search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import from 1.9a8 tarball
[mozilla-nss.git] / security / nss / tests / cert / cert.sh
blob1eabca562de5bb17cf1c55a514d94219b92b439e
1 #! /bin/sh
2 #
3 # ***** BEGIN LICENSE BLOCK *****
4 # Version: MPL 1.1/GPL 2.0/LGPL 2.1
5 #
6 # The contents of this file are subject to the Mozilla Public License Version
7 # 1.1 (the "License"); you may not use this file except in compliance with
8 # the License. You may obtain a copy of the License at
9 # http://www.mozilla.org/MPL/
10 #
11 # Software distributed under the License is distributed on an "AS IS" basis,
12 # WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
13 # for the specific language governing rights and limitations under the
14 # License.
15 #
16 # The Original Code is the Netscape security libraries.
17 #
18 # The Initial Developer of the Original Code is
19 # Netscape Communications Corporation.
20 # Portions created by the Initial Developer are Copyright (C) 1994-2000
21 # the Initial Developer. All Rights Reserved.
22 #
23 # Contributor(s):
24 # Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
25 # Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
26 #
27 # Alternatively, the contents of this file may be used under the terms of
28 # either the GNU General Public License Version 2 or later (the "GPL"), or
29 # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 # in which case the provisions of the GPL or the LGPL are applicable instead
31 # of those above. If you wish to allow use of your version of this file only
32 # under the terms of either the GPL or the LGPL, and not to allow others to
33 # use your version of this file under the terms of the MPL, indicate your
34 # decision by deleting the provisions above and replace them with the notice
35 # and other provisions required by the GPL or the LGPL. If you do not delete
36 # the provisions above, a recipient may use your version of this file under
37 # the terms of any one of the MPL, the GPL or the LGPL.
38 #
39 # ***** END LICENSE BLOCK *****
40
41 ########################################################################
42 #
43 # mozilla/security/nss/tests/cert/rcert.sh
44 #
45 # Certificate generating and handeling for NSS QA, can be included
46 # multiple times from all.sh and the individual scripts
47 #
48 # needs to work on all Unix and Windows platforms
49 #
50 # included from (don't expect this to be up to date)
51 # --------------------------------------------------
52 # all.sh
53 # ssl.sh
54 # smime.sh
55 # tools.sh
56 #
57 # special strings
58 # ---------------
59 # FIXME ... known problems, search for this string
60 # NOTE .... unexpected behavior
61 #
62 # FIXME - Netscape - NSS
63 ########################################################################
64
65 ############################## cert_init ###############################
66 # local shell function to initialize this script
67 ########################################################################
68 cert_init()
69 {
70 SCRIPTNAME="cert.sh"
71 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
72 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
73 fi
74 if [ -z "${INIT_SOURCED}" ] ; then
75 cd ../common
76 . ./init.sh
77 fi
78 if [ -z "${IOPR_CERT_SOURCED}" ]; then
79 . ../iopr/cert_iopr.sh
80 fi
81 SCRIPTNAME="cert.sh"
82 CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
83 if [ -n "$NSS_ENABLE_ECC" ] ; then
84 html_head "Certutil and Crlutil Tests with ECC"
85 else
86 html_head "Certutil and Crlutil Tests"
87 fi
88
89 LIBDIR="${DIST}/${OBJDIR}/lib"
90
91 ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
92 if [ ! "${ROOTCERTSFILE}" ] ; then
93 html_failed "<TR><TD>Looking for root certs module."
94 cert_log "ERROR: Root certs module not found."
95 Exit 5 "Fatal - Root certs module not found."
96 else
97 html_passed "<TR><TD>Looking for root certs module."
98 fi
99
100 ################## Generate noise for our CA cert. ######################
101 # NOTE: these keys are only suitable for testing, as this whole thing
102 # bypasses the entropy gathering. Don't use this method to generate
103 # keys and certs for product use or deployment.
104 #
105 ps -efl > ${NOISE_FILE} 2>&1
106 ps aux >> ${NOISE_FILE} 2>&1
107 noise
108
109 }
110
111 cert_log() ###################### write the cert_status file
112 {
113 echo "$SCRIPTNAME $*"
114 echo $* >>${CERT_LOG_FILE}
115 }
116
117 ################################ noise ##################################
118 # Generate noise for our certs
119 #
120 # NOTE: these keys are only suitable for testing, as this whole thing bypasses
121 # the entropy gathering. Don't use this method to generate keys and certs for
122 # product use or deployment.
123 #########################################################################
124 noise()
125 {
126 #netstat >> ${NOISE_FILE} 2>&1
127 date >> ${NOISE_FILE} 2>&1
128 }
129
130 ################################ certu #################################
131 # local shell function to call certutil, also: writes action and options to
132 # stdout, sets variable RET and writes results to the html file results
133 ########################################################################
134 certu()
135 {
136 echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
137
138 if [ -n "${CU_SUBJECT}" ]; then
139 #the subject of the cert contains blanks, and the shell
140 #will strip the quotes off the string, if called otherwise...
