michael@0: #! /bin/bash michael@0: # michael@0: # This Source Code Form is subject to the terms of the Mozilla Public michael@0: # License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: # file, You can obtain one at http://mozilla.org/MPL/2.0/. michael@0: michael@0: ######################################################################## michael@0: # michael@0: # mozilla/security/nss/tests/merge/merge.sh michael@0: # michael@0: # Script to test NSS merge michael@0: # michael@0: # needs to work on all Unix and Windows platforms michael@0: # michael@0: # special strings michael@0: # --------------- michael@0: # FIXME ... known problems, search for this string michael@0: # NOTE .... unexpected behavior michael@0: # michael@0: ######################################################################## michael@0: michael@0: ############################## merge_init ############################## michael@0: # local shell function to initialize this script michael@0: ######################################################################## michael@0: merge_init() michael@0: { michael@0: SCRIPTNAME=merge.sh # sourced - $0 would point to all.sh michael@0: HAS_EXPLICIT_DB=0 michael@0: if [ ! -z "${NSS_DEFAULT_DB_TYPE}" ]; then michael@0: HAS_EXPLICIT_DB=1 michael@0: fi michael@0: michael@0: michael@0: if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for michael@0: CLEANUP="${SCRIPTNAME}" # cleaning this script will do it michael@0: fi michael@0: michael@0: if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then michael@0: cd ../common michael@0: . ./init.sh michael@0: fi michael@0: if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here michael@0: cd ${QADIR}/cert michael@0: . ./cert.sh michael@0: fi michael@0: michael@0: if [ ! -d ${HOSTDIR}/SDR ]; then michael@0: cd ${QADIR}/sdr michael@0: . ./sdr.sh michael@0: fi michael@0: SCRIPTNAME=merge.sh michael@0: michael@0: html_head "Merge Tests" michael@0: michael@0: # need the SSL & SMIME directories from cert.sh michael@0: grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { michael@0: Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" michael@0: } michael@0: grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { michael@0: Exit 8 "Fatal - SSL of cert.sh needs to pass first" michael@0: } michael@0: michael@0: #temporary files for SDR tests michael@0: VALUE1=$HOSTDIR/tests.v1.$$ michael@0: VALUE3=$HOSTDIR/tests.v3.$$ michael@0: michael@0: # local directories used in this test. michael@0: MERGEDIR=${HOSTDIR}/merge michael@0: R_MERGEDIR=../merge michael@0: D_MERGE="merge.$version" michael@0: # SDR not initialized in common/init michael@0: P_R_SDR=../SDR michael@0: D_SDR="SDR.$version" michael@0: mkdir -p ${MERGEDIR} michael@0: michael@0: PROFILE=. michael@0: if [ -n "${MULTIACCESS_DBM}" ]; then michael@0: PROFILE="multiaccess:${D_MERGE}" michael@0: P_R_SDR="multiaccess:${D_SDR}" michael@0: fi michael@0: michael@0: cd ${MERGEDIR} michael@0: michael@0: # clear out any existing databases, potentially from a previous run. michael@0: rm -f *.db michael@0: michael@0: # copy alicedir over as a seed database. michael@0: cp ${R_ALICEDIR}/* . michael@0: # copy the smime text samples michael@0: cp ${QADIR}/smime/*.txt . michael@0: michael@0: # create a set of conflicting names. michael@0: CONFLICT1DIR=conflict1 michael@0: CONFLICT2DIR=conflict2 michael@0: mkdir ${CONFLICT1DIR} michael@0: mkdir ${CONFLICT2DIR} michael@0: # in the upgrade mode (dbm->sql), make sure our test databases michael@0: # are dbm databases. michael@0: if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then michael@0: save=${NSS_DEFAULT_DB_TYPE} michael@0: NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE michael@0: fi michael@0: michael@0: certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE} michael@0: certutil -N -d ${CONFLICT2DIR} -f ${R_PWFILE} michael@0: certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser41.cert -d ${CONFLICT1DIR} michael@0: certutil -A -n "Alice #1" -t ,, -i ${R_CADIR}/TestUser42.cert -d ${CONFLICT1DIR} michael@0: certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser43.cert -d ${CONFLICT1DIR} michael@0: certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser44.cert -d ${CONFLICT2DIR} michael@0: certutil -A -n "Alice #1" -t ,, -i ${R_CADIR}/TestUser45.cert -d ${CONFLICT2DIR} michael@0: certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser46.cert -d ${CONFLICT2DIR} michael@0: if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then michael@0: NSS_DEFAULT_DB_TYPE=${save}; export NSS_DEFAULT_DB_TYPE michael@0: fi michael@0: michael@0: # michael@0: # allow all the tests to run in standalone mode. michael@0: # in standalone mode, TEST_MODE is not set. michael@0: # if NSS_DEFAULT_DB_TYPE is dbm, then test merge with dbm michael@0: # if NSS_DEFAULT_DB_TYPE is sql, then test merge with sql michael@0: # if NSS_DEFAULT_DB_TYPE is not set, then test database upgrade merge michael@0: # from dbm databases (created above) into a new sql db. michael@0: if [ -z "${TEST_MODE}" ] && [ ${HAS_EXPLICIT_DB} -eq 0 ]; then michael@0: echo "*** Using Standalone Upgrade DB mode" michael@0: NSS_DEFAULT_DB_TYPE=sql; export NSS_DEFAULT_DB_TYPE michael@0: echo certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} michael@0: ${BINDIR}/certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} michael@0: TEST_MODE=UPGRADE_DB michael@0: michael@0: fi michael@0: michael@0: } michael@0: michael@0: # michael@0: # this allows us to run this test for both merge and upgrade-merge cases. michael@0: # merge_cmd takes the potential upgrade-id and the rest of the certutil michael@0: # arguments. michael@0: # michael@0: merge_cmd() michael@0: { michael@0: MERGE_CMD=--merge michael@0: if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then michael@0: MERGE_CMD="--upgrade-merge --upgrade-token-name OldDB --upgrade-id ${1}" michael@0: fi michael@0: shift michael@0: echo certutil ${MERGE_CMD} $* michael@0: ${PROFTOOL} ${BINDIR}/certutil ${MERGE_CMD} $* michael@0: } michael@0: michael@0: michael@0: merge_main() michael@0: { michael@0: # first create a local sdr key and encrypt some data with it michael@0: # This will cause a colision with the SDR key in ../SDR. michael@0: echo "$SCRIPTNAME: Creating an SDR key & Encrypt" michael@0: echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}" michael@0: ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE} michael@0: html_msg $? 0 "Creating SDR Key" michael@0: michael@0: # Now merge in Dave michael@0: # Dave's cert is already in alicedir, but his key isn't. This will make michael@0: # sure we are updating the keys and CKA_ID's on the certificate properly. michael@0: MERGE_ID=dave michael@0: echo "$SCRIPTNAME: Merging in Key for Existing user" michael@0: merge_cmd dave --source-dir ${P_R_DAVEDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} michael@0: html_msg $? 0 "Merging Dave" michael@0: michael@0: # Merge in server michael@0: # contains a CRL and new user certs michael@0: MERGE_ID=server michael@0: echo "$SCRIPTNAME: Merging in new user " michael@0: merge_cmd server --source-dir ${P_R_SERVERDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} michael@0: html_msg $? 0 "Merging server" michael@0: michael@0: # Merge in ext_client michael@0: # contains a new certificate chain and additional trust flags michael@0: MERGE_ID=ext_client michael@0: echo "$SCRIPTNAME: Merging in new chain " michael@0: merge_cmd ext_client --source-dir ${P_R_EXT_CLIENTDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} michael@0: html_msg $? 0 "Merging ext_client" michael@0: michael@0: # Merge conflicting nicknames in conflict1dir michael@0: # contains several certificates with nicknames that conflict with the target michael@0: # database michael@0: MERGE_ID=conflict1 michael@0: echo "$SCRIPTNAME: Merging in conflicting nicknames 1" michael@0: merge_cmd conflict1 --source-dir ${CONFLICT1DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} michael@0: michael@0: html_msg $? 