michael@0: #! /bin/bash
michael@0: #
michael@0: # This Source Code Form is subject to the terms of the Mozilla Public
michael@0: # License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0: # file, You can obtain one at http://mozilla.org/MPL/2.0/.
michael@0: 
michael@0: ########################################################################
michael@0: #
michael@0: # mozilla/security/nss/tests/cert/rcert.sh
michael@0: #
michael@0: # Certificate generating and handeling for NSS QA, can be included 
michael@0: # multiple times from all.sh and the individual scripts
michael@0: #
michael@0: # needs to work on all Unix and Windows platforms
michael@0: #
michael@0: # included from (don't expect this to be up to date)
michael@0: # --------------------------------------------------
michael@0: #   all.sh
michael@0: #   ssl.sh
michael@0: #   smime.sh
michael@0: #   tools.sh
michael@0: #
michael@0: # special strings
michael@0: # ---------------
michael@0: #   FIXME ... known problems, search for this string
michael@0: #   NOTE .... unexpected behavior
michael@0: #
michael@0: # FIXME - Netscape - NSS
michael@0: ########################################################################
michael@0: 
michael@0: ############################## cert_init ###############################
michael@0: # local shell function to initialize this script
michael@0: ########################################################################
michael@0: cert_init()
michael@0: {
michael@0:   SCRIPTNAME="cert.sh"
michael@0:   if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
michael@0:       CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
michael@0:   fi
michael@0:   if [ -z "${INIT_SOURCED}" ] ; then
michael@0:       cd ../common
michael@0:       . ./init.sh
michael@0:   fi
michael@0:   if [ -z "${IOPR_CERT_SOURCED}" ]; then
michael@0:        . ../iopr/cert_iopr.sh
michael@0:   fi
michael@0:   SCRIPTNAME="cert.sh"
michael@0:   CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:       html_head "Certutil and Crlutil Tests with ECC"
michael@0:   else
michael@0:       html_head "Certutil and Crlutil Tests"
michael@0:   fi
michael@0: 
michael@0:   LIBDIR="${DIST}/${OBJDIR}/lib"
michael@0: 
michael@0:   ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
michael@0:   if [ ! "${ROOTCERTSFILE}" ] ; then
michael@0:       html_failed "Looking for root certs module." 
michael@0:       cert_log "ERROR: Root certs module not found."
michael@0:       Exit 5 "Fatal - Root certs module not found."
michael@0:   else
michael@0:       html_passed "Looking for root certs module."
michael@0:   fi
michael@0: 
michael@0:   if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
michael@0: 	ROOTCERTSFILE=`cygpath -m ${ROOTCERTSFILE}`
michael@0:   fi
michael@0: }
michael@0: 
michael@0: cert_log() ######################    write the cert_status file
michael@0: {
michael@0:     echo "$SCRIPTNAME $*"
michael@0:     echo $* >>${CERT_LOG_FILE}
michael@0: }
michael@0: 
michael@0: ########################################################################
michael@0: # function wraps calls to pk12util, also: writes action and options
michael@0: # to stdout.
michael@0: # Params are the same as to pk12util.
michael@0: # Returns pk12util status
michael@0: #
michael@0: pk12u()
michael@0: {
michael@0:     echo "${CU_ACTION} --------------------------"
michael@0: 
michael@0:     echo "pk12util $@"
michael@0:     ${BINDIR}/pk12util $@
michael@0:     RET=$?
michael@0: 
michael@0:     return $RET
michael@0: }
michael@0: 
michael@0: ################################ certu #################################
michael@0: # local shell function to call certutil, also: writes action and options to
michael@0: # stdout, sets variable RET and writes results to the html file results
michael@0: ########################################################################
michael@0: certu()
michael@0: {
michael@0:     echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
michael@0:     EXPECTED=${RETEXPECTED-0}
michael@0: 
michael@0:     if [ -n "${CU_SUBJECT}" ]; then
michael@0:         #the subject of the cert contains blanks, and the shell 
michael@0:         #will strip the quotes off the string, if called otherwise...
michael@0:         echo "certutil -s \"${CU_SUBJECT}\" $*"
michael@0:         ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $*
michael@0:         RET=$?
michael@0:         CU_SUBJECT=""
michael@0:     else
michael@0:         echo "certutil $*"
michael@0:         ${PROFTOOL} ${BINDIR}/certutil $*
michael@0:         RET=$?
michael@0:     fi
michael@0:     if [ "$RET" -ne "$EXPECTED" ]; then
michael@0:         CERTFAILED=$RET
michael@0:         html_failed "${CU_ACTION} ($RET=$EXPECTED) " 
michael@0:         cert_log "ERROR: ${CU_ACTION} failed $RET"
michael@0:     else
michael@0:         html_passed "${CU_ACTION}"
michael@0:     fi
michael@0: 
michael@0:     return $RET
michael@0: }
michael@0: 
michael@0: ################################ crlu #################################
michael@0: # local shell function to call crlutil, also: writes action and options to
michael@0: # stdout, sets variable RET and writes results to the html file results
michael@0: ########################################################################
michael@0: crlu()
michael@0: {
michael@0:     echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
michael@0:     
michael@0:     CRLUTIL="crlutil -q"
michael@0:     echo "$CRLUTIL $*"
michael@0:     ${PROFTOOL} ${BINDIR}/$CRLUTIL $*
michael@0:     RET=$?
michael@0:     if [ "$RET" -ne 0 ]; then
michael@0:         CRLFAILED=$RET
michael@0:         html_failed "${CU_ACTION} ($RET) " 
michael@0:         cert_log "ERROR: ${CU_ACTION} failed $RET"
michael@0:     else
michael@0:         html_passed "${CU_ACTION}"
michael@0:     fi
michael@0: 
michael@0:     return $RET
michael@0: }
michael@0: 
michael@0: ################################ ocspr ##################################
michael@0: # local shell function to call ocsresp, also: writes action and options to
michael@0: # stdout, sets variable RET and writes results to the html file results
michael@0: #########################################################################
michael@0: ocspr()
michael@0: {
michael@0:     echo "$SCRIPTNAME: ${OR_ACTION} --------------------------"
michael@0: 
michael@0:     OCSPRESP="ocspresp"
michael@0:     echo "$OCSPRESP $*"
michael@0:     ${PROFTOOL} ${BINDIR}/$OCSPRESP $*
michael@0:     RET=$?
michael@0:     if [ "$RET" -ne 0 ]; then
michael@0:         OCSPFAILED=$RET
michael@0:         html_failed "${OR_ACTION} ($RET) "
michael@0:         cert_log "ERROR: ${OR_ACTION} failed $RET"
michael@0:     else
michael@0:         html_passed "${OR_ACTION}"
michael@0:     fi
michael@0: 
michael@0:     return $RET
michael@0: }
michael@0: 
michael@0: modu()
michael@0: {
michael@0:     echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
michael@0: 
michael@0:     MODUTIL="modutil"
michael@0:     echo "$MODUTIL $*"
michael@0:     # echo is used to press Enter expected by modutil
michael@0:     echo | ${BINDIR}/$MODUTIL $*
michael@0:     RET=$?
michael@0:     if [ "$RET" -ne 0 ]; then
michael@0:         MODFAILED=$RET
michael@0:         html_failed "${CU_ACTION} ($RET) " 
michael@0:         cert_log "ERROR: ${CU_ACTION} failed $RET"
michael@0:     else
michael@0:         html_passed "${CU_ACTION}"
michael@0:     fi
michael@0: 
michael@0:     return $RET
michael@0: }
michael@0: 
michael@0: ############################# cert_init_cert ##########################
michael@0: # local shell function to initialize creation of client and server certs
michael@0: ########################################################################
michael@0: cert_init_cert()
michael@0: {
michael@0:     CERTDIR="$1"
michael@0:     CERTNAME="$2"
michael@0:     CERTSERIAL="$3"
michael@0:     DOMAIN="$4"
michael@0: 
michael@0:     if [ ! -d "${CERTDIR}" ]; then
michael@0:         mkdir -p "${CERTDIR}"
michael@0:     else
michael@0:         echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
michael@0:     fi
michael@0:     cd "${CERTDIR}"
michael@0:     CERTDIR="."
michael@0: 
michael@0:     PROFILEDIR=`cd ${CERTDIR}; pwd`
michael@0:     if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
michael@0:         PROFILEDIR=`cygpath -m ${PROFILEDIR}`
michael@0:     fi
michael@0:     if [ -n "${MULTIACCESS_DBM}" ]; then
michael@0: 	PROFILEDIR="multiaccess:${DOMAIN}"
michael@0:     fi
michael@0: 
michael@0:     noise
michael@0: }
michael@0: 
michael@0: ############################# hw_acc #################################
michael@0: # local shell function to add hw accelerator modules to the db
michael@0: ########################################################################
michael@0: hw_acc()
michael@0: {
michael@0:     HW_ACC_RET=0
michael@0:     HW_ACC_ERR=""
michael@0:     if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then
michael@0:         echo "creating $CERTNAME s cert with hwaccelerator..."
michael@0:         #case $ACCELERATOR in
michael@0:         #rainbow)
michael@0: 
michael@0:         echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
michael@0:         echo "         -dbdir ${PROFILEDIR} 2>&1 "
michael@0:         echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
michael@0:             -dbdir ${PROFILEDIR} 2>&1 
michael@0:         if [ "$?" -ne 0 ]; then
michael@0:             echo "modutil -add rainbow failed in `pwd`"
michael@0:             HW_ACC_RET=1
michael@0:             HW_ACC_ERR="modutil -add rainbow"
michael@0:         fi
michael@0:     
michael@0:         echo "modutil -add ncipher "
michael@0:         echo "         -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
michael@0:         echo "         -dbdir ${PROFILEDIR} 2>&1 "
michael@0:         echo | ${BINDIR}/modutil -add ncipher \
michael@0:             -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
michael@0:             -dbdir ${PROFILEDIR} 2>&1 
michael@0:         if [ "$?" -ne 0 ]; then
michael@0:             echo "modutil -add ncipher failed in `pwd`"
michael@0:             HW_ACC_RET=`expr $HW_ACC_RET + 2`
michael@0:             HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
michael@0:         fi
michael@0:         if [ "$HW_ACC_RET" -ne 0 ]; then
michael@0:             html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) " 
michael@0:         else
michael@0:             html_passed "Adding HW accelerators to certDB for ${CERTNAME}"
michael@0:         fi
michael@0: 
michael@0:     fi
michael@0:     return $HW_ACC_RET
michael@0: }
michael@0: 
michael@0: ############################# cert_create_cert #########################
michael@0: # local shell function to create client certs 
michael@0: #     initialize DB, import
michael@0: #     root cert
michael@0: #     add cert to DB
michael@0: ########################################################################
michael@0: cert_create_cert()
michael@0: {
michael@0:     cert_init_cert "$1" "$2" "$3" "$4"
michael@0: 
michael@0:     CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
michael@0:     certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:     if [ "$RET" -ne 0 ]; then
michael@0:         return $RET
michael@0:     fi
michael@0: 
michael@0:     CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"
michael@0:     modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1   
michael@0:     if [ "$RET" -ne 0 ]; then
michael@0:         return $RET
michael@0:     fi
michael@0: 
michael@0:     hw_acc
michael@0: 
michael@0:     CU_ACTION="Import Root CA for $CERTNAME"
michael@0:     certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0:           -i "${R_CADIR}/TestCA.ca.cert" 2>&1
michael@0:     if [ "$RET" -ne 0 ]; then
michael@0:         return $RET
michael@0:     fi
michael@0: 
michael@0:     if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0: 	CU_ACTION="Import EC Root CA for $CERTNAME"
michael@0: 	certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
michael@0: 	    -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
michael@0: 	if [ "$RET" -ne 0 ]; then
michael@0:             return $RET
michael@0: 	fi
michael@0:     fi
michael@0: 
michael@0:     cert_add_cert "$5"
michael@0:     return $?
michael@0: }
michael@0: 
michael@0: ############################# cert_add_cert ############################
michael@0: # local shell function to add client certs to an existing CERT DB
michael@0: #     generate request
michael@0: #     sign request
michael@0: #     import Cert
michael@0: #
michael@0: ########################################################################
michael@0: cert_add_cert()
michael@0: {
michael@0:     CU_ACTION="Generate Cert Request for $CERTNAME"
michael@0:     CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:     certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
michael@0:     if [ "$RET" -ne 0 ]; then
michael@0:         return $RET
michael@0:     fi
michael@0: 
michael@0:     CU_ACTION="Sign ${CERTNAME}'s Request"
michael@0:     certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
michael@0:           -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
michael@0:     if [ "$RET" -ne 0 ]; then
michael@0:         return $RET
michael@0:     fi
michael@0: 
michael@0:     CU_ACTION="Import $CERTNAME's Cert"
michael@0:     certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0:           -i "${CERTNAME}.cert" 2>&1
michael@0:     if [ "$RET" -ne 0 ]; then
michael@0:         return $RET
michael@0:     fi
michael@0: 
michael@0:     cert_log "SUCCESS: $CERTNAME's Cert Created"
michael@0: 
michael@0: #
michael@0: #   Generate and add EC cert
michael@0: #
michael@0:     if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0: 	CURVE="secp384r1"
michael@0: 	CU_ACTION="Generate EC Cert Request for $CERTNAME"
michael@0: 	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0: 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0: 	    -z "${R_NOISE_FILE}" -o req  2>&1
michael@0: 	if [ "$RET" -ne 0 ]; then
michael@0:             return $RET
michael@0: 	fi
michael@0: 
michael@0: 	CU_ACTION="Sign ${CERTNAME}'s EC Request"
michael@0: 	certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
michael@0:             -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
michael@0: 	if [ "$RET" -ne 0 ]; then
michael@0:             return $RET
michael@0: 	fi
michael@0: 
michael@0: 	CU_ACTION="Import $CERTNAME's EC Cert"
michael@0: 	certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0: 	    -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
michael@0: 	if [ "$RET" -ne 0 ]; then
michael@0:             return $RET
michael@0: 	fi
michael@0: 	cert_log "SUCCESS: $CERTNAME's EC Cert Created"
michael@0: 
michael@0: #    Generate EC certificate signed with RSA
michael@0: 	CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
michael@0: 	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0: 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0: 	    -z "${R_NOISE_FILE}" -o req  2>&1
michael@0: 	if [ "$RET" -ne 0 ]; then
michael@0:             return $RET
michael@0: 	fi
michael@0: 
michael@0: 	CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
michael@0: # Avoid conflicting serial numbers with TestCA issuer by keeping
michael@0: # this set far away. A smaller number risks colliding with the
michael@0: # extended ssl user certificates.
