security/nss/tests/cert/cert.sh@6474c204b198
security/nss/tests/cert/cert.sh
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rwxr-xr-x
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 #! /bin/bash
2 #
3 # This Source Code Form is subject to the terms of the Mozilla Public
4 # License, v. 2.0. If a copy of the MPL was not distributed with this
5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 ########################################################################
8 #
9 # mozilla/security/nss/tests/cert/rcert.sh
10 #
11 # Certificate generating and handeling for NSS QA, can be included
12 # multiple times from all.sh and the individual scripts
13 #
14 # needs to work on all Unix and Windows platforms
15 #
16 # included from (don't expect this to be up to date)
17 # --------------------------------------------------
18 # all.sh
19 # ssl.sh
20 # smime.sh
21 # tools.sh
22 #
23 # special strings
24 # ---------------
25 # FIXME ... known problems, search for this string
26 # NOTE .... unexpected behavior
27 #
28 # FIXME - Netscape - NSS
29 ########################################################################
31 ############################## cert_init ###############################
32 # local shell function to initialize this script
33 ########################################################################
34 cert_init()
35 {
36 SCRIPTNAME="cert.sh"
37 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
38 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
39 fi
40 if [ -z "${INIT_SOURCED}" ] ; then
41 cd ../common
42 . ./init.sh
43 fi
44 if [ -z "${IOPR_CERT_SOURCED}" ]; then
45 . ../iopr/cert_iopr.sh
46 fi
47 SCRIPTNAME="cert.sh"
48 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
49 if [ -z "$NSS_DISABLE_ECC" ] ; then
50 html_head "Certutil and Crlutil Tests with ECC"
51 else
52 html_head "Certutil and Crlutil Tests"
53 fi
55 LIBDIR="${DIST}/${OBJDIR}/lib"
57 ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
58 if [ ! "${ROOTCERTSFILE}" ] ; then
59 html_failed "Looking for root certs module."
60 cert_log "ERROR: Root certs module not found."
61 Exit 5 "Fatal - Root certs module not found."
62 else
63 html_passed "Looking for root certs module."
64 fi
66 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
67 ROOTCERTSFILE=`cygpath -m ${ROOTCERTSFILE}`
68 fi
69 }
71 cert_log() ###################### write the cert_status file
72 {
73 echo "$SCRIPTNAME $*"
74 echo $* >>${CERT_LOG_FILE}
75 }
77 ########################################################################
78 # function wraps calls to pk12util, also: writes action and options
79 # to stdout.
80 # Params are the same as to pk12util.
81 # Returns pk12util status
82 #
83 pk12u()
84 {
85 echo "${CU_ACTION} --------------------------"
87 echo "pk12util $@"
88 ${BINDIR}/pk12util $@
89 RET=$?
91 return $RET
92 }
94 ################################ certu #################################
95 # local shell function to call certutil, also: writes action and options to
96 # stdout, sets variable RET and writes results to the html file results
97 ########################################################################
98 certu()
99 {
100 echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
101 EXPECTED=${RETEXPECTED-0}
103 if [ -n "${CU_SUBJECT}" ]; then
104 #the subject of the cert contains blanks, and the shell
105 #will strip the quotes off the string, if called otherwise...
106 echo "certutil -s \"${CU_SUBJECT}\" $*"
107 ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $*
108 RET=$?
109 CU_SUBJECT=""
110 else
111 echo "certutil $*"
112 ${PROFTOOL} ${BINDIR}/certutil $*
113 RET=$?
114 fi
115 if [ "$RET" -ne "$EXPECTED" ]; then
116 CERTFAILED=$RET
117 html_failed "${CU_ACTION} ($RET=$EXPECTED) "
118 cert_log "ERROR: ${CU_ACTION} failed $RET"
119 else
120 html_passed "${CU_ACTION}"
121 fi
123 return $RET
124 }
126 ################################ crlu #################################
127 # local shell function to call crlutil, also: writes action and options to
128 # stdout, sets variable RET and writes results to the html file results
129 ########################################################################
130 crlu()
131 {
132 echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
134 CRLUTIL="crlutil -q"
135 echo "$CRLUTIL $*"
136 ${PROFTOOL} ${BINDIR}/$CRLUTIL $*
137 RET=$?
138 if [ "$RET" -ne 0 ]; then
139 CRLFAILED=$RET
140 html_failed "${CU_ACTION} ($RET) "
141 cert_log "ERROR: ${CU_ACTION} failed $RET"
142 else
143 html_passed "${CU_ACTION}"
144 fi
146 return $RET
147 }
149 ################################ ocspr ##################################
150 # local shell function to call ocsresp, also: writes action and options to
151 # stdout, sets variable RET and writes results to the html file results
152 #########################################################################
153 ocspr()
154 {
155 echo "$SCRIPTNAME: ${OR_ACTION} --------------------------"
157 OCSPRESP="ocspresp"
158 echo "$OCSPRESP $*"
159 ${PROFTOOL} ${BINDIR}/$OCSPRESP $*
160 RET=$?
161 if [ "$RET" -ne 0 ]; then
162 OCSPFAILED=$RET
163 html_failed "${OR_ACTION} ($RET) "
164 cert_log "ERROR: ${OR_ACTION} failed $RET"
165 else
166 html_passed "${OR_ACTION}"
167 fi
169 return $RET
170 }
172 modu()
173 {
174 echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
176 MODUTIL="modutil"
177 echo "$MODUTIL $*"
178 # echo is used to press Enter expected by modutil
179 echo | ${BINDIR}/$MODUTIL $*
180 RET=$?
181 if [ "$RET" -ne 0 ]; then
182 MODFAILED=$RET
183 html_failed "${CU_ACTION} ($RET) "
184 cert_log "ERROR: ${CU_ACTION} failed $RET"
185 else
186 html_passed "${CU_ACTION}"
187 fi
189 return $RET
190 }
192 ############################# cert_init_cert ##########################
193 # local shell function to initialize creation of client and server certs
194 ########################################################################
195 cert_init_cert()
196 {
197 CERTDIR="$1"
198 CERTNAME="$2"
199 CERTSERIAL="$3"
200 DOMAIN="$4"
202 if [ ! -d "${CERTDIR}" ]; then
203 mkdir -p "${CERTDIR}"
204 else
205 echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
206 fi
207 cd "${CERTDIR}"
208 CERTDIR="."
210 PROFILEDIR=`cd ${CERTDIR}; pwd`
211 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
212 PROFILEDIR=`cygpath -m ${PROFILEDIR}`
213 fi
214 if [ -n "${MULTIACCESS_DBM}" ]; then
215 PROFILEDIR="multiaccess:${DOMAIN}"
216 fi
218 noise
219 }
221 ############################# hw_acc #################################
222 # local shell function to add hw accelerator modules to the db
223 ########################################################################
224 hw_acc()
225 {
226 HW_ACC_RET=0
227 HW_ACC_ERR=""
228 if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then
229 echo "creating $CERTNAME s cert with hwaccelerator..."