141 echo "certutil -s \"${CU_SUBJECT}\" $*"
142 certutil -s "${CU_SUBJECT}" $*
143 RET=$?
144 CU_SUBJECT=""
145 else
146 echo "certutil $*"
147 certutil $*
148 RET=$?
149 fi
150 if [ "$RET" -ne 0 ]; then
151 CERTFAILED=$RET
152 html_failed "<TR><TD>${CU_ACTION} ($RET) "
153 cert_log "ERROR: ${CU_ACTION} failed $RET"
154 else
155 html_passed "<TR><TD>${CU_ACTION}"
156 fi
157
158 return $RET
159 }
160
161 ################################ crlu #################################
162 # local shell function to call crlutil, also: writes action and options to
163 # stdout, sets variable RET and writes results to the html file results
164 ########################################################################
165 crlu()
166 {
167 echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
168
169 CRLUTIL="crlutil -q"
170 echo "$CRLUTIL $*"
171 $CRLUTIL $*
172 RET=$?
173 if [ "$RET" -ne 0 ]; then
174 CRLFAILED=$RET
175 html_failed "<TR><TD>${CU_ACTION} ($RET) "
176 cert_log "ERROR: ${CU_ACTION} failed $RET"
177 else
178 html_passed "<TR><TD>${CU_ACTION}"
179 fi
180
181 return $RET
182 }
183
184 modu()
185 {
186 echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
187
188 MODUTIL="modutil"
189 echo "$MODUTIL $*"
190 echo | $MODUTIL $*
191 RET=$?
192 if [ "$RET" -ne 0 ]; then
193 MODFAILED=$RET
194 html_failed "<TR><TD>${CU_ACTION} ($RET) "
195 cert_log "ERROR: ${CU_ACTION} failed $RET"
196 else
197 html_passed "<TR><TD>${CU_ACTION}"
198 fi
199
200 return $RET
201 }
202
203 ############################# cert_init_cert ##########################
204 # local shell function to initialize creation of client and server certs
205 ########################################################################
206 cert_init_cert()
207 {
208 CERTDIR="$1"
209 CERTNAME="$2"
210 CERTSERIAL="$3"
211 DOMAIN="$4"
212
213 if [ ! -d "${CERTDIR}" ]; then
214 mkdir -p "${CERTDIR}"
215 else
216 echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
217 fi
218 cd "${CERTDIR}"
219 CERTDIR="."
220
221 PROFILEDIR=`cd ${CERTDIR}; pwd`
222 if [ -n "${MULTIACCESS_DBM}" ]; then
223 PROFILEDIR="multiaccess:${DOMAIN}"
224 fi
225
226 noise
227 }
228
229 ############################# hw_acc #################################
230 # local shell function to add hw accelerator modules to the db
231 ########################################################################
232 hw_acc()
233 {
234 HW_ACC_RET=0
235 HW_ACC_ERR=""
236 if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then
237 echo "creating $CERTNAME s cert with hwaccelerator..."
238 #case $ACCELERATOR in
239 #rainbow)
240
241 echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
242 echo " -dbdir ${PROFILEDIR} 2>&1 "
243 echo | modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
244 -dbdir ${PROFILEDIR} 2>&1
245 if [ "$?" -ne 0 ]; then
246 echo "modutil -add rainbow failed in `pwd`"
247 HW_ACC_RET=1
248 HW_ACC_ERR="modutil -add rainbow"
249 fi
250
251 echo "modutil -add ncipher "
252 echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
253 echo " -dbdir ${PROFILEDIR} 2>&1 "
254 echo | modutil -add ncipher \
255 -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
256 -dbdir ${PROFILEDIR} 2>&1
257 if [ "$?" -ne 0 ]; then
258 echo "modutil -add ncipher failed in `pwd`"
259 HW_ACC_RET=`expr $HW_ACC_RET + 2`
260 HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
261 fi
262 if [ "$HW_ACC_RET" -ne 0 ]; then
263 html_failed "<TR><TD>Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) "
264 else
265 html_passed "<TR><TD>Adding HW accelerators to certDB for ${CERTNAME}"
266 fi
267
268 fi
269 return $HW_ACC_RET
270 }
271
272 ############################# cert_create_cert #########################
273 # local shell function to create client certs
274 # initialize DB, import
275 # root cert
276 # add cert to DB
277 ########################################################################
278 cert_create_cert()
279 {
280 cert_init_cert "$1" "$2" "$3" "$4"
281
282 CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
283 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
284 if [ "$RET" -ne 0 ]; then
285 return $RET
286 fi
287
288 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"
289 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
290 if [ "$RET" -ne 0 ]; then
291 return $RET
292 fi
293
294 hw_acc
295
296 CU_ACTION="Import Root CA for $CERTNAME"
297 certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
298 -i "${R_CADIR}/root.cert" 2>&1
299 if [ "$RET" -ne 0 ]; then
300 return $RET
301 fi
302
303 if [ -n "$NSS_ENABLE_ECC" ] ; then
304 CU_ACTION="Import EC Root CA for $CERTNAME"
305 certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
306 -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1
307 if [ "$RET" -ne 0 ]; then
308 return $RET
309 fi
310 fi
311
312 cert_add_cert "$5"
313 return $?