0 "Merging conflicting nicknames 1" michael@0: michael@0: # Merge conflicting nicknames in conflict2dir michael@0: # contains several certificates with nicknames that conflict with the target michael@0: # database michael@0: MERGE_ID=conflict2 michael@0: echo "$SCRIPTNAME: Merging in conflicting nicknames 1" michael@0: merge_cmd conflict2 --source-dir ${CONFLICT2DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} michael@0: html_msg $? 0 "Merging conflicting nicknames 2" michael@0: michael@0: # Make sure conflicted names were properly sorted out. michael@0: echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #4)" michael@0: certutil -L -n "Alice #4" -d ${PROFILE} michael@0: html_msg $? 0 "Verify nicknames were deconflicted (Alice #4)" michael@0: michael@0: # Make sure conflicted names were properly sorted out. michael@0: echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #100)" michael@0: certutil -L -n "Alice #100" -d ${PROFILE} michael@0: html_msg $? 0 "Verify nicknames were deconflicted (Alice #100)" michael@0: michael@0: # Merge in SDR michael@0: # contains a secret SDR key michael@0: MERGE_ID=SDR michael@0: echo "$SCRIPTNAME: Merging in SDR " michael@0: merge_cmd sdr --source-dir ${P_R_SDR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} michael@0: html_msg $? 0 "Merging SDR" michael@0: michael@0: # insert a listing of the database into the log for diagonic purposes michael@0: ${BINDIR}/certutil -L -d ${PROFILE} michael@0: ${BINDIR}/crlutil -L -d ${PROFILE} michael@0: michael@0: # Make sure we can decrypt with our original SDR key generated above michael@0: echo "$SCRIPTNAME: Decrypt - With Original SDR Key" michael@0: echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}" michael@0: ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE} michael@0: html_msg $? 0 "Decrypt - Value 3" michael@0: michael@0: # Make sure we can decrypt with our the SDR key merged in from ../SDR michael@0: echo "$SCRIPTNAME: Decrypt - With Merged SDR Key" michael@0: echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}" michael@0: ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE} michael@0: html_msg $? 0 "Decrypt - Value 1" michael@0: michael@0: # Make sure we can sign with merge certificate michael@0: echo "$SCRIPTNAME: Signing with merged key ------------------" michael@0: echo "cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig" michael@0: ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig michael@0: html_msg $? 0 "Create Detached Signature Dave" "." michael@0: michael@0: echo "cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} " michael@0: ${PROFTOOL} ${BINDIR}/cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} michael@0: html_msg $? 0 "Verifying Dave's Detached Signature" michael@0: michael@0: # Make sure that trust objects were properly merged michael@0: echo "$SCRIPTNAME: verifying merged cert ------------------" michael@0: echo "certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}" michael@0: ${PROFTOOL} ${BINDIR}/certutil -V -n ExtendedSSLUser -u C -d ${PROFILE} michael@0: html_msg $? 0 "Verifying ExtendedSSL User Cert" michael@0: michael@0: # Make sure that the crl got properly copied in michael@0: echo "$SCRIPTNAME: verifying merged crl ------------------" michael@0: echo "crlutil -L -n TestCA -d ${PROFILE}" michael@0: ${PROFTOOL} ${BINDIR}/crlutil -L -n TestCA -d ${PROFILE} michael@0: html_msg $? 0 "Verifying TestCA CRL" michael@0: michael@0: } michael@0: michael@0: ############################## smime_cleanup ########################### michael@0: # local shell function to finish this script (no exit since it might be michael@0: # sourced) michael@0: ######################################################################## michael@0: merge_cleanup() michael@0: { michael@0: html "
" michael@0: cd ${QADIR} michael@0: . common/cleanup.sh michael@0: } michael@0: michael@0: ################## main ################################################# michael@0: michael@0: merge_init michael@0: merge_main michael@0: merge_cleanup michael@0: