diff -r 000000000000 -r 6474c204b198 security/nss/tests/iopr/server_scr/cert_gen.sh --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/security/nss/tests/iopr/server_scr/cert_gen.sh Wed Dec 31 06:09:35 2014 +0100 @@ -0,0 +1,367 @@ +#!/bin/bash + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +###################################################################################### +# Server and client certs and crl generator functions. Generated files placed in a +# directory to be accessible through http:///iopr/TestCA.crt directory. +# This functions is used for manual webserver configuration and it is not a part of +# nss test run. +# To create certs use the following command: +# sh cert_iopr.sh cert_gen [cert req] +# Where: +# dir - directory where to place created files +# cert name - name of created server cert(FQDN) +# cert req - cert request to be used for cert generation. +# +repAndExec() { + echo + if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then + shift + echo certutil -s "$CU_SUBJECT" $@ + certutil -s "$CU_SUBJECT" $@ + RET=$? + else + echo $@ + $@ + RET=$? + fi + + return $RET +} + +setExtData() { + extData=$1 + + fldNum=0 + extData=`echo $extData | sed 's/,/ /g'` + for extDT in $extData; do + if [ $fldNum -eq 0 ]; then + eval extType=$extDT + fldNum=1 + continue + fi + eval data${fldNum}=$extDT + fldNum=`expr $fldNum + 1` + done +} + +signCert() { + dir=$1 + crtDir=$2 + crtName=$3 + crtSN=$4 + req=$5 + cuAddParam=$6 + extList=$7 + + if [ -z "$certSigner" ]; then + certSigner=TestCA + fi + + extCmdLine="" + extCmdFile=$dir/extInFile; rm -f $extCmdFile + touch $extCmdFile + extList=`echo $extList | sed 's/;/ /g'` + for ext in $extList; do + setExtData $ext + [ -z "$extType" ] && echo "incorrect extention format" && return 1 + case $extType in + ocspDR) + extCmdLine="$extCmdLine -6" + cat <> $extCmdFile +5 +9 +y +EOF + break + exit 1 + ;; + AIA) + extCmdLine="$extCmdLine -9" + cat <> $extCmdFile +2 +7 +$data1 +0 +n +n +EOF + break + ;; + *) + echo "Unsupported extension type: $extType" + break + ;; + esac + done + echo "cmdLine: $extCmdLine" + echo "cmdFile: "`cat $extCmdFile` + repAndExec \ + certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \ + -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1 + return $RET +} + +createSignedCert() { + dir=$1 + certDir=$2 + certName=$3 + certSN=$4 + certSubj=$5 + keyType=$6 + extList=$7 + + echo Creating cert $certName-$keyType with SN=$certSN + + CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + repAndExec \ + certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \ + -k $keyType -o $dir/req 2>&1 + [ "$RET" -ne 0 ] && return $RET + + signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList + ret=$? + [ "$ret" -ne 0 ] && return $ret + + rm -f $dir/req + + repAndExec \ + certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \ + -i "$dir/${certName}-$keyType.crt" 2>&1 + [ "$RET" -ne 0 ] && return $RET + + cp "$dir/${certName}-$keyType.crt" $certDir + + repAndExec \ + pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \ + -k ${PW_FILE} -W iopr + [ "$RET" -ne 0 ] && return $RET + return 0 +} + +generateAndExportSSLCerts() { + dir=$1 + certDir=$2 + serverName=$3 + servCertReq=$4 + + if [ "$servCertReq" -a -f $servCertReq ]; then + grep REQUEST $servCertReq >/dev/null 2>&1 + signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a` + ret=$? + [ "$ret" -ne 0 ] && return $ret + fi + + certName=$serverName + createSignedCert $dir $certDir $certName 500 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + createSignedCert $dir $certDir $certName 501 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser510 + createSignedCert $dir $certDir $certName 510 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser511 + createSignedCert $dir $certDir $certName 511 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser512 + createSignedCert $dir $certDir $certName 512 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser513 + createSignedCert $dir $certDir $certName 513 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret +} + +generateAndExportOCSPCerts() { + dir=$1 + certDir=$2 + + certName=ocspTrustedResponder + createSignedCert $dir $certDir $certName 525 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDesignatedResponder + createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspTRTestUser514 + createSignedCert $dir $certDir $certName 514 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspTRTestUser516 + createSignedCert $dir $certDir $certName 516 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCATestUser518 + createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCATestUser520 + createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRTestUser522 + createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRTestUser524 + createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + generateAndExportCACert $dir "" TestCA-unknown + [ $? -ne 0 ] && return $ret + + certSigner=TestCA-unknown + + certName=ocspTRUnkownIssuerCert + createSignedCert $dir $certDir $certName 531 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCAUnkownIssuerCert + createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRUnkownIssuerCert + createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certSigner="" + + return 0 +} + +generateAndExportCACert() { + dir=$1 + certDirL=$2 + caName=$3 + + certName=TestCA + [ "$caName" ] && certName=$caName + CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + repAndExec \ + certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \ + -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 < $PW_FILE + date >> ${NOISE_FILE} 2>&1 + + repAndExec \ + certutil -d $dir -N -f $PW_FILE + [ "$RET" -ne 0 ] && return $RET + + generateAndExportCACert $dir $certDir + [ "$RET" -ne 0 ] && return $RET + else + dir=$reuseCACert + PW_FILE=$dir/nss.pwd + NOISE_FILE=$dir/nss.noise + hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu` + [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \ + return $RET; + fi + + generateAndExportSSLCerts $dir $certDir $serverName $servCertReq + [ "$RET" -ne 0 ] && return $RET + + generateAndExportOCSPCerts $dir $certDir + [ "$RET" -ne 0 ] && return $RET + + crlUpdate=`date +%Y%m%d%H%M%SZ` + crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'` + repAndExec \ + crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl < [reuse CA cert] [cert req]" + exit 1 +fi +generateCerts $1 $2 "$3" $4 +exit $?