314 }
315
316 ############################# cert_add_cert ############################
317 # local shell function to add client certs to an existing CERT DB
318 # generate request
319 # sign request
320 # import Cert
321 #
322 ########################################################################
323 cert_add_cert()
324 {
325 CU_ACTION="Generate Cert Request for $CERTNAME"
326 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
327 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
328 if [ "$RET" -ne 0 ]; then
329 return $RET
330 fi
331
332 CU_ACTION="Sign ${CERTNAME}'s Request"
333 certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
334 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
335 if [ "$RET" -ne 0 ]; then
336 return $RET
337 fi
338
339 CU_ACTION="Import $CERTNAME's Cert"
340 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
341 -i "${CERTNAME}.cert" 2>&1
342 if [ "$RET" -ne 0 ]; then
343 return $RET
344 fi
345
346 cert_log "SUCCESS: $CERTNAME's Cert Created"
347
348 #
349 # Generate and add EC cert
350 #
351 if [ -n "$NSS_ENABLE_ECC" ] ; then
352 CURVE="secp384r1"
353 CU_ACTION="Generate EC Cert Request for $CERTNAME"
354 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
355 certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
356 -z "${R_NOISE_FILE}" -o req 2>&1
357 if [ "$RET" -ne 0 ]; then
358 return $RET
359 fi
360
361 CU_ACTION="Sign ${CERTNAME}'s EC Request"
362 certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
363 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
364 if [ "$RET" -ne 0 ]; then
365 return $RET
366 fi
367
368 CU_ACTION="Import $CERTNAME's EC Cert"
369 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
370 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
371 if [ "$RET" -ne 0 ]; then
372 return $RET
373 fi
374 cert_log "SUCCESS: $CERTNAME's EC Cert Created"
375
376 # Generate EC certificate signed with RSA
377 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
378 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
379 certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
380 -z "${R_NOISE_FILE}" -o req 2>&1
381 if [ "$RET" -ne 0 ]; then
382 return $RET
383 fi
384
385 CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
386 # Avoid conflicting serial numbers with TestCA issuer by keeping
387 # this set far away. A smaller number risks colliding with the
388 # extended ssl user certificates.
389 NEWSERIAL=`expr ${CERTSERIAL} + 10000`
390 certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
391 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1
392 if [ "$RET" -ne 0 ]; then
393 return $RET
394 fi
395
396 CU_ACTION="Import $CERTNAME's mixed EC Cert"
397 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
398 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
399 if [ "$RET" -ne 0 ]; then
400 return $RET
401 fi
402 cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
403 fi
404
405 return 0
406 }
407
408 ################################# cert_all_CA ################################
409 # local shell function to build the additional Temp. Certificate Authority (CA)
410 # used for the "real life" ssl test with 2 different CA's in the
411 # client and in teh server's dir
412 ##########################################################################
413 cert_all_CA()
414 {
415 echo nss > ${PWFILE}
416
417 ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
418 cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
419
420 ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
421 cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
422 ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
423 cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3"
424 ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
425 cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4"
426
427
428
429 ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
430 cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
431 ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
432 cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6"
433 ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
434 cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
435
436 rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
437
438 # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
439 # in the chain
440
441 if [ -n "$NSS_ENABLE_ECC" ] ; then
442 #
443 # Create EC version of TestCA
444 CA_CURVE="secp521r1"
445 ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
446 cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
447 #
448 # Create EC versions of the intermediate CA certs
449 ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
450 cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
451 ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
452 cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
453 ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
454 cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
455
456 ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
457 cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
458 ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
459 cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
460 ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
461 cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
462
463 rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
464 # ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
465 # in the chain
466
467 fi
468 }
469
470 ################################# cert_CA ################################
471 # local shell function to build the Temp. Certificate Authority (CA)
472 # used for testing purposes, creating a CA Certificate and a root cert
473 ##########################################################################
474 cert_CA()
475 {
476 CUR_CADIR=$1
477 NICKNAME=$2
478 SIGNER=$3
479 TRUSTARG=$4
480 DOMAIN=$5
481 CERTSERIAL=$6
482
483 echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="
484
485 if [ ! -d "${CUR_CADIR}" ]; then
486 mkdir -p "${CUR_CADIR}"
487 fi
488 cd ${CUR_CADIR}
489 pwd
490
491 LPROFILE=`pwd`
492 if [ -n "${MULTIACCESS_DBM}" ]; then
493 LPROFILE="multiaccess:${DOMAIN}"
494 fi
495
496 if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
497 CU_ACTION="Creating CA Cert DB"
498 certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1
499 if [ "$RET" -ne 0 ]; then
500 Exit 5 "Fatal - failed to create CA $NICKNAME "
501 fi
502
503 CU_ACTION="Loading root cert module to CA Cert DB"
504 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1
505 if [ "$RET" -ne 0 ]; then
506 return $RET
507 fi
508
509 echo "$SCRIPTNAME: Certificate initialized ----------"
510 fi
511
512
513 ################# Creating CA Cert ######################################
514 #
515 CU_ACTION="Creating CA Cert $NICKNAME "
516 CU_SUBJECT=$ALL_CU_SUBJECT
517 certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \
518 -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT
519 5
520 6
521 9
522 n
523 y
524 -1
525 n
526 5
527 6
528 7
529 9
530 n
531 CERTSCRIPT
532
533 if [ "$RET" -ne 0 ]; then
534 echo "return value is $RET"
535 Exit 6 "Fatal - failed to create CA cert"
536 fi
537
538 ################# Exporting Root Cert ###################################
539 #
540 CU_ACTION="Exporting Root Cert"
541 certu -L -n $NICKNAME -r -d ${LPROFILE} -o root.cert
542 if [ "$RET" -ne 0 ]; then
543 Exit 7 "Fatal - failed to export root cert"
544 fi
545 cp root.cert ${NICKNAME}.ca.cert
546 }
547
548 ################################ cert_ec_CA ##############################
549 # local shell function to build the Temp. Certificate Authority (CA)
550 # used for testing purposes, creating a CA Certificate and a root cert
551 # This is the ECC version of cert_CA.