michael@0: 	NEWSERIAL=`expr ${CERTSERIAL} + 10000`
michael@0:         certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
michael@0:             -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1
michael@0: 	if [ "$RET" -ne 0 ]; then
michael@0:             return $RET
michael@0: 	fi
michael@0: 
michael@0: 	CU_ACTION="Import $CERTNAME's mixed EC Cert"
michael@0: 	certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0: 	    -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
michael@0: 	if [ "$RET" -ne 0 ]; then
michael@0:             return $RET
michael@0: 	fi
michael@0: 	cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
michael@0:     fi
michael@0: 
michael@0:     return 0
michael@0: }
michael@0: 
michael@0: ################################# cert_all_CA ################################
michael@0: # local shell function to build the additional Temp. Certificate Authority (CA)
michael@0: # used for the "real life" ssl test with 2 different CA's in the
michael@0: # client and in the server's dir
michael@0: ##########################################################################
michael@0: cert_all_CA()
michael@0: {
michael@0:     echo nss > ${PWFILE}
michael@0: 
michael@0:     ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:     cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
michael@0: 
michael@0:     ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0:     cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
michael@0:     ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0:     cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3"
michael@0:     ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 
michael@0:     cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4"
michael@0: 
michael@0: 
michael@0: 
michael@0:     ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0:     cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
michael@0:     ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0:     cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6"
michael@0:     ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0:     cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
michael@0: 
michael@0:     rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
michael@0: 
michael@0:     # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 
michael@0:     # in the chain
michael@0: 
michael@0:     if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0: #
michael@0: #       Create EC version of TestCA
michael@0: 	CA_CURVE="secp521r1"
michael@0: 	ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0: 	cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
michael@0: #
michael@0: #       Create EC versions of the intermediate CA certs
michael@0: 	ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0: 	cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
michael@0: 	ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0: 	cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
michael@0: 	ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 
michael@0: 	cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
michael@0: 
michael@0: 	ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0: 	cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
michael@0: 	ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0: 	cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
michael@0: 	ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
michael@0: 	cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
michael@0: 
michael@0: 	rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
michael@0: #	ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 
michael@0: #	in the chain
michael@0: 
michael@0:     fi
michael@0: }
michael@0: 
michael@0: ################################# cert_CA ################################
michael@0: # local shell function to build the Temp. Certificate Authority (CA)
michael@0: # used for testing purposes, creating  a CA Certificate and a root cert
michael@0: ##########################################################################
michael@0: cert_CA()
michael@0: {
michael@0:   CUR_CADIR=$1
michael@0:   NICKNAME=$2
michael@0:   SIGNER=$3
michael@0:   TRUSTARG=$4
michael@0:   DOMAIN=$5
michael@0:   CERTSERIAL=$6
michael@0: 
michael@0:   echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="
michael@0: 
michael@0:   if [ ! -d "${CUR_CADIR}" ]; then
michael@0:       mkdir -p "${CUR_CADIR}"
michael@0:   fi
michael@0:   cd ${CUR_CADIR}
michael@0:   pwd
michael@0: 
michael@0:   LPROFILE=`pwd`
michael@0:   if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
michael@0:      LPROFILE=`cygpath -m ${LPROFILE}`
michael@0:   fi
michael@0:   if [ -n "${MULTIACCESS_DBM}" ]; then
michael@0: 	LPROFILE="multiaccess:${DOMAIN}"
michael@0:   fi
michael@0: 
michael@0:   if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
michael@0:       CU_ACTION="Creating CA Cert DB"
michael@0:       certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1
michael@0:       if [ "$RET" -ne 0 ]; then
michael@0:           Exit 5 "Fatal - failed to create CA $NICKNAME "
michael@0:       fi
michael@0: 
michael@0:       CU_ACTION="Loading root cert module to CA Cert DB"
michael@0:       modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1   
michael@0:       if [ "$RET" -ne 0 ]; then
michael@0:           return $RET
michael@0:       fi
michael@0: 
michael@0:       echo "$SCRIPTNAME: Certificate initialized ----------"
michael@0:   fi
michael@0: 
michael@0: 
michael@0:   ################# Creating CA Cert ######################################
michael@0:   #
michael@0:   CU_ACTION="Creating CA Cert $NICKNAME "
michael@0:   CU_SUBJECT=$ALL_CU_SUBJECT
michael@0:   certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \
michael@0:         -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT
michael@0: 5
michael@0: 6
michael@0: 9
michael@0: n
michael@0: y
michael@0: -1
michael@0: n
michael@0: 5
michael@0: 6
michael@0: 7
michael@0: 9
michael@0: n
michael@0: CERTSCRIPT
michael@0: 
michael@0:   if [ "$RET" -ne 0 ]; then
michael@0:       echo "return value is $RET"
michael@0:       Exit 6 "Fatal - failed to create CA cert"
michael@0:   fi
michael@0: 
michael@0:   ################# Exporting Root Cert ###################################
michael@0:   #
michael@0:   CU_ACTION="Exporting Root Cert"
michael@0:   certu -L -n  $NICKNAME -r -d ${LPROFILE} -o root.cert 
michael@0:   if [ "$RET" -ne 0 ]; then
michael@0:       Exit 7 "Fatal - failed to export root cert"
michael@0:   fi
michael@0:   cp root.cert ${NICKNAME}.ca.cert
michael@0: }
michael@0: 
michael@0: ################################ cert_ec_CA ##############################
michael@0: # local shell function to build the Temp. Certificate Authority (CA)
michael@0: # used for testing purposes, creating  a CA Certificate and a root cert
michael@0: # This is the ECC version of cert_CA.
michael@0: ##########################################################################
michael@0: cert_ec_CA()
michael@0: {
michael@0:   CUR_CADIR=$1
michael@0:   NICKNAME=$2
michael@0:   SIGNER=$3
michael@0:   TRUSTARG=$4
michael@0:   DOMAIN=$5
michael@0:   CERTSERIAL=$6
michael@0:   CURVE=$7
michael@0: 
michael@0:   echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="
michael@0: 
michael@0:   if [ ! -d "${CUR_CADIR}" ]; then
michael@0:       mkdir -p "${CUR_CADIR}"
michael@0:   fi
michael@0:   cd ${CUR_CADIR}
michael@0:   pwd
michael@0: 
michael@0:   LPROFILE=.
michael@0:   if [ -n "${MULTIACCESS_DBM}" ]; then
michael@0: 	LPROFILE="multiaccess:${DOMAIN}"
michael@0:   fi
michael@0: 
michael@0:   ################# Creating an EC CA Cert ################################
michael@0:   #
michael@0:   CU_ACTION="Creating EC CA Cert $NICKNAME "
michael@0:   CU_SUBJECT=$ALL_CU_SUBJECT
michael@0:   certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \
michael@0:     -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
michael@0:     -m $CERTSERIAL 2>&1 <<CERTSCRIPT
michael@0: 5
michael@0: 6
michael@0: 9
michael@0: n
michael@0: y
michael@0: -1
michael@0: n
michael@0: 5
michael@0: 6
michael@0: 7
michael@0: 9
michael@0: n
michael@0: CERTSCRIPT
michael@0: 
michael@0:   if [ "$RET" -ne 0 ]; then
michael@0:       echo "return value is $RET"
michael@0:       Exit 6 "Fatal - failed to create EC CA cert"
michael@0:   fi
michael@0: 
michael@0:   ################# Exporting EC Root Cert ################################
michael@0:   #
michael@0:   CU_ACTION="Exporting EC Root Cert"
michael@0:   certu -L -n  $NICKNAME -r -d ${LPROFILE} -o ecroot.cert 
michael@0:   if [ "$RET" -ne 0 ]; then
michael@0:       Exit 7 "Fatal - failed to export ec root cert"
michael@0:   fi
michael@0:   cp ecroot.cert ${NICKNAME}.ca.cert
michael@0: }
michael@0: 
michael@0: ############################## cert_smime_client #############################
michael@0: # local shell function to create client Certificates for S/MIME tests 
michael@0: ##############################################################################
michael@0: cert_smime_client()
michael@0: {
michael@0:   CERTFAILED=0
michael@0:   echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="
michael@0: 
michael@0:   cert_create_cert ${ALICEDIR} "Alice" 30 ${D_ALICE}
michael@0:   cert_create_cert ${BOBDIR} "Bob" 40  ${D_BOB}
michael@0: 
michael@0:   echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
michael@0:   cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
michael@0: 
michael@0: ## XXX With this new script merging ECC and non-ECC tests, the
michael@0: ## call to cert_create_cert ends up creating two separate certs
michael@0: ## one for Eve and another for Eve-ec but they both end up with
michael@0: ## the same Subject Alt Name Extension, i.e., both the cert for
michael@0: ## Eve@bogus.com and the cert for Eve-ec@bogus.com end up 
michael@0: ## listing eve@bogus.net in the Certificate Subject Alt Name extension. 
