Thu, 22 Jan 2015 13:21:57 +0100
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

########################################################################
#
# mozilla/security/nss/tests/iopr/cert_iopr.sh
#
# Certificate generating and handling for NSS interoperability QA. This file
# is included from cert.sh
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
########################################################################
# Set when this file is sourced; presumably checked by the including
# script (cert.sh) to avoid double inclusion -- verify there.
IOPR_CERT_SOURCED=1
########################################################################
# Wraps calls to pk12util; also writes the current action (CU_ACTION)
# and the command line to stdout.
# Params are the same as for pk12util.
# Returns pk12util's status (also left in RET).
#
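pk12u()
{
  echo "${CU_ACTION} --------------------------"
  echo "pk12util $*"
  # "$@" hands every argument through intact; the unquoted form re-split
  # arguments (paths, the -W password value) on whitespace.
  "${BINDIR}/pk12util" "$@"
  # RET is global: callers in this file read it after the call.
  RET=$?
  return $RET
}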
########################################################################
# Initializes the NSS db directory and files if they don't exist yet.
# Params:
# $1 - directory location
#
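createDBDir() {
  # NOTE: trgDir is deliberately left global -- download_file reads the
  # normalized (absolute / cygpath'ed) value after this function returns.
  trgDir=$1
  local entry

  # Nothing to do if the directory already holds a db file (any entry
  # whose name contains "db"); this replaces the old `ls | grep db` test.
  for entry in "$trgDir"/*db*; do
    [ -e "$entry" ] && return 0
  done

  # Use an absolute path so the db location does not depend on the
  # current directory; a directory that cannot be entered is an error
  # instead of silently initializing a db in the cwd.
  trgDir=$(cd "$trgDir" && pwd) || { RET=1; return 1; }
  if [ "${OS_ARCH}" = "WINNT" ] && [ "${OS_NAME}" = "CYGWIN_NT" ]; then
    trgDir=$(cygpath -m "${trgDir}")
  fi

  # certu/modu (presumably the wrappers from cert.sh) report their status
  # in RET rather than in $?, so RET is what gets checked here.
  CU_ACTION="Initializing DB at ${trgDir}"
  certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
  if [ "$RET" -ne 0 ]; then
    return "$RET"
  fi

  CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
  if [ "$RET" -ne 0 ]; then
    return "$RET"
  fi
  return 0
}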
########################################################################
# Takes care of downloading config, cert and crl files from a remote
# location.
# Params:
# $1 - name of the host the file will be downloaded from
# $2 - path to the file as it appears in the URL
# $3 - target directory the file will be saved in
# Returns tstclnt status.
#
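download_file() {
  # host/filePath/trgDir/file stay global as in the original; createDBDir
  # normalizes trgDir in place and the normalized value is reused below.
  host=$1
  filePath=$2
  trgDir=$3
  local req ret
  local -a cmd

  file=$trgDir/${filePath##*/}

  createDBDir "$trgDir" || return $RET

  # Minimal HTTP/1.0 request, fed to tstclnt on stdin; whatever tstclnt
  # writes to stdout lands in $file.
  req=$file.$$
  printf 'GET %s HTTP/1.0\n\n' "$filePath" > "$req"

  cmd=("${BINDIR}/tstclnt" -d "$trgDir" -S -h "$host" -p "$IOPR_DOWNLOAD_PORT"
       -v -w "${R_PWFILE}" -o)
  echo "${cmd[*]}"
  "${cmd[@]}" < "$req" > "$file"
  ret=$?
  # Remove the request file created above (the original removed $_tmp,
  # a variable that is never set, so request files were left behind).
  rm -f -- "$req"
  return $ret
}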
########################################################################
# Uses pk12util, certutil or crlutil to import a file into an NSS db located
# at <dir> (the value of the $1 parameter). Chooses the utility based on
# the file extension. Initializes the db if it does not exist.
# Params:
# $1 - db location directory
# $2 - file name to import
# $3 - nick name the object in the file will be associated with
# $4 - trust arguments
# Returns status of the import
#
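importFile() {
  # The original had a stray backslash after "dir=$1", which joined the
  # next line onto it and left "file" unset; each assignment is now its
  # own statement. These stay global as before.
  dir=$1
  file=$2
  certName=$3
  certTrust=$4
  local base ext

  [ -d "$dir" ] || mkdir -p "$dir"
  createDBDir "$dir" || return $RET

  # Dispatch on the extension of the file's basename (text after the
  # last dot; a name without a dot falls into the default branch).
  base=${file##*/}
  ext=${base##*.}
  case "$ext" in
    p12)
      CU_ACTION="Importing p12 $file to DB at $dir"
      # -W iopr is the fixed PKCS#12 password of the test fixtures; note
      # it is passed on argv and so shows up in process listings.
      pk12u -d "$dir" -i "$file" -k "${R_PWFILE}" -W iopr || return 1
      CU_ACTION="Modifying trust for cert $certName at $dir"
      certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
      return $?
      ;;
    crl)
      CU_ACTION="Importing crl $file to DB at $dir"
      crlu -d "${dir}" -I -n TestCA -i "$file"
      return $?
      ;;
    crt | cert)
      CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
      certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
        -i "$file"
      return $?
      ;;
    *)
      echo "Unknown file extension: $file:"
      return 1
      ;;
  esac
}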
#########################################################################
# Downloads and installs test certs and crl from a remote webserver.
# Generates a server cert for reverse testing if the reverse test run is
# turned on.
# Params:
# $1 - host name to download files from.
# $2 - directory in which the CA cert will be installed and used for
#      signing a server cert.
# $3 - path to a config file in webserver context.
# $4 - ssl server db location
# $5 - ssl client db location
# $6 - ocsp client db location
#
# Returns 0 upon success, otherwise the failed command's error code.
#
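download_install_certs() {
  host=$1
  caDir=$2
  confPath=$3
  sslServerDir=$4
  sslClientDir=$5
  ocspClientDir=$6
  local fileName clientDir isOcsp

  [ -d "$caDir" ] || mkdir -p "$caDir"

  #=======================================================
  # Getting config file
  #
  download_file "$host" "$confPath/iopr_server.cfg" "$caDir"
  RET=$?
  if [ "$RET" -ne 0 ] || [ ! -f "$caDir/iopr_server.cfg" ]; then
    html_failed "Fail to download website config file(ws: $host)"
    return 1
  fi

  # Sourcing runs the downloaded file as shell code in this process, so
  # $host is trusted to the same degree as this script. The file is
  # expected to set certDir, caCertName, caCrlName, supportedTests_new,
  # downloadFiles and (optionally) reverseRunCGIScript, all used below.
  . "$caDir/iopr_server.cfg"
  RET=$?
  if [ "$RET" -ne 0 ]; then
    html_failed "Fail to source config file(ws: $host)"
    return $RET
  fi

  #=======================================================
  # Getting CA file
  #
  #----------------- !!!WARNING!!! -----------------------
  # Do NOT copy this scenario. CA should never accompany its
  # cert with the private key when deliver cert to a customer.
  #----------------- !!!WARNING!!! -----------------------
  download_file "$host" "$certDir/$caCertName.p12" "$caDir"
  RET=$?
  if [ "$RET" -ne 0 ] || [ ! -f "$caDir/$caCertName.p12" ]; then
    html_failed "Fail to download $caCertName cert(ws: $host)"
    return 1
  fi
  # Space-separated list of files removed on success (global, as before).
  tmpFiles="$caDir/$caCertName.p12"

  importFile "$caDir" "$caDir/$caCertName.p12" "$caCertName" "TC,C,C"
  RET=$?
  if [ "$RET" -ne 0 ]; then
    html_failed "Fail to import $caCertName cert to CA DB(ws: $host)"
    return $RET
  fi

  # certu leaves its status in RET (not $?), as elsewhere in this file.
  CU_ACTION="Exporting Root CA cert(ws: $host)"
  certu -L -n "$caCertName" -r -d "${caDir}" -o "$caDir/$caCertName.cert"
  if [ "$RET" -ne 0 ]; then
    Exit 7 "Fatal - failed to export $caCertName cert"
  fi

  #=======================================================
  # Check what tests we want to run
  #
  doSslTests=0; doOcspTests=0
  # XXX remove "_new" from variables below
  printf '%s\n' "$supportedTests_new" | grep -qi ssl && doSslTests=1
  printf '%s\n' "$supportedTests_new" | grep -qi ocsp && doOcspTests=1

  if [ "$doSslTests" -eq 1 ]; then
    if [ -n "$reverseRunCGIScript" ]; then
      [ -d "$sslServerDir" ] || mkdir -p "$sslServerDir"
      #=======================================================
      # Import CA cert to server DB
      #
      importFile "$sslServerDir" "$caDir/$caCertName.cert" server-client-CA \
        "TC,C,C"
      RET=$?
      if [ "$RET" -ne 0 ]; then
        html_failed "Fail to import server-client-CA cert to server DB(ws: $host)"
        return $RET
      fi

      #=======================================================
      # Creating server cert
      #
      CERTNAME=$HOSTADDR

      CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
      certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
        -o "$sslServerDir/req" 2>&1
      tmpFiles="$tmpFiles $sslServerDir/req"

      # NOTE:
      # For possible time synchronization problems (bug 444308) we generate
      # certificates valid also some time in past (-w -1)
      CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
      certu -C -c "$caCertName" -m "$(date +%s)" -v 60 -w -1 \
        -d "${caDir}" \
        -i "${sslServerDir}/req" -o "$caDir/${CERTNAME}.cert" \
        -f "${R_PWFILE}" 2>&1

      importFile "$sslServerDir" "$caDir/$CERTNAME.cert" "$CERTNAME" ",,"
      RET=$?
      if [ "$RET" -ne 0 ]; then
        html_failed "Fail to import $CERTNAME cert to server DB(ws: $host)"
        return $RET
      fi
      tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"

      #=======================================================
      # Download and import CA crl to server DB
      #
      download_file "$host" "$certDir/$caCrlName.crl" "$sslServerDir"
      RET=$?
      # Test RET, not $?: right after the assignment $? is always 0, so
      # the original could never notice a failed CRL download.
      if [ "$RET" -ne 0 ]; then
        html_failed "Fail to download $caCertName crl(ws: $host)"
        return $RET
      fi
      tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"

      # Import the file that was just downloaded; the original named a
      # hard-coded TestCA.crl here, which only matched when caCrlName
      # happened to be "TestCA".
      importFile "$sslServerDir" "$sslServerDir/$caCrlName.crl"
      RET=$?
      if [ "$RET" -ne 0 ]; then
        html_failed "Fail to import $caCrlName crl to server DB(ws: $host)"
        return $RET
      fi
    fi # if [ -n "$reverseRunCGIScript" ]

    [ -d "$sslClientDir" ] || mkdir -p "$sslClientDir"
    #=======================================================
    # Import CA cert to ssl client DB
    #
    importFile "$sslClientDir" "$caDir/$caCertName.cert" server-client-CA \
      "TC,C,C"
    RET=$?
    if [ "$RET" -ne 0 ]; then
      html_failed "Fail to import server-client-CA cert to ssl client DB(ws: $host)"
      return $RET
    fi
  fi

  if [ "$doOcspTests" -eq 1 ]; then
    [ -d "$ocspClientDir" ] || mkdir -p "$ocspClientDir"
    #=======================================================
    # Import CA cert to ocsp client DB
    #
    importFile "$ocspClientDir" "$caDir/$caCertName.cert" server-client-CA \
      "TC,C,C"
    RET=$?
    if [ "$RET" -ne 0 ]; then
      html_failed "Fail to import server-client-CA cert to ocsp client DB(ws: $host)"
      return $RET
    fi
  fi

  #=======================================================
  # Import client certs to client DB
  #
  # downloadFiles is a space-separated list: word-splitting is intended.
  for fileName in $downloadFiles; do
    # Nickname is the file name up to its first dot (global, as before).
    certName=${fileName%%.*}

    # Certs whose name contains "ocsp" go to the ocsp client db when ocsp
    # tests are on; everything else goes to the ssl client db when ssl
    # tests are on; otherwise the file is skipped.
    case "$certName" in
      *ocsp*) isOcsp=1 ;;
      *) isOcsp=0 ;;
    esac
    if [ "$isOcsp" -eq 1 ] && [ "$doOcspTests" -eq 1 ]; then
      clientDir=$ocspClientDir
    elif [ "$doSslTests" -eq 1 ]; then
      clientDir=$sslClientDir
    else
      continue
    fi

    download_file "$host" "$certDir/$fileName" "$clientDir"
    RET=$?
    if [ "$RET" -ne 0 ] || [ ! -f "$clientDir/$fileName" ]; then
      html_failed "Fail to download $certName cert(ws: $host)"
      # A missing file with a zero status must still count as a failure.
      [ "$RET" -ne 0 ] || RET=1
      return $RET
    fi
    tmpFiles="$tmpFiles $clientDir/$fileName"

    importFile "$clientDir" "$clientDir/$fileName" "$certName" ",,"
    RET=$?
    if [ "$RET" -ne 0 ]; then
      html_failed "Fail to import $certName cert to client DB(ws: $host)"
      return $RET
    fi
  done

  # Downloaded and intermediate files are removed only on full success;
  # any earlier return leaves them in place for inspection.
  rm -f $tmpFiles

  return 0
}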
#########################################################################
# Initial point for downloading config, cert and crl files for the multiple
# hosts involved in interoperability testing. Called from nss/tests/cert/cert.sh.
# It will only proceed with downloading if the environment variable
# IOPR_HOSTADDR_LIST is set to a space-separated list of host names.
#
# Returns 1 if interoperability testing is off, 0 otherwise.
#
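cert_iopr_setup() {
  local extra

  # Interoperability testing is opt-in; an unset or empty IOPR counts as
  # off. (The original numeric test on an empty value produced an error
  # instead of returning 1 and fell through into the host loop.)
  if [ "${IOPR:-0}" -ne 1 ]; then
    return 1
  fi

  # IOPR_HOSTADDR_LIST holds space-separated "host[:port[:confpath]]"
  # entries; word-splitting is intended. IOPR_HOSTADDR, IOPR_DOWNLOAD_PORT
  # and IOPR_CONF_PATH stay global -- download_file reads the port.
  for IOPR_HOST_PARAM in $IOPR_HOSTADDR_LIST; do
    IFS=: read -r IOPR_HOSTADDR IOPR_DOWNLOAD_PORT IOPR_CONF_PATH extra \
      <<<"$IOPR_HOST_PARAM"
    [ -n "$IOPR_DOWNLOAD_PORT" ] || IOPR_DOWNLOAD_PORT=443
    [ -n "$IOPR_CONF_PATH" ] || IOPR_CONF_PATH="/iopr"

    echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:$IOPR_CONF_PATH"

    if ! download_install_certs "${IOPR_HOSTADDR}" \
        "${IOPR_CADIR}_${IOPR_HOSTADDR}" \
        "${IOPR_CONF_PATH}" "${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}" \
        "${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}" \
        "${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}"; then
      # Flag the host as unusable in its config file; presumably picked up
      # by later test stages. wsParam is not set anywhere in this file.
      echo "wsFlags=\"NOIOPR $wsParam\"" >> \
        "${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg"
    fi
  done

  return 0
}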