552 ##########################################################################
553 cert_ec_CA()
554 {
555 CUR_CADIR=$1
556 NICKNAME=$2
557 SIGNER=$3
558 TRUSTARG=$4
559 DOMAIN=$5
560 CERTSERIAL=$6
561 CURVE=$7
562
563 echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="
564
565 if [ ! -d "${CUR_CADIR}" ]; then
566 mkdir -p "${CUR_CADIR}"
567 fi
568 cd ${CUR_CADIR}
569 pwd
570
571 LPROFILE=.
572 if [ -n "${MULTIACCESS_DBM}" ]; then
573 LPROFILE="multiaccess:${DOMAIN}"
574 fi
575
576 ################# Creating an EC CA Cert ################################
577 #
578 CU_ACTION="Creating EC CA Cert $NICKNAME "
579 CU_SUBJECT=$ALL_CU_SUBJECT
580 certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \
581 -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
582 -m $CERTSERIAL 2>&1 <<CERTSCRIPT
583 5
584 6
585 9
586 n
587 y
588 -1
589 n
590 5
591 6
592 7
593 9
594 n
595 CERTSCRIPT
596
597 if [ "$RET" -ne 0 ]; then
598 echo "return value is $RET"
599 Exit 6 "Fatal - failed to create EC CA cert"
600 fi
601
602 ################# Exporting EC Root Cert ################################
603 #
604 CU_ACTION="Exporting EC Root Cert"
605 certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert
606 if [ "$RET" -ne 0 ]; then
607 Exit 7 "Fatal - failed to export ec root cert"
608 fi
609 cp ecroot.cert ${NICKNAME}.ca.cert
610 }
611
612 ############################## cert_smime_client #############################
613 # local shell function to create client Certificates for S/MIME tests
614 ##############################################################################
615 cert_smime_client()
616 {
617 CERTFAILED=0
618 echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="
619
620 cert_create_cert ${ALICEDIR} "Alice" 30 ${D_ALICE}
621 cert_create_cert ${BOBDIR} "Bob" 40 ${D_BOB}
622
623 echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
624 cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
625
626 ## XXX With this new script merging ECC and non-ECC tests, the
627 ## call to cert_create_cert ends up creating two separate certs
628 ## one for Eve and another for Eve-ec but they both end up with
629 ## the same Subject Alt Name Extension, i.e., both the cert for
630 ## Eve@bogus.com and the cert for Eve-ec@bogus.com end up
631 ## listing eve@bogus.net in the Certificate Subject Alt Name extension.
632 ## This can cause a problem later when cmsutil attempts to create
633 ## enveloped data and accidently picks up the ECC cert (NSS currently
634 ## does not support ECC for enveloped data creation). This script
635 ## avoids the problem by ensuring that these conflicting certs are
636 ## never added to the same cert database (see comment marked XXXX).
637 echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
638 cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
639
640 #echo "************* Copying CA files to ${SERVERDIR}"
641 #cp ${CADIR}/*.db .
642 #hw_acc
643
644 #########################################################################
645 #
646 #cd ${CERTDIR}
647 #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
648 #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
649 #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
650 # -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
651
652 #CU_ACTION="Export Dave's Cert"
653 #cd ${DAVEDIR}
654 #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
655
656 ################# Importing Certificates for S/MIME tests ###############
657 #
658 echo "$SCRIPTNAME: Importing Certificates =============================="
659 CU_ACTION="Import Bob's cert into Alice's db"
660 certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
661 -i ${R_BOBDIR}/Bob.cert 2>&1
662
663 CU_ACTION="Import Dave's cert into Alice's DB"
664 certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
665 -i ${R_DAVEDIR}/Dave.cert 2>&1
666
667 CU_ACTION="Import Dave's cert into Bob's DB"
668 certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
669 -i ${R_DAVEDIR}/Dave.cert 2>&1
670
671 CU_ACTION="Import Eve's cert into Alice's DB"
672 certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
673 -i ${R_EVEDIR}/Eve.cert 2>&1
674
675 CU_ACTION="Import Eve's cert into Bob's DB"
676 certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
677 -i ${R_EVEDIR}/Eve.cert 2>&1
678
679 if [ -n "$NSS_ENABLE_ECC" ] ; then
680 echo "$SCRIPTNAME: Importing EC Certificates =============================="
681 CU_ACTION="Import Bob's EC cert into Alice's db"
682 certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
683 -i ${R_BOBDIR}/Bob-ec.cert 2>&1
684
685 CU_ACTION="Import Dave's EC cert into Alice's DB"
686 certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
687 -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
688
689 CU_ACTION="Import Dave's EC cert into Bob's DB"
690 certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
691 -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
692
693 ## XXXX Do not import Eve's EC cert until we can make sure that
694 ## the email addresses listed in the Subject Alt Name Extension
695 ## inside Eve's ECC and non-ECC certs are different.