michael@0: ## This can cause a problem later when cmsutil attempts to create
michael@0: ## enveloped data and accidently picks up the ECC cert (NSS currently
michael@0: ## does not support ECC for enveloped data creation). This script
michael@0: ## avoids the problem by ensuring that these conflicting certs are
michael@0: ## never added to the same cert database (see comment marked XXXX).
michael@0:   echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
michael@0:   cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
michael@0: 
michael@0:   #echo "************* Copying CA files to ${SERVERDIR}"
michael@0:   #cp ${CADIR}/*.db .
michael@0:   #hw_acc
michael@0: 
michael@0:   #########################################################################
michael@0:   #
michael@0:   #cd ${CERTDIR}
michael@0:   #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
michael@0:   #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
michael@0:   #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
michael@0:   #	-d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
michael@0: 
michael@0:   #CU_ACTION="Export Dave's Cert"
michael@0:   #cd ${DAVEDIR}
michael@0:   #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
michael@0: 
michael@0:   ################# Importing Certificates for S/MIME tests ###############
michael@0:   #
michael@0:   echo "$SCRIPTNAME: Importing Certificates =============================="
michael@0:   CU_ACTION="Import Bob's cert into Alice's db"
michael@0:   certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
michael@0:         -i ${R_BOBDIR}/Bob.cert 2>&1
michael@0: 
michael@0:   CU_ACTION="Import Dave's cert into Alice's DB"
michael@0:   certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
michael@0:         -i ${R_DAVEDIR}/Dave.cert 2>&1
michael@0: 
michael@0:   CU_ACTION="Import Dave's cert into Bob's DB"
michael@0:   certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
michael@0:         -i ${R_DAVEDIR}/Dave.cert 2>&1
michael@0: 
michael@0:   CU_ACTION="Import Eve's cert into Alice's DB"
michael@0:   certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
michael@0:         -i ${R_EVEDIR}/Eve.cert 2>&1
michael@0: 
michael@0:   CU_ACTION="Import Eve's cert into Bob's DB"
michael@0:   certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
michael@0:         -i ${R_EVEDIR}/Eve.cert 2>&1
michael@0: 
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:       echo "$SCRIPTNAME: Importing EC Certificates =============================="
michael@0:       CU_ACTION="Import Bob's EC cert into Alice's db"
michael@0:       certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
michael@0:           -i ${R_BOBDIR}/Bob-ec.cert 2>&1
michael@0: 
michael@0:       CU_ACTION="Import Dave's EC cert into Alice's DB"
michael@0:       certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
michael@0:           -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
michael@0: 
michael@0:       CU_ACTION="Import Dave's EC cert into Bob's DB"
michael@0:       certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
michael@0:           -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
michael@0: 
michael@0: ## XXXX Do not import Eve's EC cert until we can make sure that
michael@0: ## the email addresses listed in the Subject Alt Name Extension 
michael@0: ## inside Eve's ECC and non-ECC certs are different.
michael@0: #     CU_ACTION="Import Eve's EC cert into Alice's DB"
michael@0: #     certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
michael@0: #         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
michael@0: 
michael@0: #     CU_ACTION="Import Eve's EC cert into Bob's DB"
michael@0: #     certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
michael@0: #         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
michael@0:   fi
michael@0: 
michael@0:   if [ "$CERTFAILED" != 0 ] ; then
michael@0:       cert_log "ERROR: SMIME failed $RET"
michael@0:   else
michael@0:       cert_log "SUCCESS: SMIME passed"
michael@0:   fi
michael@0: }
michael@0: 
michael@0: ############################## cert_extended_ssl #######################
michael@0: # local shell function to create client + server certs for extended SSL test
michael@0: ########################################################################
michael@0: cert_extended_ssl()
michael@0: {
michael@0: 
michael@0:   ################# Creating Certs for extended SSL test ####################
michael@0:   #
michael@0:   CERTFAILED=0
michael@0:   echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
michael@0:   echo "     of a chain of CA's which are not in the same database============"
michael@0: 
michael@0:   echo "Server Cert"
michael@0:   cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
michael@0: 
michael@0:   CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
michael@0:   certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:   CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
michael@0:   modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
michael@0: 
michael@0:   CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
michael@0:   CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
michael@0: 
michael@0:   CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
michael@0:   cp ${CERTDIR}/req ${SERVER_CADIR}
michael@0:   certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
michael@0:         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:   CU_ACTION="Import $CERTNAME's Cert  -t u,u,u (ext)"
michael@0:   certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0:         -i "${CERTNAME}.cert" 2>&1
michael@0: 
michael@0:   CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
michael@0:   certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0:           -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
michael@0: 
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0: #
michael@0: #     Repeat the above for EC certs
michael@0: #
michael@0:       EC_CURVE="secp256r1"
michael@0:       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
michael@0:       CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
michael@0: 	  -z "${R_NOISE_FILE}" -o req 2>&1
michael@0: 
michael@0:       CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
michael@0:       cp ${CERTDIR}/req ${SERVER_CADIR}
michael@0:       certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
michael@0:           -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:       CU_ACTION="Import $CERTNAME's EC Cert  -t u,u,u (ext)"
michael@0:       certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0: 	  -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
michael@0: 
michael@0:       CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
michael@0:       certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0:           -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
michael@0: #
michael@0: #     done with EC certs
michael@0: #
michael@0: #     Repeat again for mixed EC certs
michael@0: #
michael@0:       EC_CURVE="secp256r1"
michael@0:       CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
michael@0:       CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
michael@0: 	  -z "${R_NOISE_FILE}" -o req 2>&1
michael@0: 
michael@0:       CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
michael@0:       cp ${CERTDIR}/req ${SERVER_CADIR}
michael@0:       certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \
michael@0:           -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:       CU_ACTION="Import $CERTNAME's mixed EC Cert  -t u,u,u (ext)"
michael@0:       certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0: 	  -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
michael@0: 
michael@0: #      CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)"
michael@0: #      certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
michael@0: #	  -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
michael@0: #	  2>&1
michael@0:   fi
michael@0: 
michael@0:   echo "Importing all the server's own CA chain into the servers DB"
michael@0:   for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
michael@0:   do
michael@0:       N=`basename $CA | sed -e "s/.ca.cert//"`
michael@0:       if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then
michael@0:           T="-t C,C,C"
michael@0:       else
michael@0:           T="-t u,u,u"
michael@0:       fi
michael@0:       CU_ACTION="Import $N CA $T for $CERTNAME (ext.) "
michael@0:       certu -A -n $N  $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0:           -i "${CA}" 2>&1
michael@0:   done
michael@0: #============
michael@0:   echo "Client Cert"
michael@0:   cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
michael@0: 
michael@0:   CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
michael@0:   certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:   CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
michael@0:   modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
michael@0: 
michael@0:   CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
michael@0:   CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
michael@0:       -o req 2>&1
michael@0: 
michael@0:   CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
michael@0:   cp ${CERTDIR}/req ${CLIENT_CADIR}
michael@0:   certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
michael@0:         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:   CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
michael@0:   certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0:         -i "${CERTNAME}.cert" 2>&1
michael@0:   CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
michael@0:   certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0:           -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
michael@0: 
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0: #
michael@0: #     Repeat the above for EC certs
michael@0: #
michael@0:       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
michael@0:       CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
michael@0: 	  -z "${R_NOISE_FILE}" -o req 2>&1
michael@0: 
michael@0:       CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
michael@0:       cp ${CERTDIR}/req ${CLIENT_CADIR}
michael@0:       certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
michael@0:           -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:       CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
michael@0:       certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0: 	  -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
michael@0: 
michael@0:       CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
michael@0:       certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
michael@0: 	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
michael@0: #
michael@0: # done with EC certs
michael@0: #
michael@0: #
michael@0: #     Repeat the above for mixed EC certs
michael@0: #
michael@0:       CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
michael@0:       CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
michael@0: 	  -z "${R_NOISE_FILE}" -o req 2>&1
michael@0: 
michael@0:       CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
michael@0:       cp ${CERTDIR}/req ${CLIENT_CADIR}
michael@0:       certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \
michael@0:           -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:       CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
michael@0:       certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0: 	  -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
michael@0: 
michael@0: #      CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
michael@0: #      certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
michael@0: #	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
michael@0: #
michael@0: # done with mixed EC certs
michael@0: #
michael@0:   fi
michael@0: 
michael@0:   echo "Importing all the client's own CA chain into the servers DB"
michael@0:   for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
michael@0:   do
michael@0:       N=`basename $CA | sed -e "s/.ca.cert//"`
michael@0:       if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then
michael@0:           T="-t T,C,C"
michael@0:       else
michael@0:           T="-t u,u,u"
michael@0:       fi
michael@0:       CU_ACTION="Import $N CA $T for $CERTNAME (ext.)"