230 #case $ACCELERATOR in
231 #rainbow)
233 echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
234 echo " -dbdir ${PROFILEDIR} 2>&1 "
235 echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
236 -dbdir ${PROFILEDIR} 2>&1
237 if [ "$?" -ne 0 ]; then
238 echo "modutil -add rainbow failed in `pwd`"
239 HW_ACC_RET=1
240 HW_ACC_ERR="modutil -add rainbow"
241 fi
243 echo "modutil -add ncipher "
244 echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
245 echo " -dbdir ${PROFILEDIR} 2>&1 "
246 echo | ${BINDIR}/modutil -add ncipher \
247 -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
248 -dbdir ${PROFILEDIR} 2>&1
249 if [ "$?" -ne 0 ]; then
250 echo "modutil -add ncipher failed in `pwd`"
251 HW_ACC_RET=`expr $HW_ACC_RET + 2`
252 HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
253 fi
254 if [ "$HW_ACC_RET" -ne 0 ]; then
255 html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) "
256 else
257 html_passed "Adding HW accelerators to certDB for ${CERTNAME}"
258 fi
260 fi
261 return $HW_ACC_RET
262 }
264 ############################# cert_create_cert #########################
265 # local shell function to create client certs
266 # initialize DB, import
267 # root cert
268 # add cert to DB
269 ########################################################################
270 cert_create_cert()
271 {
272 cert_init_cert "$1" "$2" "$3" "$4"
274 CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
275 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
276 if [ "$RET" -ne 0 ]; then
277 return $RET
278 fi
280 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"
281 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
282 if [ "$RET" -ne 0 ]; then
283 return $RET
284 fi
286 hw_acc
288 CU_ACTION="Import Root CA for $CERTNAME"
289 certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
290 -i "${R_CADIR}/TestCA.ca.cert" 2>&1
291 if [ "$RET" -ne 0 ]; then
292 return $RET
293 fi
295 if [ -z "$NSS_DISABLE_ECC" ] ; then
296 CU_ACTION="Import EC Root CA for $CERTNAME"
297 certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
298 -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
299 if [ "$RET" -ne 0 ]; then
300 return $RET
301 fi
302 fi
304 cert_add_cert "$5"
305 return $?
306 }
308 ############################# cert_add_cert ############################
309 # local shell function to add client certs to an existing CERT DB
310 # generate request
311 # sign request
312 # import Cert
313 #
314 ########################################################################
315 cert_add_cert()
316 {
317 CU_ACTION="Generate Cert Request for $CERTNAME"
318 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
319 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
320 if [ "$RET" -ne 0 ]; then
321 return $RET
322 fi
324 CU_ACTION="Sign ${CERTNAME}'s Request"
325 certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
326 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
327 if [ "$RET" -ne 0 ]; then
328 return $RET
329 fi
331 CU_ACTION="Import $CERTNAME's Cert"
332 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
333 -i "${CERTNAME}.cert" 2>&1
334 if [ "$RET" -ne 0 ]; then
335 return $RET
336 fi
338 cert_log "SUCCESS: $CERTNAME's Cert Created"
340 #
341 # Generate and add EC cert
342 #
343 if [ -z "$NSS_DISABLE_ECC" ] ; then
344 CURVE="secp384r1"
345 CU_ACTION="Generate EC Cert Request for $CERTNAME"
346 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
347 certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
348 -z "${R_NOISE_FILE}" -o req 2>&1
349 if [ "$RET" -ne 0 ]; then
350 return $RET
351 fi
353 CU_ACTION="Sign ${CERTNAME}'s EC Request"
354 certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
355 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
356 if [ "$RET" -ne 0 ]; then
357 return $RET
358 fi
360 CU_ACTION="Import $CERTNAME's EC Cert"
361 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
362 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
363 if [ "$RET" -ne 0 ]; then
364 return $RET
365 fi
366 cert_log "SUCCESS: $CERTNAME's EC Cert Created"
368 # Generate EC certificate signed with RSA
369 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
370 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
371 certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
372 -z "${R_NOISE_FILE}" -o req 2>&1
373 if [ "$RET" -ne 0 ]; then
374 return $RET
375 fi
377 CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
378 # Avoid conflicting serial numbers with TestCA issuer by keeping
379 # this set far away. A smaller number risks colliding with the
380 # extended ssl user certificates.
