if [ $? -eq 0 ]; then
   1.887 +            CERT_NICK=`echo ${ITEM} | cut -d: -f1`
   1.888 +            CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
   1.889 +            CERT=${CERT_NICK}${CERT_ISSUER}.der
   1.890 +
   1.891 +            TRUST_OPT="${TRUST_OPT} -t ${CERT}"
   1.892 +        else
   1.893 +            TRUST_OPT="${TRUST_OPT} -t ${ITEM}"
   1.894 +        fi
   1.895 +    done
   1.896 +
   1.897 +    for ITEM in ${VERIFY}; do
   1.898 +        CERT_NICK=`echo ${ITEM} | cut -d: -f1`
   1.899 +        CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
   1.900 +
   1.901 +        if [ "${CERT_ISSUER}" = "x" ]; then
   1.902 +            CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert"
   1.903 +            VFY_CERTS="${VFY_CERTS} ${CERT}"
   1.904 +            VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
   1.905 +        elif [ "${CERT_ISSUER}" = "d" ]; then
   1.906 +            CERT="../OCSPD/${CERT_NICK}.der"
   1.907 +            VFY_CERTS="${VFY_CERTS} ${CERT}"
   1.908 +            VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
   1.909 +        else
   1.910 +            CERT=${CERT_NICK}${CERT_ISSUER}.der
   1.911 +            VFY_CERTS="${VFY_CERTS} ${CERT}"
   1.912 +            VFY_LIST="${VFY_LIST} ${CERT}"
   1.913 +        fi
   1.914 +    done
   1.915 +
   1.916 +    VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
   1.917 +    VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
   1.918 +
   1.919 +    TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
   1.920 +    echo "${SCRIPTNAME}: ${TESTNAME}"
   1.921 +    echo "vfychain ${VFY_OPTS_ALL}"
   1.922 +
   1.923 +    if [ -z "${MEMLEAK_DBG}" ]; then
   1.924 +        VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
   1.925 +        RESULT=$?
   1.926 +        echo "${VFY_OUT}"
   1.927 +    else 
   1.928 +        VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE})
   1.929 +        RESULT=$?
   1.930 +        echo "${VFY_OUT}"
   1.931 +    fi
   1.932 +
   1.933 +    echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null
   1.934 +    E5990=$?
   1.935 +    echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null
   1.936 +    E8030=$?
   1.937 +
   1.938 +    if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then
   1.939 +        echo "Result of this test is not valid due to network time out."
   1.940 +        html_unknown "${SCENARIO}${TESTNAME}"
   1.941 +        return
   1.942 +    fi
   1.943 +
   1.944 +    echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}"
   1.945 +    
   1.946 +    if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then
   1.947 +        html_passed "${SCENARIO}${TESTNAME}"
   1.948 +    elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then
   1.949 +        html_passed "${SCENARIO}${TESTNAME}"
   1.950 +    else
   1.951 +        html_failed "${SCENARIO}${TESTNAME}"
   1.952 +    fi
   1.953 +}
   1.954 +
   1.955 +check_ocsp()
   1.956 +{
   1.957 +    OCSP_CERT=$1
   1.958 +
   1.959 +    CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
   1.960 +    CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`
   1.961 +
   1.962 +    if [ "${CERT_ISSUER}" = "x" ]; then
   1.963 +        CERT_ISSUER=
   1.964 +        CERT=${CERT_NICK}.cert
   1.965 +        CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
   1.966 +    elif [ "${CERT_ISSUER}" = "d" ]; then
   1.967 +        CERT_ISSUER=
   1.968 +        CERT=${CERT_NICK}.der
   1.969 +        CERT_FILE="../OCSPD/${CERT}"
   1.970 +    else
   1.971 +        CERT=${CERT_NICK}${CERT_ISSUER}.der
   1.972 +        CERT_FILE=${CERT}
   1.973 +    fi
   1.974 +
   1.975 +    # sample line:
   1.976 +    #   URI: "http://ocsp.server:2601"
   1.977 +    OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
   1.978 +    OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
   1.979 +
   1.980 +    echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
   1.981 +    tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
   1.982 +    return $?
