Thu, 22 Jan 2015 13:21:57 +0100
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
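#!/bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Usage: ./generate_certs.sh <path to objdir> <output directory>
# e.g. (from the root of mozilla-central)
# `./security/manager/ssl/tests/unit/tlsserver/generate_certs.sh \
#   obj-x86_64-unknown-linux-gnu/ \
#   security/manager/ssl/tests/unit/tlsserver/`
#
# NB: This will cause the following files to be overwritten if they are in
# the output directory:
# cert8.db, key3.db, secmod.db, test-ca.der, other-test-ca.der, default-ee.der
# NB: You must run genHPKPStaticPins.js after running this file, since its
# output (StaticHPKPins.h) depends on default-ee.der
#
# Everything produced here is a test fixture: the NSS DB is initialised from
# an empty password file and several of the certs are deliberately invalid
# (expired, mismatched SAN, MD5-signed, ...), so none of it is meant to be
# used outside the test suite.

set -x
set -e

# Exit status for usage/argument errors. It must be assigned before the first
# `exit $E_BADARGS`: an unset value makes `exit` fall back to the status of
# the preceding echo (0), so a bad invocation would look like success.
E_BADARGS=65

if [ $# -ne 2 ]; then
  echo "Usage: $(basename "${0}") <path to objdir> <output directory>" >&2
  exit "$E_BADARGS"
fi

OBJDIR=${1}
OUTPUT_DIR=${2}
RUN_MOZILLA="$OBJDIR/dist/bin/run-mozilla.sh"
CERTUTIL="$OBJDIR/dist/bin/certutil"
# On BSD, mktemp requires either a template or a prefix. The template is a
# relative path, so both temp files are created in the current directory;
# cleanup (defined below) removes them.
MKTEMP="mktemp temp.XXXX"

# $MKTEMP is a command plus argument and relies on word-splitting.
# shellcheck disable=SC2086
NOISE_FILE=$($MKTEMP)
# Make a good effort at putting something unique in the noise file. It is
# handed to certutil via -z (see COMMON_ARGS) during key generation; a
# timestamp is not secret, which is acceptable only because the resulting keys
# are test fixtures.
date +%s%N > "$NOISE_FILE"
# Nothing is ever written to this file: `certutil -N -f` below therefore
# initialises the DB with an empty password.
# shellcheck disable=SC2086
PASSWORD_FILE=$($MKTEMP)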
#######################################
# Delete the temporary noise and password files.
# Globals:   NOISE_FILE, PASSWORD_FILE (read)
# Arguments: none
# Returns:   0 (rm -f ignores files that are already gone)
#######################################
function cleanup {
  local tmp_file
  for tmp_file in "$NOISE_FILE" "$PASSWORD_FILE"; do
    rm -f -- "$tmp_file"
  done
}
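# The temp files exist from here on, so remove them on every exit path
# (including an abort from set -e or a failing certutil), not only when the
# final cleanup call at the end of the script is reached.
trap cleanup EXIT

if [ ! -f "$RUN_MOZILLA" ]; then
  echo "Could not find run-mozilla.sh at '$RUN_MOZILLA' - I'll try without it" >&2
  RUN_MOZILLA=""
fi

if [ ! -f "$CERTUTIL" ]; then
  echo "Could not find certutil at '$CERTUTIL'" >&2
  exit "${E_BADARGS:-65}"
fi

if [ ! -d "$OUTPUT_DIR" ]; then
  echo "Could not find output directory at '$OUTPUT_DIR'" >&2
  exit "${E_BADARGS:-65}"
fi

# Always start from a fresh NSS DB so that certs left over from an earlier run
# cannot end up in the fixtures.
if [ -f "$OUTPUT_DIR/cert8.db" ] || [ -f "$OUTPUT_DIR/key3.db" ] || [ -f "$OUTPUT_DIR/secmod.db" ]; then
  echo "Found pre-existing NSS DBs. Clobbering old OCSP certs."
  rm -f -- "$OUTPUT_DIR/cert8.db" "$OUTPUT_DIR/key3.db" "$OUTPUT_DIR/secmod.db"
fi

# $RUN_MOZILLA is intentionally unquoted: it may be empty (see above), and a
# quoted empty string would be passed as a bogus first argument.
# The password file is empty, so the DB gets an empty password.
# shellcheck disable=SC2086
$RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -N -f "$PASSWORD_FILE"

# Options shared by every cert: -v 360 months of validity, -w -1 moves the
# start of validity one month into the past, -2 adds a basic-constraints
# extension (its prompts are answered on stdin by the make_* helpers), and
# -z seeds key generation from the noise file. Kept as a plain string on
# purpose: the helpers expand it unquoted so it is word-split into options.
COMMON_ARGS="-v 360 -w -1 -2 -z $NOISE_FILE"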
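#######################################
# Create a self-signed root CA cert in the NSS DB and export it as DER.
# Globals:   RUN_MOZILLA, CERTUTIL, OUTPUT_DIR, COMMON_ARGS (read)
# Arguments:
#   $1 - nickname of the new cert in the DB
#   $2 - subject, e.g. 'CN=Test CA'
#   $3 - file name for the DER export, written under $OUTPUT_DIR
# Outputs:   $OUTPUT_DIR/$3
#######################################
make_CA() {
  # Answers to the prompts raised by -2 in COMMON_ARGS (reading certutil's
  # basic-constraints prompts as: is a CA = y, path length = 1, critical = y).
  local ca_responses="y\n1\ny"
  local nickname="${1}"
  local subject="${2}"
  local derfile="${3}"

  # $RUN_MOZILLA may be empty and $COMMON_ARGS must be word-split, so those
  # two stay unquoted; everything else is quoted so names with spaces or
  # glob characters survive intact. "CT,," marks the cert as a trusted CA.
  # shellcheck disable=SC2086
  printf '%b\n' "$ca_responses" | $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -S \
    -n "$nickname" \
    -s "$subject" \
    -t "CT,," \
    -x $COMMON_ARGS
  # shellcheck disable=SC2086
  $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -L -n "$nickname" -r > "$OUTPUT_DIR/$derfile"
}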
# Serial number for the next cert issued by make_INT, make_EE or
# make_delegated: each passes it as -m and then increments it, so every cert
# they create gets a distinct serial (the "right issuer, wrong cert" OCSP case
# below depends on that).
SERIALNO=1
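#######################################
# Issue an intermediate CA cert, signed by an existing cert in the DB.
# Globals:   RUN_MOZILLA, CERTUTIL, OUTPUT_DIR, COMMON_ARGS (read)
#            SERIALNO (read, then incremented)
# Arguments:
#   $1 - nickname of the new cert
#   $2 - subject, e.g. 'CN=Test Intermediate'
#   $3 - nickname of the issuing cert (passed to -c)
#   $4 - optional extra certutil options as one word-split string
#        (e.g. "-w -400")
#######################################
make_INT() {
  # Prompt answers piped to certutil: first the -2 basic-constraints prompts
  # (is a CA = y, path length = 0, critical = y), then the --extAIA prompts,
  # which record http://localhost:8080/ as the access location. The "2" and
  # "7" appear to select the OCSP access method and a URI name type — confirm
  # against the certutil version in use.
  local int_responses="y\n0\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
  local nickname="${1}"
  local subject="${2}"
  local ca="${3}"
  local extra_args="${4}"

  # $RUN_MOZILLA may be empty; $COMMON_ARGS and $extra_args are option
  # strings that must be word-split. Everything else is quoted.
  # shellcheck disable=SC2086
  printf '%b\n' "$int_responses" | $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -S \
    -n "$nickname" \
    -s "$subject" \
    -c "$ca" \
    -t ",," \
    -m "$SERIALNO" \
    --extAIA \
    $COMMON_ARGS \
    $extra_args
  # Global on purpose: serials must stay unique across every make_* call.
  SERIALNO=$((SERIALNO + 1))
}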
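#######################################
# Issue an end-entity cert with a subject alternative name list.
# Globals:   RUN_MOZILLA, CERTUTIL, OUTPUT_DIR, COMMON_ARGS (read)
#            SERIALNO (read, then incremented)
# Arguments:
#   $1 - nickname of the new cert
#   $2 - subject, e.g. 'CN=Test End-entity'
#   $3 - nickname of the issuing cert (passed to -c)
#   $4 - comma-separated DNS names for the SAN extension (passed to -8)
#   $5 - optional extra certutil options, word-split (e.g. "-w -400")
#   $6 - a second optional option group, word-split (e.g. "-x")
#######################################
make_EE() {
  # Prompt answers piped to certutil: the -2 basic-constraints prompts
  # (is a CA = n, path length left blank, critical = y), then the --extAIA
  # prompts recording http://localhost:8080/ as the access location ("2" and
  # "7" appear to pick the OCSP method and a URI name type — confirm).
  local cert_responses="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
  local nickname="${1}"
  local subject="${2}"
  local ca="${3}"
  local subject_alt_name="${4}"
  # Two slots so a caller can pass two independent option groups; both are
  # word-split when expanded below.
  local extra_args="${5} ${6}"

  # The SAN list contains "*" wildcards, so it must be quoted or the shell
  # will try to glob-expand it against the current directory. $RUN_MOZILLA
  # may be empty; $COMMON_ARGS and $extra_args are word-split by design.
  # shellcheck disable=SC2086
  printf '%b\n' "$cert_responses" | $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -S \
    -n "$nickname" \
    -s "$subject" \
    -8 "$subject_alt_name" \
    -c "$ca" \
    -t ",," \
    -m "$SERIALNO" \
    --extAIA \
    $COMMON_ARGS \
    $extra_args
  # Global on purpose: serials must stay unique across every make_* call.
  SERIALNO=$((SERIALNO + 1))
}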
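#######################################
# Issue a cert intended as a (valid or deliberately invalid) delegated OCSP
# responder: like make_EE but without a SAN and without the AIA extension.
# Globals:   RUN_MOZILLA, CERTUTIL, OUTPUT_DIR, COMMON_ARGS (read)
#            SERIALNO (read, then incremented)
# Arguments:
#   $1 - nickname of the new cert
#   $2 - subject, e.g. 'CN=Test Delegated Responder'
#   $3 - nickname of the issuing cert (passed to -c)
#   $4 - optional extra certutil options, word-split
#        (e.g. "--extKeyUsage ocspResponder")
#######################################
make_delegated() {
  # Answers to the -2 basic-constraints prompts only: is a CA = n, path
  # length left blank, critical = y.
  local cert_responses="n\n\ny\n"
  local nickname="${1}"
  local subject="${2}"
  local ca="${3}"
  local extra_args="${4}"

  # $RUN_MOZILLA may be empty; $COMMON_ARGS and $extra_args are word-split
  # option strings. Everything else is quoted.
  # shellcheck disable=SC2086
  printf '%b\n' "$cert_responses" | $RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -S \
    -n "$nickname" \
    -s "$subject" \
    -c "$ca" \
    -t ",," \
    -m "$SERIALNO" \
    $COMMON_ARGS \
    $extra_args
  # Global on purpose: serials must stay unique across every make_* call.
  SERIALNO=$((SERIALNO + 1))
}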
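# Two roots: testCA issues the chains that are expected to validate, otherCA
# issues the "wrong CA" / untrusted-issuer negative cases.
make_CA testCA 'CN=Test CA' test-ca.der
make_CA otherCA 'CN=Other test CA' other-test-ca.der

make_EE localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com"
# Make an EE cert issued by otherCA
make_EE otherIssuerEE 'CN=Wrong CA Pin Test End-Entity' otherCA "*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com"

# default-ee.der is the input genHPKPStaticPins.js depends on (see header).
# $RUN_MOZILLA may legitimately be empty, so it stays unquoted.
# shellcheck disable=SC2086
$RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -L -n localhostAndExampleCom -r > "$OUTPUT_DIR/default-ee.der"
# A cert that is like localhostAndExampleCom, but with a different serial number for
# testing the "OCSP response is from the right issuer, but it is for the wrong cert"
# case.
make_EE ocspOtherEndEntity 'CN=Other Cert' testCA "localhost,*.example.com"

make_INT testINT 'CN=Test Intermediate' testCA
make_EE ocspEEWithIntermediate 'CN=Test End-entity with Intermediate' testINT "localhost,*.example.com"
# Negative fixtures. "-w -400" shifts the validity window 400 months back,
# further than the 360-month -v in COMMON_ARGS, so the cert is already
# expired; a SAN that does not match the test host gives a name mismatch;
# "-x" makes the cert self-signed.
make_EE expired 'CN=Expired Test End-entity' testCA "expired.example.com" "-w -400"
make_EE mismatch 'CN=Mismatch Test End-entity' testCA "doesntmatch.example.com"
make_EE selfsigned 'CN=Self-signed Test End-entity' testCA "selfsigned.example.com" "-x"
# If the certificate 'CN=Test Intermediate' isn't loaded into memory,
# this certificate will have an unknown issuer.
make_INT deletedINT 'CN=Test Intermediate to delete' testCA
make_EE unknownissuer 'CN=Test End-entity from unknown issuer' deletedINT "unknownissuer.example.com"
# shellcheck disable=SC2086
$RUN_MOZILLA $CERTUTIL -d "$OUTPUT_DIR" -D -n deletedINT
make_INT expiredINT 'CN=Expired Test Intermediate' testCA "-w -400"
make_EE expiredissuer 'CN=Test End-entity with expired issuer' expiredINT "expiredissuer.example.com"
# The leading assignment is scoped to this single call (in bash it is visible
# to the commands the function runs), so the weak-algorithm override applies
# only to the MD5 fixtures that the tests expect to be rejected.
NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature 'CN=Test End-entity with MD5 signature' testCA "md5signature.example.com" "-Z MD5"
make_EE untrustedissuer 'CN=Test End-entity with untrusted issuer' otherCA "untrustedissuer.example.com"

# Combinations of the individual failure modes above.
make_EE mismatch-expired 'CN=Mismatch-Expired Test End-entity' testCA "doesntmatch.example.com" "-w -400"
make_EE mismatch-untrusted 'CN=Mismatch-Untrusted Test End-entity' otherCA "doesntmatch.example.com"
make_EE untrusted-expired 'CN=Untrusted-Expired Test End-entity' otherCA "untrusted-expired.example.com" "-w -400"
make_EE mismatch-untrusted-expired 'CN=Mismatch-Untrusted-Expired Test End-entity' otherCA "doesntmatch.example.com" "-w -400"
NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature-expired 'CN=Test MD5Signature-Expired End-entity' testCA "md5signature-expired.example.com" "-Z MD5" "-w -400"

# Key-usage / EKU fixtures. The "unused" issuer name is paired with "-x"
# (self-signed), so presumably no issuer lookup happens for it.
make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"

# One valid delegated OCSP responder and four that must be rejected: missing
# EKU, issued by the intermediate rather than the CA, keyUsage crlSigning,
# and the wrong EKU.
make_delegated delegatedSigner 'CN=Test Delegated Responder' testCA "--extKeyUsage ocspResponder"
make_delegated invalidDelegatedSignerNoExtKeyUsage 'CN=Test Invalid Delegated Responder No extKeyUsage' testCA
make_delegated invalidDelegatedSignerFromIntermediate 'CN=Test Invalid Delegated Responder From Intermediate' testINT "--extKeyUsage ocspResponder"
make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegated Responder keyUsage crlSigning' testCA "--keyUsage crlSigning"
make_delegated invalidDelegatedSignerWrongExtKeyUsage 'CN=Test Invalid Delegated Responder Wrong extKeyUsage' testCA "--extKeyUsage codeSigning"

# A self-signed cert that claims cA=true via make_INT's basic-constraints
# answers; the SAN is supplied through the extra-args slot here.
make_INT self-signed-EE-with-cA-true 'CN=Test Self-signed End-entity with CA true' unused "-x -8 self-signed-end-entity-with-cA-true.example.com"

cleanup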