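--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
@@ -0,0 +1,367 @@
+#!/bin/bash
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+######################################################################################
+# Server and client certs and crl generator functions. Generated files placed in a <dir>
+# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
+# This functions is used for manual webserver configuration and it is not a part of
+# nss test run.
+# To create certs use the following command:
+# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
+# Where:
+# dir - directory where to place created files
+# cert name - name of created server cert(FQDN)
+# cert req - cert request to be used for cert generation.
+#
+repAndExec() {
+ echo
+ if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
+ shift
+ echo certutil -s "$CU_SUBJECT" $@
+ certutil -s "$CU_SUBJECT" $@
+ RET=$?
+ else
+ echo $@
+ $@
+ RET=$?
+ fi
+
+ return $RET
+}
+
+setExtData() {
+ extData=$1
+
+ fldNum=0
+ extData=`echo $extData | sed 's/,/ /g'`
+ for extDT in $extData; do
+ if [ $fldNum -eq 0 ]; then
+ eval extType=$extDT
+ fldNum=1
+ continue
+ fi
+ eval data${fldNum}=$extDT
+ fldNum=`expr $fldNum + 1`
+ done
+}
+
+signCert() {
+ dir=$1
+ crtDir=$2
+ crtName=$3
+ crtSN=$4
+ req=$5
+ cuAddParam=$6
+ extList=$7
+
+ if [ -z "$certSigner" ]; then
+ certSigner=TestCA
+ fi
+
+ extCmdLine=""
+ extCmdFile=$dir/extInFile; rm -f $extCmdFile
+ touch $extCmdFile
+ extList=`echo $extList | sed 's/;/ /g'`
+ for ext in $extList; do
+ setExtData $ext
+ [ -z "$extType" ] && echo "incorrect extention format" && return 1
+ case $extType in
+ ocspDR)
+ extCmdLine="$extCmdLine -6"
+ cat <<EOF >> $extCmdFile
+5
+9
+y
+EOF
+ break
+ exit 1
+ ;;
+ AIA)
+ extCmdLine="$extCmdLine -9"
+ cat <<EOF >> $extCmdFile
+2
+7
+$data1
+0
+n
+n
+EOF
+ break
+ ;;
+ *)
+ echo "Unsupported extension type: $extType"
+ break
+ ;;
+ esac
+ done
+ echo "cmdLine: $extCmdLine"
+ echo "cmdFile: "`cat $extCmdFile`
+ repAndExec \
+ certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
+ -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
+ return $RET
+}
+
+createSignedCert() {
+ dir=$1
+ certDir=$2
+ certName=$3
+ certSN=$4
+ certSubj=$5
+ keyType=$6
+ extList=$7
+
+ echo Creating cert $certName-$keyType with SN=$certSN
+
+ CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
+ -k $keyType -o $dir/req 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ rm -f $dir/req
+
+ repAndExec \
+ certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
+ -i "$dir/${certName}-$keyType.crt" 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ cp "$dir/${certName}-$keyType.crt" $certDir
+
+ repAndExec \
+ pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
+ -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ return 0
+}
+
+generateAndExportSSLCerts() {
+ dir=$1
+ certDir=$2
+ serverName=$3
+ servCertReq=$4
+
+ if [ "$servCertReq" -a -f $servCertReq ]; then
+ grep REQUEST $servCertReq >/dev/null 2>&1
+ signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+ fi
+
+ certName=$serverName
+ createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser510
+ createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser511
+ createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser512
+ createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser513
+ createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+}
+
+generateAndExportOCSPCerts() {
+ dir=$1
+ certDir=$2
+
+ certName=ocspTrustedResponder
+ createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDesignatedResponder
+ createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser514
+ createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser516
+ createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser518
+ createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser520
+ createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser522
+ createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser524
+ createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ generateAndExportCACert $dir "" TestCA-unknown
+ [ $? -ne 0 ] && return $ret
+
+ certSigner=TestCA-unknown
+
+ certName=ocspTRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCAUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certSigner=""
+
+ return 0
+}
+
+generateAndExportCACert() {
+ dir=$1
+ certDirL=$2
+ caName=$3
+
+ certName=TestCA
+ [ "$caName" ] && certName=$caName
+ CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
+ -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
+5
+6
+9
+n
+y
+-1
+n
+EOF
+
+ if [ "$certDirL" ]; then
+ repAndExec \
+ certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
+ [ "$RET" -ne 0 ] && return $RET
+
+ repAndExec \
+ pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ fi
+}
+
+
+generateCerts() {
+ certDir=$1
+ serverName=$2
+ reuseCACert=$3
+ servCertReq=$4
+
+ [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
+ [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
+
+ mkdir -p $certDir
+ [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
+
+
+ dir=/tmp/db.$$
+ if [ -z "$reuseCACert" ]; then
+ if [ -d "$dir" ]; then
+ rm -f $dir
+ fi
+
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+
+ mkdir -p $dir
+ [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
+
+ echo nss > $PW_FILE
+ date >> ${NOISE_FILE} 2>&1
+
+ repAndExec \
+ certutil -d $dir -N -f $PW_FILE
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportCACert $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+ else
+ dir=$reuseCACert
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+ hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
+ [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
+ return $RET;
+ fi
+
+ generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportOCSPCerts $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+
+ crlUpdate=`date +%Y%m%d%H%M%SZ`
+ crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
+ repAndExec \
+ crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
+update=$crlUpdate
+nextupdate=$crlNextUpdate
+addcert 509-511 $crlUpdate
+addcert 516 $crlUpdate
+addcert 520 $crlUpdate
+addcert 524 $crlUpdate
+EOF_CRLINI
+ [ "$RET" -ne 0 ] && return $RET
+
+ rm -rf $dir
+ return 0
+}
+
+
+if [ -z "$1" -o -z "$2" ]; then
+ echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
+ exit 1
+fi
+generateCerts $1 $2 "$3" $4
+exit $?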
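Review bot: `dir=/tmp/db.$$` in generateCerts is a predictable name in a world-writable directory, and the NSS key database and the CA password file (`echo nss > $PW_FILE`) are then created under it; the preceding `rm -f $dir` guard cannot remove a directory, so whatever already exists at that path is silently reused. In the non-reuse branch let mktemp choose the name, `dir=$(mktemp -d /tmp/db.XXXXXX) || exit 1`, which replaces the `rm -f $dir` / `mkdir -p $dir` pair. Separately, in generateAndExportOCSPCerts the check after `generateAndExportCACert $dir "" TestCA-unknown` reads `[ $? -ne 0 ] && return $ret`, so on failure it returns the stale `$ret` from the previous createSignedCert (usually 0) instead of the failing status; capture it first with `ret=$?`. In signCert the `exit 1` following `break` in the ocspDR arm is unreachable and can be dropped.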