   1.983 +}
   1.984 +
   1.985 +############################ parse_result ##############################
   1.986 +# local shell function to process expected result value
   1.987 +# this function was created for case that expected result depends on
   1.988 +# some conditions - in our case type of cert DB
   1.989 +#
   1.990 +# default results are pass and fail
   1.991 +# this function added parsable values in format:
   1.992 +# type1:value1 type2:value2 .... typex:valuex
   1.993 +#
   1.994 +# allowed types are dbm, sql, all (all means all other cases)
   1.995 +# allowed values are pass and fail
   1.996 +#
   1.997 +# if this format is not used, EXP_RESULT will stay unchanged (this also
   1.998 +# covers pass and fail states)
   1.999 +########################################################################
  1.1000 +parse_result()
  1.1001 +{
  1.1002 +    for RES in ${EXP_RESULT}
  1.1003 +    do
  1.1004 +        RESTYPE=$(echo ${RES} | cut -d: -f1)
  1.1005 +        RESSTAT=$(echo ${RES} | cut -d: -f2)
  1.1006 +
  1.1007 +        if [ "${RESTYPE}" = "${NSS_DEFAULT_DB_TYPE}" -o "${RESTYPE}" = "all" ]; then
  1.1008 +            EXP_RESULT=${RESSTAT}
  1.1009 +            break
  1.1010 +        fi
  1.1011 +    done
  1.1012 +}
  1.1013 +
  1.1014 +############################ parse_config ##############################
  1.1015 +# local shell function to parse and process file containing certificate
  1.1016 +# chain configuration and list of tests
  1.1017 +########################################################################
  1.1018 +parse_config()
  1.1019 +{
  1.1020 +    SCENARIO=
  1.1021 +    LOGNAME=
  1.1022 +
  1.1023 +    while read KEY VALUE
  1.1024 +    do
  1.1025 +        case "${KEY}" in
  1.1026 +        "entity")
  1.1027 +            ENTITY="${VALUE}"
  1.1028 +            TYPE=
  1.1029 +            ISSUER=
  1.1030 +            CTYPE=
  1.1031 +            POLICY=
  1.1032 +            MAPPING=
  1.1033 +            INHIBIT=
  1.1034 +            AIA=
  1.1035 +            CRLDP=
  1.1036 +            OCSP=
  1.1037 +            DB=
  1.1038 +            EMAILS=
  1.1039 +            EXT_KU=
  1.1040 +            EXT_NS=
  1.1041 +            EXT_EKU=
  1.1042 +            SERIAL=
  1.1043 +	    EXPORT_KEY=
  1.1044 +            ;;
  1.1045 +        "type")
  1.1046 +            TYPE="${VALUE}"
  1.1047 +            ;;
  1.1048 +        "issuer")
  1.1049 +            if [ -n "${ISSUER}" ]; then
  1.1050 +                if [ -z "${DB}" ]; then
  1.1051 +                    create_entity "${ENTITY}" "${TYPE}"
  1.1052 +                fi
  1.1053 +                sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
  1.1054 +            fi
  1.1055 +
  1.1056 +            ISSUER="${VALUE}"
  1.1057 +            POLICY=
  1.1058 +            MAPPING=
  1.1059 +            INHIBIT=
  1.1060 +            AIA=
  1.1061 +            EXT_KU=
  1.1062 +            EXT_NS=
  1.1063 +            EXT_EKU=
  1.1064 +            ;;
  1.1065 +        "ctype") 
  1.1066 +            CTYPE="${VALUE}"
  1.1067 +            ;;
  1.1068 +        "policy")
  1.1069 +            POLICY="${POLICY} ${VALUE}"
  1.1070 +            ;;
  1.1071 +        "mapping")
  1.1072 +            MAPPING="${MAPPING} ${VALUE}"
  1.1073 +            ;;
  1.1074 +        "inhibit")
  1.1075 +            INHIBIT="${VALUE}"
  1.1076 +            ;;
  1.1077 +        "aia")
  1.1078 +            AIA="${AIA} ${VALUE}"
  1.1079 +            ;;
  1.1080 +        "crldp")
  1.1081 +            CRLDP="${CRLDP} ${VALUE}"
  1.1082 +            ;;
  1.1083 +        "ocsp")
  1.1084 +            OCSP="${VALUE}"
  1.1085 +            ;;
  1.1086 +        "db")