381 NEWSERIAL=`expr ${CERTSERIAL} + 10000`
382 certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
383 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1
384 if [ "$RET" -ne 0 ]; then
385 return $RET
386 fi
388 CU_ACTION="Import $CERTNAME's mixed EC Cert"
389 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
390 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
391 if [ "$RET" -ne 0 ]; then
392 return $RET
393 fi
394 cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
395 fi
397 return 0
398 }
400 ################################# cert_all_CA ################################
401 # local shell function to build the additional Temp. Certificate Authority (CA)
402 # used for the "real life" ssl test with 2 different CA's in the
403 # client and in the server's dir
404 ##########################################################################
405 cert_all_CA()
406 {
407 echo nss > ${PWFILE}
409 ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
410 cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
412 ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
413 cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
414 ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
415 cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3"
416 ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
417 cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4"
421 ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
422 cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
423 ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
424 cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6"
425 ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
426 cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
428 rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
430 # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
431 # in the chain
433 if [ -z "$NSS_DISABLE_ECC" ] ; then
434 #
435 # Create EC version of TestCA
436 CA_CURVE="secp521r1"
437 ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
438 cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
439 #
440 # Create EC versions of the intermediate CA certs
441 ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
442 cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
443 ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
444 cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
445 ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
446 cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
448 ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
449 cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
450 ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
451 cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
452 ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
453 cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
455 rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
456 # ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
457 # in the chain
459 fi
460 }
462 ################################# cert_CA ################################
463 # local shell function to build the Temp. Certificate Authority (CA)
464 # used for testing purposes, creating a CA Certificate and a root cert
465 ##########################################################################
466 cert_CA()
467 {
468 CUR_CADIR=$1
469 NICKNAME=$2
470 SIGNER=$3
471 TRUSTARG=$4
472 DOMAIN=$5
473 CERTSERIAL=$6
475 echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="
477 if [ ! -d "${CUR_CADIR}" ]; then
478 mkdir -p "${CUR_CADIR}"
479 fi
480 cd ${CUR_CADIR}
481 pwd
483 LPROFILE=`pwd`
484 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
485 LPROFILE=`cygpath -m ${LPROFILE}`
486 fi
487 if [ -n "${MULTIACCESS_DBM}" ]; then
488 LPROFILE="multiaccess:${DOMAIN}"
489 fi
491 if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
492 CU_ACTION="Creating CA Cert DB"
493 certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1
494 if [ "$RET" -ne 0 ]; then
495 Exit 5 "Fatal - failed to create CA $NICKNAME "
496 fi
498 CU_ACTION="Loading root cert module to CA Cert DB"
499 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1
500 if [ "$RET" -ne 0 ]; then
501 return $RET
502 fi
504 echo "$SCRIPTNAME: Certificate initialized ----------"
505 fi
508 ################# Creating CA Cert ######################################
509 #
510 CU_ACTION="Creating CA Cert $NICKNAME "
511 CU_SUBJECT=$ALL_CU_SUBJECT
512 certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \
513 -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT
514 5
515 6
516 9
517 n
518 y
519 -1
520 n
521 5
522 6
523 7
524 9
525 n
526 CERTSCRIPT
528 if [ "$RET" -ne 0 ]; then
529 echo "return value is $RET"
530 Exit 6 "Fatal - failed to create CA cert"
531 fi
533 ################# Exporting Root Cert ###################################
534 #
535 CU_ACTION="Exporting Root Cert"
536 certu -L -n $NICKNAME -r -d ${LPROFILE} -o root.cert
537 if [ "$RET" -ne 0 ]; then
538 Exit 7 "Fatal - failed to export root cert"
539 fi
540 cp root.cert ${NICKNAME}.ca.cert
541 }
543 ################################ cert_ec_CA ##############################
544 # local shell function to build the Temp. Certificate Authority (CA)
545 # used for testing purposes, creating a CA Certificate and a root cert
546 # This is the ECC version of cert_CA.
547 ##########################################################################
548 cert_ec_CA()
549 {
550 CUR_CADIR=$1
551 NICKNAME=$2
552 SIGNER=$3
553 TRUSTARG=$4
554 DOMAIN=$5
555 CERTSERIAL=$6
556 CURVE=$7
558 echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="
560 if [ ! -d "${CUR_CADIR}" ]; then
561 mkdir -p "${CUR_CADIR}"
562 fi
563 cd ${CUR_CADIR}
564 pwd
566 LPROFILE=.
567 if [ -n "${MULTIACCESS_DBM}" ]; then
568 LPROFILE="multiaccess:${DOMAIN}"
569 fi
571 ################# Creating an EC CA Cert ################################
572 #
573 CU_ACTION="Creating EC CA Cert $NICKNAME "
574 CU_SUBJECT=$ALL_CU_SUBJECT
575 certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \
576 -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
577 -m $CERTSERIAL 2>&1 <<CERTSCRIPT
578 5
579 6
580 9
581 n
582 y
583 -1
584 n
585 5
586 6
587 7
588 9
589 n
590 CERTSCRIPT
592 if [ "$RET" -ne 0 ]; then
593 echo "return value is $RET"
594 Exit 6 "Fatal - failed to create EC CA cert"
595 fi
597 ################# Exporting EC Root Cert ################################
598 #
599 CU_ACTION="Exporting EC Root Cert"
600 certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert
601 if [ "$RET" -ne 0 ]; then
602 Exit 7 "Fatal - failed to export ec root cert"
603 fi
604 cp ecroot.cert ${NICKNAME}.ca.cert
605 }
607 ############################## cert_smime_client #############################
608 # local shell function to create client Certificates for S/MIME tests
609 ##############################################################################
610 cert_smime_client()
611 {
612 CERTFAILED=0
613 echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="
615 cert_create_cert ${ALICEDIR} "Alice" 30 ${D_ALICE}
616 cert_create_cert ${BOBDIR} "Bob" 40 ${D_BOB}
618 echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
619 cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
621 ## XXX With this new script merging ECC and non-ECC tests, the
622 ## call to cert_create_cert ends up creating two separate certs
623 ## one for Eve and another for Eve-ec but they both end up with
624 ## the same Subject Alt Name Extension, i.e., both the cert for
625 ## Eve@bogus.com and the cert for Eve-ec@bogus.com end up
626 ## listing eve@bogus.net in the Certificate Subject Alt Name extension.
627 ## This can cause a problem later when cmsutil attempts to create
628 ## enveloped data and accidently picks up the ECC cert (NSS currently
629 ## does not support ECC for enveloped data creation). This script
630 ## avoids the problem by ensuring that these conflicting certs are
631 ## never added to the same cert database (see comment marked XXXX).
632 echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
633 cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
635 #echo "************* Copying CA files to ${SERVERDIR}"
636 #cp ${CADIR}/*.db .