michael@0:       certu -A -n $N  $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0:           -i "${CA}" 2>&1
michael@0:   done
michael@0:   if [ "$CERTFAILED" != 0 ] ; then
michael@0:       cert_log "ERROR: EXT failed $RET"
michael@0:   else
michael@0:       cert_log "SUCCESS: EXT passed"
michael@0:   fi
michael@0: }
michael@0: 
michael@0: ############################## cert_ssl ################################
michael@0: # local shell function to create client + server certs for SSL test
michael@0: ########################################################################
michael@0: cert_ssl()
michael@0: {
michael@0:   ################# Creating Certs for SSL test ###########################
michael@0:   #
michael@0:   CERTFAILED=0
michael@0:   echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
michael@0:   cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}
michael@0: 
michael@0:   echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
michael@0:   echo "             ${HOSTADDR} ------------------------------------"
michael@0:   cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
michael@0:   echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
michael@0:   echo "             ${HOSTADDR}-sni --------------------------------"
michael@0:   CERTSERIAL=101
michael@0:   CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}"
michael@0:   cert_add_cert 
michael@0:   CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
michael@0:   certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:       CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
michael@0:       certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
michael@0:   fi
michael@0: #  cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
michael@0: #  echo "************* Copying CA files to ${SERVERDIR}"
michael@0: #  cp ${CADIR}/*.db .
michael@0: #  hw_acc
michael@0: #  CU_ACTION="Creating ${CERTNAME}'s Server Cert"
michael@0: #  CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
michael@0: #  certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
michael@0: #	 -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
michael@0: 
michael@0:   if [ "$CERTFAILED" != 0 ] ; then
michael@0:       cert_log "ERROR: SSL failed $RET"
michael@0:   else
michael@0:       cert_log "SUCCESS: SSL passed"
michael@0:   fi
michael@0: 
michael@0:   echo "$SCRIPTNAME: Creating database for OCSP stapling tests  ==============="
michael@0:   echo "cp -r ${SERVERDIR} ${STAPLINGDIR}"
michael@0:   cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
michael@0:   pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
michael@0:   pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
michael@0: }
michael@0: ############################## cert_stresscerts ################################
michael@0: # local shell function to create client certs for SSL stresstest
michael@0: ########################################################################
michael@0: cert_stresscerts()
michael@0: {
michael@0: 
michael@0:   ############### Creating Certs for SSL stress test #######################
michael@0:   #
michael@0:   CERTDIR="$CLIENTDIR"
michael@0:   cd "${CERTDIR}"
michael@0: 
michael@0:   PROFILEDIR=`cd ${CERTDIR}; pwd`
michael@0:   if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
michael@0:      PROFILEDIR=`cygpath -m ${PROFILEDIR}`
michael@0:   fi  
michael@0:   if [ -n "${MULTIACCESS_DBM}" ]; then
michael@0:      PROFILEDIR="multiaccess:${D_CLIENT}"
michael@0:   fi
michael@0:   CERTFAILED=0
michael@0:   echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
michael@0: 
michael@0:   CONTINUE=$GLOB_MAX_CERT
michael@0:   CERTSERIAL=10
michael@0: 
michael@0:   while [ $CONTINUE -ge $GLOB_MIN_CERT ]
michael@0:   do
michael@0:       CERTNAME="TestUser$CONTINUE"
michael@0: #      cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL
michael@0:       cert_add_cert 
michael@0:       CERTSERIAL=`expr $CERTSERIAL + 1 `
michael@0:       CONTINUE=`expr $CONTINUE - 1 `
michael@0:   done
michael@0:   if [ "$CERTFAILED" != 0 ] ; then
michael@0:       cert_log "ERROR: StressCert failed $RET"
michael@0:   else
michael@0:       cert_log "SUCCESS: StressCert passed"
michael@0:   fi
michael@0: }
michael@0: 
michael@0: ############################## cert_fips #####################################
michael@0: # local shell function to create certificates for FIPS tests 
michael@0: ##############################################################################
michael@0: cert_fips()
michael@0: {
michael@0:   CERTFAILED=0
michael@0:   echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
michael@0:   cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
michael@0: 
michael@0:   CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
michael@0:   certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
michael@0: 
michael@0:   CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
michael@0:   modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
michael@0: 
michael@0:   echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
michael@0:   CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
michael@0:   echo "modutil -dbdir ${PROFILEDIR} -fips true "
michael@0:   ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
michael@0: y
michael@0: MODSCRIPT
michael@0:   RET=$?
