1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/tests/merge/merge.sh Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,272 @@
1.4 +#! /bin/bash
1.5 +#
1.6 +# This Source Code Form is subject to the terms of the Mozilla Public
1.7 +# License, v. 2.0. If a copy of the MPL was not distributed with this
1.8 +# file, You can obtain one at http://mozilla.org/MPL/2.0/.
1.9 +
1.10 +########################################################################
1.11 +#
1.12 +# mozilla/security/nss/tests/merge/merge.sh
1.13 +#
1.14 +# Script to test NSS merge
1.15 +#
1.16 +# needs to work on all Unix and Windows platforms
1.17 +#
1.18 +# special strings
1.19 +# ---------------
1.20 +# FIXME ... known problems, search for this string
1.21 +# NOTE .... unexpected behavior
1.22 +#
1.23 +########################################################################
1.24 +
1.25 +############################## merge_init ##############################
1.26 +# local shell function to initialize this script
1.27 +########################################################################
1.28 +merge_init()
1.29 +{
1.30 + SCRIPTNAME=merge.sh # sourced - $0 would point to all.sh
1.31 + HAS_EXPLICIT_DB=0
1.32 + if [ ! -z "${NSS_DEFAULT_DB_TYPE}" ]; then
1.33 + HAS_EXPLICIT_DB=1
1.34 + fi
1.35 +
1.36 +
1.37 + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
1.38 + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
1.39 + fi
1.40 +
1.41 + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
1.42 + cd ../common
1.43 + . ./init.sh
1.44 + fi
1.45 + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
1.46 + cd ${QADIR}/cert
1.47 + . ./cert.sh
1.48 + fi
1.49 +
1.50 + if [ ! -d ${HOSTDIR}/SDR ]; then
1.51 + cd ${QADIR}/sdr
1.52 + . ./sdr.sh
1.53 + fi
1.54 + SCRIPTNAME=merge.sh
1.55 +
1.56 + html_head "Merge Tests"
1.57 +
1.58 + # need the SSL & SMIME directories from cert.sh
1.59 + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
1.60 + Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
1.61 + }
1.62 + grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
1.63 + Exit 8 "Fatal - SSL of cert.sh needs to pass first"
1.64 + }
1.65 +
1.66 + #temporary files for SDR tests
1.67 + VALUE1=$HOSTDIR/tests.v1.$$
1.68 + VALUE3=$HOSTDIR/tests.v3.$$
1.69 +
1.70 + # local directories used in this test.
1.71 + MERGEDIR=${HOSTDIR}/merge
1.72 + R_MERGEDIR=../merge
1.73 + D_MERGE="merge.$version"
1.74 + # SDR not initialized in common/init
1.75 + P_R_SDR=../SDR
1.76 + D_SDR="SDR.$version"
1.77 + mkdir -p ${MERGEDIR}
1.78 +
1.79 + PROFILE=.
1.80 + if [ -n "${MULTIACCESS_DBM}" ]; then
1.81 + PROFILE="multiaccess:${D_MERGE}"
1.82 + P_R_SDR="multiaccess:${D_SDR}"
1.83 + fi
1.84 +
1.85 + cd ${MERGEDIR}
1.86 +
1.87 + # clear out any existing databases, potentially from a previous run.
1.88 + rm -f *.db
1.89 +
1.90 + # copy alicedir over as a seed database.
1.91 + cp ${R_ALICEDIR}/* .
1.92 + # copy the smime text samples
1.93 + cp ${QADIR}/smime/*.txt .
1.94 +
1.95 + # create a set of conflicting names.
1.96 + CONFLICT1DIR=conflict1
1.97 + CONFLICT2DIR=conflict2
1.98 + mkdir ${CONFLICT1DIR}
1.99 + mkdir ${CONFLICT2DIR}
1.100 + # in the upgrade mode (dbm->sql), make sure our test databases
1.101 + # are dbm databases.
1.102 + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
1.103 + save=${NSS_DEFAULT_DB_TYPE}
1.104 + NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
1.105 + fi
1.106 +
1.107 + certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}
1.108 + certutil -N -d ${CONFLICT2DIR} -f ${R_PWFILE}
1.109 + certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser41.cert -d ${CONFLICT1DIR}
1.110 + certutil -A -n "Alice #1" -t ,, -i ${R_CADIR}/TestUser42.cert -d ${CONFLICT1DIR}
1.111 + certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser43.cert -d ${CONFLICT1DIR}
1.112 + certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser44.cert -d ${CONFLICT2DIR}
1.113 + certutil -A -n "Alice #1" -t ,, -i ${R_CADIR}/TestUser45.cert -d ${CONFLICT2DIR}
1.114 + certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser46.cert -d ${CONFLICT2DIR}
1.115 + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
1.116 + NSS_DEFAULT_DB_TYPE=${save}; export NSS_DEFAULT_DB_TYPE
1.117 + fi
1.118 +
1.119 + #
1.120 + # allow all the tests to run in standalone mode.
1.121 + # in standalone mode, TEST_MODE is not set.
1.122 + # if NSS_DEFAULT_DB_TYPE is dbm, then test merge with dbm
1.123 + # if NSS_DEFAULT_DB_TYPE is sql, then test merge with sql
1.124 + # if NSS_DEFAULT_DB_TYPE is not set, then test database upgrade merge
1.125 + # from dbm databases (created above) into a new sql db.
1.126 + if [ -z "${TEST_MODE}" ] && [ ${HAS_EXPLICIT_DB} -eq 0 ]; then
1.127 + echo "*** Using Standalone Upgrade DB mode"
1.128 + NSS_DEFAULT_DB_TYPE=sql; export NSS_DEFAULT_DB_TYPE
1.129 + echo certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
1.130 + ${BINDIR}/certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
1.131 + TEST_MODE=UPGRADE_DB
1.132 +
1.133 + fi
1.134 +
1.135 +}
1.136 +
1.137 +#
1.138 +# this allows us to run this test for both merge and upgrade-merge cases.
1.139 +# merge_cmd takes the potential upgrade-id and the rest of the certutil
1.140 +# arguments.
1.141 +#
1.142 +merge_cmd()
1.143 +{
1.144 + MERGE_CMD=--merge
1.145 + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
1.146 + MERGE_CMD="--upgrade-merge --upgrade-token-name OldDB --upgrade-id ${1}"
1.147 + fi
1.148 + shift
1.149 + echo certutil ${MERGE_CMD} $*
1.150 + ${PROFTOOL} ${BINDIR}/certutil ${MERGE_CMD} $*
1.151 +}
1.152 +
1.153 +
1.154 +merge_main()
1.155 +{
1.156 + # first create a local sdr key and encrypt some data with it
1.157 + # This will cause a colision with the SDR key in ../SDR.
1.158 + echo "$SCRIPTNAME: Creating an SDR key & Encrypt"
1.159 + echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}"
1.160 + ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}
1.161 + html_msg $? 0 "Creating SDR Key"
1.162 +
1.163 + # Now merge in Dave
1.164 + # Dave's cert is already in alicedir, but his key isn't. This will make
1.165 + # sure we are updating the keys and CKA_ID's on the certificate properly.
1.166 + MERGE_ID=dave
1.167 + echo "$SCRIPTNAME: Merging in Key for Existing user"
1.168 + merge_cmd dave --source-dir ${P_R_DAVEDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
1.169 + html_msg $? 0 "Merging Dave"
1.170 +
1.171 + # Merge in server
1.172 + # contains a CRL and new user certs
1.173 + MERGE_ID=server
1.174 + echo "$SCRIPTNAME: Merging in new user "
1.175 + merge_cmd server --source-dir ${P_R_SERVERDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
1.176 + html_msg $? 0 "Merging server"
1.177 +
1.178 + # Merge in ext_client
1.179 + # contains a new certificate chain and additional trust flags
1.180 + MERGE_ID=ext_client
1.181 + echo "$SCRIPTNAME: Merging in new chain "
1.182 + merge_cmd ext_client --source-dir ${P_R_EXT_CLIENTDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
1.183 + html_msg $? 0 "Merging ext_client"
1.184 +
1.185 + # Merge conflicting nicknames in conflict1dir
1.186 + # contains several certificates with nicknames that conflict with the target
1.187 + # database
1.188 + MERGE_ID=conflict1
1.189 + echo "$SCRIPTNAME: Merging in conflicting nicknames 1"
1.190 + merge_cmd conflict1 --source-dir ${CONFLICT1DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
1.191 +
1.192 + html_msg $? 0 "Merging conflicting nicknames 1"
1.193 +
1.194 + # Merge conflicting nicknames in conflict2dir
1.195 + # contains several certificates with nicknames that conflict with the target
1.196 + # database
1.197 + MERGE_ID=conflict2
1.198 + echo "$SCRIPTNAME: Merging in conflicting nicknames 1"
1.199 + merge_cmd conflict2 --source-dir ${CONFLICT2DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
1.200 + html_msg $? 0 "Merging conflicting nicknames 2"
1.201 +
1.202 + # Make sure conflicted names were properly sorted out.
1.203 + echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #4)"
1.204 + certutil -L -n "Alice #4" -d ${PROFILE}
1.205 + html_msg $? 0 "Verify nicknames were deconflicted (Alice #4)"
1.206 +
1.207 + # Make sure conflicted names were properly sorted out.
1.208 + echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #100)"
1.209 + certutil -L -n "Alice #100" -d ${PROFILE}
1.210 + html_msg $? 0 "Verify nicknames were deconflicted (Alice #100)"
1.211 +
1.212 + # Merge in SDR
1.213 + # contains a secret SDR key
1.214 + MERGE_ID=SDR
1.215 + echo "$SCRIPTNAME: Merging in SDR "
1.216 + merge_cmd sdr --source-dir ${P_R_SDR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
1.217 + html_msg $? 0 "Merging SDR"
1.218 +
1.219 + # insert a listing of the database into the log for diagonic purposes
1.220 + ${BINDIR}/certutil -L -d ${PROFILE}
1.221 + ${BINDIR}/crlutil -L -d ${PROFILE}
1.222 +
1.223 + # Make sure we can decrypt with our original SDR key generated above
1.224 + echo "$SCRIPTNAME: Decrypt - With Original SDR Key"
1.225 + echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}"
1.226 + ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}
1.227 + html_msg $? 0 "Decrypt - Value 3"
1.228 +
1.229 + # Make sure we can decrypt with our the SDR key merged in from ../SDR
1.230 + echo "$SCRIPTNAME: Decrypt - With Merged SDR Key"
1.231 + echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}"
1.232 + ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}
1.233 + html_msg $? 0 "Decrypt - Value 1"
1.234 +
1.235 + # Make sure we can sign with merge certificate
1.236 + echo "$SCRIPTNAME: Signing with merged key ------------------"
1.237 + echo "cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig"
1.238 + ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig
1.239 + html_msg $? 0 "Create Detached Signature Dave" "."
1.240 +
1.241 + echo "cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} "
1.242 + ${PROFTOOL} ${BINDIR}/cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE}
1.243 + html_msg $? 0 "Verifying Dave's Detached Signature"
1.244 +
1.245 + # Make sure that trust objects were properly merged
1.246 + echo "$SCRIPTNAME: verifying merged cert ------------------"
1.247 + echo "certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}"
1.248 + ${PROFTOOL} ${BINDIR}/certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}
1.249 + html_msg $? 0 "Verifying ExtendedSSL User Cert"
1.250 +
1.251 + # Make sure that the crl got properly copied in
1.252 + echo "$SCRIPTNAME: verifying merged crl ------------------"
1.253 + echo "crlutil -L -n TestCA -d ${PROFILE}"
1.254 + ${PROFTOOL} ${BINDIR}/crlutil -L -n TestCA -d ${PROFILE}
1.255 + html_msg $? 0 "Verifying TestCA CRL"
1.256 +
1.257 +}
1.258 +
1.259 +############################## smime_cleanup ###########################
1.260 +# local shell function to finish this script (no exit since it might be
1.261 +# sourced)
1.262 +########################################################################
1.263 +merge_cleanup()
1.264 +{
1.265 + html "</TABLE><BR>"
1.266 + cd ${QADIR}
1.267 + . common/cleanup.sh
1.268 +}
1.269 +
1.270 +################## main #################################################
1.271 +
1.272 +merge_init
1.273 +merge_main
1.274 +merge_cleanup
1.275 +
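Review bot: merge_init runs `rm -f *.db` and `cp ${R_ALICEDIR}/* .` immediately after an unchecked `mkdir -p ${MERGEDIR}` / `cd ${MERGEDIR}`, so if either fails the delete and the copy land in whatever directory the sourced cert.sh or sdr.sh left the shell in. I would fail fast with the Exit helper already used for the grep checks, e.g. `cd "${MERGEDIR}" || Exit <code> "Fatal - cannot cd to ${MERGEDIR}"`, with the exit code chosen to follow the suite's convention. Separately, the conflict-database setup (`certutil -N` / `certutil -A` in merge_init) and the two `certutil -L -n "Alice #..."` checks in merge_main resolve `certutil` through PATH while every other call uses `${BINDIR}/certutil`; whether init.sh puts BINDIR first on PATH is not visible here, so prefixing `${BINDIR}/` on those lines would make sure the binary under test is the one being exercised.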