696 # CU_ACTION="Import Eve's EC cert into Alice's DB"
697 # certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
698 # -i ${R_EVEDIR}/Eve-ec.cert 2>&1
699
700 # CU_ACTION="Import Eve's EC cert into Bob's DB"
701 # certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
702 # -i ${R_EVEDIR}/Eve-ec.cert 2>&1
703 fi
704
705 if [ "$CERTFAILED" != 0 ] ; then
706 cert_log "ERROR: SMIME failed $RET"
707 else
708 cert_log "SUCCESS: SMIME passed"
709 fi
710 }
711
712 ############################## cert_extended_ssl #######################
713 # local shell function to create client + server certs for extended SSL test
714 ########################################################################
715 cert_extended_ssl()
716 {
717
718 ################# Creating Certs for extended SSL test ####################
719 #
720 CERTFAILED=0
721 echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
722 echo " of a chain of CA's which are not in the same database============"
723
724 echo "Server Cert"
725 cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
726
727 CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
728 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
729
730 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
731 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
732
733 CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
734 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
735 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
736
737 CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
738 cp ${CERTDIR}/req ${SERVER_CADIR}
739 certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
740 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
741
742 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
743 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
744 -i "${CERTNAME}.cert" 2>&1
745
746 CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
747 certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
748 -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
749
750 if [ -n "$NSS_ENABLE_ECC" ] ; then
751 #
752 # Repeat the above for EC certs
753 #
754 EC_CURVE="secp256r1"
755 CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
756 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
757 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
758 -z "${R_NOISE_FILE}" -o req 2>&1
759
760 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
761 cp ${CERTDIR}/req ${SERVER_CADIR}
762 certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
763 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
764
765 CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
766 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
767 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
768
769 CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
770 certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
771 -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
772 #
773 # done with EC certs
774 #
775 # Repeat again for mixed EC certs
776 #
777 EC_CURVE="secp256r1"
778 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
779 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
780 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
781 -z "${R_NOISE_FILE}" -o req 2>&1
782
783 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
784 cp ${CERTDIR}/req ${SERVER_CADIR}
785 certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \
786 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
787
788 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
789 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
790 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
791
792 # CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)"
793 # certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
794 # -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
795 # 2>&1
796 fi
797
798 echo "Importing all the server's own CA chain into the servers DB"
799 for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
800 do
801 N=`basename $CA | sed -e "s/.ca.cert//"`
802 if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then
803 T="-t C,C,C"
804 else
805 T="-t u,u,u"
806 fi
807 CU_ACTION="Import $N CA $T for $CERTNAME (ext.) "
808 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
809 -i "${CA}" 2>&1
810 done
811 #============
812 echo "Client Cert"
813 cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
814
815 CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
816 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
817
818 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
819 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
820
821 CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
822 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
823 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
824 -o req 2>&1
825
826 CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
827 cp ${CERTDIR}/req ${CLIENT_CADIR}
828 certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
829 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
830
831 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
832 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
833 -i "${CERTNAME}.cert" 2>&1
834 CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
835 certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
836 -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
837
838 if [ -n "$NSS_ENABLE_ECC" ] ; then
839 #
840 # Repeat the above for EC certs
841 #
842 CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
843 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
844 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
845 -z "${R_NOISE_FILE}" -o req 2>&1
846
847 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
848 cp ${CERTDIR}/req ${CLIENT_CADIR}
849 certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
850 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
851
852 CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
853 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
854 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
855
856 CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
857 certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
858 -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
859 #
860 # done with EC certs
861 #
862 #
863 # Repeat the above for mixed EC certs
864 #
865 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
866 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
867 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
868 -z "${R_NOISE_FILE}" -o req 2>&1
869
870 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
871 cp ${CERTDIR}/req ${CLIENT_CADIR}
872 certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \
873 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
874
875 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
876 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
877 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
878
879 # CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
880 # certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
881 # -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
882 #
883 # done with mixed EC certs
884 #
885 fi
886
887 echo "Importing all the client's own CA chain into the servers DB"
888 for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
889 do
890 N=`basename $CA | sed -e "s/.ca.cert//"`
891 if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then
892 T="-t T,C,C"
893 else
894 T="-t u,u,u"
895 fi
896 CU_ACTION="Import $N CA $T for $CERTNAME (ext.)"
897 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
898 -i "${CA}" 2>&1
899 done
900 if [ "$CERTFAILED" != 0 ] ; then
901 cert_log "ERROR: EXT failed $RET"
902 else
903 cert_log "SUCCESS: EXT passed"
904 fi
905 }
906
907 ############################## cert_ssl ################################
908 # local shell function to create client + server certs for SSL test
909 ########################################################################
910 cert_ssl()
911 {
912 ################# Creating Certs for SSL test ###########################
913 #
914 CERTFAILED=0
915 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
916 cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}
917
918 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
919 echo " ${HOSTADDR} ------------------------------------"
920 cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
921 CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
922 certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR}
923 if [ -n "$NSS_ENABLE_ECC" ] ; then
924 CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
925 certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR}
926 fi
927 # cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
928 # echo "************* Copying CA files to ${SERVERDIR}"
929 # cp ${CADIR}/*.db .