michael@0:   if [ "$RET" -ne 0 ]; then
michael@0:     html_failed "${CU_ACTION} ($RET) " 
michael@0:     cert_log "ERROR: ${CU_ACTION} failed $RET"
michael@0:   else
michael@0:     html_passed "${CU_ACTION}"
michael@0:   fi
michael@0: 
michael@0:   CU_ACTION="Generate Certificate for ${CERTNAME}"
michael@0:   CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
michael@0:   certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
michael@0:   if [ "$RET" -eq 0 ]; then
michael@0:     cert_log "SUCCESS: FIPS passed"
michael@0:   fi
michael@0: }
michael@0: 
michael@0: ############################## cert_eccurves ###########################
michael@0: # local shell function to create server certs for all EC curves
michael@0: ########################################################################
michael@0: cert_eccurves()
michael@0: {
michael@0:   ################# Creating Certs for EC curves test ########################
michael@0:   #
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:     echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
michael@0:     echo "             EC Curves Test Certificates ------------------------------------"
michael@0: 
michael@0:     cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
michael@0: 
michael@0:     CU_ACTION="Initializing EC Curve's Cert DB"
michael@0:     certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:     CU_ACTION="Loading root cert module to EC Curve's Cert DB"
michael@0:     modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
michael@0: 
michael@0:     CU_ACTION="Import EC Root CA for $CERTNAME"
michael@0:     certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
michael@0:         -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
michael@0: 
michael@0:     if [ -n "${NSS_ECC_MORE_THAN_SUITE_B}" ] ; then
michael@0:       CURVE_LIST="c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 \
michael@0: 	c2pnb208w1 c2pnb272w1 c2pnb304w1 c2pnb368w1 \
michael@0: 	c2tnb191v1 c2tnb191v2 c2tnb191v3 c2tnb239v1 \
michael@0: 	c2tnb239v2 c2tnb239v3 c2tnb359v1 c2tnb431r1 \
michael@0: 	nistb163 nistb233 nistb283 nistb409 nistb571 \
michael@0: 	nistk163 nistk233 nistk283 nistk409 nistk571 \
michael@0: 	nistp192 nistp224 nistp256 nistp384 nistp521 \
michael@0: 	prime192v1 prime192v2 prime192v3 \
michael@0: 	prime239v1 prime239v2 prime239v3 \
michael@0: 	secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 \
michael@0: 	secp160r1 secp160r2 secp192k1 secp192r1 secp224k1 \
michael@0: 	secp224r1 secp256k1 secp256r1 secp384r1 secp521r1 \
michael@0: 	sect113r1 sect113r2 sect131r1 sect131r2 sect163k1 sect163r1 \
michael@0: 	sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 \
michael@0: 	sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1"
michael@0:     else
michael@0:       CURVE_LIST="nistp256 nistp384 nistp521"
michael@0:     fi
michael@0:     CERTSERIAL=2000
michael@0: 
michael@0:     for CURVE in ${CURVE_LIST}
michael@0:     do
michael@0: 	CERTFAILED=0
michael@0: 	CERTNAME="Curve-${CURVE}"
michael@0: 	CERTSERIAL=`expr $CERTSERIAL + 1 `
michael@0: 	CU_ACTION="Generate EC Cert Request for $CERTNAME"
michael@0: 	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0: 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0: 		-z "${R_NOISE_FILE}" -o req  2>&1
michael@0: 	
michael@0: 	if [ $RET -eq 0 ] ; then
michael@0: 	  CU_ACTION="Sign ${CERTNAME}'s EC Request"
michael@0: 	  certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
michael@0: 		-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
michael@0: 	fi
michael@0: 	
michael@0: 	if [ $RET -eq 0 ] ; then
michael@0: 	  CU_ACTION="Import $CERTNAME's EC Cert"
michael@0: 	  certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
michael@0: 		-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
michael@0: 	fi
michael@0:     done
michael@0: 
michael@0:   fi # $NSS_DISABLE_ECC
michael@0: }
michael@0: 
michael@0: ########################### cert_extensions_test #############################
michael@0: # local shell function to test cert extensions generation
michael@0: ##############################################################################
michael@0: cert_extensions_test()
michael@0: {
michael@0:     COUNT=`expr ${COUNT} + 1`
michael@0:     CERTNAME=TestExt${COUNT}
michael@0:     CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0: 
michael@0:     echo
michael@0:     echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
michael@0:         -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
michael@0:         -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
michael@0:     echo "certutil options:"
michael@0:     cat ${TARG_FILE}
michael@0:     ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
michael@0:         -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
michael@0:         -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE}
michael@0:     RET=$?
michael@0:     if [ "${RET}" -ne 0 ]; then
michael@0:         CERTFAILED=1
michael@0:         html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate" 
michael@0:         cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed" 
michael@0:         return 1
michael@0:     fi
michael@0: 
michael@0:     echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME} 
michael@0:     EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}`
michael@0:     RET=$?
michael@0:     echo "${EXTLIST}"
michael@0:     if [ "${RET}" -ne 0 ]; then
michael@0:         CERTFAILED=1
michael@0:         html_failed "${TESTNAME} (${COUNT}) - List Certificate" 
michael@0:         cert_log "ERROR: ${TESTNAME} - List Certificate failed" 
michael@0:         return 1
michael@0:     fi
michael@0: 
michael@0:     for FL in `echo ${FILTERLIST} | tr \| ' '`; do
michael@0:         FL="`echo ${FL} | tr _ ' '`"
michael@0:         EXPSTAT=0
michael@0:         if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then
michael@0:             EXPSTAT=1
michael@0:             FL=`echo ${FL} | tr -d '!'`
michael@0:         fi
michael@0:         echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1
michael@0:         RET=$?
michael@0:         if [ "${RET}" -ne "${EXPSTAT}" ]; then
michael@0:             CERTFAILED=1
michael@0:             html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}" 
michael@0:             cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed"
michael@0:             return 1
michael@0:         fi
michael@0:     done
michael@0: 
michael@0:     html_passed "${TESTNAME} (${COUNT})"
michael@0:     return 0
michael@0: }
michael@0: 
michael@0: ############################## cert_extensions ###############################
michael@0: # local shell function to run cert extensions tests
michael@0: ##############################################################################
michael@0: cert_extensions()
michael@0: {
michael@0:     CERTNAME=TestExt
michael@0:     cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS}
michael@0:     TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args
michael@0: 
michael@0:     COUNT=0
michael@0:     while read ARG OPT FILTERLIST; do
michael@0:         if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then
michael@0:             continue
michael@0:         fi
michael@0:         if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then
michael@0:             TESTNAME="${FILTERLIST}"
michael@0:             continue
michael@0:         fi
michael@0:         if [ X"${ARG}" = "X=" ]; then
michael@0:             cert_extensions_test
michael@0:             rm -f ${TARG_FILE}
michael@0:         else
michael@0:             echo ${ARG} >> ${TARG_FILE}
michael@0:         fi
michael@0:     done < ${QADIR}/cert/certext.txt
michael@0: }
michael@0: 
michael@0: cert_make_with_param()
michael@0: {
michael@0:     DIRPASS="$1"
michael@0:     CERTNAME="$2"
michael@0:     MAKE="$3"
michael@0:     SUBJ="$4"
michael@0:     EXTRA="$5"
michael@0:     EXPECT="$6"
michael@0:     TESTNAME="$7"
michael@0: 
michael@0:     echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
michael@0:     ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
michael@0:         
michael@0:     RET=$?
michael@0:     if [ "${RET}" -ne "${EXPECT}" ]; then
michael@0:         # if we expected failure to create, then delete unexpected certificate
michael@0:         if [ "${EXPECT}" -ne 0 ]; then
michael@0:             ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
michael@0:         fi
michael@0:     
michael@0:         CERTFAILED=1
michael@0:         html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}" 
michael@0:         cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed"
michael@0:         return 1
michael@0:     fi
michael@0: 
michael@0:     html_passed "${TESTNAME} (${COUNT})"
michael@0:     return 0
michael@0: }
michael@0: 
michael@0: cert_list_and_count_dns()
michael@0: {
michael@0:     DIRPASS="$1"
michael@0:     CERTNAME="$2"
michael@0:     EXPECT="$3"
michael@0:     EXPECTCOUNT="$4"
michael@0:     TESTNAME="$5"
michael@0: 
michael@0:     echo certutil ${DIRPASS} -L ${CERTNAME}
michael@0:     ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME}
michael@0: 
michael@0:     RET=$?
michael@0:     if [ "${RET}" -ne "${EXPECT}" ]; then
michael@0:         CERTFAILED=1
michael@0:         html_failed "${TESTNAME} (${COUNT}) - list and count" 
michael@0:         cert_log "ERROR: ${TESTNAME} - list and count failed"
michael@0:         return 1
michael@0:     fi
michael@0: 
michael@0:     LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS`
michael@0:     if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then
michael@0:         CERTFAILED=1
michael@0:         html_failed "${TESTNAME} (${COUNT}) - list and count" 
michael@0:         cert_log "ERROR: ${TESTNAME} - list and count failed"
michael@0:         return 1
michael@0:     fi
michael@0: 
michael@0:     html_passed "${TESTNAME} (${COUNT})"
michael@0:     return 0
michael@0: }
michael@0: 
michael@0: cert_dump_ext_to_file()
michael@0: {
michael@0:     DIRPASS="$1"
michael@0:     CERTNAME="$2"
michael@0:     OID="$3"
michael@0:     OUTFILE="$4"
michael@0:     EXPECT="$5"
michael@0:     TESTNAME="$6"
michael@0: 
michael@0:     echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID}
michael@0:     echo "writing output to ${OUTFILE}"
michael@0:     ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE}
michael@0:         
michael@0:     RET=$?