637 #hw_acc
639 #########################################################################
640 #
641 #cd ${CERTDIR}
642 #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
643 #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
644 #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
645 # -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
647 #CU_ACTION="Export Dave's Cert"
648 #cd ${DAVEDIR}
649 #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
651 ################# Importing Certificates for S/MIME tests ###############
652 #
653 echo "$SCRIPTNAME: Importing Certificates =============================="
654 CU_ACTION="Import Bob's cert into Alice's db"
655 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
656 -i ${R_BOBDIR}/Bob.cert 2>&1
658 CU_ACTION="Import Dave's cert into Alice's DB"
659 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
660 -i ${R_DAVEDIR}/Dave.cert 2>&1
662 CU_ACTION="Import Dave's cert into Bob's DB"
663 certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
664 -i ${R_DAVEDIR}/Dave.cert 2>&1
666 CU_ACTION="Import Eve's cert into Alice's DB"
667 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
668 -i ${R_EVEDIR}/Eve.cert 2>&1
670 CU_ACTION="Import Eve's cert into Bob's DB"
671 certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
672 -i ${R_EVEDIR}/Eve.cert 2>&1
674 if [ -z "$NSS_DISABLE_ECC" ] ; then
675 echo "$SCRIPTNAME: Importing EC Certificates =============================="
676 CU_ACTION="Import Bob's EC cert into Alice's db"
677 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
678 -i ${R_BOBDIR}/Bob-ec.cert 2>&1
680 CU_ACTION="Import Dave's EC cert into Alice's DB"
681 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
682 -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
684 CU_ACTION="Import Dave's EC cert into Bob's DB"
685 certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
686 -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
688 ## XXXX Do not import Eve's EC cert until we can make sure that
689 ## the email addresses listed in the Subject Alt Name Extension
690 ## inside Eve's ECC and non-ECC certs are different.
691 # CU_ACTION="Import Eve's EC cert into Alice's DB"
692 # certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
693 # -i ${R_EVEDIR}/Eve-ec.cert 2>&1
695 # CU_ACTION="Import Eve's EC cert into Bob's DB"
696 # certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
697 # -i ${R_EVEDIR}/Eve-ec.cert 2>&1
698 fi
700 if [ "$CERTFAILED" != 0 ] ; then
701 cert_log "ERROR: SMIME failed $RET"
702 else
703 cert_log "SUCCESS: SMIME passed"
704 fi
705 }
707 ############################## cert_extended_ssl #######################
708 # local shell function to create client + server certs for extended SSL test
709 ########################################################################
710 cert_extended_ssl()
711 {
713 ################# Creating Certs for extended SSL test ####################
714 #
715 CERTFAILED=0
716 echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
717 echo " of a chain of CA's which are not in the same database============"
719 echo "Server Cert"
720 cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
722 CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
723 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
725 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
726 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
728 CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
729 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
730 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
732 CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
733 cp ${CERTDIR}/req ${SERVER_CADIR}
734 certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
735 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
737 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
738 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
739 -i "${CERTNAME}.cert" 2>&1
741 CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
742 certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
743 -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
745 if [ -z "$NSS_DISABLE_ECC" ] ; then
746 #
747 # Repeat the above for EC certs
748 #
749 EC_CURVE="secp256r1"
750 CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
751 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
752 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
753 -z "${R_NOISE_FILE}" -o req 2>&1
755 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
756 cp ${CERTDIR}/req ${SERVER_CADIR}
757 certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
758 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
760 CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
761 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
762 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
764 CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
765 certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
766 -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
767 #
768 # done with EC certs
769 #
770 # Repeat again for mixed EC certs
771 #
772 EC_CURVE="secp256r1"
773 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
774 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
775 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
776 -z "${R_NOISE_FILE}" -o req 2>&1
778 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
779 cp ${CERTDIR}/req ${SERVER_CADIR}
780 certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \
781 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
783 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
784 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
785 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
787 # CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)"
788 # certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
789 # -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
790 # 2>&1
791 fi
793 echo "Importing all the server's own CA chain into the servers DB"
794 for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
795 do
796 N=`basename $CA | sed -e "s/.ca.cert//"`
797 if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then
798 T="-t C,C,C"
799 else
800 T="-t u,u,u"
801 fi
802 CU_ACTION="Import $N CA $T for $CERTNAME (ext.) "
803 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
804 -i "${CA}" 2>&1
805 done
806 #============
807 echo "Client Cert"
808 cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
810 CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
811 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
813 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
814 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
816 CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
817 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
818 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
819 -o req 2>&1
821 CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
822 cp ${CERTDIR}/req ${CLIENT_CADIR}
823 certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
824 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
826 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
827 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
828 -i "${CERTNAME}.cert" 2>&1
829 CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
830 certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
831 -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
833 if [ -z "$NSS_DISABLE_ECC" ] ; then
834 #
835 # Repeat the above for EC certs
836 #
837 CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
838 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
839 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
840 -z "${R_NOISE_FILE}" -o req 2>&1
842 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
843 cp ${CERTDIR}/req ${CLIENT_CADIR}
844 certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
845 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
847 CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
848 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
849 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
851 CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
852 certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
853 -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
854 #
855 # done with EC certs
856 #
857 #
858 # Repeat the above for mixed EC certs
859 #
860 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
861 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
862 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
863 -z "${R_NOISE_FILE}" -o req 2>&1
865 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
866 cp ${CERTDIR}/req ${CLIENT_CADIR}
867 certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \
868 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
870 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
871 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
872 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
874 # CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
875 # certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
876 # -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
877 #
878 # done with mixed EC certs
879 #
880 fi
882 echo "Importing all the client's own CA chain into the servers DB"
883 for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
884 do
885 N=`basename $CA | sed -e "s/.ca.cert//"`
886 if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then
887 T="-t T,C,C"
888 else
889 T="-t u,u,u"
890 fi
891 CU_ACTION="Import $N CA $T for $CERTNAME (ext.)"
892 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
893 -i "${CA}" 2>&1
894 done
895 if [ "$CERTFAILED" != 0 ] ; then
896 cert_log "ERROR: EXT failed $RET"
897 else
898 cert_log "SUCCESS: EXT passed"
899 fi
900 }
902 ############################## cert_ssl ################################
903 # local shell function to create client + server certs for SSL test
904 ########################################################################
905 cert_ssl()
906 {
907 ################# Creating Certs for SSL test ###########################
908 #
909 CERTFAILED=0
910 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
911 cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}
913 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
914 echo " ${HOSTADDR} ------------------------------------"
915 cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
916 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
917 echo " ${HOSTADDR}-sni --------------------------------"
918 CERTSERIAL=101
919 CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}"
920 cert_add_cert
921 CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
922 certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
923 if [ -z "$NSS_DISABLE_ECC" ] ; then
924 CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
925 certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
926 fi
927 # cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
928 # echo "************* Copying CA files to ${SERVERDIR}"
929 # cp ${CADIR}/*.db .
