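#!/bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

########################################################################
#
# mozilla/security/nss/tests/cert/chains.sh
#
# Script to test certificate chains validity.
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
#
# Helpers such as Exit, html_head, html_msg, html_passed, html_failed,
# html_unknown, html_detect_core and html come from ../common/init.sh
# (sourced by chains_init). The AIA / OCSP / CRL DP URLs this script
# embeds in generated certificates are plain http://. That is
# intentional: what is fetched from them (certificates, CRLs, PKCS#7
# bundles, OCSP responses) is signed, so a cleartext transport is the
# normal arrangement for these extensions.
########################################################################

########################### is_httpserv_alive ##########################
# local shell function to exit with a fatal error if httpserv is not
# running
#
# Globals read:    HTTPPID (PID file written by "httpserv -i"),
#                  OS_ARCH, OS_NAME, SHELL_HTTPPID
# Globals written: PID
#
# NOTE: "kill -0" only proves that *some* process with that PID exists,
# not that it is our httpserv; after a crash the PID could in principle
# have been reused. The PID file lives under NSS_AIA_PATH (per run, see
# chains_run_httpserv), not in a shared temp directory.
########################################################################
is_httpserv_alive()
{
    if [ ! -f "${HTTPPID}" ]; then
        echo "$SCRIPTNAME: Error - httpserv PID file ${HTTPPID} doesn't exist"
        # give a slow server one more chance to write its PID file
        sleep 5
        if [ ! -f "${HTTPPID}" ]; then
            Exit 9 "Fatal - httpserv pid file ${HTTPPID} does not exist"
        fi
    fi

    # On Cygwin/MinGW the PID in the file is not usable with "kill";
    # use the shell's $! saved by start_httpserv instead (see there).
    if [ "${OS_ARCH}" = "WINNT" ] && \
       [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
        PID=${SHELL_HTTPPID}
    else
        PID=`cat ${HTTPPID}`
    fi

    echo "kill -0 ${PID} >/dev/null 2>/dev/null"
    kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"

    echo "httpserv with PID ${PID} found at `date`"
}

########################### wait_for_httpserv ##########################
# local shell function to wait until httpserver is running and initialized
#
# Probes the AIA port with tstclnt (one retry after 5 seconds). A
# failed probe is recorded with html_failed but does not abort; the
# is_httpserv_alive check at the end is what turns a missing server
# into a fatal Exit.
########################################################################
wait_for_httpserv()
{
    echo "trying to connect to httpserv at `date`"
    echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
    ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
    if [ $? -ne 0 ]; then
        sleep 5
        echo "retrying to connect to httpserv at `date`"
        echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
        ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
        if [ $? -ne 0 ]; then
            html_failed "Waiting for Server"
        fi
    fi
    is_httpserv_alive
}

########################### kill_httpserv ##############################
# local shell function to kill the httpserver after the tests are done
#
# Globals read:    HTTPPID, SHELL_HTTPPID, OS_ARCH, OS_NAME, KILL,
#                  NSS_AIA_PORT
# Globals written: PID
#
# Unix builds get SIGUSR1 (presumably httpserv's clean-shutdown
# signal); Windows/OS2 builds get the plain ${KILL}. "wait" only reaps
# direct children of this shell, so when the PID came from the PID
# file (e.g. under PROFTOOL) it may return immediately.
########################################################################
kill_httpserv()
{
    if [ "${OS_ARCH}" = "WINNT" ] && \
       [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
        PID=${SHELL_HTTPPID}
    else
        PID=`cat ${HTTPPID}`
    fi

    echo "trying to kill httpserv with PID ${PID} at `date`"

    if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
        echo "${KILL} ${PID}"
        ${KILL} ${PID}
    else
        echo "${KILL} -USR1 ${PID}"
        ${KILL} -USR1 ${PID}
    fi
    wait ${PID}

    # On Linux httpserv needs up to 30 seconds to fully die and free
    # the port.  Wait until the port is free. (Bug 129701)
    # The wait is bounded: if some other process holds the port the
    # loop would otherwise never terminate and hang the whole test run.
    # Giving up here only defers the failure to the next start_httpserv,
    # which then fails visibly instead of silently.
    if [ "${OS_ARCH}" = "Linux" ]; then
        PORT_WAIT=0
        echo "httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
        until ${BINDIR}/httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null; do
            PORT_WAIT=$(expr ${PORT_WAIT} + 1)
            if [ ${PORT_WAIT} -ge 120 ]; then
                echo "${SCRIPTNAME}: Warning - port ${NSS_AIA_PORT} still busy after ${PORT_WAIT} seconds, giving up"
                break
            fi
            echo "RETRY: httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
            sleep 1
        done
    fi

    echo "httpserv with PID ${PID} killed at `date`"

    rm "${HTTPPID}"
    html_detect_core "kill_httpserv core detection step"
}

########################### start_httpserv #############################
# local shell function to start the httpserver with the parameters required
# for this test and log information (parameters, start time)
# also: wait until the server is up and running
#
# $1 - HTTP method httpserv should accept (httpserv -O)
#
# The server is pointed at the OCSP responder DB under
# ${HOSTDIR}/chains/OCSPD; its DB password is read from a file (-f),
# not passed on the command line, so it does not show up in process
# listings. Globals written: HTTP_METHOD, ODDIR, RET, SHELL_HTTPPID, PID.
########################################################################
start_httpserv()
{
    HTTP_METHOD=$1

    if [ -n "$testname" ] ; then
        echo "$SCRIPTNAME: $testname ----"
    fi
    echo "httpserv starting at `date`"
    ODDIR="${HOSTDIR}/chains/OCSPD"
    echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\"
    echo " -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\"
    echo " -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\"
    echo " -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\"
    echo " -i ${HTTPPID} $verbose &"
    ${PROFTOOL} ${BINDIR}/httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \
        -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \
        -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \
        -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \
        -i ${HTTPPID} $verbose &
    # NOTE: this is the status of putting the job in the background
    # (always 0), not of httpserv itself; liveness is checked below.
    RET=$?

    # The PID $! returned by the MKS or Cygwin shell is not the PID of
    # the real background process, but rather the PID of a helper
    # process (sh.exe).  MKS's kill command has a bug: invoking kill
    # on the helper process does not terminate the real background
    # process.  Our workaround has been to have httpserv save its PID
    # in the ${HTTPPID} file and "kill" that PID instead.  But this
    # doesn't work under Cygwin; its kill command doesn't recognize
    # the PID of the real background process, but it does work on the
    # PID of the helper process.  So we save the value of $! in the
    # SHELL_HTTPPID variable, and use it instead of the ${HTTPPID}
    # file under Cygwin.  (In fact, this should work in any shell
    # other than the MKS shell.)
    SHELL_HTTPPID=$!
    wait_for_httpserv

    if [ "${OS_ARCH}" = "WINNT" ] && \
       [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
        PID=${SHELL_HTTPPID}
    else
        PID=`cat ${HTTPPID}`
    fi

    echo "httpserv with PID ${PID} started at `date`"
}

############################# chains_init ##############################
# local shell function to initialize this script
#
# Sources ../common/init.sh unless already done, moves into
# ${HOSTDIR}/chains and sets the run-wide globals:
#   CERT_SN_CNT  - running certificate serial number, seeded from the
#                  current time (leading zeros stripped so expr gets a
#                  plain decimal) and bumped by set_cert_sn. Serials are
#                  unique within one run, which is what the CRL /
#                  revocation scenarios rely on; they are not meant to
#                  be unique across runs.
#   CERT_SN_FIX  - base for scenario-relative serials: "SERIAL=+N" in a
#                  scenario becomes CERT_SN_FIX + N (see set_cert_sn).
#   PK7_NONCE, SCEN_CNT - nonces folded into published AIA / CRL file
#                  names so that concurrent runs sharing NSS_AIA_PATH
#                  do not overwrite each other's files.
#   NSS_AIA_PORT / NSS_UNUSED_PORT - the httpserv port, and a port on
#                  which nothing listens; the latter backs the
#                  "offline" OCSP responder URL that scenarios use to
#                  exercise an unreachable responder.
#   NSS_AIA_HTTP / NSS_AIA_OCSP / NSS_OCSP_UNUSED - the URLs embedded
#                  in generated certificates (cleartext http://, see
#                  the file header).
#   NSS_AIA_PATH - directory served by httpserv; also holds the PID
#                  file and the published certificate / CRL copies.
# NOTE: the environment override for NSS_OCSP_UNUSED is spelled
# NSS_AIA_OCSP_UNUSED.
########################################################################
chains_init()
{
    if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
        CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
    fi
    if [ -z "${INIT_SOURCED}" ] ; then
        cd ../common
        . ./init.sh
    fi

    SCRIPTNAME="chains.sh"

    CHAINS_DIR="${HOSTDIR}/chains"
    mkdir -p ${CHAINS_DIR}
    cd ${CHAINS_DIR}

    CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"

    CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
    CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)

    PK7_NONCE=${CERT_SN_CNT}
    SCEN_CNT=${CERT_SN_CNT}

    AIA_FILES="${HOSTDIR}/aiafiles"

    CU_DATA=${HOSTDIR}/cu_data
    CRL_DATA=${HOSTDIR}/crl_data

    DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10)
    NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
    DEFAULT_UNUSED_PORT=$(expr ${PORT:-8631} + 11)
    NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT}
    NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
    NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
    NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp}
    NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"}

    html_head "Certificate Chains Tests"
}

########################## chains_run_httpserv #########################
# local shell function to start httpserv for the AIA / OCSP / CRL tests
#
# $1 - HTTP method httpserv should accept (passed on to start_httpserv)
#
# Only runs when NSS_AIA_PATH is set. The PID file name carries the
# shell PID ($$) so that two runs sharing NSS_AIA_PATH cannot clobber
# each other's PID file.
########################################################################
chains_run_httpserv()
{
    HTTP_METHOD=$1

    if [ -n "${NSS_AIA_PATH}" ]; then
        HTTPPID=${NSS_AIA_PATH}/http_pid.$$
        mkdir -p "${NSS_AIA_PATH}"
        SAVEPWD=`pwd`
        cd "${NSS_AIA_PATH}"
        # Start_httpserv sets environment variables, which are required for
        # correct cleanup. (Running it in a subshell doesn't work, the
        # value of $SHELL_HTTPPID wouldn't arrive in this scope.)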
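        start_httpserv ${HTTP_METHOD}
        cd "${SAVEPWD}"
    fi
}

########################## chains_stop_httpserv ########################
# local shell function to stop httpserv again (no-op unless
# NSS_AIA_PATH is set, mirroring chains_run_httpserv)
########################################################################
chains_stop_httpserv()
{
    if [ -n "${NSS_AIA_PATH}" ]; then
        kill_httpserv
    fi
}

############################ chains_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
#
# NOTE(review): the argument of the html call below is empty in the
# reviewed copy; it looks like HTML markup that got stripped by the
# page rendering. Check it against the upstream file.
########################################################################
chains_cleanup()
{
    html ""
    cd ${QADIR}
    . common/cleanup.sh
}

############################ print_cu_data #############################
# local shell function to print certutil input data
# (the scripted answers in ${CU_DATA} that are fed to certutil's stdin)
########################################################################
print_cu_data()
{
    echo "=== Certutil input data ==="
    cat ${CU_DATA}
    echo "==="
}

############################# set_cert_sn ##############################
# local shell function to pick the serial number for the next
# certificate
#
# Globals read:    SERIAL (optional, from the scenario), CERT_SN_CNT,
#                  CERT_SN_FIX
# Globals written: CERT_SN, CERT_SN_CNT
#
# No SERIAL     -> next value of the run-wide counter.
# SERIAL=+N     -> CERT_SN_FIX + N, i.e. a value below the counter's
#                  starting point (CERT_SN_FIX is the seed minus 1000),
#                  so scenario-pinned serials do not collide with the
#                  counter as long as N stays below 1000.
# SERIAL=<n>    -> used verbatim.
# Revocation scenarios identify certificates by serial, so a collision
# within one issuer would revoke (or fail to revoke) the wrong cert.
########################################################################
set_cert_sn()
{
    if [ -z "${SERIAL}" ]; then
        CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1)
        CERT_SN=${CERT_SN_CNT}
    else
        echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null
        if [ $? -eq 0 ]; then
            CERT_SN=$(echo ${SERIAL} | cut -b 2-)
            CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN})
        else
            CERT_SN=${SERIAL}
        fi
    fi
}

############################# create_db ################################
# local shell function to create certificate database
#
# $1 - directory for the NSS DB (wiped and recreated if it exists)
#
# The DB password is derived from the directory name and stored in
# ${DB}/dbpasswd so the NSS tools read it with -f instead of taking it
# on the command line. This is a throw-away test fixture: the scheme is
# deliberately predictable and must not be copied into anything that
# protects real keys.
########################################################################
create_db()
{
    DB=$1

    # DB is a relative name from the scenario file, resolved under
    # CHAINS_DIR; remove leftovers from a previous scenario first.
    [ -d "${DB}" ] && rm -rf "${DB}"
    mkdir -p ${DB}

    echo "${DB}passwd" > ${DB}/dbpasswd

    TESTNAME="Creating DB ${DB}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -N -d ${DB} -f ${DB}/dbpasswd"
    ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

########################### create_root_ca #############################
# local shell function to generate self-signed root certificate
#
# $1 - entity name; the DB is ${ENTITY}DB, the cert is exported as
#      ${ENTITY}.der for use as a trust anchor (vfychain -t)
#
# Globals read: CTYPE (optional key type, certutil -k), NOISE_FILE,
#               CU_DATA, CERT_SN (via set_cert_sn)
#
# The cert is self-signed (-x), gets full CA trust in its own DB
# (-t CTu,CTu,CTu) and the serial chosen by set_cert_sn (-m). The
# extension flags -1 -2 -5 make certutil prompt interactively; the
# scripted answers are written to ${CU_DATA} and fed on stdin. Their
# order must match certutil's prompts exactly (see "certutil -H" for
# what -1/-2/-5 mean), so do not reflow that block.
# `date` is appended to NOISE_FILE as extra seed material before key
# generation; that is fine for a test fixture but is not a source of
# entropy to imitate elsewhere.
########################################################################
create_root_ca()
{
    ENTITY=$1
    ENTITY_DB=${ENTITY}DB

    set_cert_sn
    date >> ${NOISE_FILE} 2>&1

    CTYPE_OPT=
    if [ -n "${CTYPE}" ]; then
        CTYPE_OPT="-k ${CTYPE}"
    fi

    echo "5
6
9
n
y
-1
n
5
6
7
9
n
" > ${CU_DATA}

    TESTNAME="Creating Root CA ${ENTITY}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}"
    print_cu_data
    ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}
    html_msg $? 0 "${SCENARIO}${TESTNAME}"

    TESTNAME="Exporting Root CA ${ENTITY}.der"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der"
    ${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

########################### create_cert_req ############################
# local shell function to generate certificate sign request
#
# $1 - entity name (DB is ${ENTITY}DB, request goes to ${ENTITY}Req.der)
# $2 - entity type: "EE", or anything else for a CA-capable request
#
# Globals read:    CTYPE, NOISE_FILE, CU_DATA, CRLDP (via process_crldp)
# Globals written: CA_FLAG, EXT_DATA, OPTIONS, REQ
#
# For non-EE types the request asks for basic constraints (-2); the
# scripted answers "y / -1 / y" appear to mean CA=yes, unlimited path
# length, critical - confirm against certutil's prompts before editing.
# process_crldp may add a CRL distribution point (-4) and its prompt
# answers to EXT_DATA.
########################################################################
create_cert_req()
{
    ENTITY=$1
    TYPE=$2

    ENTITY_DB=${ENTITY}DB

    REQ=${ENTITY}Req.der

    date >> ${NOISE_FILE} 2>&1

    CTYPE_OPT=
    if [ -n "${CTYPE}" ]; then
        CTYPE_OPT="-k ${CTYPE}"
    fi

    CA_FLAG=
    EXT_DATA=
    OPTIONS=

    if [ "${TYPE}" != "EE" ]; then
        CA_FLAG="-2"
        EXT_DATA="y
-1
y
"
    fi

    process_crldp

    echo "${EXT_DATA}" > ${CU_DATA}

    TESTNAME="Creating ${TYPE} certifiate request ${REQ}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}"
    print_cu_data
    ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

############################ create_entity #############################
# local shell function to create certificate chain entity
#
# $1 - entity name (must be non-empty)
# $2 - entity type: Root | Intermediate | Bridge | EE
#
# Creates the entity's DB and either a self-signed root or a signing
# request. A missing name or an unknown type is a configuration error
# and aborts the run with exit status 1.
########################################################################
create_entity()
{
    ENTITY=$1
    TYPE=$2

    if [ -z "${ENTITY}" ]; then
        echo "Configuration error: Unnamed entity"
        exit 1
    fi

    DB=${ENTITY}DB
    ENTITY_DB=${ENTITY}DB

    case "${TYPE}" in
        "Root")
            create_db "${DB}"
            create_root_ca "${ENTITY}"
            ;;
        "Intermediate" | "Bridge" | "EE")
            create_db "${DB}"
            create_cert_req "${ENTITY}" "${TYPE}"
            ;;
        *)
            # The pattern must be an unquoted "*": quoting it ("*")
            # matches only the literal string "*", so a misspelled type
            # in a scenario used to be silently ignored instead of
            # being reported here.
            echo "Configuration error: Unknown type ${TYPE}"
            exit 1
            ;;
    esac
}

########################################################################
# List of global variables related to certificate extensions processing:
#
# Generated by process_extensions and functions called from it:
#   OPTIONS - list of command line policy extensions
#   DATA    - list of input data related to policy extensions
#             (answers to certutil's interactive prompts, fed on stdin)
#
# Generated by parse_config:
#   POLICY  - list of certificate policies
#   MAPPING - list of policy mappings
#   INHIBIT - inhibit flag
#   AIA     - AIA list
########################################################################

############################ process_policy ############################
# local shell function to process policy extension parameters and
# generate input for certutil
########################################################################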
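process_policy()
{
    # POLICY: whitespace-separated policy OIDs. Adds --extCP and, per
    # OID, the prompt answers "<oid> / 1 / <empty> / n"; a "y" between
    # items tells certutil another policy follows, the final "n / n"
    # ends the list. Order is dictated by certutil's prompts.
    if [ -n "${POLICY}" ]; then
        OPTIONS="${OPTIONS} --extCP"

        NEXT=
        for ITEM in ${POLICY}; do
            if [ -n "${NEXT}" ]; then
                DATA="${DATA}y
"
            fi

            NEXT=1
            DATA="${DATA}${ITEM}
1

n
"
        done

        DATA="${DATA}n
n
"
    fi
}

########################### process_mapping ############################
# local shell function to process policy mapping parameters and
# generate input for certutil
#
# MAPPING: whitespace-separated "issuerDomainPolicy:subjectDomainPolicy"
# pairs. Adds --extPM and one "<idp> / <sdp>" answer pair per item.
########################################################################
process_mapping()
{
    if [ -n "${MAPPING}" ]; then
        OPTIONS="${OPTIONS} --extPM"

        NEXT=
        for ITEM in ${MAPPING}; do
            if [ -n "${NEXT}" ]; then
                DATA="${DATA}y
"
            fi

            NEXT=1
            IDP=`echo ${ITEM} | cut -d: -f1`
            SDP=`echo ${ITEM} | cut -d: -f2`
            DATA="${DATA}${IDP}
${SDP}
"
        done

        DATA="${DATA}n
n
"
    fi
}

########################### process_inhibit ############################
# local shell function to process inhibit extension and generate input
# for certutil
#
# INHIBIT: the inhibitAnyPolicy skip-certs value. Adds --extIA and the
# answers "<value> / n".
########################################################################
process_inhibit()
{
    if [ -n "${INHIBIT}" ]; then
        OPTIONS="${OPTIONS} --extIA"

        DATA="${DATA}${INHIBIT}
n
"
    fi
}

############################# process_aia ##############################
# local shell function to process AIA extension parameters and
# generate input for certutil
#
# AIA: whitespace-separated items, either "nick:issuer" (the cert
# nickissuer.der) or a bare name (the PKCS#7 bundle name.p7). For each
# item a caIssuers URL under NSS_AIA_HTTP is added to the extension and,
# when NSS_AIA_PATH is set, the local file is published there under a
# unique public name (host, shell PID and a per-run nonce), so parallel
# runs sharing the directory cannot overwrite each other's files.
# Published files are world-readable on purpose: they are certificates
# and cert bundles, i.e. public data; never publish DBs or .p12 files
# the same way. A failed copy is reported but not fatal, because some
# scenarios may deliberately point at a file that is not there.
# NOTE: the AIA answers end without a trailing newline, so process_ocsp
# must not be combined with process_aia (both also add --extAIA).
########################################################################
process_aia()
{
    if [ -n "${AIA}" ]; then
        OPTIONS="${OPTIONS} --extAIA"

        DATA="${DATA}1
"

        for ITEM in ${AIA}; do
            PK7_NONCE=`expr $PK7_NONCE + 1`

            echo ${ITEM} | grep ":" > /dev/null
            if [ $? -eq 0 ]; then
                CERT_NICK=`echo ${ITEM} | cut -d: -f1`
                CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
                CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der"
                CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der"
            else
                CERT_LOCAL="${ITEM}.p7"
                CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7"
            fi

            DATA="${DATA}7
${NSS_AIA_HTTP}/${CERT_PUBLIC}
"

            if [ -n "${NSS_AIA_PATH}" ]; then
                if cp ${CERT_LOCAL} ${NSS_AIA_PATH}/${CERT_PUBLIC} 2> /dev/null; then
                    chmod a+r ${NSS_AIA_PATH}/${CERT_PUBLIC}
                else
                    echo "${SCRIPTNAME}: Warning - could not publish ${CERT_LOCAL} as ${CERT_PUBLIC}; AIA fetches of that URL will fail"
                fi
                echo ${NSS_AIA_PATH}/${CERT_PUBLIC} >> ${AIA_FILES}
            fi
        done

        DATA="${DATA}0
n
n"
    fi
}

############################# process_ocsp #############################
# local shell function to add an OCSP responder URL to the AIA
# extension
#
# OCSP: "offline" selects NSS_OCSP_UNUSED (a port nobody listens on, to
# exercise an unreachable responder); any other non-empty value selects
# the real responder at NSS_AIA_OCSP.
########################################################################
process_ocsp()
{
    if [ -n "${OCSP}" ]; then
        OPTIONS="${OPTIONS} --extAIA"

        if [ "${OCSP}" = "offline" ]; then
            MY_OCSP_URL=${NSS_OCSP_UNUSED}
        else
            MY_OCSP_URL=${NSS_AIA_OCSP}
        fi

        DATA="${DATA}2
7
${MY_OCSP_URL}
0
n
n
"
    fi
}

############################ process_crldp #############################
# local shell function to add CRL distribution points to a request
#
# CRLDP: whitespace-separated issuer names; each becomes a URL under
# NSS_AIA_HTTP for the CRL that copy_crl publishes with the same
# naming scheme (host, shell PID, SCEN_CNT). Appends to EXT_DATA (the
# request-side answer list used by create_cert_req), not to DATA.
########################################################################
process_crldp()
{
    if [ -n "${CRLDP}" ]; then
        OPTIONS="${OPTIONS} -4"

        EXT_DATA="${EXT_DATA}1
"

        for ITEM in ${CRLDP}; do
            CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"

            EXT_DATA="${EXT_DATA}7
${NSS_AIA_HTTP}/${CRL_PUBLIC}
"
        done

        EXT_DATA="${EXT_DATA}-1
-1
-1
n
n
"
    fi
}

########################### process_ku_ns_eku ##########################
# local shell function to add key usage, Netscape cert type and
# extended key usage
#
# EXT_KU  - value for --keyUsage (no prompt answers needed)
# EXT_NS  - "type:code"; type goes to --nsCertType, code is the prompt
#           answer (followed by "-1 / n")
# EXT_EKU - value for --extKeyUsage
########################################################################
process_ku_ns_eku()
{
    if [ -n "${EXT_KU}" ]; then
        OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}"
    fi
    if [ -n "${EXT_NS}" ]; then
        EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1)
        EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2)

        OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}"
        DATA="${DATA}${EXT_NS_CODE}
-1
n
"
    fi
    if [ -n "${EXT_EKU}" ]; then
        OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}"
    fi
}

############################### copy_crl ###############################
# local shell function to publish ${COPYCRL}.crl under NSS_AIA_PATH
#
# Uses the same public name process_crldp embedded in the certificates,
# so the CRL DP URL resolves to this file. No-op without NSS_AIA_PATH.
# CRLs are signed public data, hence a+r. A failed copy is reported
# rather than hidden so that a CRL-fetch test failing later can be
# traced back to it.
########################################################################
copy_crl()
{
    if [ -z "${NSS_AIA_PATH}" ]; then
        return;
    fi

    CRL_LOCAL="${COPYCRL}.crl"
    CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"

    if cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null; then
        chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
    else
        echo "${SCRIPTNAME}: Warning - could not publish ${CRL_LOCAL} as ${CRL_PUBLIC}; CRL fetches of that URL will fail"
    fi
    echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES}
}

########################## process_extensions ##########################
# local shell function to process entity extension parameters and
# generate input for certutil
#
# Resets OPTIONS and DATA and runs the per-extension builders in the
# order certutil will prompt for them. process_crldp is not part of
# this set; it is applied to the request by create_cert_req.
########################################################################
process_extensions()
{
    OPTIONS=
    DATA=

    process_policy
    process_mapping
    process_inhibit
    process_aia
    process_ocsp
    process_ku_ns_eku
}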
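############################## sign_cert ###############################
# local shell function to sign certificate sign request
#
# $1 - entity whose request ${ENTITY}Req.der is signed
# $2 - issuer (nickname in ${ISSUER}DB); nothing happens without one
# $3 - entity type; "Bridge" additionally gets an e-mail SAN
#      ${ENTITY}@${ISSUER} (-7) that is collected in EMAILS for
#      create_pkcs7
#
# The issuer DB password is read from a file (-f). The extensions and
# prompt answers come from process_extensions (OPTIONS / DATA), the
# serial from set_cert_sn. The resulting cert ${ENTITY}${ISSUER}.der is
# imported into the entity's own DB with trust "u,u,u", i.e. as the
# entity's own cert without granting it any trust-anchor status.
########################################################################
sign_cert()
{
    ENTITY=$1
    ISSUER=$2
    TYPE=$3

    [ -z "${ISSUER}" ] && return

    ENTITY_DB=${ENTITY}DB
    ISSUER_DB=${ISSUER}DB
    REQ=${ENTITY}Req.der
    CERT=${ENTITY}${ISSUER}.der

    set_cert_sn

    EMAIL_OPT=
    if [ "${TYPE}" = "Bridge" ]; then
        EMAIL_OPT="-7 ${ENTITY}@${ISSUER}"

        [ -n "${EMAILS}" ] && EMAILS="${EMAILS},"
        EMAILS="${EMAILS}${ENTITY}@${ISSUER}"
    fi

    process_extensions

    echo "${DATA}" > ${CU_DATA}

    TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}"
    print_cu_data
    ${BINDIR}/certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}
    html_msg $? 0 "${SCENARIO}${TESTNAME}"

    TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}"
    ${BINDIR}/certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

############################# create_pkcs7 #############################
# local shell function to package bridge certificates into pkcs7
# package
#
# $1 - entity whose DB holds the certs; the bundle goes to ${ENTITY}.p7
#      and is what process_aia publishes for bare AIA items.
# The recipients are the e-mail SANs collected in EMAILS by sign_cert.
########################################################################
create_pkcs7()
{
    ENTITY=$1
    ENTITY_DB=${ENTITY}DB

    TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7"
    ${BINDIR}/cmsutil -O -r "${EMAILS}" -d ${ENTITY_DB} > ${ENTITY}.p7
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

############################# import_key ###############################
# local shell function to import private key + cert into database
#
# $1 - base name of ../OCSPD/$1.p12
# $2 - target DB
#
# The PKCS#12 password "nssnss" is a fixed test value and is passed on
# the command line (-W), where it is visible in process listings. That
# is acceptable only because these are throw-away fixture keys.
########################################################################
import_key()
{
    KEY_NAME=$1.p12
    DB=$2

    KEY_FILE=../OCSPD/${KEY_NAME}

    TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss"
    ${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

############################# export_key ###############################
# local shell function to export a private key + cert as PKCS#12
#
# $1 - nickname in the DB; written to $1.p12 in the current directory
# $2 - source DB
#
# Same fixed "nssnss" password as import_key (see the caveat there).
########################################################################
export_key()
{
    KEY_NAME=$1.p12
    DB=$2

    TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss"
    ${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

############################# import_cert ##############################
# local shell function to import certificate into database
#
# $1 - "nick:issuer:trust". issuer "x" selects the PEM fixture
#      ${QADIR}/libpkix/certs/nick.cert, "d" selects ../OCSPD/nick.der,
#      anything else the generated nickissuer.der.
# $2 - target DB
#
# The trust string from the scenario is applied verbatim with -t; this
# is the point where scenarios plant trust anchors, so a typo here
# changes what a verification is allowed to trust.
########################################################################
import_cert()
{
    IMPORT=$1
    DB=$2

    CERT_NICK=`echo ${IMPORT} | cut -d: -f1`
    CERT_ISSUER=`echo ${IMPORT} | cut -d: -f2`
    CERT_TRUST=`echo ${IMPORT} | cut -d: -f3`

    if [ "${CERT_ISSUER}" = "x" ]; then
        CERT_ISSUER=
        CERT=${CERT_NICK}.cert
        CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
    elif [ "${CERT_ISSUER}" = "d" ]; then
        CERT_ISSUER=
        CERT=${CERT_NICK}.der
        CERT_FILE="../OCSPD/${CERT}"
    else
        CERT=${CERT_NICK}${CERT_ISSUER}.der
        CERT_FILE=${CERT}
    fi

    # PEM input needs -a. grep prints nothing for a missing file, so
    # default to 0 rather than tripping "integer expression expected";
    # certutil then fails on the missing file and html_msg records it.
    IS_ASCII=`grep -c -- "-----BEGIN CERTIFICATE-----" ${CERT_FILE}`

    ASCII_OPT=
    if [ "${IS_ASCII:-0}" -gt 0 ]; then
        ASCII_OPT="-a"
    fi

    TESTNAME="Importing certificate ${CERT} to ${DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}"
    ${BINDIR}/certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t "${CERT_TRUST}" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

############################## import_crl ##############################
# local shell function to import a CRL into a database
#
# $1 - "issuer[:...]"; the file is ${issuer}.crl in the current dir
# $2 - target DB
#
# NOTE: a missing CRL file makes this a silent no-op (no html_* record),
# so a scenario that names a CRL which was never generated will run its
# revocation checks without that CRL and only fail, if at all, later.
########################################################################
import_crl()
{
    IMPORT=$1
    DB=$2

    CRL_NICK=`echo ${IMPORT} | cut -d: -f1`
    CRL_FILE=${CRL_NICK}.crl

    if [ ! -f "${CRL_FILE}" ]; then
        return
    fi

    TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}"
    ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

############################## create_crl ##############################
# local shell function to generate an (empty) CRL for an issuer
#
# $1 - issuer nickname; uses ${ISSUER}DB, writes ${ISSUER}.crl
#
# Globals written: DATE, DATE_LAST (so revoke_cert can guarantee a
# strictly later thisUpdate), CRL (file name)
#
# thisUpdate is "now" in UTC and nextUpdate one year later, both in
# the YYYYMMDDHHMMSSZ form crlutil reads from ${CRL_DATA}.
########################################################################
create_crl()
{
    ISSUER=$1
    ISSUER_DB=${ISSUER}DB

    CRL=${ISSUER}.crl

    DATE=$(date -u '+%Y%m%d%H%M%SZ')
    DATE_LAST="${DATE}"

    # Derive nextUpdate from the same timestamp instead of calling date
    # again (a second call could straddle a year boundary). "Feb 29 +
    # 1 year" does not exist; clamp it to Feb 28 so crlutil is never
    # handed an invalid date on a leap day.
    THIS_YEAR=$(echo "${DATE}" | cut -b 1-4)
    MONTH_DAY_TIME=$(echo "${DATE}" | cut -b 5-)
    case "${MONTH_DAY_TIME}" in
        0229*)
            MONTH_DAY_TIME="0228$(echo "${MONTH_DAY_TIME}" | cut -b 5-)"
            ;;
    esac
    UPDATE=$(expr ${THIS_YEAR} + 1)${MONTH_DAY_TIME}

    echo "update=${DATE}" > ${CRL_DATA}
    echo "nextupdate=${UPDATE}" >> ${CRL_DATA}

    TESTNAME="Create CRL for ${ISSUER_DB}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
    echo "=== Crlutil input data ==="
    cat ${CRL_DATA}
    echo "==="
    ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

############################# revoke_cert ##############################
# local shell function to add a certificate to an issuer's CRL
#
# $1 - issuer nickname; modifies ${ISSUER}.crl in ${ISSUER}DB
#
# The serial to revoke comes from set_cert_sn, i.e. the scenario must
# set SERIAL to the serial the target certificate was issued with
# (otherwise the next counter value - a certificate that does not
# exist - is revoked). The loop below waits for the clock to tick so
# the new thisUpdate is strictly later than the previous one
# (DATE_LAST); a CRL whose thisUpdate did not advance may be ignored as
# stale by the verifier.
########################################################################
revoke_cert()
{
    ISSUER=$1
    ISSUER_DB=${ISSUER}DB

    CRL=${ISSUER}.crl

    set_cert_sn

    DATE=$(date -u '+%Y%m%d%H%M%SZ')
    while [ "${DATE}" = "${DATE_LAST}" ]; do
        sleep 1
        DATE=$(date -u '+%Y%m%d%H%M%SZ')
    done
    DATE_LAST="${DATE}"

    echo "update=${DATE}" > ${CRL_DATA}
    echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA}

    TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
    echo "=== Crlutil input data ==="
    cat ${CRL_DATA}
    echo "==="
    ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
    html_msg $? 0 "${SCENARIO}${TESTNAME}"
}

########################################################################
# List of global variables related to certificate verification:
#
# Generated by parse_config:
#   DB           - DB used for testing
#   FETCH        - fetch flag (used with AIA extension)
#   POLICY       - list of policies
#   TRUST        - trust anchor
#   TRUST_AND_DB - Examine both trust anchors and the cert db for trust
#   VERIFY       - list of certificates to use as vfychain parameters
#   EXP_RESULT   - expected result
#   REV_OPTS     - revocation options
########################################################################

############################# verify_cert ##############################
# local shell function to verify certificate validity
#
# $1 - engine flag(s) for vfychain (e.g. the libpkix switch)
#
# Builds the vfychain command line from the globals above, runs it and
# records the outcome:
#   - output containing the network errors -5990 (I/O timeout) or
#     -8030 (bad HTTP response) is recorded as "unknown", not as a
#     failure, so that flaky AIA/OCSP fetching does not fail the run
#   - EXP_RESULT "pass" requires exit status 0, "fail" any non-zero
#     status
# NOTE: "any non-zero" means an expected-"fail" test also passes when
# vfychain fails for the wrong reason (missing cert file, bad option).
# When such a test is suspicious, read the echoed vfychain output.
# Trust anchors given as "nick:issuer" resolve to nickissuer.der; a bare
# item is passed to -t as is.
########################################################################
verify_cert()
{
    ENGINE=$1

    DB_OPT=
    FETCH_OPT=
    POLICY_OPT=
    TRUST_OPT=
    VFY_CERTS=
    VFY_LIST=
    TRUST_AND_DB_OPT=

    if [ -n "${DB}" ]; then
        DB_OPT="-d ${DB}"
    fi

    if [ -n "${FETCH}" ]; then
        FETCH_OPT="-f"
        if [ -z "${NSS_AIA_HTTP}" ]; then
            echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined"
            return
        fi
    fi

    if [ -n "${TRUST_AND_DB}" ]; then
        TRUST_AND_DB_OPT="-T"
    fi

    for ITEM in ${POLICY}; do
        POLICY_OPT="${POLICY_OPT} -o ${ITEM}"
    done

    for ITEM in ${TRUST}; do
        echo ${ITEM} | grep ":" > /dev/null
        if [ $? -eq 0 ]; then
            CERT_NICK=`echo ${ITEM} | cut -d: -f1`
            CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
            CERT=${CERT_NICK}${CERT_ISSUER}.der

            TRUST_OPT="${TRUST_OPT} -t ${CERT}"
        else
            TRUST_OPT="${TRUST_OPT} -t ${ITEM}"
        fi
    done

    # VFY_CERTS are the paths handed to vfychain, VFY_LIST the short
    # names used in the test title (the "d" case keeps the ".cert"
    # suffix in the title even though the file is .der).
    for ITEM in ${VERIFY}; do
        CERT_NICK=`echo ${ITEM} | cut -d: -f1`
        CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`

        if [ "${CERT_ISSUER}" = "x" ]; then
            CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert"
            VFY_CERTS="${VFY_CERTS} ${CERT}"
            VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
        elif [ "${CERT_ISSUER}" = "d" ]; then
            CERT="../OCSPD/${CERT_NICK}.der"
            VFY_CERTS="${VFY_CERTS} ${CERT}"
            VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
        else
            CERT=${CERT_NICK}${CERT_ISSUER}.der
            VFY_CERTS="${VFY_CERTS} ${CERT}"
            VFY_LIST="${VFY_LIST} ${CERT}"
        fi
    done

    VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
    VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"

    TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
    echo "${SCRIPTNAME}: ${TESTNAME}"
    echo "vfychain ${VFY_OPTS_ALL}"

    if [ -z "${MEMLEAK_DBG}" ]; then
        VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
        RESULT=$?
        echo "${VFY_OUT}"
    else
        VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE})
        RESULT=$?
        echo "${VFY_OUT}"
    fi

    echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null
    E5990=$?
    echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null
    E8030=$?

    if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then
        echo "Result of this test is not valid due to network time out."
        html_unknown "${SCENARIO}${TESTNAME}"
        return
    fi

    echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}"

    if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then
        html_passed "${SCENARIO}${TESTNAME}"
    elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then
        html_passed "${SCENARIO}${TESTNAME}"
    else
        html_failed "${SCENARIO}${TESTNAME}"
    fi
}

############################## check_ocsp ##############################
# local shell function to check that the OCSP responder named in a
# certificate's AIA extension is reachable
#
# $1 - "nick:issuer" selecting the cert file as in import_cert
#
# Host and port are scraped from the "URI:" line of pp's output with
# sed; this assumes a single URI of the form scheme://host:port.
# NOTE(review): tstclnt is invoked here without ${BINDIR}/, unlike
# every other tool in this file - it relies on PATH. Confirm this is
# intended before tightening it.
########################################################################
check_ocsp()
{
    OCSP_CERT=$1

    CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
    CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`

    if [ "${CERT_ISSUER}" = "x" ]; then
        CERT_ISSUER=
        CERT=${CERT_NICK}.cert
        CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
    elif [ "${CERT_ISSUER}" = "d" ]; then
        CERT_ISSUER=
        CERT=${CERT_NICK}.der
        CERT_FILE="../OCSPD/${CERT}"
    else
        CERT=${CERT_NICK}${CERT_ISSUER}.der
        CERT_FILE=${CERT}
    fi

    # sample line:
    #   URI: "http://ocsp.server:2601"
    OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
    OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")

    echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
    tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
    return $?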
michael@0: } michael@0: michael@0: ############################ parse_result ############################## michael@0: # local shell function to process expected result value michael@0: # this function was created for case that expected result depends on michael@0: # some conditions - in our case type of cert DB michael@0: # michael@0: # default results are pass and fail michael@0: # this function added parsable values in format: michael@0: # type1:value1 type2:value2 .... typex:valuex michael@0: # michael@0: # allowed types are dbm, sql, all (all means all other cases) michael@0: # allowed values are pass and fail michael@0: # michael@0: # if this format is not used, EXP_RESULT will stay unchanged (this also michael@0: # covers pass and fail states) michael@0: ######################################################################## michael@0: parse_result() michael@0: { michael@0: for RES in ${EXP_RESULT} michael@0: do michael@0: RESTYPE=$(echo ${RES} | cut -d: -f1) michael@0: RESSTAT=$(echo ${RES} | cut -d: -f2) michael@0: michael@0: if [ "${RESTYPE}" = "${NSS_DEFAULT_DB_TYPE}" -o "${RESTYPE}" = "all" ]; then michael@0: EXP_RESULT=${RESSTAT} michael@0: break michael@0: fi michael@0: done michael@0: } michael@0: michael@0: ############################ parse_config ############################## michael@0: # local shell function to parse and process file containing certificate michael@0: # chain configuration and list of tests michael@0: ######################################################################## michael@0: parse_config() michael@0: { michael@0: SCENARIO= michael@0: LOGNAME= michael@0: michael@0: while read KEY VALUE michael@0: do michael@0: case "${KEY}" in michael@0: "entity") michael@0: ENTITY="${VALUE}" michael@0: TYPE= michael@0: ISSUER= michael@0: CTYPE= michael@0: POLICY= michael@0: MAPPING= michael@0: INHIBIT= michael@0: AIA= michael@0: CRLDP= michael@0: OCSP= michael@0: DB= michael@0: EMAILS= michael@0: EXT_KU= michael@0: EXT_NS= michael@0: 
EXT_EKU= michael@0: SERIAL= michael@0: EXPORT_KEY= michael@0: ;; michael@0: "type") michael@0: TYPE="${VALUE}" michael@0: ;; michael@0: "issuer") michael@0: if [ -n "${ISSUER}" ]; then michael@0: if [ -z "${DB}" ]; then michael@0: create_entity "${ENTITY}" "${TYPE}" michael@0: fi michael@0: sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" michael@0: fi michael@0: michael@0: ISSUER="${VALUE}" michael@0: POLICY= michael@0: MAPPING= michael@0: INHIBIT= michael@0: AIA= michael@0: EXT_KU= michael@0: EXT_NS= michael@0: EXT_EKU= michael@0: ;; michael@0: "ctype") michael@0: CTYPE="${VALUE}" michael@0: ;; michael@0: "policy") michael@0: POLICY="${POLICY} ${VALUE}" michael@0: ;; michael@0: "mapping") michael@0: MAPPING="${MAPPING} ${VALUE}" michael@0: ;; michael@0: "inhibit") michael@0: INHIBIT="${VALUE}" michael@0: ;; michael@0: "aia") michael@0: AIA="${AIA} ${VALUE}" michael@0: ;; michael@0: "crldp") michael@0: CRLDP="${CRLDP} ${VALUE}" michael@0: ;; michael@0: "ocsp") michael@0: OCSP="${VALUE}" michael@0: ;; michael@0: "db") michael@0: DB="${VALUE}DB" michael@0: create_db "${DB}" michael@0: ;; michael@0: "import") michael@0: IMPORT="${VALUE}" michael@0: import_cert "${IMPORT}" "${DB}" michael@0: import_crl "${IMPORT}" "${DB}" michael@0: ;; michael@0: "import_key") michael@0: IMPORT="${VALUE}" michael@0: import_key "${IMPORT}" "${DB}" michael@0: ;; michael@0: "crl") michael@0: ISSUER="${VALUE}" michael@0: create_crl "${ISSUER}" michael@0: ;; michael@0: "revoke") michael@0: REVOKE="${VALUE}" michael@0: ;; michael@0: "serial") michael@0: SERIAL="${VALUE}" michael@0: ;; michael@0: "export_key") michael@0: EXPORT_KEY=1 michael@0: ;; michael@0: "copycrl") michael@0: COPYCRL="${VALUE}" michael@0: copy_crl "${COPYCRL}" michael@0: ;; michael@0: "verify") michael@0: VERIFY="${VALUE}" michael@0: TRUST= michael@0: TRUST_AND_DB= michael@0: POLICY= michael@0: FETCH= michael@0: EXP_RESULT= michael@0: REV_OPTS= michael@0: USAGE_OPT= michael@0: ;; michael@0: "cert") michael@0: 
VERIFY="${VERIFY} ${VALUE}" michael@0: ;; michael@0: "testdb") michael@0: if [ -n "${VALUE}" ]; then michael@0: DB="${VALUE}DB" michael@0: else michael@0: DB= michael@0: fi michael@0: ;; michael@0: "trust") michael@0: TRUST="${TRUST} ${VALUE}" michael@0: ;; michael@0: "trust_and_db") michael@0: TRUST_AND_DB=1 michael@0: ;; michael@0: "fetch") michael@0: FETCH=1 michael@0: ;; michael@0: "result") michael@0: EXP_RESULT="${VALUE}" michael@0: parse_result michael@0: ;; michael@0: "rev_type") michael@0: REV_OPTS="${REV_OPTS} -g ${VALUE}" michael@0: ;; michael@0: "rev_flags") michael@0: REV_OPTS="${REV_OPTS} -h ${VALUE}" michael@0: ;; michael@0: "rev_mtype") michael@0: REV_OPTS="${REV_OPTS} -m ${VALUE}" michael@0: ;; michael@0: "rev_mflags") michael@0: REV_OPTS="${REV_OPTS} -s ${VALUE}" michael@0: ;; michael@0: "scenario") michael@0: SCENARIO="${VALUE}: " michael@0: michael@0: CHAINS_DIR="${HOSTDIR}/chains/${VALUE}" michael@0: mkdir -p ${CHAINS_DIR} michael@0: cd ${CHAINS_DIR} michael@0: michael@0: if [ -n "${MEMLEAK_DBG}" ]; then michael@0: LOGNAME="libpkix-${VALUE}" michael@0: LOGFILE="${LOGDIR}/${LOGNAME}" michael@0: fi michael@0: michael@0: SCEN_CNT=$(expr ${SCEN_CNT} + 1) michael@0: ;; michael@0: "sleep") michael@0: sleep ${VALUE} michael@0: ;; michael@0: "break") michael@0: break michael@0: ;; michael@0: "check_ocsp") michael@0: TESTNAME="Test that OCSP server is reachable" michael@0: check_ocsp ${VALUE} michael@0: if [ $? 
-ne 0 ]; then michael@0: html_failed "$TESTNAME" michael@0: break; michael@0: else michael@0: html_passed "$TESTNAME" michael@0: fi michael@0: ;; michael@0: "ku") michael@0: EXT_KU="${VALUE}" michael@0: ;; michael@0: "ns") michael@0: EXT_NS="${VALUE}" michael@0: ;; michael@0: "eku") michael@0: EXT_EKU="${VALUE}" michael@0: ;; michael@0: "usage") michael@0: USAGE_OPT="-u ${VALUE}" michael@0: ;; michael@0: "") michael@0: if [ -n "${ENTITY}" ]; then michael@0: if [ -z "${DB}" ]; then michael@0: create_entity "${ENTITY}" "${TYPE}" michael@0: fi michael@0: sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" michael@0: if [ "${TYPE}" = "Bridge" ]; then michael@0: create_pkcs7 "${ENTITY}" michael@0: fi michael@0: if [ -n "${EXPORT_KEY}" ]; then michael@0: export_key "${ENTITY}" "${DB}" michael@0: fi michael@0: ENTITY= michael@0: fi michael@0: michael@0: if [ -n "${VERIFY}" ]; then michael@0: verify_cert "-pp" michael@0: if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ]; then michael@0: verify_cert "" michael@0: verify_cert "-p" michael@0: fi michael@0: VERIFY= michael@0: fi michael@0: michael@0: if [ -n "${REVOKE}" ]; then michael@0: revoke_cert "${REVOKE}" "${DB}" michael@0: REVOKE= michael@0: fi michael@0: ;; michael@0: *) michael@0: if [ `echo ${KEY} | cut -b 1` != "#" ]; then michael@0: echo "Configuration error: Unknown keyword ${KEY}" michael@0: exit 1 michael@0: fi michael@0: ;; michael@0: esac michael@0: done michael@0: michael@0: if [ -n "${MEMLEAK_DBG}" ]; then michael@0: log_parse michael@0: html_msg $? 
0 "${SCENARIO}Memory leak checking" michael@0: fi michael@0: } michael@0: michael@0: process_scenario() michael@0: { michael@0: SCENARIO_FILE=$1 michael@0: michael@0: > ${AIA_FILES} michael@0: michael@0: parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}" michael@0: michael@0: while read AIA_FILE michael@0: do michael@0: rm ${AIA_FILE} 2> /dev/null michael@0: done < ${AIA_FILES} michael@0: rm ${AIA_FILES} michael@0: } michael@0: michael@0: # process ocspd.cfg separately michael@0: chains_ocspd() michael@0: { michael@0: process_scenario "ocspd.cfg" michael@0: } michael@0: michael@0: # process ocsp.cfg separately michael@0: chains_method() michael@0: { michael@0: process_scenario "method.cfg" michael@0: } michael@0: michael@0: ############################# chains_main ############################## michael@0: # local shell function to process all testing scenarios michael@0: ######################################################################## michael@0: chains_main() michael@0: { michael@0: while read LINE michael@0: do michael@0: [ `echo ${LINE} | cut -b 1` != "#" ] || continue michael@0: michael@0: [ ${LINE} != 'ocspd.cfg' ] || continue michael@0: [ ${LINE} != 'method.cfg' ] || continue michael@0: michael@0: process_scenario ${LINE} michael@0: done < "${CHAINS_SCENARIOS}" michael@0: } michael@0: michael@0: ################################ main ################################## michael@0: michael@0: chains_init michael@0: VERIFY_CLASSIC_ENGINE_TOO= michael@0: chains_ocspd michael@0: VERIFY_CLASSIC_ENGINE_TOO=1 michael@0: chains_run_httpserv get michael@0: chains_method michael@0: chains_stop_httpserv michael@0: chains_run_httpserv post michael@0: chains_method michael@0: chains_stop_httpserv michael@0: VERIFY_CLASSIC_ENGINE_TOO= michael@0: chains_run_httpserv random michael@0: chains_main michael@0: chains_stop_httpserv michael@0: chains_run_httpserv get-unknown michael@0: chains_main michael@0: chains_stop_httpserv michael@0: chains_cleanup