michael@0: #!/bin/bash michael@0: michael@0: # This Source Code Form is subject to the terms of the Mozilla Public michael@0: # License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: # file, You can obtain one at http://mozilla.org/MPL/2.0/. michael@0: michael@0: ###################################################################################### michael@0: # Server and client certs and crl generator functions. Generated files placed in a michael@0: # directory to be accessible through http:///iopr/TestCA.crt directory. michael@0: # This functions is used for manual webserver configuration and it is not a part of michael@0: # nss test run. michael@0: # To create certs use the following command: michael@0: # sh cert_iopr.sh cert_gen [cert req] michael@0: # Where: michael@0: # dir - directory where to place created files michael@0: # cert name - name of created server cert(FQDN) michael@0: # cert req - cert request to be used for cert generation. michael@0: # michael@0: repAndExec() { michael@0: echo michael@0: if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then michael@0: shift michael@0: echo certutil -s "$CU_SUBJECT" $@ michael@0: certutil -s "$CU_SUBJECT" $@ michael@0: RET=$? michael@0: else michael@0: echo $@ michael@0: $@ michael@0: RET=$? michael@0: fi michael@0: michael@0: return $RET michael@0: } michael@0: michael@0: setExtData() { michael@0: extData=$1 michael@0: michael@0: fldNum=0 michael@0: extData=`echo $extData | sed 's/,/ /g'` michael@0: for extDT in $extData; do michael@0: if [ $fldNum -eq 0 ]; then michael@0: eval extType=$extDT michael@0: fldNum=1 michael@0: continue michael@0: fi michael@0: eval data${fldNum}=$extDT michael@0: fldNum=`expr $fldNum + 1` michael@0: done michael@0: } michael@0: michael@0: signCert() { michael@0: dir=$1 michael@0: crtDir=$2 michael@0: crtName=$3 michael@0: crtSN=$4 michael@0: req=$5 michael@0: cuAddParam=$6 michael@0: extList=$7 michael@0: michael@0: if [ -z "$certSigner" ]; then michael@0: certSigner=TestCA michael@0: fi michael@0: michael@0: extCmdLine="" michael@0: extCmdFile=$dir/extInFile; rm -f $extCmdFile michael@0: touch $extCmdFile michael@0: extList=`echo $extList | sed 's/;/ /g'` michael@0: for ext in $extList; do michael@0: setExtData $ext michael@0: [ -z "$extType" ] && echo "incorrect extention format" && return 1 michael@0: case $extType in michael@0: ocspDR) michael@0: extCmdLine="$extCmdLine -6" michael@0: cat <> $extCmdFile michael@0: 5 michael@0: 9 michael@0: y michael@0: EOF michael@0: break michael@0: exit 1 michael@0: ;; michael@0: AIA) michael@0: extCmdLine="$extCmdLine -9" michael@0: cat <> $extCmdFile michael@0: 2 michael@0: 7 michael@0: $data1 michael@0: 0 michael@0: n michael@0: n michael@0: EOF michael@0: break michael@0: ;; michael@0: *) michael@0: echo "Unsupported extension type: $extType" michael@0: break michael@0: ;; michael@0: esac michael@0: done michael@0: echo "cmdLine: $extCmdLine" michael@0: echo "cmdFile: "`cat $extCmdFile` michael@0: repAndExec \ michael@0: certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \ michael@0: -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1 michael@0: return $RET michael@0: } michael@0: michael@0: createSignedCert() { michael@0: dir=$1 michael@0: certDir=$2 michael@0: certName=$3 michael@0: certSN=$4 michael@0: certSubj=$5 michael@0: keyType=$6 michael@0: extList=$7 michael@0: michael@0: echo Creating cert $certName-$keyType with SN=$certSN michael@0: michael@0: CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" michael@0: repAndExec \ michael@0: certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \ michael@0: -k $keyType -o $dir/req 2>&1 michael@0: [ "$RET" -ne 0 ] && return $RET michael@0: michael@0: signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: rm -f $dir/req michael@0: michael@0: repAndExec \ michael@0: certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \ michael@0: -i "$dir/${certName}-$keyType.crt" 2>&1 michael@0: [ "$RET" -ne 0 ] && return $RET michael@0: michael@0: cp "$dir/${certName}-$keyType.crt" $certDir michael@0: michael@0: repAndExec \ michael@0: pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \ michael@0: -k ${PW_FILE} -W iopr michael@0: [ "$RET" -ne 0 ] && return $RET michael@0: return 0 michael@0: } michael@0: michael@0: generateAndExportSSLCerts() { michael@0: dir=$1 michael@0: certDir=$2 michael@0: serverName=$3 michael@0: servCertReq=$4 michael@0: michael@0: if [ "$servCertReq" -a -f $servCertReq ]; then michael@0: grep REQUEST $servCertReq >/dev/null 2>&1 michael@0: signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a` michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: fi michael@0: michael@0: certName=$serverName michael@0: createSignedCert $dir $certDir $certName 500 "$certSubj" rsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: createSignedCert $dir $certDir $certName 501 "$certSubj" dsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=TestUser510 michael@0: createSignedCert $dir $certDir $certName 510 "$certSubj" rsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=TestUser511 michael@0: createSignedCert $dir $certDir $certName 511 "$certSubj" dsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=TestUser512 michael@0: createSignedCert $dir $certDir $certName 512 "$certSubj" rsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=TestUser513 michael@0: createSignedCert $dir $certDir $certName 513 "$certSubj" dsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: } michael@0: michael@0: generateAndExportOCSPCerts() { michael@0: dir=$1 michael@0: certDir=$2 michael@0: michael@0: certName=ocspTrustedResponder michael@0: createSignedCert $dir $certDir $certName 525 "$certSubj" rsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=ocspDesignatedResponder michael@0: createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=ocspTRTestUser514 michael@0: createSignedCert $dir $certDir $certName 514 "$certSubj" rsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=ocspTRTestUser516 michael@0: createSignedCert $dir $certDir $certName 516 "$certSubj" rsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=ocspRCATestUser518 michael@0: createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \ michael@0: AIA,http://dochinups.red.iplanet.com:2561 michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=ocspRCATestUser520 michael@0: createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \ michael@0: AIA,http://dochinups.red.iplanet.com:2561 michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=ocspDRTestUser522 michael@0: createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \ michael@0: AIA,http://dochinups.red.iplanet.com:2562 michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=ocspDRTestUser524 michael@0: createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \ michael@0: AIA,http://dochinups.red.iplanet.com:2562 michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: generateAndExportCACert $dir "" TestCA-unknown michael@0: [ $? -ne 0 ] && return $ret michael@0: michael@0: certSigner=TestCA-unknown michael@0: michael@0: certName=ocspTRUnkownIssuerCert michael@0: createSignedCert $dir $certDir $certName 531 "$certSubj" rsa michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=ocspRCAUnkownIssuerCert michael@0: createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \ michael@0: AIA,http://dochinups.red.iplanet.com:2561 michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certName=ocspDRUnkownIssuerCert michael@0: createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \ michael@0: AIA,http://dochinups.red.iplanet.com:2562 michael@0: ret=$? michael@0: [ "$ret" -ne 0 ] && return $ret michael@0: michael@0: certSigner="" michael@0: michael@0: return 0 michael@0: } michael@0: michael@0: generateAndExportCACert() { michael@0: dir=$1 michael@0: certDirL=$2 michael@0: caName=$3 michael@0: michael@0: certName=TestCA michael@0: [ "$caName" ] && certName=$caName michael@0: CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" michael@0: repAndExec \ michael@0: certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \ michael@0: -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 < $PW_FILE michael@0: date >> ${NOISE_FILE} 2>&1 michael@0: michael@0: repAndExec \ michael@0: certutil -d $dir -N -f $PW_FILE michael@0: [ "$RET" -ne 0 ] && return $RET michael@0: michael@0: generateAndExportCACert $dir $certDir michael@0: [ "$RET" -ne 0 ] && return $RET michael@0: else michael@0: dir=$reuseCACert michael@0: PW_FILE=$dir/nss.pwd michael@0: NOISE_FILE=$dir/nss.noise michael@0: hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu` michael@0: [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \ michael@0: return $RET; michael@0: fi michael@0: michael@0: generateAndExportSSLCerts $dir $certDir $serverName $servCertReq michael@0: [ "$RET" -ne 0 ] && return $RET michael@0: michael@0: generateAndExportOCSPCerts $dir $certDir michael@0: [ "$RET" -ne 0 ] && return $RET michael@0: michael@0: crlUpdate=`date +%Y%m%d%H%M%SZ` michael@0: crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'` michael@0: repAndExec \ michael@0: crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl < [reuse CA cert] [cert req]" michael@0: exit 1 michael@0: fi michael@0: generateCerts $1 $2 "$3" $4 michael@0: exit $?