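--- /dev/null
+++ b/security/nss/tests/iopr/cert_iopr.sh
@@ -0,0 +1,405 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/cert_iopr.sh
+#
+# Certificate generating and handeling for NSS interoperability QA. This file
+# is included from cert.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+########################################################################
+
+IOPR_CERT_SOURCED=1
+
+########################################################################
+# function wraps calls to pk12util, also: writes action and options
+# to stdout.
+# Params are the same as to pk12util.
+# Returns pk12util status
+#
+pk12u()
+{
+    echo "${CU_ACTION} --------------------------"
+
+    echo "pk12util $@"
+    ${BINDIR}/pk12util $@
+    RET=$?
+
+    return $RET
+}
+
+########################################################################
+# Initializes nss db directory and files if they don't exists
+# Params:
+#      $1 - directory location
+#
+createDBDir() {
+    trgDir=$1
+
+    if [ -z "`ls $trgDir | grep db`" ]; then
+        trgDir=`cd ${trgDir}; pwd`
+        if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+            trgDir=`cygpath -m ${trgDir}`
+        fi
+
+        CU_ACTION="Initializing DB at ${trgDir}"
+        certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
+        if [ "$RET" -ne 0 ]; then
+            return $RET
+        fi
+
+        CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
+        modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
+        if [ "$RET" -ne 0 ]; then
+            return $RET
+        fi
+    fi
+}
+########################################################################
+# takes care of downloading config, cert and crl files from remote
+# location.
+# Params:
+#      $1 - name of the host file will be downloaded from
+#      $2 - path to the file as it appeared in url
+#      $3 - target directory the file will be saved at.
+# Returns tstclnt status.
+#
+download_file() {
+    host=$1
+    filePath=$2
+    trgDir=$3
+
+    file=$trgDir/`basename $filePath`
+
+    createDBDir $trgDir || return $RET
+
+#    echo wget -O $file http://${host}${filePath}
+#    wget -O $file http://${host}${filePath}
+#    ret=$?
+
+    req=$file.$$
+    echo "GET $filePath HTTP/1.0" > $req
+    echo >> $req
+
+    echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
+        -v -w ${R_PWFILE} -o
+    ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
+        -v -w ${R_PWFILE} -o < $req > $file
+    ret=$?
+    rm -f $_tmp;
+    return $ret
+}
+
+########################################################################
+# Uses pk12util, certutil of cerlutil to import files to an nss db located
+# at <dir>(the value of $1 parameter). Chooses a utility to use based on
+# a file extension. Initializing a db if it does not exists.
+# Params:
+#      $1 - db location directory
+#      $2 - file name to import
+#      $3 - nick name an object in the file will be associated with
+#      $4 - trust arguments
+# Returns status of import
+#
+importFile() {
+    dir=$1\
+    file=$2
+    certName=$3
+    certTrust=$4
+
+    [ ! -d $dir ] && mkdir -p $dir;
+
+    createDBDir $dir || return $RET
+
+    case `basename $file | sed 's/^.*\.//'` in
+        p12)
+            CU_ACTION="Importing p12 $file to DB at $dir"
+            pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr
+            [ $? -ne 0 ] && return 1
+            CU_ACTION="Modifying trust for cert $certName at $dir"
+            certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
+            return $?
+            ;;
+
+        crl)
+            CU_ACTION="Importing crl $file to DB at $dir"
+            crlu -d ${dir} -I -n TestCA -i $file
+            return $?
+            ;;
+
+        crt | cert)
+            CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
+            certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
+                -i "$file"
+            return $?
+            ;;
+
+        *)
+            echo "Unknown file extension: $file:"
+            return 1
+            ;;
+    esac
+}
+
+
+#########################################################################
+# Downloads and installs test certs and crl from a remote webserver.
+# Generates server cert for reverse testing if reverse test run is turned on.
+# Params:
+#      $1 - host name to download files from.
+#      $2 - directory at which CA cert will be installed and used for
+#           signing a server cert.
+#      $3 - path to a config file in webserver context.
+#      $4 - ssl server db location
+#      $5 - ssl client db location
+#      $5 - ocsp client db location
+#
+# Returns 0 upon success, otherwise, failed command error code.
+#
+download_install_certs() {
+    host=$1
+    caDir=$2
+    confPath=$3
+    sslServerDir=$4
+    sslClientDir=$5
+    ocspClientDir=$6
+
+    [ ! -d "$caDir" ] && mkdir -p $caDir;
+
+    #=======================================================
+    # Getting config file
+    #
+    download_file $host "$confPath/iopr_server.cfg" $caDir
+    RET=$?
+    if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then
+        html_failed "Fail to download website config file(ws: $host)"
+        return 1
+    fi
+
+    . $caDir/iopr_server.cfg
+    RET=$?
+    if [ $RET -ne 0 ]; then
+        html_failed "Fail to source config file(ws: $host)"
+        return $RET
+    fi
+
+    #=======================================================
+    # Getting CA file
+    #
+
+    #----------------- !!!WARNING!!! -----------------------
+    # Do NOT copy this scenario. CA should never accompany its
+    # cert with the private key when deliver cert to a customer.
+    #----------------- !!!WARNING!!! -----------------------
+
+    download_file $host $certDir/$caCertName.p12 $caDir
+    RET=$?
+    if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then
+        html_failed "Fail to download $caCertName cert(ws: $host)"
+        return 1
+    fi
+    tmpFiles="$caDir/$caCertName.p12"
+
+    importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C"
+    RET=$?
+    if [ $RET -ne 0 ]; then
+        html_failed "Fail to import $caCertName cert to CA DB(ws: $host)"
+        return $RET
+    fi
+
+    CU_ACTION="Exporting Root CA cert(ws: $host)"
+    certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert
+    if [ "$RET" -ne 0 ]; then
+        Exit 7 "Fatal - failed to export $caCertName cert"
+    fi
+
+    #=======================================================
+    # Check what tests we want to run
+    #
+    doSslTests=0; doOcspTests=0
+    # XXX remove "_new" from variables below
+    [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1
+    [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1
+
+    if [ $doSslTests -eq 1 ]; then
+        if [ "$reverseRunCGIScript" ]; then
+            [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;
+            #=======================================================
+            # Import CA cert to server DB
+            #
+            importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \
+                "TC,C,C"
+            RET=$?
+            if [ $RET -ne 0 ]; then
+                html_failed "Fail to import server-client-CA cert to \
+                    server DB(ws: $host)"
+                return $RET
+            fi
+
+            #=======================================================
+            # Creating server cert
+            #
+            CERTNAME=$HOSTADDR
+
+            CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
+            CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
+                L=Mountain View, ST=California, C=US"
+            certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
+                -o $sslServerDir/req 2>&1
+            tmpFiles="$tmpFiles $sslServerDir/req"
+
+            # NOTE:
+            # For possible time synchronization problems (bug 444308) we generate
+            # certificates valid also some time in past (-w -1)
+
+            CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
+            certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \
+                -d "${caDir}" \
+                -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \
+                -f "${R_PWFILE}" 2>&1
+
+            importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"
+            RET=$?
+            if [ $RET -ne 0 ]; then
+                html_failed "Fail to import $CERTNAME cert to server\
+                    DB(ws: $host)"
+                return $RET
+            fi
+            tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
+
+            #=======================================================
+            # Download and import CA crl to server DB
+            #
+            download_file $host "$certDir/$caCrlName.crl" $sslServerDir
+            RET=$?
+            if [ $? -ne 0 ]; then
+                html_failed "Fail to download $caCertName crl\
+                    (ws: $host)"
+                return $RET
+            fi
+            tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"
+
+            importFile $sslServerDir $sslServerDir/TestCA.crl
+            RET=$?
+            if [ $RET -ne 0 ]; then
+                html_failed "Fail to import TestCA crt to server\
+                    DB(ws: $host)"
+                return $RET
+            fi
+        fi # if [ "$reverseRunCGIScript" ]
+
+        [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;
+        #=======================================================
+        # Import CA cert to ssl client DB
+        #
+        importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \
+            "TC,C,C"
+        RET=$?
+        if [ $RET -ne 0 ]; then
+            html_failed "Fail to import server-client-CA cert to \
+                server DB(ws: $host)"
+            return $RET
+        fi
+    fi
+
+    if [ $doOcspTests -eq 1 ]; then
+        [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;
+        #=======================================================
+        # Import CA cert to ocsp client DB
+        #
+        importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \
+            "TC,C,C"
+        RET=$?
+        if [ $RET -ne 0 ]; then
+            html_failed "Fail to import server-client-CA cert to \
+                server DB(ws: $host)"
+            return $RET
+        fi
+    fi
+
+    #=======================================================
+    # Import client certs to client DB
+    #
+    for fileName in $downloadFiles; do
+        certName=`echo $fileName | sed 's/\..*//'`
+
+        if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then
+            clientDir=$ocspClientDir
+        elif [ $doSslTests -eq 1 ]; then
+            clientDir=$sslClientDir
+        else
+            continue
+        fi
+
+        download_file $host "$certDir/$fileName" $clientDir
+        RET=$?
+        if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then
+            html_failed "Fail to download $certName cert(ws: $host)"
+            return $RET
+        fi
+        tmpFiles="$tmpFiles $clientDir/$fileName"
+
+        importFile $clientDir $clientDir/$fileName $certName ",,"
+        RET=$?
+        if [ $RET -ne 0 ]; then
+            html_failed "Fail to import $certName cert to client DB\
+                (ws: $host)"
+            return $RET
+        fi
+    done
+
+    rm -f $tmpFiles
+
+    return 0
+}
+
+
+#########################################################################
+# Initial point for downloading config, cert, crl files for multiple hosts
+# involved in interoperability testing. Called from nss/tests/cert/cert.sh
+# It will only proceed with downloading if environment variable
+# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise.
+#
+cert_iopr_setup() {
+
+    if [ "$IOPR" -ne 1 ]; then
+        return 1
+    fi
+    num=1
+    IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '`
+    while [ "$IOPR_HOST_PARAM" ]; do
+        IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+        IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+        [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443
+        IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`
+        [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"
+
+        echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\
+            $IOPR_CONF_PATH"
+
+        download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \
+            ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \
+            ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \
+            ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
+        if [ $? -ne 0 ]; then
+            echo "wsFlags=\"NOIOPR $wsParam\"" >> \
+                ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+        fi
+        num=`expr $num + 1`
+        IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+    done
+
+    return 0
+}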
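Review bot: `. $caDir/iopr_server.cfg` in download_install_certs executes a file that download_file fetched with `tstclnt ... -o`, and -o tells tstclnt to accept a server certificate it could not verify, so the harness sources shell (and later imports the CA p12 with full trust) from a peer it has not authenticated. That may be acceptable for a closed interoperability lab, but it deserves a comment beside the dot-source, e.g. `# NOTE: fetched with cert checking overridden (-o) and executed as shell; IOPR_HOSTADDR_LIST must only name trusted lab hosts`. The CRL download check is dead code: `RET=$?` is immediately followed by `if [ $? -ne 0 ]`, which tests the assignment and never fails, and should read `if [ $RET -ne 0 ]; then`. download_file ends with `rm -f $_tmp;` but `_tmp` is never assigned, so the request file is left in the DB directory; the intended line is `rm -f "$req"`. In importFile the trailing backslash in `dir=$1\` joins the next line onto it and only parses because `file=$2` is a separate word; drop the backslash.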