930 # hw_acc
931 # CU_ACTION="Creating ${CERTNAME}'s Server Cert"
932 # CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
933 # certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
934 # -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
935
936 if [ "$CERTFAILED" != 0 ] ; then
937 cert_log "ERROR: SSL failed $RET"
938 else
939 cert_log "SUCCESS: SSL passed"
940 fi
941 }
942 ############################## cert_stresscerts ################################
943 # local shell function to create client certs for SSL stresstest
944 ########################################################################
945 cert_stresscerts()
946 {
947
948 ############### Creating Certs for SSL stress test #######################
949 #
950 CERTDIR="$CLIENTDIR"
951 cd "${CERTDIR}"
952
953 PROFILEDIR=`cd ${CERTDIR}; pwd`
954 if [ -n "${MULTIACCESS_DBM}" ]; then
955 PROFILEDIR="multiaccess:${D_CLIENT}"
956 fi
957 CERTFAILED=0
958 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
959
960 CONTINUE=$GLOB_MAX_CERT
961 CERTSERIAL=10
962
963 while [ $CONTINUE -ge $GLOB_MIN_CERT ]
964 do
965 CERTNAME="TestUser$CONTINUE"
966 # cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL
967 cert_add_cert
968 CERTSERIAL=`expr $CERTSERIAL + 1 `
969 CONTINUE=`expr $CONTINUE - 1 `
970 done
971 if [ "$CERTFAILED" != 0 ] ; then
972 cert_log "ERROR: StressCert failed $RET"
973 else
974 cert_log "SUCCESS: StressCert passed"
975 fi
976 }
977
978 ############################## cert_fips #####################################
979 # local shell function to create certificates for FIPS tests
980 ##############################################################################
981 cert_fips()
982 {
983 CERTFAILED=0
984 echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
985 cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
986
987 CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
988 certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
989
990 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
991 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
992
993 echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
994 CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
995 echo "modutil -dbdir ${PROFILEDIR} -fips true "
996 modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
997 y
998 MODSCRIPT
999 RET=$?
1000 if [ "$RET" -ne 0 ]; then
1001 html_failed "<TR><TD>${CU_ACTION} ($RET) "
1002 cert_log "ERROR: ${CU_ACTION} failed $RET"
1003 else
1004 html_passed "<TR><TD>${CU_ACTION}"
1005 fi
1006
1007 CU_ACTION="Generate Certificate for ${CERTNAME}"
1008 CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
1009 certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
1010 if [ "$RET" -eq 0 ]; then
1011 cert_log "SUCCESS: FIPS passed"
1012 fi
1013 }
1014
1015 ############################## cert_eccurves ###########################
1016 # local shell function to create server certs for all EC curves
1017 ########################################################################
1018 cert_eccurves()
1019 {
1020 ################# Creating Certs for EC curves test ########################
1021 #
1022 if [ -n "$NSS_ENABLE_ECC" ] ; then
1023 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
1024 echo " EC Curves Test Certificates ------------------------------------"
1025
1026 cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
1027
1028 CU_ACTION="Initializing EC Curve's Cert DB"
1029 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
1030
1031 CU_ACTION="Loading root cert module to EC Curve's Cert DB"
1032 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
1033
1034 CU_ACTION="Import EC Root CA for $CERTNAME"
1035 certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
1036 -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1
1037
1038 if [ -n "${NSS_ECC_MORE_THAN_SUITE_B}" ] ; then
1039 CURVE_LIST="c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 \
1040 c2pnb208w1 c2pnb272w1 c2pnb304w1 c2pnb368w1 \
1041 c2tnb191v1 c2tnb191v2 c2tnb191v3 c2tnb239v1 \
1042 c2tnb239v2 c2tnb239v3 c2tnb359v1 c2tnb431r1 \
1043 nistb163 nistb233 nistb283 nistb409 nistb571 \
1044 nistk163 nistk233 nistk283 nistk409 nistk571 \
1045 nistp192 nistp224 nistp256 nistp384 nistp521 \
1046 prime192v1 prime192v2 prime192v3 \
1047 prime239v1 prime239v2 prime239v3 \
1048 secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 \
1049 secp160r1 secp160r2 secp192k1 secp192r1 secp224k1 \
1050 secp224r1 secp256k1 secp256r1 secp384r1 secp521r1 \
1051 sect113r1 sect113r2 sect131r1 sect131r2 sect163k1 sect163r1 \
1052 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 \
1053 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1"
1054 else
1055 CURVE_LIST="nistp256 nistp384 nistp521"
1056 fi
1057 CERTSERIAL=2000
1058
1059 for CURVE in ${CURVE_LIST}
1060 do
1061 CERTFAILED=0
1062 CERTNAME="Curve-${CURVE}"
1063 CERTSERIAL=`expr $CERTSERIAL + 1 `
1064 CU_ACTION="Generate EC Cert Request for $CERTNAME"
1065 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
1066 certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
1067 -z "${R_NOISE_FILE}" -o req 2>&1
1068
1069 if [ $RET -eq 0 ] ; then
1070 CU_ACTION="Sign ${CERTNAME}'s EC Request"
1071 certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
1072 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
1073 fi
1074
1075 if [ $RET -eq 0 ] ; then
1076 CU_ACTION="Import $CERTNAME's EC Cert"
1077 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
1078 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
1079 fi
1080 done
1081
1082 fi # if NSS_ENABLE_ECC=1
1083 }
1084 ############################## cert_extensions ###############################
1085 # local shell function to test cert extensions generation.