michael@0:     if [ "${RET}" -ne "${EXPECT}" ]; then
michael@0:         CERTFAILED=1
michael@0:         html_failed "${TESTNAME} (${COUNT}) - dump to file"
michael@0:         cert_log "ERROR: ${TESTNAME} - dump to file failed"
michael@0:         return 1
michael@0:     fi
michael@0: 
michael@0:     html_passed "${TESTNAME} (${COUNT})"
michael@0:     return 0
michael@0: }
michael@0: 
michael@0: cert_delete()
michael@0: {
michael@0:     DIRPASS="$1"
michael@0:     CERTNAME="$2"
michael@0:     EXPECT="$3"
michael@0:     TESTNAME="$4"
michael@0: 
michael@0:     echo certutil ${DIRPASS} -D ${CERTNAME}
michael@0:     ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
michael@0:         
michael@0:     RET=$?
michael@0:     if [ "${RET}" -ne "${EXPECT}" ]; then
michael@0:         CERTFAILED=1
michael@0:         html_failed "${TESTNAME} (${COUNT}) - delete cert" 
michael@0:         cert_log "ERROR: ${TESTNAME} - delete cert failed"
michael@0:         return 1
michael@0:     fi
michael@0: 
michael@0:     html_passed "${TESTNAME} (${COUNT})"
michael@0:     return 0
michael@0: }
michael@0: 
michael@0: cert_inc_count()
michael@0: {
michael@0:     COUNT=`expr ${COUNT} + 1`
michael@0: }
michael@0: 
michael@0: ############################## cert_crl_ssl ############################
michael@0: # test adding subject-alt-name, dumping, and adding generic extension
michael@0: ########################################################################
michael@0: cert_san_and_generic_extensions()
michael@0: {
michael@0:     EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der
michael@0: 
michael@0:     DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}"
michael@0:     CERTNAME="-n WithSAN"
michael@0:     MAKE="-S -t ,, -x -z ${R_NOISE_FILE}"
michael@0:     SUBJ="CN=example.com"
michael@0: 
michael@0:     TESTNAME="san-and-generic-extensions"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0:         "--extSAN example.com" 255 \
michael@0:         "create cert with invalid SAN parameter"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0:         "--extSAN example.com,dns:www.example.com" 255 \
michael@0:         "create cert with invalid SAN parameter"
michael@0: 
michael@0:     TN="create cert with valid SAN parameter"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0:         "--extSAN dns:example.com,dns:www.example.com" 0 \
michael@0:         "${TN}"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
michael@0:         "${TN}"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \
michael@0:         "dump extension 2.5.29.17 to file ${EXTDUMP}"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_delete "${DIR}" "${CERTNAME}" 0 \
michael@0:         "${TN}"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
michael@0:         "expect failure to list cert, because we deleted it"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0:         "--extGeneric ${EXTDUMP}" 255 \
michael@0:         "create cert with invalid generic ext parameter"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0:         "--extGeneric not-critical:${EXTDUMP}" 255 \
michael@0:         "create cert with invalid generic ext parameter"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0:         "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \
michael@0:         "create cert with invalid generic ext parameter"
michael@0: 
michael@0:     TN="create cert with valid generic ext parameter"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
michael@0:         "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \
michael@0:         "${TN}"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
michael@0:         "${TN}"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_delete "${DIR}" "${CERTNAME}" 0 \
michael@0:         "${TN}"
michael@0: 
michael@0:     cert_inc_count
michael@0:     cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
michael@0:         "expect failure to list cert, because we deleted it"
michael@0: }
michael@0: 
michael@0: ############################## cert_crl_ssl ############################
michael@0: # local shell function to generate certs and crls for SSL tests
michael@0: ########################################################################
michael@0: cert_crl_ssl()
michael@0: {
michael@0:     
michael@0:   ################# Creating Certs ###################################
michael@0:   #
michael@0:   CERTFAILED=0
michael@0:   CERTSERIAL=${CRL_GRP_1_BEGIN}
michael@0: 
michael@0:   cd $CADIR
michael@0:   
michael@0:   PROFILEDIR=`cd ${CLIENTDIR}; pwd`
michael@0:   if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
michael@0:      PROFILEDIR=`cygpath -m ${PROFILEDIR}`
michael@0:   fi
michael@0:   CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1`
michael@0:   echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ==="
michael@0:   CU_ACTION="Creating client test certs"
michael@0: 
michael@0:   while [ $CERTSERIAL -le $CRL_GRPS_END ]
michael@0:   do
michael@0:       CERTNAME="TestUser$CERTSERIAL"
michael@0:       cert_add_cert 
michael@0:       CERTSERIAL=`expr $CERTSERIAL + 1 `
michael@0:   done
michael@0: 
michael@0:   #################### CRL Creation ##############################
michael@0:   CRL_GEN_RES=0
michael@0:   echo "$SCRIPTNAME: Creating CA CRL ====================================="
michael@0: 
michael@0:   CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1`
michael@0:   CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END}
michael@0:   CRL_FILE=${CRL_FILE_GRP_1}
michael@0:   
michael@0:   CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
michael@0:   CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority"
michael@0:   CRL_GRP_END_=`expr ${CRL_GRP_END} - 1`
michael@0:   crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \
michael@0:       -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
michael@0: addext reasonCode 0 4
michael@0: addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA"
michael@0: EOF_CRLINI
michael@0: # This extension should be added to the list, but currently nss has bug
michael@0: #addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1
michael@0:   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:   chmod 600 ${CRL_FILE_GRP_1}_or
michael@0: 
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:       CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
michael@0: 
michael@0: #     Until Bug 292285 is resolved, do not encode x400 Addresses. After
michael@0: #     the bug is resolved, reintroduce "x400Address:x400Address" within
michael@0: #     addext issuerAltNames ...
