3
# The contents of this file are subject to the Mozilla Public
4
# License Version 1.1 (the "License"); you may not use this file
5
# except in compliance with the License. You may obtain a copy of
6
# the License at http://www.mozilla.org/MPL/
8
# Software distributed under the License is distributed on an "AS
9
# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
10
# implied. See the License for the specific language governing
11
# rights and limitations under the License.
13
# The Original Code is the Netscape security libraries.
15
# The Initial Developer of the Original Code is Netscape
16
# Communications Corporation. Portions created by Netscape are
17
# Copyright (C) 1994-2000 Netscape Communications Corporation. All
20
# Portions created by Sun Microsystems, Inc. are Copyright (C) 2003
21
# Sun Microsystems, Inc. All Rights Reserved.
24
# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
26
# Alternatively, the contents of this file may be used under the
27
# terms of the GNU General Public License Version 2 or later (the
28
# "GPL"), in which case the provisions of the GPL are applicable
29
# instead of those above. If you wish to allow use of your
30
# version of this file only under the terms of the GPL and not to
31
# allow others to use your version of this file under the MPL,
32
# indicate your decision by deleting the provisions above and
33
# replace them with the notice and other provisions required by
34
# the GPL. If you do not delete the provisions above, a recipient
35
# may use your version of this file under either the MPL or the
39
########################################################################
41
# mozilla/security/nss/tests/cert/rcert.sh
43
# Certificate generating and handeling for NSS QA, can be included
44
# multiple times from all.sh and the individual scripts
46
# needs to work on all Unix and Windows platforms
48
# included from (don't expect this to be up to date)
49
# --------------------------------------------------
57
# FIXME ... known problems, search for this string
58
# NOTE .... unexpected behavior
60
# FIXME - Netscape - NSS
61
########################################################################
63
############################## cert_init ###############################
64
# local shell function to initialize this script
65
########################################################################
69
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
70
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
72
if [ -z "${INIT_SOURCED}" ] ; then
77
html_head "Certutil Tests"
79
################## Generate noise for our CA cert. ######################
80
# NOTE: these keys are only suitable for testing, as this whole thing
81
# bypasses the entropy gathering. Don't use this method to generate
82
# keys and certs for product use or deployment.
84
ps -efl > ${NOISE_FILE} 2>&1
85
ps aux >> ${NOISE_FILE} 2>&1
90
cert_log() ###################### write the cert_status file
93
echo $* >>${CERT_LOG_FILE}
96
################################ noise ##################################
97
# Generate noise for our certs
99
# NOTE: these keys are only suitable for testing, as this whole thing bypasses
100
# the entropy gathering. Don't use this method to generate keys and certs for
101
# product use or deployment.
102
#########################################################################
105
#netstat >> ${NOISE_FILE} 2>&1
106
date >> ${NOISE_FILE} 2>&1
109
################################ certu #################################
110
# local shell function to call certutil, also: writes action and options to
111
# stdout, sets variable RET and writes results to the html file results
112
########################################################################
115
echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
117
if [ -n "${CU_SUBJECT}" ]; then
118
#the subject of the cert contains blanks, and the shell
119
#will strip the quotes off the string, if called otherwise...
120
echo "certutil -s \"${CU_SUBJECT}\" $*"
121
certutil -s "${CU_SUBJECT}" $*
129
if [ "$RET" -ne 0 ]; then
131
html_failed "<TR><TD>${CU_ACTION} ($RET) "
132
cert_log "ERROR: ${CU_ACTION} failed $RET"
134
html_passed "<TR><TD>${CU_ACTION}"
142
############################# cert_init_cert ##########################
143
# local shell function to initialize creation of client and server certs
144
########################################################################
152
if [ ! -d "${CERTDIR}" ]; then
153
mkdir -p "${CERTDIR}"
155
echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
160
PROFILEDIR=${CERTDIR}
161
if [ -n "${MULTIACCESS_DBM}" ]; then
162
PROFILEDIR="multiaccess:${DOMAIN}"
168
############################# hw_acc #################################
169
# local shell function to add hw accelerator modules to the db
170
########################################################################
175
if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then
176
echo "creating $CERTNAME s cert with hwaccelerator..."
