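#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

########################################################################
#
# mozilla/security/nss/tests/iopr/cert_iopr.sh
#
# Certificate generating and handling for NSS interoperability QA. This file
# is included from cert.sh
#
# needs to work on all Unix and Windows platforms
#
# This file only defines functions. It is sourced, so it deliberately sets
# no shell options (set -e etc.) that would leak into the including script.
# It relies on helpers and variables provided by the caller: certu, crlu,
# modu, html_failed, Exit, BINDIR, R_PWFILE, R_NOISE_FILE, ROOTCERTSFILE,
# HOSTADDR, OS_ARCH, OS_NAME and the IOPR_* settings. The certu/modu
# helpers appear to leave their exit status in the global RET, which is
# what the checks below read.
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
########################################################################

IOPR_CERT_SOURCED=1

########################################################################
# function wraps calls to pk12util, also: writes action and options
# to stdout.
# Params are the same as to pk12util.
# Globals: CU_ACTION, BINDIR (read); RET (written)
# Returns pk12util status
#
pk12u()
{
    echo "${CU_ACTION} --------------------------"

    echo "pk12util $@"
    # "$@" keeps arguments with spaces (paths, nicknames) as single words.
    "${BINDIR}/pk12util" "$@"
    RET=$?

    return $RET
}

########################################################################
# Initializes nss db directory and files if they don't exist.
# A directory counts as initialized when it already holds a file whose
# name contains "db".
# Params:
#   $1 - directory location
# Globals: OS_ARCH, OS_NAME, ROOTCERTSFILE, R_PWFILE (read);
#          CU_ACTION (written); RET (written by certu/modu, or set to 1
#          here when the directory cannot be entered)
# Returns 0 if the db exists or was created, otherwise the failing
# helper's RET.
#
createDBDir() {
    trgDir=$1

    if [ -z "$(ls "$trgDir" | grep db)" ]; then
        # Use an absolute path so the DB location does not depend on cwd.
        # Bail out instead of silently initializing the current directory
        # when $1 cannot be entered (the old "cd; pwd" form did that).
        trgDir=$(cd "${trgDir}" && pwd)
        if [ -z "$trgDir" ]; then
            RET=1
            return 1
        fi
        if [ "${OS_ARCH}" = "WINNT" ] && [ "$OS_NAME" = "CYGWIN_NT" ]; then
            # cygpath -m yields a mixed-mode (C:/...) path for the native tools.
            trgDir=$(cygpath -m "${trgDir}")
        fi

        CU_ACTION="Initializing DB at ${trgDir}"
        certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
        if [ "$RET" -ne 0 ]; then
            return $RET
        fi

        CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
        modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
        if [ "$RET" -ne 0 ]; then
            return $RET
        fi
    fi
    return 0
}

########################################################################
# takes care of downloading config, cert and crl files from remote
# location.
# Params:
#   $1 - name of the host file will be downloaded from
#   $2 - path to the file as it appeared in url
#   $3 - target directory the file will be saved at.
# Globals: BINDIR, IOPR_DOWNLOAD_PORT, R_PWFILE (read)
# Returns tstclnt status.
#
# NOTE(review): tstclnt runs with -o, which makes it accept a server
# certificate that fails verification, so the transfer is encrypted but
# the peer is not authenticated. download_install_certs then sources the
# fetched iopr_server.cfg as shell code, so IOPR_HOSTADDR_LIST must only
# name trusted test infrastructure.
#
download_file() {
    host=$1
    filePath=$2
    trgDir=$3

    file=$trgDir/$(basename "$filePath")

    createDBDir "$trgDir" || return $RET

    # echo wget -O $file http://${host}${filePath}
    # wget -O $file http://${host}${filePath}
    # ret=$?

    # Hand-built HTTP/1.0 request, fed to tstclnt on stdin; the response
    # is captured verbatim into $file.
    req=$file.$$
    echo "GET $filePath HTTP/1.0" > "$req"
    echo >> "$req"

    echo "${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT -v -w ${R_PWFILE} -o"
    "${BINDIR}/tstclnt" -d "$trgDir" -S -h "$host" -p "$IOPR_DOWNLOAD_PORT" \
        -v -w "${R_PWFILE}" -o < "$req" > "$file"
    ret=$?
    # Was 'rm -f $_tmp' with $_tmp never set, which left the request file
    # behind in the target directory.
    rm -f -- "$req"
    return $ret
}

########################################################################
# Uses pk12util, certutil or crlutil to import files to an nss db located
# at (the value of $1 parameter). Chooses a utility to use based on
# a file extension. Initializes a db if it does not exist.
# Params:
#   $1 - db location directory
#   $2 - file name to import
#   $3 - nick name an object in the file will be associated with
#   $4 - trust arguments
# Globals: R_PWFILE (read); CU_ACTION (written)
# Returns status of import (1 for an unknown extension)
#
importFile() {
    # Was "dir=$1\" (stray line continuation); it only worked because the
    # following indented line joined into "dir=$1 file=$2".
    dir=$1
    file=$2
    certName=$3
    certTrust=$4

    [ ! -d "$dir" ] && mkdir -p "$dir"

    createDBDir "$dir" || return $RET

    # Extension = basename with everything up to the last dot removed
    # (a name without a dot keeps its full basename, as the sed form did).
    ext=$(basename "$file")
    ext=${ext##*.}

    case $ext in
    p12)
        # "iopr" is the fixed password of the fixture .p12 files (-W).
        CU_ACTION="Importing p12 $file to DB at $dir"
        pk12u -d "$dir" -i "$file" -k "${R_PWFILE}" -W iopr
        [ $? -ne 0 ] && return 1
        CU_ACTION="Modifying trust for cert $certName at $dir"
        certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
        return $?
        ;;

    crl)
        # The CRL is always attached to the nickname TestCA; presumably
        # this must match the CA nickname in the db -- not checked here.
        CU_ACTION="Importing crl $file to DB at $dir"
        crlu -d "${dir}" -I -n TestCA -i "$file"
        return $?
        ;;

    crt | cert)
        CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
        certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
            -i "$file"
        return $?
        ;;

    *)
        echo "Unknown file extension: $file:"
        return 1
        ;;
    esac
}


#########################################################################
# Downloads and installs test certs and crl from a remote webserver.
# Generates server cert for reverse testing if reverse test run is turned on.
# Params:
#   $1 - host name to download files from.
#   $2 - directory at which CA cert will be installed and used for
#        signing a server cert.
#   $3 - path to a config file in webserver context.
#   $4 - ssl server db location
#   $5 - ssl client db location
#   $6 - ocsp client db location
# Globals: the sourced iopr_server.cfg is expected to define certDir,
#          caCertName, caCrlName, supportedTests_new, reverseRunCGIScript
#          and downloadFiles (all read below); HOSTADDR, R_PWFILE and
#          R_NOISE_FILE come from the caller.
#
# Returns 0 upon success, otherwise, failed command error code.
#
# NOTE(review): the files collected in tmpFiles (including the CA .p12,
# which carries the CA private key) are only deleted on the success path;
# every early return leaves them on disk.
#
download_install_certs() {
    host=$1
    caDir=$2
    confPath=$3
    sslServerDir=$4
    sslClientDir=$5
    ocspClientDir=$6

    [ ! -d "$caDir" ] && mkdir -p "$caDir"

    #=======================================================
    # Getting config file
    #
    download_file "$host" "$confPath/iopr_server.cfg" "$caDir"
    RET=$?
    if [ $RET -ne 0 ] || [ ! -f "$caDir/iopr_server.cfg" ]; then
        html_failed "Fail to download website config file(ws: $host)"
        return 1
    fi

    # The downloaded config is executed as shell code in this shell.
    . "$caDir/iopr_server.cfg"
    RET=$?
    if [ $RET -ne 0 ]; then
        html_failed "Fail to source config file(ws: $host)"
        return $RET
    fi

    #=======================================================
    # Getting CA file
    #

    #----------------- !!!WARNING!!! -----------------------
    # Do NOT copy this scenario. CA should never accompany its
    # cert with the private key when deliver cert to a customer.
    #----------------- !!!WARNING!!! -----------------------

    download_file "$host" "$certDir/$caCertName.p12" "$caDir"
    RET=$?
    if [ $RET -ne 0 ] || [ ! -f "$caDir/$caCertName.p12" ]; then
        html_failed "Fail to download $caCertName cert(ws: $host)"
        return 1
    fi
    tmpFiles="$caDir/$caCertName.p12"

    importFile "$caDir" "$caDir/$caCertName.p12" "$caCertName" "TC,C,C"
    RET=$?
    if [ $RET -ne 0 ]; then
        html_failed "Fail to import $caCertName cert to CA DB(ws: $host)"
        return $RET
    fi

    CU_ACTION="Exporting Root CA cert(ws: $host)"
    certu -L -n "$caCertName" -r -d "${caDir}" -o "$caDir/$caCertName.cert"
    if [ "$RET" -ne 0 ]; then
        Exit 7 "Fatal - failed to export $caCertName cert"
    fi

    #=======================================================
    # Check what tests we want to run
    #
    doSslTests=0; doOcspTests=0
    # XXX remove "_new" from variables below
    [ -n "$(echo "${supportedTests_new}" | grep -i ssl)" ] && doSslTests=1
    [ -n "$(echo "${supportedTests_new}" | grep -i ocsp)" ] && doOcspTests=1

    if [ $doSslTests -eq 1 ]; then
        if [ "$reverseRunCGIScript" ]; then
            [ ! -d "$sslServerDir" ] && mkdir -p "$sslServerDir"
            #=======================================================
            # Import CA cert to server DB
            #
            importFile "$sslServerDir" "$caDir/$caCertName.cert" server-client-CA \
                "TC,C,C"
            RET=$?
            if [ $RET -ne 0 ]; then
                html_failed "Fail to import server-client-CA cert to server DB(ws: $host)"
                return $RET
            fi

            #=======================================================
            # Creating server cert
            #
            CERTNAME=$HOSTADDR

            CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
            CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
            certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
                -o "$sslServerDir/req" 2>&1
            tmpFiles="$tmpFiles $sslServerDir/req"
            # Previously unchecked; a failed request only surfaced later as
            # an import error.
            if [ "$RET" -ne 0 ]; then
                html_failed "Fail to generate cert request for $CERTNAME(ws: $host)"
                return $RET
            fi

            # NOTE:
            # For possible time synchronization problems (bug 444308) we generate
            # certificates valid also some time in past (-w -1)

            CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
            # The serial number (-m) is the current epoch time.
            certu -C -c "$caCertName" -m "$(date +"%s")" -v 60 -w -1 \
                -d "${caDir}" \
                -i "${sslServerDir}/req" -o "$caDir/${CERTNAME}.cert" \
                -f "${R_PWFILE}" 2>&1
            if [ "$RET" -ne 0 ]; then
                html_failed "Fail to sign cert request for $CERTNAME(ws: $host)"
                return $RET
            fi

            importFile "$sslServerDir" "$caDir/$CERTNAME.cert" "$CERTNAME" ",,"
            RET=$?
            if [ $RET -ne 0 ]; then
                html_failed "Fail to import $CERTNAME cert to server DB(ws: $host)"
                return $RET
            fi
            tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"

            #=======================================================
            # Download and import CA crl to server DB
            #
            download_file "$host" "$certDir/$caCrlName.crl" "$sslServerDir"
            RET=$?
            # Was 'if [ $? -ne 0 ]' after the RET assignment, which always
            # tested 0 and so never caught a failed download.
            if [ $RET -ne 0 ]; then
                html_failed "Fail to download $caCertName crl(ws: $host)"
                return $RET
            fi
            tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"

            # Import the file that was just downloaded (was hard-coded to
            # TestCA.crl, which only worked when caCrlName was TestCA).
            importFile "$sslServerDir" "$sslServerDir/$caCrlName.crl"
            RET=$?
            if [ $RET -ne 0 ]; then
                html_failed "Fail to import TestCA crt to server DB(ws: $host)"
                return $RET
            fi
        fi # if [ "$reverseRunCGIScript" ]

        [ ! -d "$sslClientDir" ] && mkdir -p "$sslClientDir"
        #=======================================================
        # Import CA cert to ssl client DB
        #
        importFile "$sslClientDir" "$caDir/$caCertName.cert" server-client-CA \
            "TC,C,C"
        RET=$?
        if [ $RET -ne 0 ]; then
            html_failed "Fail to import server-client-CA cert to server DB(ws: $host)"
            return $RET
        fi
    fi

    if [ $doOcspTests -eq 1 ]; then
        [ ! -d "$ocspClientDir" ] && mkdir -p "$ocspClientDir"
        #=======================================================
        # Import CA cert to ocsp client DB
        #
        importFile "$ocspClientDir" "$caDir/$caCertName.cert" server-client-CA \
            "TC,C,C"
        RET=$?
        if [ $RET -ne 0 ]; then
            html_failed "Fail to import server-client-CA cert to server DB(ws: $host)"
            return $RET
        fi
    fi

    #=======================================================
    # Import client certs to client DB
    #
    # downloadFiles is a whitespace-separated list from the config, so
    # word-splitting here is intentional.
    for fileName in $downloadFiles; do
        # Nickname = file name up to the first dot.
        certName=${fileName%%.*}

        if [ $doOcspTests -eq 1 ] && [ -n "$(echo "$certName" | grep ocsp)" ]; then
            clientDir=$ocspClientDir
        elif [ $doSslTests -eq 1 ]; then
            clientDir=$sslClientDir
        else
            continue
        fi

        download_file "$host" "$certDir/$fileName" "$clientDir"
        RET=$?
        if [ $RET -ne 0 ] || [ ! -f "$clientDir/$fileName" ]; then
            html_failed "Fail to download $certName cert(ws: $host)"
            return $RET
        fi
        tmpFiles="$tmpFiles $clientDir/$fileName"

        importFile "$clientDir" "$clientDir/$fileName" "$certName" ",,"
        RET=$?
        if [ $RET -ne 0 ]; then
            html_failed "Fail to import $certName cert to client DB(ws: $host)"
            return $RET
        fi
    done

    # tmpFiles is a space-separated list; splitting is intentional.
    rm -f $tmpFiles

    return 0
}


#########################################################################
# Initial point for downloading config, cert, crl files for multiple hosts
# involved in interoperability testing. Called from nss/tests/cert/cert.sh
# It will only proceed with downloading if environment variable
# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space.
# Each entry has the form host[:port[:confpath]]; port defaults to 443 and
# confpath to /iopr. Entries are split on single spaces, so a doubled
# space ends the list early.
# Globals: IOPR, IOPR_HOSTADDR_LIST, IOPR_CADIR, IOPR_SSL_SERVERDIR,
#          IOPR_SSL_CLIENTDIR, IOPR_OCSP_CLIENTDIR (read); IOPR_HOSTADDR,
#          IOPR_DOWNLOAD_PORT, IOPR_CONF_PATH (written). wsParam is not
#          defined in this file -- presumably set by the caller.
#
# Returns 1 if interoperability testing is off, 0 otherwise.
#
cert_iopr_setup() {

    # Treat an unset IOPR as "off". The old '[ "$IOPR" -ne 1 ]' raised a
    # test(1) error when IOPR was unset and then fell through to return 0.
    if [ "${IOPR:-0}" -ne 1 ]; then
        return 1
    fi
    num=1
    IOPR_HOST_PARAM=$(echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' ')
    while [ "$IOPR_HOST_PARAM" ]; do
        IOPR_HOSTADDR=$(echo "$IOPR_HOST_PARAM" | cut -f 1 -d':')
        IOPR_DOWNLOAD_PORT=$(echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':')
        [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443
        IOPR_CONF_PATH=$(echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':')
        [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"

        echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:$IOPR_CONF_PATH"

        download_install_certs "${IOPR_HOSTADDR}" "${IOPR_CADIR}_${IOPR_HOSTADDR}" \
            "${IOPR_CONF_PATH}" "${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}" \
            "${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}" \
            "${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}"
        if [ $? -ne 0 ]; then
            # Mark this host's config so later stages skip it.
            echo "wsFlags=\"NOIOPR $wsParam\"" >> \
                "${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg"
        fi
        num=$((num + 1))
        IOPR_HOST_PARAM=$(echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' ')
    done

    return 0
}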