michael@0:       crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
michael@0: 	  -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
michael@0: addext reasonCode 0 4
michael@0: addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
michael@0: EOF_CRLINI
michael@0:       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:       chmod 600 ${CRL_FILE_GRP_1}_or-ec
michael@0:   fi
michael@0: 
michael@0:   echo test > file
michael@0:   ############################# Modification ##################################
michael@0: 
michael@0:   echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
michael@0:   sleep 2
michael@0:   CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
michael@0:   CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
michael@0:   CU_ACTION="Modify CRL by adding one more cert"
michael@0:   crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \
michael@0:       -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: addcert ${CRL_GRP_END} $CRL_GRP_DATE
michael@0: EOF_CRLINI
michael@0:   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:   chmod 600 ${CRL_FILE_GRP_1}_or1
michael@0:   TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:       CU_ACTION="Modify CRL (ECC) by adding one more cert"
michael@0:       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
michael@0: 	  -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: addcert ${CRL_GRP_END} $CRL_GRP_DATE
michael@0: EOF_CRLINI
michael@0:       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:       chmod 600 ${CRL_FILE_GRP_1}_or1-ec
michael@0:       TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
michael@0:   fi
michael@0: 
michael@0:   ########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
michael@0:   echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
michael@0:   CU_ACTION="Modify CRL by removing one cert"
michael@0:   sleep 2
michael@0:   CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
michael@0:   crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
michael@0:       -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: rmcert  ${UNREVOKED_CERT_GRP_1}
michael@0: EOF_CRLINI
michael@0:   chmod 600 ${CRL_FILE_GRP_1}
michael@0:   TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:       CU_ACTION="Modify CRL (ECC) by removing one cert"
michael@0:       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
michael@0: 	  -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: rmcert  ${UNREVOKED_CERT_GRP_1}
michael@0: EOF_CRLINI
michael@0:       chmod 600 ${CRL_FILE_GRP_1}-ec
michael@0:       TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
michael@0:   fi
michael@0: 
michael@0:   ########### Creating second CRL which includes groups 1 and 2 ##############
michael@0:   CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
michael@0:   CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}
michael@0: 
michael@0:   echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2  ==============="
michael@0:   sleep 2
michael@0:   CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
michael@0:   CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
michael@0:   CU_ACTION="Creating CRL for groups 1 and 2"
michael@0:   crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2} \
michael@0:           -i ${CRL_FILE_GRP_1} <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
michael@0: addext invalidityDate 0 $CRLUPDATE
michael@0: rmcert  ${UNREVOKED_CERT_GRP_2}
michael@0: EOF_CRLINI
michael@0:   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:   chmod 600 ${CRL_FILE_GRP_2}
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:       CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
michael@0:       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
michael@0:           -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
michael@0: addext invalidityDate 0 $CRLUPDATE
michael@0: rmcert  ${UNREVOKED_CERT_GRP_2}
michael@0: EOF_CRLINI
michael@0:       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:       chmod 600 ${CRL_FILE_GRP_2}-ec
michael@0:   fi
michael@0: 
michael@0:   ########### Creating second CRL which includes groups 1, 2 and 3 ##############
michael@0:   CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
michael@0:   CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END}
michael@0: 
michael@0: 
michael@0: 
michael@0:   echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3  ==============="
michael@0:   sleep 2
michael@0:   CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
michael@0:   CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
michael@0:   CU_ACTION="Creating CRL for groups 1, 2 and 3"
michael@0:   crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3} \
michael@0:             -i ${CRL_FILE_GRP_2} <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
michael@0: rmcert  ${UNREVOKED_CERT_GRP_3}
michael@0: addext crlNumber 0 2
michael@0: EOF_CRLINI
michael@0:   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:   chmod 600 ${CRL_FILE_GRP_3}
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:       CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
michael@0:       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
michael@0:           -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
michael@0: update=$CRLUPDATE
michael@0: addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
michael@0: rmcert  ${UNREVOKED_CERT_GRP_3}
michael@0: addext crlNumber 0 2
michael@0: EOF_CRLINI
michael@0:       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:       chmod 600 ${CRL_FILE_GRP_3}-ec
michael@0:   fi
michael@0: 
michael@0:   ############ Importing Server CA Issued CRL for certs of first group #######
michael@0: 
michael@0:   echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
michael@0:   CU_ACTION="Importing CRL for groups 1"
michael@0:   crlu -D -n TestCA  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
michael@0:   crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
michael@0:   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:   if [ -z "$NSS_DISABLE_ECC" ] ; then
michael@0:       CU_ACTION="Importing CRL (ECC) for groups 1"
michael@0:       crlu -D -n TestCA-ec  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
michael@0:       crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
michael@0: 	  -d "${R_SERVERDIR}"
michael@0:       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
michael@0:   fi
michael@0: 
michael@0:   if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
michael@0:       cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
michael@0:   else
michael@0:       cert_log "SUCCESS: SSL CRL prep passed"
michael@0:   fi
michael@0: }
michael@0: 
michael@0: #################
michael@0: # Verify the we can successfully change the password on the database
michael@0: #
michael@0: cert_test_password()
michael@0: {
michael@0:   CERTFAILED=0
michael@0:   echo "$SCRIPTNAME: Create A Password Test Cert  =============="
michael@0:   cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}"
michael@0: 
michael@0:   echo "$SCRIPTNAME: Create A Password Test Ca  --------"
michael@0:   ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:   cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1"
michael@0: 
michael@0:   # now change the password
michael@0:   CU_ACTION="Changing password on ${CERTNAME}'s Cert DB"
michael@0:   certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1
michael@0: 
michael@0:   # finally make sure we can use the old key with the new password
michael@0:   CU_ACTION="Generate Certificate for ${CERTNAME} with new password"
michael@0:   CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:   certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1
michael@0:   if [ "$RET" -eq 0 ]; then
michael@0:     cert_log "SUCCESS: PASSWORD passed"
michael@0:   fi
michael@0:   CU_ACTION="Verify Certificate for ${CERTNAME} with new password"
michael@0:   certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
michael@0: }
michael@0: 
michael@0: ###############################
michael@0: # test if we can distrust a certificate.
michael@0: #
michael@0: # we create 3 new certs:
michael@0: #   1 leaf signed by the trusted root.
michael@0: #   1 intermediate signed by the trusted root.
michael@0: #   1 leaf signed by the intermediate.
michael@0: #
michael@0: #  we mark the first leaf and the intermediate as explicitly untrusted.
michael@0: #  we then try to verify the two leaf certs for our possible usages.
michael@0: #  All verification should fail.
michael@0: # 
michael@0: cert_test_distrust()
michael@0: {
michael@0:   echo "$SCRIPTNAME: Creating Distrusted Certificate"
michael@0:   cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST}
michael@0:   CU_ACTION="Mark CERT as unstrusted"
michael@0:   certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1
michael@0:   echo "$SCRIPTNAME: Creating Distrusted Intermediate"
michael@0:   CERTNAME="DistrustedCA"
michael@0:   ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:   cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1
michael@0:   CU_ACTION="Import Distrusted Intermediate"
michael@0:   certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
michael@0:           -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1
michael@0: 
michael@0:   # now create the last leaf signed by our distrusted CA
michael@0:   # since it's not signed by TestCA it requires more steps.
michael@0:   CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA"
michael@0:   CERTNAME="LeafChainedToDistrustedCA"
michael@0:   CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
michael@0:   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
michael@0: 
michael@0:   CU_ACTION="Sign ${CERTNAME}'s Request"
michael@0:   cp ${CERTDIR}/req ${CADIR}
michael@0:   certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \
michael@0:         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:   CU_ACTION="Import $CERTNAME's Cert  -t u,u,u"
michael@0:   certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
michael@0:         -i "${CERTNAME}.cert" 2>&1
michael@0: 
michael@0:   RETEXPECTED=255
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for SSL Server"
michael@0:   certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for SSL Client"
michael@0:   certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for Email signer"
michael@0:   certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for Email recipient"
michael@0:   certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder"
michael@0:   certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for Object Signer"
michael@0:   certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0: 
michael@0:   CERTNAME="Distrusted"
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for SSL Server"
michael@0:   certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for SSL Client"
michael@0:   certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for Email signer"
michael@0:   certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for Email recipient"
michael@0:   certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder"
michael@0:   certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   CU_ACTION="Verify ${CERTNAME} Cert for Object Signer"
michael@0:   certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
michael@0:   RETEXPECTED=0
michael@0: }
michael@0: 
michael@0: cert_test_ocspresp()
michael@0: {
michael@0:   echo "$SCRIPTNAME: OCSP response creation selftest"
michael@0:   OR_ACTION="perform selftest"
michael@0:   RETEXPECTED=0
michael@0:   ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
michael@0: }
michael@0: 
michael@0: ############################## cert_cleanup ############################
michael@0: # local shell function to finish this script (no exit since it might be
michael@0: # sourced)
michael@0: ########################################################################
michael@0: cert_cleanup()
michael@0: {
michael@0:   cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
michael@0:   html "</TABLE><BR>" 
michael@0:   cd ${QADIR}
michael@0:   . common/cleanup.sh
michael@0: }
michael@0: 
michael@0: ################## main #################################################
michael@0: 
michael@0: cert_init 
michael@0: cert_all_CA
michael@0: cert_extended_ssl 
michael@0: cert_ssl 
michael@0: cert_smime_client        
michael@0: if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
michael@0:     cert_fips
michael@0: fi
michael@0: cert_eccurves
michael@0: cert_extensions
michael@0: cert_san_and_generic_extensions
michael@0: cert_test_password
michael@0: cert_test_distrust
michael@0: cert_test_ocspresp
michael@0: 
michael@0: if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
michael@0:     cert_crl_ssl
michael@0: else
michael@0:     echo "$SCRIPTNAME: Skipping CRL Tests"
michael@0: fi
michael@0: 
michael@0: if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
michael@0:     cert_stresscerts 
michael@0: fi
michael@0: 
michael@0: cert_iopr_setup
michael@0: 
michael@0: cert_cleanup