1086 ##############################################################################
1087
1088 checkRes()
1089 {
1090 res=$1
1091 filterList=$2
1092
1093 [ $res -ne 0 ] && return 1
1094
1095 for fl in `echo $filterList | tr \| ' '`; do
1096 fl="`echo $fl | tr _ ' '`"
1097 expStat=0
1098 if [ X`echo "$fl" | cut -c 1` = 'X!' ]; then
1099 expStat=1
1100 fl=`echo $fl | tr -d '!'`
1101 fi
1102 certutil -d ${CERT_EXTENSIONS_DIR} -L -n $CERTNAME | grep "$fl" >/dev/null 2>&1
1103 [ $? -ne $expStat ] && return 1
1104 done
1105 return 0
1106 }
1107
1108
1109 cert_extensions()
1110 {
1111
1112 CERTNAME=TestExt
1113 cert_create_cert ${CERT_EXTENSIONS_DIR} $CERTNAME 90 ${D_CERT_EXTENSTIONS}
1114 TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args
1115
1116 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
1117
1118 count=0
1119 while read arg opt filterList; do
1120 if [ X"`echo $arg | cut -c 1`" = "X#" ]; then
1121 continue
1122 fi
1123 if [ X"`echo $arg | cut -c 1`" = "X!" ]; then
1124 testName="$filterList"
1125 continue
1126 fi
1127 if [ X"$arg" = "X=" ]; then
1128 count=`expr $count + 1`
1129 echo "#################################################"
1130 CU_ACTION="Testing $testName"
1131 certutil -d ${CERT_EXTENSIONS_DIR} -D -n $CERTNAME
1132 echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n $CERTNAME \
1133 -t "u,u,u" -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
1134 -z "${R_NOISE_FILE}" -$opt < $TARG_FILE
1135 certutil -d ${CERT_EXTENSIONS_DIR} -S -n $CERTNAME -t "u,u,u" \
1136 -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
1137 -z "${R_NOISE_FILE}" -$opt < $TARG_FILE
1138 ret=$?
1139 echo "certutil options:"
1140 cat $TARG_FILE
1141 checkRes $ret "$filterList"
1142 RET=$?
1143 if [ "$RET" -ne 0 ]; then
1144 CERTFAILED=$RET
1145 html_failed "<TR><TD>${CU_ACTION} ($RET) "
1146 cert_log "ERROR: ${CU_ACTION} failed $RET"
1147 else
1148 html_passed "<TR><TD>${CU_ACTION}"
1149 fi
1150 rm -f $TARG_FILE
1151 else
1152 echo $arg >> $TARG_FILE
1153 fi
1154 done < ${QADIR}/cert/certext.txt
1155 }
1156
1157
1158 ############################## cert_crl_ssl ############################
1159 # local shell function to generate certs and crls for SSL tests
1160 ########################################################################
1161 cert_crl_ssl()
1162 {
1163
1164 ################# Creating Certs ###################################
1165 #
1166 CERTFAILED=0
1167 CERTSERIAL=${CRL_GRP_1_BEGIN}
1168
1169 cd $CADIR
1170
1171 PROFILEDIR=`cd ${CLIENTDIR}; pwd`
1172 CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1`
1173 echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ==="
1174 CU_ACTION="Creating client test certs"
1175
1176 while [ $CERTSERIAL -le $CRL_GRPS_END ]
1177 do
1178 CERTNAME="TestUser$CERTSERIAL"
1179 cert_add_cert
1180 CERTSERIAL=`expr $CERTSERIAL + 1 `
1181 done
1182
1183 #################### CRL Creation ##############################
1184 CRL_GEN_RES=0
1185 echo "$SCRIPTNAME: Creating CA CRL ====================================="
1186
1187 CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1`
1188 CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END}
1189 CRL_FILE=${CRL_FILE_GRP_1}
1190
1191 CRLUPDATE=`date +%Y%m%d%H%M%SZ`
1192 CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority"
1193 CRL_GRP_END_=`expr ${CRL_GRP_END} - 1`
1194 crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \
1195 -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
1196 update=$CRLUPDATE
1197 addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
1198 addext reasonCode 0 4
1199 addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA"
1200 EOF_CRLINI
1201 # This extension should be added to the list, but currently nss has bug
1202 #addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1
1203 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1204 chmod 600 ${CRL_FILE_GRP_1}_or
1205
1206 if [ -n "$NSS_ENABLE_ECC" ] ; then
1207 CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
1208
1209 # Until Bug 292285 is resolved, do not encode x400 Addresses. After
1210 # the bug is resolved, reintroduce "x400Address:x400Address" within
1211 # addext issuerAltNames ...