930 # hw_acc
931 # CU_ACTION="Creating ${CERTNAME}'s Server Cert"
932 # CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
933 # certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
934 # -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
936 if [ "$CERTFAILED" != 0 ] ; then
937 cert_log "ERROR: SSL failed $RET"
938 else
939 cert_log "SUCCESS: SSL passed"
940 fi
942 echo "$SCRIPTNAME: Creating database for OCSP stapling tests ==============="
943 echo "cp -r ${SERVERDIR} ${STAPLINGDIR}"
944 cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
945 pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
946 pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
947 }
948 ############################## cert_stresscerts ################################
949 # local shell function to create client certs for SSL stresstest
950 ########################################################################
951 cert_stresscerts()
952 {
954 ############### Creating Certs for SSL stress test #######################
955 #
956 CERTDIR="$CLIENTDIR"
957 cd "${CERTDIR}"
959 PROFILEDIR=`cd ${CERTDIR}; pwd`
960 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
961 PROFILEDIR=`cygpath -m ${PROFILEDIR}`
962 fi
963 if [ -n "${MULTIACCESS_DBM}" ]; then
964 PROFILEDIR="multiaccess:${D_CLIENT}"
965 fi
966 CERTFAILED=0
967 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
969 CONTINUE=$GLOB_MAX_CERT
970 CERTSERIAL=10
972 while [ $CONTINUE -ge $GLOB_MIN_CERT ]
973 do
974 CERTNAME="TestUser$CONTINUE"
975 # cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL
976 cert_add_cert
977 CERTSERIAL=`expr $CERTSERIAL + 1 `
978 CONTINUE=`expr $CONTINUE - 1 `
979 done
980 if [ "$CERTFAILED" != 0 ] ; then
981 cert_log "ERROR: StressCert failed $RET"
982 else
983 cert_log "SUCCESS: StressCert passed"
984 fi
985 }
987 ############################## cert_fips #####################################
988 # local shell function to create certificates for FIPS tests
989 ##############################################################################
990 cert_fips()
991 {
992 CERTFAILED=0
993 echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
994 cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
996 CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
997 certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
999 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
1000 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
1002 echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
1003 CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
1004 echo "modutil -dbdir ${PROFILEDIR} -fips true "
1005 ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
1006 y
1007 MODSCRIPT
1008 RET=$?
1009 if [ "$RET" -ne 0 ]; then
1010 html_failed "${CU_ACTION} ($RET) "
1011 cert_log "ERROR: ${CU_ACTION} failed $RET"
1012 else
1013 html_passed "${CU_ACTION}"
1014 fi
1016 CU_ACTION="Generate Certificate for ${CERTNAME}"
1017 CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
1018 certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
1019 if [ "$RET" -eq 0 ]; then
1020 cert_log "SUCCESS: FIPS passed"
1021 fi
1022 }
1024 ############################## cert_eccurves ###########################
1025 # local shell function to create server certs for all EC curves
1026 ########################################################################
1027 cert_eccurves()
1028 {
1029 ################# Creating Certs for EC curves test ########################
1030 #
1031 if [ -z "$NSS_DISABLE_ECC" ] ; then
1032 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
1033 echo " EC Curves Test Certificates ------------------------------------"
1035 cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
1037 CU_ACTION="Initializing EC Curve's Cert DB"
1038 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1040 CU_ACTION="Loading root cert module to EC Curve's Cert DB"
1041 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
1043 CU_ACTION="Import EC Root CA for $CERTNAME"
1044 certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
1045 -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
1047 if [ -n "${NSS_ECC_MORE_THAN_SUITE_B}" ] ; then
1048 CURVE_LIST="c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 \
1049 c2pnb208w1 c2pnb272w1 c2pnb304w1 c2pnb368w1 \
1050 c2tnb191v1 c2tnb191v2 c2tnb191v3 c2tnb239v1 \
1051 c2tnb239v2 c2tnb239v3 c2tnb359v1 c2tnb431r1 \
1052 nistb163 nistb233 nistb283 nistb409 nistb571 \
1053 nistk163 nistk233 nistk283 nistk409 nistk571 \
1054 nistp192 nistp224 nistp256 nistp384 nistp521 \
1055 prime192v1 prime192v2 prime192v3 \
1056 prime239v1 prime239v2 prime239v3 \
1057 secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 \
1058 secp160r1 secp160r2 secp192k1 secp192r1 secp224k1 \
1059 secp224r1 secp256k1 secp256r1 secp384r1 secp521r1 \
1060 sect113r1 sect113r2 sect131r1 sect131r2 sect163k1 sect163r1 \
1061 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 \
1062 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1"
1063 else
1064 CURVE_LIST="nistp256 nistp384 nistp521"
1065 fi
1066 CERTSERIAL=2000
1068 for CURVE in ${CURVE_LIST}
1069 do
1070 CERTFAILED=0
1071 CERTNAME="Curve-${CURVE}"
1072 CERTSERIAL=`expr $CERTSERIAL + 1 `
1073 CU_ACTION="Generate EC Cert Request for $CERTNAME"
1074 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
1075 certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
1076 -z "${R_NOISE_FILE}" -o req 2>&1
1078 if [ $RET -eq 0 ] ; then
1079 CU_ACTION="Sign ${CERTNAME}'s EC Request"
1080 certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
1081 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
1082 fi
1084 if [ $RET -eq 0 ] ; then
1085 CU_ACTION="Import $CERTNAME's EC Cert"
1086 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
1087 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
1088 fi
1089 done
1091 fi # $NSS_DISABLE_ECC
1092 }
1094 ########################### cert_extensions_test #############################
1095 # local shell function to test cert extensions generation
1096 ##############################################################################
1097 cert_extensions_test()
1098 {
1099 COUNT=`expr ${COUNT} + 1`
1100 CERTNAME=TestExt${COUNT}
1101 CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
1103 echo
1104 echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
1105 -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
1106 -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
1107 echo "certutil options:"