  1.1087 +            DB="${VALUE}DB"
  1.1088 +            create_db "${DB}"
  1.1089 +            ;;
  1.1090 +        "import")
  1.1091 +            IMPORT="${VALUE}"
  1.1092 +            import_cert "${IMPORT}" "${DB}"
  1.1093 +            import_crl "${IMPORT}" "${DB}"
  1.1094 +            ;;
  1.1095 +        "import_key")
  1.1096 +            IMPORT="${VALUE}"
  1.1097 +            import_key "${IMPORT}" "${DB}"
  1.1098 +            ;;
  1.1099 +        "crl")
  1.1100 +            ISSUER="${VALUE}"
  1.1101 +            create_crl "${ISSUER}"
  1.1102 +            ;;
  1.1103 +        "revoke")
  1.1104 +            REVOKE="${VALUE}"
  1.1105 +            ;;
  1.1106 +        "serial")
  1.1107 +            SERIAL="${VALUE}"
  1.1108 +            ;;
  1.1109 +	"export_key")
  1.1110 +	    EXPORT_KEY=1
  1.1111 +	    ;;
  1.1112 +        "copycrl")
  1.1113 +            COPYCRL="${VALUE}"
  1.1114 +            copy_crl "${COPYCRL}"
  1.1115 +            ;;
  1.1116 +        "verify")
  1.1117 +            VERIFY="${VALUE}"
  1.1118 +            TRUST=
  1.1119 +            TRUST_AND_DB=
  1.1120 +            POLICY=
  1.1121 +            FETCH=
  1.1122 +            EXP_RESULT=
  1.1123 +            REV_OPTS=
  1.1124 +            USAGE_OPT=
  1.1125 +            ;;
  1.1126 +        "cert")
  1.1127 +            VERIFY="${VERIFY} ${VALUE}"
  1.1128 +            ;;
  1.1129 +        "testdb")
  1.1130 +            if [ -n "${VALUE}" ]; then
  1.1131 +                DB="${VALUE}DB"
  1.1132 +            else
  1.1133 +                DB=
  1.1134 +            fi
  1.1135 +            ;;
  1.1136 +        "trust")
  1.1137 +            TRUST="${TRUST} ${VALUE}"
  1.1138 +            ;;
  1.1139 +        "trust_and_db")
  1.1140 +            TRUST_AND_DB=1
  1.1141 +            ;;
  1.1142 +        "fetch")
  1.1143 +            FETCH=1
  1.1144 +            ;;
  1.1145 +        "result")
  1.1146 +            EXP_RESULT="${VALUE}"
  1.1147 +            parse_result
  1.1148 +            ;;
  1.1149 +        "rev_type")
  1.1150 +            REV_OPTS="${REV_OPTS} -g ${VALUE}"
  1.1151 +            ;;
  1.1152 +        "rev_flags")
  1.1153 +            REV_OPTS="${REV_OPTS} -h ${VALUE}"
  1.1154 +            ;;
  1.1155 +        "rev_mtype")
  1.1156 +            REV_OPTS="${REV_OPTS} -m ${VALUE}"
  1.1157 +            ;;
  1.1158 +        "rev_mflags")
  1.1159 +            REV_OPTS="${REV_OPTS} -s ${VALUE}"
  1.1160 +            ;;
  1.1161 +        "scenario")
  1.1162 +            SCENARIO="${VALUE}: "
  1.1163 +
  1.1164 +            CHAINS_DIR="${HOSTDIR}/chains/${VALUE}"
  1.1165 +            mkdir -p ${CHAINS_DIR}
  1.1166 +            cd ${CHAINS_DIR}
  1.1167 +
  1.1168 +            if [ -n "${MEMLEAK_DBG}" ]; then
  1.1169 +                LOGNAME="libpkix-${VALUE}"
  1.1170 +                LOGFILE="${LOGDIR}/${LOGNAME}"
  1.1171 +            fi
  1.1172 +
  1.1173 +            SCEN_CNT=$(expr ${SCEN_CNT} + 1)
  1.1174 +            ;;
  1.1175 +        "sleep")
  1.1176 +            sleep ${VALUE}
  1.1177 +            ;;
  1.1178 +        "break")
  1.1179 +            break
  1.1180 +            ;;
  1.1181 +        "check_ocsp")
  1.1182 +            TESTNAME="Test that OCSP server is reachable"
  1.1183 +            check_ocsp ${VALUE}
  1.1184 +            if [ $? -ne 0 ]; then
  1.1185 +                html_failed "$TESTNAME"
  1.1186 +                break;
  1.1187 +            else
  1.1188 +                html_passed "$TESTNAME"
  1.1189 +            fi
  1.1190 +            ;;
  1.1191 +        "ku")
  1.1192 +            EXT_KU="${VALUE}"
  1.1193 +            ;;
  1.1194 +        "ns")
  1.1195 +            EXT_NS="${VALUE}"
  1.1196 +            ;;