1212 crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
1213 -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
1214 update=$CRLUPDATE
1215 addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
1216 addext reasonCode 0 4
1217 addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
1218 EOF_CRLINI
1219 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1220 chmod 600 ${CRL_FILE_GRP_1}_or-ec
1221 fi
1222
1223 echo test > file
1224 ############################# Modification ##################################
1225
1226 echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
1227 sleep 2
1228 CRLUPDATE=`date "+%Y%m%d%H%M%SZ"`
1229 CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
1230 CU_ACTION="Modify CRL by adding one more cert"
1231 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \
1232 -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
1233 update=$CRLUPDATE
1234 addcert ${CRL_GRP_END} $CRL_GRP_DATE
1235 EOF_CRLINI
1236 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1237 chmod 600 ${CRL_FILE_GRP_1}_or1
1238 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
1239 if [ -n "$NSS_ENABLE_ECC" ] ; then
1240 CU_ACTION="Modify CRL (ECC) by adding one more cert"
1241 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
1242 -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
1243 update=$CRLUPDATE
1244 addcert ${CRL_GRP_END} $CRL_GRP_DATE
1245 EOF_CRLINI
1246 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1247 chmod 600 ${CRL_FILE_GRP_1}_or1-ec
1248 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
1249 fi
1250
1251 ########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
1252 echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
1253 CU_ACTION="Modify CRL by removing one cert"
1254 sleep 2
1255 CRLUPDATE=`date "+%Y%m%d%H%M%SZ"`
1256 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
1257 -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
1258 update=$CRLUPDATE
1259 rmcert ${UNREVOKED_CERT_GRP_1}
1260 EOF_CRLINI
1261 chmod 600 ${CRL_FILE_GRP_1}
1262 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
1263 if [ -n "$NSS_ENABLE_ECC" ] ; then
1264 CU_ACTION="Modify CRL (ECC) by removing one cert"
1265 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
1266 -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
1267 update=$CRLUPDATE
1268 rmcert ${UNREVOKED_CERT_GRP_1}
1269 EOF_CRLINI
1270 chmod 600 ${CRL_FILE_GRP_1}-ec
1271 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
1272 fi
1273
1274 ########### Creating second CRL which includes groups 1 and 2 ##############
1275 CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
1276 CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}
1277
1278 echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ==============="
1279 sleep 2
1280 CRLUPDATE=`date "+%Y%m%d%H%M%SZ"`
1281 CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
1282 CU_ACTION="Creating CRL for groups 1 and 2"
1283 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2} \
1284 -i ${CRL_FILE_GRP_1} <<EOF_CRLINI
1285 update=$CRLUPDATE
1286 addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
1287 addext invalidityDate 0 $CRLUPDATE
1288 rmcert ${UNREVOKED_CERT_GRP_2}
1289 EOF_CRLINI
1290 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1291 chmod 600 ${CRL_FILE_GRP_2}
1292 if [ -n "$NSS_ENABLE_ECC" ] ; then
1293 CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
1294 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
1295 -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
1296 update=$CRLUPDATE
1297 addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
1298 addext invalidityDate 0 $CRLUPDATE
1299 rmcert ${UNREVOKED_CERT_GRP_2}
1300 EOF_CRLINI
1301 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1302 chmod 600 ${CRL_FILE_GRP_2}-ec
1303 fi
1304
1305 ########### Creating second CRL which includes groups 1, 2 and 3 ##############
1306 CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
1307 CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END}
1308
1309 echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3 ==============="
1310 sleep 2
1311 CRLUPDATE=`date "+%Y%m%d%H%M%SZ"`
1312 CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
1313 CU_ACTION="Creating CRL for groups 1, 2 and 3"
1314 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3} \
1315 -i ${CRL_FILE_GRP_2} <<EOF_CRLINI
1316 update=$CRLUPDATE
1317 addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
1318 rmcert ${UNREVOKED_CERT_GRP_3}
1319 addext crlNumber 0 2
1320 EOF_CRLINI
1321 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1322 chmod 600 ${CRL_FILE_GRP_3}
1323 if [ -n "$NSS_ENABLE_ECC" ] ; then
1324 CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
1325 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
1326 -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
1327 update=$CRLUPDATE
1328 addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
1329 rmcert ${UNREVOKED_CERT_GRP_3}
1330 addext crlNumber 0 2
1331 EOF_CRLINI
1332 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1333 chmod 600 ${CRL_FILE_GRP_3}-ec
1334 fi
1335
1336 ############ Importing Server CA Issued CRL for certs of first group #######
1337
1338 echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
1339 CU_ACTION="Importing CRL for groups 1"
1340 crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"
1341 crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
1342 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1343 if [ -n "$NSS_ENABLE_ECC" ] ; then
1344 CU_ACTION="Importing CRL (ECC) for groups 1"
1345 crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}"
1346 crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
1347 -d "${R_SERVERDIR}"
1348 CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
1349 fi
1350
1351 if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
1352 cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
1353 else
1354 cert_log "SUCCESS: SSL CRL prep passed"
1355 fi
1356 }
1357
1358 ############################## cert_cleanup ############################
1359 # local shell function to finish this script (no exit since it might be
1360 # sourced)
1361 ########################################################################
1362 cert_cleanup()
1363 {
1364 cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
1365 html "</TABLE><BR>"
1366 cd ${QADIR}
1367 . common/cleanup.sh
1368 }
1369
1370 ################## main #################################################
1371
1372 cert_init
1373 cert_all_CA
1374 cert_extended_ssl
1375 cert_ssl
1376 cert_smime_client
1377 cert_fips
1378 cert_eccurves
1379 cert_extensions
1380
1381 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
1382 cert_crl_ssl
1383 else
1384 echo "$SCRIPTNAME: Skipping CRL Tests"
1385 fi
1386
1387 cert_iopr_setup
1388
1389 if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
1390 cert_stresscerts
1391 fi
1392
1393 cert_cleanup
Mozilla NSS module