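#!/bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Usage: ./generate_certs.sh OBJDIR OUTPUT_DIR
# e.g. (from the root of mozilla-central)
# `./security/manager/ssl/tests/unit/tlsserver/generate_certs.sh \
#  obj-x86_64-unknown-linux-gnu/ \
#  security/manager/ssl/tests/unit/tlsserver/`
#
# Regenerates the test-only NSS database and DER files used by the TLS server
# xpcshell tests. Everything produced here is a test fixture: the DB is created
# with an empty password (PASSWORD_FILE below is an empty file) and every AIA
# extension points OCSP clients at http://localhost:8080/.
#
# NB: This will cause the following files to be overwritten if they are in
# the output directory:
#  cert8.db, key3.db, secmod.db, test-ca.der, other-test-ca.der, default-ee.der
# NB: You must run genHPKPStaticPins.js after running this file, since its
# output (StaticHPKPins.h) depends on default-ee.der

set -x
set -e
# `printf ... | certutil` already fails on a certutil error; pipefail also
# surfaces a failure of the producer side.
set -o pipefail

# Exit status for usage / missing-prerequisite errors. It must be defined:
# `exit $E_BADARGS` with the variable unset exits with the status of the
# preceding echo, i.e. 0, which hides the error from callers.
readonly E_BADARGS=65

#######################################
# Print usage to stderr and exit with E_BADARGS.
#######################################
usage() {
  printf 'Usage: %s OBJDIR OUTPUT_DIR\n' "${0##*/}" >&2
  exit "$E_BADARGS"
}

if [ $# -ne 2 ]; then
  usage
fi

OBJDIR=$1
OUTPUT_DIR=$2
RUN_MOZILLA="$OBJDIR/dist/bin/run-mozilla.sh"
CERTUTIL="$OBJDIR/dist/bin/certutil"

#######################################
# Create a temp file in the current directory and print its name.
# On BSD, mktemp requires either a template or a prefix; a longer template
# than the old temp.XXXX keeps the names unpredictable.
#######################################
make_temp() {
  mktemp generate_certs.XXXXXXXXXX
}

NOISE_FILE=$(make_temp)
# Make a good effort at putting something unique in the noise file. It is
# passed to certutil via -z as extra key-generation noise; treat it as a
# supplement to, not a replacement for, the system RNG.
date +%s%N > "$NOISE_FILE"
# Deliberately empty: the test DB gets an empty password (certutil -N -f).
# Nothing secret is therefore exposed by `set -x` tracing the -f argument.
PASSWORD_FILE=$(make_temp)

#######################################
# Remove the temp files. Installed as an EXIT trap so that a certutil
# failure under `set -e` does not leave them behind.
#######################################
cleanup() {
  rm -f "$NOISE_FILE" "$PASSWORD_FILE"
}
trap cleanup EXIT

# Command prefix shared by every certutil invocation. run-mozilla.sh is
# optional; when it is missing certutil is run directly.
CERTUTIL_CMD=()
if [ -f "$RUN_MOZILLA" ]; then
  CERTUTIL_CMD+=("$RUN_MOZILLA")
else
  echo "Could not find run-mozilla.sh at '$RUN_MOZILLA' - I'll try without it" >&2
fi

if [ ! -f "$CERTUTIL" ]; then
  echo "Could not find certutil at '$CERTUTIL'" >&2
  exit "$E_BADARGS"
fi
CERTUTIL_CMD+=("$CERTUTIL")

if [ ! -d "$OUTPUT_DIR" ]; then
  echo "Could not find output directory at '$OUTPUT_DIR'" >&2
  exit "$E_BADARGS"
fi

if [ -f "$OUTPUT_DIR/cert8.db" ] || [ -f "$OUTPUT_DIR/key3.db" ] \
   || [ -f "$OUTPUT_DIR/secmod.db" ]; then
  echo "Found pre-existing NSS DBs. Clobbering old OCSP certs."
  rm -f "$OUTPUT_DIR/cert8.db" "$OUTPUT_DIR/key3.db" "$OUTPUT_DIR/secmod.db"
fi
# -N: create a fresh DB; -f: password file (empty, see above).
"${CERTUTIL_CMD[@]}" -d "$OUTPUT_DIR" -N -f "$PASSWORD_FILE"

# Options shared by every certificate: 360 months of validity (-v) starting
# one month in the past (-w -1), a basic-constraints extension (-2, answered
# interactively by each make_* function) and the noise file (-z).
COMMON_ARGS=(-v 360 -w -1 -2 -z "$NOISE_FILE")

#######################################
# Export a certificate from the DB as raw DER.
# Arguments: $1 - nickname, $2 - file name relative to OUTPUT_DIR
#######################################
export_der() {
  "${CERTUTIL_CMD[@]}" -d "$OUTPUT_DIR" -L -n "$1" -r > "$OUTPUT_DIR/$2"
}

#######################################
# Create a self-signed root CA and export it as DER.
# Arguments: $1 - nickname, $2 - subject, $3 - DER file name
# Globals:   CERTUTIL_CMD, OUTPUT_DIR, COMMON_ARGS (read)
#######################################
make_CA() {
  # Answers to the -2 (basic constraints) prompts: is a CA = y,
  # path length = 1, critical = y.
  local ca_responses='y\n1\ny'
  local nickname=$1 subject=$2 derfile=$3

  # -t "CT,,": trusted CA for SSL server and client certs; -x: self-signed.
  printf '%b\n' "$ca_responses" | "${CERTUTIL_CMD[@]}" -d "$OUTPUT_DIR" -S \
    -n "$nickname" \
    -s "$subject" \
    -t "CT,," \
    -x "${COMMON_ARGS[@]}"
  export_der "$nickname" "$derfile"
}

# Serial number handed to certutil -m; bumped after every issued cert so
# that no two certs from the same issuer share a serial.
SERIALNO=1

#######################################
# Create an intermediate CA issued by $3, with an OCSP AIA extension.
# Arguments: $1 - nickname, $2 - subject, $3 - issuer nickname,
#            $4 - optional extra certutil options as one string ("-w -400")
# Globals:   CERTUTIL_CMD, OUTPUT_DIR, COMMON_ARGS (read); SERIALNO (written)
#######################################
make_INT() {
  # -2 prompts: is a CA = y, path length = 0, critical = y. The remaining
  # lines answer the --extAIA prompts (2 = OCSP access method, 7 = URI name
  # type, the URI, end of list, no further location, not critical).
  local int_responses='y\n0\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n'
  local nickname=$1 subject=$2 ca=$3
  local -a extra_args=()
  # The caller passes extra options as one space-separated string; split it
  # on IFS without globbing, which is what the old unquoted expansion relied on.
  read -r -a extra_args <<<"${4-}"

  printf '%b\n' "$int_responses" | "${CERTUTIL_CMD[@]}" -d "$OUTPUT_DIR" -S \
    -n "$nickname" \
    -s "$subject" \
    -c "$ca" \
    -t ",," \
    -m "$SERIALNO" \
    --extAIA \
    "${COMMON_ARGS[@]}" \
    "${extra_args[@]}"
  SERIALNO=$((SERIALNO + 1))
}

#######################################
# Create an end-entity cert issued by $3 with DNS subjectAltNames and an
# OCSP AIA extension.
# Arguments: $1 - nickname, $2 - subject, $3 - issuer nickname,
#            $4 - comma-separated DNS names for -8,
#            $5, $6 - optional extra certutil options, each one string
# Globals:   CERTUTIL_CMD, OUTPUT_DIR, COMMON_ARGS (read); SERIALNO (written)
#######################################
make_EE() {
  # -2 prompts: is a CA = n, path length skipped, critical = y; then the same
  # --extAIA answers as make_INT.
  local cert_responses='n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n'
  local nickname=$1 subject=$2 ca=$3 subject_alt_name=$4
  local -a extra_args=()
  # Both optional option strings are split on IFS without globbing.
  read -r -a extra_args <<<"${5-} ${6-}"

  printf '%b\n' "$cert_responses" | "${CERTUTIL_CMD[@]}" -d "$OUTPUT_DIR" -S \
    -n "$nickname" \
    -s "$subject" \
    -8 "$subject_alt_name" \
    -c "$ca" \
    -t ",," \
    -m "$SERIALNO" \
    --extAIA \
    "${COMMON_ARGS[@]}" \
    "${extra_args[@]}"
  SERIALNO=$((SERIALNO + 1))
}

#######################################
# Create a (possibly invalid) delegated OCSP responder cert issued by $3.
# No AIA extension is added.
# Arguments: $1 - nickname, $2 - subject, $3 - issuer nickname,
#            $4 - optional extra certutil options as one string
# Globals:   CERTUTIL_CMD, OUTPUT_DIR, COMMON_ARGS (read); SERIALNO (written)
#######################################
make_delegated() {
  # -2 prompts only: is a CA = n, path length skipped, critical = y.
  local cert_responses='n\n\ny\n'
  local nickname=$1 subject=$2 ca=$3
  local -a extra_args=()
  read -r -a extra_args <<<"${4-}"

  printf '%b\n' "$cert_responses" | "${CERTUTIL_CMD[@]}" -d "$OUTPUT_DIR" -S \
    -n "$nickname" \
    -s "$subject" \
    -c "$ca" \
    -t ",," \
    -m "$SERIALNO" \
    "${COMMON_ARGS[@]}" \
    "${extra_args[@]}"
  SERIALNO=$((SERIALNO + 1))
}

make_CA testCA 'CN=Test CA' test-ca.der
make_CA otherCA 'CN=Other test CA' other-test-ca.der

make_EE localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com"
# Make an EE cert issued by otherCA
make_EE otherIssuerEE 'CN=Wrong CA Pin Test End-Entity' otherCA "*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com"

export_der localhostAndExampleCom default-ee.der
# A cert that is like localhostAndExampleCom, but with a different serial number for
# testing the "OCSP response is from the right issuer, but it is for the wrong cert"
# case.
make_EE ocspOtherEndEntity 'CN=Other Cert' testCA "localhost,*.example.com"

make_INT testINT 'CN=Test Intermediate' testCA
make_EE ocspEEWithIntermediate 'CN=Test End-entity with Intermediate' testINT "localhost,*.example.com"
# -w -400 with the shared -v 360 puts the whole validity period in the past.
make_EE expired 'CN=Expired Test End-entity' testCA "expired.example.com" "-w -400"
make_EE mismatch 'CN=Mismatch Test End-entity' testCA "doesntmatch.example.com"
make_EE selfsigned 'CN=Self-signed Test End-entity' testCA "selfsigned.example.com" "-x"
# If the certificate 'CN=Test Intermediate' isn't loaded into memory,
# this certificate will have an unknown issuer.
make_INT deletedINT 'CN=Test Intermediate to delete' testCA
make_EE unknownissuer 'CN=Test End-entity from unknown issuer' deletedINT "unknownissuer.example.com"
"${CERTUTIL_CMD[@]}" -d "$OUTPUT_DIR" -D -n deletedINT
make_INT expiredINT 'CN=Expired Test Intermediate' testCA "-w -400"
make_EE expiredissuer 'CN=Test End-entity with expired issuer' expiredINT "expiredissuer.example.com"
# MD5 is rejected by NSS by default; the override is scoped to this one call
# because the test needs a weak-signature fixture, not because MD5 is acceptable.
NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature 'CN=Test End-entity with MD5 signature' testCA "md5signature.example.com" "-Z MD5"
make_EE untrustedissuer 'CN=Test End-entity with untrusted issuer' otherCA "untrustedissuer.example.com"

make_EE mismatch-expired 'CN=Mismatch-Expired Test End-entity' testCA "doesntmatch.example.com" "-w -400"
make_EE mismatch-untrusted 'CN=Mismatch-Untrusted Test End-entity' otherCA "doesntmatch.example.com"
make_EE untrusted-expired 'CN=Untrusted-Expired Test End-entity' otherCA "untrusted-expired.example.com" "-w -400"
make_EE mismatch-untrusted-expired 'CN=Mismatch-Untrusted-Expired Test End-entity' otherCA "doesntmatch.example.com" "-w -400"
NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature-expired 'CN=Test MD5Signature-Expired End-entity' testCA "md5signature-expired.example.com" "-Z MD5" "-w -400"

make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
# Issuer nickname is irrelevant for a self-signed (-x) cert.
make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"

make_delegated delegatedSigner 'CN=Test Delegated Responder' testCA "--extKeyUsage ocspResponder"
make_delegated invalidDelegatedSignerNoExtKeyUsage 'CN=Test Invalid Delegated Responder No extKeyUsage' testCA
make_delegated invalidDelegatedSignerFromIntermediate 'CN=Test Invalid Delegated Responder From Intermediate' testINT "--extKeyUsage ocspResponder"
make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegated Responder keyUsage crlSigning' testCA "--keyUsage crlSigning"
make_delegated invalidDelegatedSignerWrongExtKeyUsage 'CN=Test Invalid Delegated Responder Wrong extKeyUsage' testCA "--extKeyUsage codeSigning"

make_INT self-signed-EE-with-cA-true 'CN=Test Self-signed End-entity with CA true' unused "-x -8 self-signed-end-entity-with-cA-true.example.com"

# Temp files are removed by the EXIT trap (cleanup).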