1108 cat ${TARG_FILE}
1109 ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
1110 -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
1111 -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE}
1112 RET=$?
1113 if [ "${RET}" -ne 0 ]; then
1114 CERTFAILED=1
1115 html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate"
1116 cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed"
1117 return 1
1118 fi
1120 echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}
1121 EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}`
1122 RET=$?
1123 echo "${EXTLIST}"
1124 if [ "${RET}" -ne 0 ]; then
1125 CERTFAILED=1
1126 html_failed "${TESTNAME} (${COUNT}) - List Certificate"
1127 cert_log "ERROR: ${TESTNAME} - List Certificate failed"
1128 return 1
1129 fi
1131 for FL in `echo ${FILTERLIST} | tr \| ' '`; do
1132 FL="`echo ${FL} | tr _ ' '`"
1133 EXPSTAT=0
1134 if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then
1135 EXPSTAT=1
1136 FL=`echo ${FL} | tr -d '!'`
1137 fi
1138 echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1
1139 RET=$?
1140 if [ "${RET}" -ne "${EXPSTAT}" ]; then
1141 CERTFAILED=1
1142 html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}"
1143 cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed"
1144 return 1
1145 fi
1146 done
1148 html_passed "${TESTNAME} (${COUNT})"
1149 return 0
1150 }
1152 ############################## cert_extensions ###############################
1153 # local shell function to run cert extensions tests
1154 ##############################################################################
1155 cert_extensions()
1156 {
1157 CERTNAME=TestExt
1158 cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS}
1159 TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args
1161 COUNT=0
1162 while read ARG OPT FILTERLIST; do
1163 if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then
1164 continue
1165 fi
1166 if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then
1167 TESTNAME="${FILTERLIST}"
1168 continue
1169 fi
1170 if [ X"${ARG}" = "X=" ]; then
1171 cert_extensions_test
1172 rm -f ${TARG_FILE}
1173 else
1174 echo ${ARG} >> ${TARG_FILE}
1175 fi
1176 done < ${QADIR}/cert/certext.txt
1177 }
1179 cert_make_with_param()
1180 {
1181 DIRPASS="$1"
1182 CERTNAME="$2"
1183 MAKE="$3"
1184 SUBJ="$4"
1185 EXTRA="$5"
1186 EXPECT="$6"
1187 TESTNAME="$7"
1189 echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
1190 ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
1192 RET=$?
1193 if [ "${RET}" -ne "${EXPECT}" ]; then
1194 # if we expected failure to create, then delete unexpected certificate
1195 if [ "${EXPECT}" -ne 0 ]; then
1196 ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
1197 fi
1199 CERTFAILED=1
1200 html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}"
1201 cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed"
1202 return 1
1203 fi
1205 html_passed "${TESTNAME} (${COUNT})"
1206 return 0
1207 }
1209 cert_list_and_count_dns()
1210 {
1211 DIRPASS="$1"
1212 CERTNAME="$2"
1213 EXPECT="$3"
1214 EXPECTCOUNT="$4"
1215 TESTNAME="$5"
1217 echo certutil ${DIRPASS} -L ${CERTNAME}
1218 ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME}
1220 RET=$?
1221 if [ "${RET}" -ne "${EXPECT}" ]; then
1222 CERTFAILED=1
1223 html_failed "${TESTNAME} (${COUNT}) - list and count"
1224 cert_log "ERROR: ${TESTNAME} - list and count failed"
1225 return 1
1226 fi
1228 LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS`
1229 if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then
1230 CERTFAILED=1
1231 html_failed "${TESTNAME} (${COUNT}) - list and count"
1232 cert_log "ERROR: ${TESTNAME} - list and count failed"
1233 return 1
1234 fi
1236 html_passed "${TESTNAME} (${COUNT})"
1237 return 0
1238 }
1240 cert_dump_ext_to_file()
1241 {
1242 DIRPASS="$1"
1243 CERTNAME="$2"
1244 OID="$3"
1245 OUTFILE="$4"
1246 EXPECT="$5"
1247 TESTNAME="$6"
1249 echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID}
1250 echo "writing output to ${OUTFILE}"
1251 ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE}
1253 RET=$?
1254 if [ "${RET}" -ne "${EXPECT}" ]; then
1255 CERTFAILED=1
1256 html_failed "${TESTNAME} (${COUNT}) - dump to file"
1257 cert_log "ERROR: ${TESTNAME} - dump to file failed"
1258 return 1
1259 fi
1261 html_passed "${TESTNAME} (${COUNT})"
1262 return 0
1263 }
1265 cert_delete()
1266 {
1267 DIRPASS="$1"
1268 CERTNAME="$2"
1269 EXPECT="$3"
1270 TESTNAME="$4"
1272 echo certutil ${DIRPASS} -D ${CERTNAME}
1273 ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
1275 RET=$?
1276 if [ "${RET}" -ne "${EXPECT}" ]; then
1277 CERTFAILED=1
1278 html_failed "${TESTNAME} (${COUNT}) - delete cert"
1279 cert_log "ERROR: ${TESTNAME} - delete cert failed"
1280 return 1
1281 fi
1283 html_passed "${TESTNAME} (${COUNT})"
1284 return 0
1285 }
1287 cert_inc_count()
1288 {
1289 COUNT=`expr ${COUNT} + 1`
1290 }
1292 ############################## cert_crl_ssl ############################
1293 # test adding subject-alt-name, dumping, and adding generic extension
1294 ########################################################################
1295 cert_san_and_generic_extensions()
1296 {
1297 EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der
1299 DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}"
1300 CERTNAME="-n WithSAN"
1301 MAKE="-S -t ,, -x -z ${R_NOISE_FILE}"
1302 SUBJ="CN=example.com"
1304 TESTNAME="san-and-generic-extensions"
1306 cert_inc_count
1307 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
1308 "--extSAN example.com" 255 \
1309 "create cert with invalid SAN parameter"
1311 cert_inc_count
1312 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
1313 "--extSAN example.com,dns:www.example.com" 255 \
1314 "create cert with invalid SAN parameter"
1316 TN="create cert with valid SAN parameter"
1318 cert_inc_count
1319 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
1320 "--extSAN dns:example.com,dns:www.example.com" 0 \
1321 "${TN}"
1323 cert_inc_count
1324 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
1325 "${TN}"
1327 cert_inc_count
1328 cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \
1329 "dump extension 2.5.29.17 to file ${EXTDUMP}"
1331 cert_inc_count
1332 cert_delete "${DIR}" "${CERTNAME}" 0 \
1333 "${TN}"
1335 cert_inc_count
1336 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
1337 "expect failure to list cert, because we deleted it"
1339 cert_inc_count
1340 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
1341 "--extGeneric ${EXTDUMP}" 255 \
1342 "create cert with invalid generic ext parameter"
1344 cert_inc_count
1345 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
1346 "--extGeneric not-critical:${EXTDUMP}" 255 \
1347 "create cert with invalid generic ext parameter"
1349 cert_inc_count
1350 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
1351 "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \
1352 "create cert with invalid generic ext parameter"
1354 TN="create cert with valid generic ext parameter"
1356 cert_inc_count
1357 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
1358 "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \
1359 "${TN}"
1361 cert_inc_count
1362 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
1363 "${TN}"
1365 cert_inc_count
1366 cert_delete "${DIR}" "${CERTNAME}" 0 \
1367 "${TN}"
1369 cert_inc_count
1370 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
1371 "expect failure to list cert, because we deleted it"
1372 }
1374 ############################## cert_crl_ssl ############################
1375 # local shell function to generate certs and crls for SSL tests
1376 ########################################################################
1377 cert_crl_ssl()
1378 {
1380 ################# Creating Certs ###################################
1381 #
1382 CERTFAILED=0
1383 CERTSERIAL=${CRL_GRP_1_BEGIN}
1385 cd $CADIR
1387 PROFILEDIR=`cd ${CLIENTDIR}; pwd`
1388 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
1389 PROFILEDIR=`cygpath -m ${PROFILEDIR}`
1390 fi
1391 CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1`
1392 echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ==="
1393 CU_ACTION="Creating client test certs"
1395 while [ $CERTSERIAL -le $CRL_GRPS_END ]
1396 do
1397 CERTNAME="TestUser$CERTSERIAL"
1398 cert_add_cert
1399 CERTSERIAL=`expr $CERTSERIAL + 1 `
1400 done
1402 #################### CRL Creation ##############################
1403 CRL_GEN_RES=0
1404 echo "$SCRIPTNAME: Creating CA CRL ====================================="
1406 CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1`
1407 CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END}
1408 CRL_FILE=${CRL_FILE_GRP_1}
1410 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
1411 CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority"
1412 CRL_GRP_END_=`expr ${CRL_GRP_END} - 1`
1413 crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \
1414 -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
1415 update=$CRLUPDATE
1416 addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
1417 addext reasonCode 0 4
1418 addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA"
1419 EOF_CRLINI
1420 # This extension should be added to the list, but currently nss has bug
1421 #addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1
1422 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1423 chmod 600 ${CRL_FILE_GRP_1}_or
1425 if [ -z "$NSS_DISABLE_ECC" ] ; then
1426 CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
1428 # Until Bug 292285 is resolved, do not encode x400 Addresses. After
1429 # the bug is resolved, reintroduce "x400Address:x400Address" within
1430 # addext issuerAltNames ...
1431 crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
1432 -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
1433 update=$CRLUPDATE
1434 addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
1435 addext reasonCode 0 4
1436 addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
1437 EOF_CRLINI
1438 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1439 chmod 600 ${CRL_FILE_GRP_1}_or-ec
1440 fi
1442 echo test > file
1443 ############################# Modification ##################################
1445 echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
1446 sleep 2
1447 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
1448 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
1449 CU_ACTION="Modify CRL by adding one more cert"
1450 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \
1451 -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
1452 update=$CRLUPDATE
1453 addcert ${CRL_GRP_END} $CRL_GRP_DATE
1454 EOF_CRLINI
1455 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1456 chmod 600 ${CRL_FILE_GRP_1}_or1
1457 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
1458 if [ -z "$NSS_DISABLE_ECC" ] ; then
1459 CU_ACTION="Modify CRL (ECC) by adding one more cert"
1460 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
1461 -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
1462 update=$CRLUPDATE
1463 addcert ${CRL_GRP_END} $CRL_GRP_DATE
1464 EOF_CRLINI
1465 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1466 chmod 600 ${CRL_FILE_GRP_1}_or1-ec
1467 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
1468 fi
1470 ########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
1471 echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
1472 CU_ACTION="Modify CRL by removing one cert"
1473 sleep 2
1474 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
1475 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
1476 -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
1477 update=$CRLUPDATE
1478 rmcert ${UNREVOKED_CERT_GRP_1}
1479 EOF_CRLINI
1480 chmod 600 ${CRL_FILE_GRP_1}
1481 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
1482 if [ -z "$NSS_DISABLE_ECC" ] ; then
1483 CU_ACTION="Modify CRL (ECC) by removing one cert"
1484 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
1485 -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
1486 update=$CRLUPDATE
1487 rmcert ${UNREVOKED_CERT_GRP_1}
1488 EOF_CRLINI
1489 chmod 600 ${CRL_FILE_GRP_1}-ec
1490 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
1491 fi
1493 ########### Creating second CRL which includes groups 1 and 2 ##############
1494 CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
1495 CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}
1497 echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ==============="
1498 sleep 2
1499 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
1500 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
1501 CU_ACTION="Creating CRL for groups 1 and 2"
1502 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2} \
1503 -i ${CRL_FILE_GRP_1} <<EOF_CRLINI
1504 update=$CRLUPDATE
1505 addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
1506 addext invalidityDate 0 $CRLUPDATE
1507 rmcert ${UNREVOKED_CERT_GRP_2}
1508 EOF_CRLINI
1509 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1510 chmod 600 ${CRL_FILE_GRP_2}
1511 if [ -z "$NSS_DISABLE_ECC" ] ; then
1512 CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
1513 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
1514 -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
1515 update=$CRLUPDATE
1516 addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
1517 addext invalidityDate 0 $CRLUPDATE
1518 rmcert ${UNREVOKED_CERT_GRP_2}
1519 EOF_CRLINI
1520 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1521 chmod 600 ${CRL_FILE_GRP_2}-ec
1522 fi
1524 ########### Creating second CRL which includes groups 1, 2 and 3 ##############
1525 CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
1526 CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END}
1530 echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3 ==============="
1531 sleep 2
1532 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
1533 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
1534 CU_ACTION="Creating CRL for groups 1, 2 and 3"
1535 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3} \
1536 -i ${CRL_FILE_GRP_2} <<EOF_CRLINI
1537 update=$CRLUPDATE
1538 addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
1539 rmcert ${UNREVOKED_CERT_GRP_3}
1540 addext crlNumber 0 2
1541 EOF_CRLINI
1542 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1543 chmod 600 ${CRL_FILE_GRP_3}
1544 if [ -z "$NSS_DISABLE_ECC" ] ; then
1545 CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
1546 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
1547 -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
1548 update=$CRLUPDATE
1549 addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
1550 rmcert ${UNREVOKED_CERT_GRP_3}
1551 addext crlNumber 0 2
1552 EOF_CRLINI
1553 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1554 chmod 600 ${CRL_FILE_GRP_3}-ec
1555 fi
1557 ############ Importing Server CA Issued CRL for certs of first group #######
1559 echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
1560 CU_ACTION="Importing CRL for groups 1"
1561 crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"
1562 crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
1563 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1564 if [ -z "$NSS_DISABLE_ECC" ] ; then
1565 CU_ACTION="Importing CRL (ECC) for groups 1"
1566 crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}"
1567 crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
1568 -d "${R_SERVERDIR}"
1569 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1570 fi
1572 if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
1573 cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
1574 else
1575 cert_log "SUCCESS: SSL CRL prep passed"
1576 fi
1577 }
1579 #################
1580 # Verify the we can successfully change the password on the database
1581 #
1582 cert_test_password()
1583 {
1584 CERTFAILED=0
1585 echo "$SCRIPTNAME: Create A Password Test Cert =============="
1586 cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}"
1588 echo "$SCRIPTNAME: Create A Password Test Ca --------"
1589 ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
1590 cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1"
1592 # now change the password
1593 CU_ACTION="Changing password on ${CERTNAME}'s Cert DB"
1594 certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1
1596 # finally make sure we can use the old key with the new password
1597 CU_ACTION="Generate Certificate for ${CERTNAME} with new password"
1598 CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
1599 certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1
1600 if [ "$RET" -eq 0 ]; then
1601 cert_log "SUCCESS: PASSWORD passed"
1602 fi
1603 CU_ACTION="Verify Certificate for ${CERTNAME} with new password"
1604 certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
1605 }
1607 ###############################
1608 # test if we can distrust a certificate.
1609 #
1610 # we create 3 new certs:
1611 # 1 leaf signed by the trusted root.
1612 # 1 intermediate signed by the trusted root.
1613 # 1 leaf signed by the intermediate.
1614 #
1615 # we mark the first leaf and the intermediate as explicitly untrusted.
1616 # we then try to verify the two leaf certs for our possible usages.
1617 # All verification should fail.
1618 #
1619 cert_test_distrust()
1620 {
1621 echo "$SCRIPTNAME: Creating Distrusted Certificate"
1622 cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST}
1623 CU_ACTION="Mark CERT as unstrusted"
1624 certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1
1625 echo "$SCRIPTNAME: Creating Distrusted Intermediate"
1626 CERTNAME="DistrustedCA"
1627 ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
1628 cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1
1629 CU_ACTION="Import Distrusted Intermediate"
1630 certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
1631 -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1
1633 # now create the last leaf signed by our distrusted CA
1634 # since it's not signed by TestCA it requires more steps.
1635 CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA"
1636 CERTNAME="LeafChainedToDistrustedCA"
1637 CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
1638 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
1640 CU_ACTION="Sign ${CERTNAME}'s Request"
1641 cp ${CERTDIR}/req ${CADIR}
1642 certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \
1643 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
1645 CU_ACTION="Import $CERTNAME's Cert -t u,u,u"
1646 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
1647 -i "${CERTNAME}.cert" 2>&1
1649 RETEXPECTED=255
1650 CU_ACTION="Verify ${CERTNAME} Cert for SSL Server"
1651 certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1652 CU_ACTION="Verify ${CERTNAME} Cert for SSL Client"
1653 certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1654 CU_ACTION="Verify ${CERTNAME} Cert for Email signer"
1655 certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1656 CU_ACTION="Verify ${CERTNAME} Cert for Email recipient"
1657 certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1658 CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder"
1659 certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1660 CU_ACTION="Verify ${CERTNAME} Cert for Object Signer"
1661 certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1663 CERTNAME="Distrusted"
1664 CU_ACTION="Verify ${CERTNAME} Cert for SSL Server"
1665 certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1666 CU_ACTION="Verify ${CERTNAME} Cert for SSL Client"
1667 certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1668 CU_ACTION="Verify ${CERTNAME} Cert for Email signer"
1669 certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1670 CU_ACTION="Verify ${CERTNAME} Cert for Email recipient"
1671 certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1672 CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder"
1673 certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1674 CU_ACTION="Verify ${CERTNAME} Cert for Object Signer"
1675 certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1676 RETEXPECTED=0
1677 }
1679 cert_test_ocspresp()
1680 {
1681 echo "$SCRIPTNAME: OCSP response creation selftest"
1682 OR_ACTION="perform selftest"
1683 RETEXPECTED=0
1684 ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
1685 }
1687 ############################## cert_cleanup ############################
1688 # local shell function to finish this script (no exit since it might be
1689 # sourced)
1690 ########################################################################
1691 cert_cleanup()
1692 {
1693 cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
1694 html "</TABLE><BR>"
1695 cd ${QADIR}
1696 . common/cleanup.sh
1697 }
1699 ################## main #################################################
1701 cert_init
1702 cert_all_CA
1703 cert_extended_ssl
1704 cert_ssl
1705 cert_smime_client
1706 if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
1707 cert_fips
1708 fi
1709 cert_eccurves
1710 cert_extensions
1711 cert_san_and_generic_extensions
1712 cert_test_password
1713 cert_test_distrust
1714 cert_test_ocspresp
1716 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
1717 cert_crl_ssl
1718 else
1719 echo "$SCRIPTNAME: Skipping CRL Tests"
1720 fi
1722 if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
1723 cert_stresscerts
1724 fi
1726 cert_iopr_setup
1728 cert_cleanup