  1.1197 +        "eku")
  1.1198 +            EXT_EKU="${VALUE}"
  1.1199 +            ;;
  1.1200 +        "usage")
  1.1201 +            USAGE_OPT="-u ${VALUE}"
  1.1202 +            ;;
  1.1203 +        "")
  1.1204 +            if [ -n "${ENTITY}" ]; then
  1.1205 +                if [ -z "${DB}" ]; then
  1.1206 +                    create_entity "${ENTITY}" "${TYPE}"
  1.1207 +                fi
  1.1208 +                sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
  1.1209 +                if [ "${TYPE}" = "Bridge" ]; then
  1.1210 +                    create_pkcs7 "${ENTITY}"
  1.1211 +                fi
  1.1212 +		if [ -n "${EXPORT_KEY}" ]; then
  1.1213 +		    export_key "${ENTITY}" "${DB}"
  1.1214 +		fi
  1.1215 +                ENTITY=
  1.1216 +            fi
  1.1217 +
  1.1218 +            if [ -n "${VERIFY}" ]; then
  1.1219 +                verify_cert "-pp"
  1.1220 +		if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ]; then
  1.1221 +		    verify_cert ""
  1.1222 +		    verify_cert "-p"
  1.1223 +		fi
  1.1224 +                VERIFY=
  1.1225 +            fi
  1.1226 +
  1.1227 +            if [ -n "${REVOKE}" ]; then
  1.1228 +                revoke_cert "${REVOKE}" "${DB}"
  1.1229 +                REVOKE=
  1.1230 +            fi
  1.1231 +            ;;
  1.1232 +        *)
  1.1233 +            if [ `echo ${KEY} | cut -b 1` != "#" ]; then
  1.1234 +                echo "Configuration error: Unknown keyword ${KEY}"
  1.1235 +                exit 1
  1.1236 +            fi
  1.1237 +            ;;
  1.1238 +        esac
  1.1239 +    done
  1.1240 +
  1.1241 +    if [ -n "${MEMLEAK_DBG}" ]; then
  1.1242 +        log_parse
  1.1243 +        html_msg $? 0 "${SCENARIO}Memory leak checking" 
  1.1244 +    fi
  1.1245 +}
  1.1246 +
  1.1247 +process_scenario()
  1.1248 +{
  1.1249 +    SCENARIO_FILE=$1
  1.1250 +
  1.1251 +    > ${AIA_FILES}
  1.1252 +
  1.1253 +    parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}"
  1.1254 +
  1.1255 +    while read AIA_FILE
  1.1256 +    do
  1.1257 +	rm ${AIA_FILE} 2> /dev/null
  1.1258 +    done < ${AIA_FILES}
  1.1259 +    rm ${AIA_FILES}
  1.1260 +}
  1.1261 +
  1.1262 +# process ocspd.cfg separately
  1.1263 +chains_ocspd()
  1.1264 +{
  1.1265 +    process_scenario "ocspd.cfg"
  1.1266 +}
  1.1267 +
  1.1268 +# process ocsp.cfg separately
  1.1269 +chains_method()
  1.1270 +{
  1.1271 +    process_scenario "method.cfg"
  1.1272 +}
  1.1273 +
  1.1274 +############################# chains_main ##############################
  1.1275 +# local shell function to process all testing scenarios
  1.1276 +########################################################################
  1.1277 +chains_main()
  1.1278 +{
  1.1279 +    while read LINE 
  1.1280 +    do
  1.1281 +        [ `echo ${LINE} | cut -b 1` != "#" ] || continue
  1.1282 +
  1.1283 +	[ ${LINE} != 'ocspd.cfg' ] || continue
  1.1284 +	[ ${LINE} != 'method.cfg' ] || continue
  1.1285 +
  1.1286 +	process_scenario ${LINE}
  1.1287 +    done < "${CHAINS_SCENARIOS}"
  1.1288 +}
  1.1289 +
  1.1290 +################################ main ##################################
  1.1291 +
  1.1292 +chains_init
  1.1293 +VERIFY_CLASSIC_ENGINE_TOO=
  1.1294 +chains_ocspd
  1.1295 +VERIFY_CLASSIC_ENGINE_TOO=1
  1.1296 +chains_run_httpserv get
  1.1297 +chains_method
  1.1298 +chains_stop_httpserv
  1.1299 +chains_run_httpserv post
  1.1300 +chains_method
  1.1301 +chains_stop_httpserv
  1.1302 +VERIFY_CLASSIC_ENGINE_TOO=
  1.1303 +chains_run_httpserv random
  1.1304 +chains_main
  1.1305 +chains_stop_httpserv
  1.1306 +chains_run_httpserv get-unknown
  1.1307 +chains_main
  1.1308 +chains_stop_httpserv
  1.1309 +chains_cleanup