177
#case $ACCELERATOR in
181
echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
182
echo " -dbdir ${PROFILEDIR} 2>&1 "
183
echo | modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
184
-dbdir ${PROFILEDIR} 2>&1
185
if [ "$?" -ne 0 ]; then
186
echo "modutil -add rainbow failed in `pwd`"
188
HW_ACC_ERR="modutil -add rainbow"
191
echo "modutil -add ncipher "
192
echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
193
echo " -dbdir ${PROFILEDIR} 2>&1 "
194
echo | modutil -add ncipher \
195
-libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
196
-dbdir ${PROFILEDIR} 2>&1
197
if [ "$?" -ne 0 ]; then
198
echo "modutil -add ncipher failed in `pwd`"
199
HW_ACC_RET=`expr $HW_ACC_RET + 2`
200
HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
202
if [ "$HW_ACC_RET" -ne 0 ]; then
203
html_failed "<TR><TD>Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) "
205
html_passed "<TR><TD>Adding HW accelerators to certDB for ${CERTNAME}"
212
############################# cert_create_cert #########################
213
# local shell function to create client certs
214
# initialize DB, import
217
########################################################################
220
cert_init_cert "$1" "$2" "$3" "$4"
222
CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
223
certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
224
if [ "$RET" -ne 0 ]; then
228
CU_ACTION="Import Root CA for $CERTNAME"
229
certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
230
-i "${R_CADIR}/root.cert" 2>&1
231
if [ "$RET" -ne 0 ]; then
238
############################# cert_create_certs ########################
239
# local shell function to create client certs
240
# initialize DB, import
241
# root certs (RSA and EC)
242
# add certs (RSA and EC) to DB
243
########################################################################
246
cert_init_cert "$1" "$2" "$3" "$4"
248
CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
249
certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
250
if [ "$RET" -ne 0 ]; then
254
CU_ACTION="Import Root CA for $CERTNAME"
255
certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
256
-i "${R_CADIR}/root.cert" 2>&1
257
if [ "$RET" -ne 0 ]; then
260
CU_ACTION="Import EC Root CA for $CERTNAME"
261
certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
262
-i "${R_CADIR}/ecroot.cert" 2>&1
263
if [ "$RET" -ne 0 ]; then
270
############################# cert_add_cert ############################
271
# local shell function to add client certs to an existing CERT DB
276
########################################################################
280
CU_ACTION="Generate Cert Request for $CERTNAME"
281
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
282
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
283
if [ "$RET" -ne 0 ]; then
287
CU_ACTION="Sign ${CERTNAME}'s Request"
288
certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
289
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
290
if [ "$RET" -ne 0 ]; then
294
CU_ACTION="Import $CERTNAME's Cert"
295
certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
296
-i "${CERTNAME}.cert" 2>&1
297
if [ "$RET" -ne 0 ]; then
301
cert_log "SUCCESS: $CERTNAME's Cert Created"
305
############################# cert_add_certs ############################
306
# local shell function to add client certs to an existing CERT DB
311
# Do this for both RSA and EC certs
312
########################################################################
317
CU_ACTION="Generate Cert Request for $CERTNAME"
318
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
319
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
320
if [ "$RET" -ne 0 ]; then
324
CU_ACTION="Sign ${CERTNAME}'s Request"
325
certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
326
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
327
if [ "$RET" -ne 0 ]; then
331
CU_ACTION="Import $CERTNAME's Cert"
332
certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
333
-i "${CERTNAME}.cert" 2>&1
334
if [ "$RET" -ne 0 ]; then
338
cert_log "SUCCESS: $CERTNAME's Cert Created"
341
# Generate and add EC cert
343
CU_ACTION="Generate EC Cert Request for $CERTNAME"
344
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
345
certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
346
if [ "$RET" -ne 0 ]; then
350
CU_ACTION="Sign ${CERTNAME}'s EC Request"
351
certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
352
-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
353
if [ "$RET" -ne 0 ]; then
357
CU_ACTION="Import $CERTNAME's EC Cert"
358
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
359
-i "${CERTNAME}-ec.cert" 2>&1
360
if [ "$RET" -ne 0 ]; then
364
cert_log "SUCCESS: $CERTNAME's EC Cert Created"
369
################################# cert_all_CA ################################
370
# local shell function to build the additional Temp. Certificate Authority (CA)
371
# used for the "real life" ssl test with 2 different CA's in the
372
# client and in teh server's dir
373
##########################################################################
380
ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
381
cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
383
# Create EC version of TestCA
384
ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
385
cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
387
ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
388
cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
389
ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
390
cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3"
391
ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
392
cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4"
395
# Create EC versions of the above CA certs
397
ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
398
cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
399
ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
400
cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
401
ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
402
cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
405
ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
406
cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
407
ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
408
cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6"
409
ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
410
cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
413
# Create EC versions of the above CA certs
415
ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
416
cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
417
ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
418
cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
419
ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
420
cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
422
rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
423
rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
424
# root.cert in $CLIENT_CADIR and in $SERVER_CADIR is the one of the last
428
################################# cert_CA ################################
429
# local shell function to build the Temp. Certificate Authority (CA)
430
# used for testing purposes, creating a CA Certificate and a root cert
431
##########################################################################
441
echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="
443
if [ ! -d "${CUR_CADIR}" ]; then
444
mkdir -p "${CUR_CADIR}"
450
if [ -n "${MULTIACCESS_DBM}" ]; then
451
LPROFILE="multiaccess:${DOMAIN}"
454
if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
455
CU_ACTION="Creating CA Cert DB"
456
certu -N -d ${LPROFILE} -f ${R_PWFILE} 2>&1
457
if [ "$RET" -ne 0 ]; then
458
Exit 5 "Fatal - failed to create CA $NICKNAME "
460
echo "$SCRIPTNAME: Certificate initialized ----------"
464
################# Creating CA Cert ######################################
466
CU_ACTION="Creating CA Cert $NICKNAME "
467
CU_SUBJECT=$ALL_CU_SUBJECT
468
certu -S -n $NICKNAME -t $TRUSTARG -v 60 $SIGNER -d ${LPROFILE} -1 -2 -5 \
469
-f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT
483
if [ "$RET" -ne 0 ]; then
484
echo "return value is $RET"
485
Exit 6 "Fatal - failed to create CA cert"
488
################# Exporting Root Cert ###################################
490
CU_ACTION="Exporting Root Cert"
491
certu -L -n $NICKNAME -r -d ${LPROFILE} -o root.cert
492
if [ "$RET" -ne 0 ]; then
493
Exit 7 "Fatal - failed to export root cert"
495
cp root.cert ${NICKNAME}.ca.cert
498
################################ cert_ec_CA ##############################
499
# local shell function to build the Temp. Certificate Authority (CA)
500
# used for testing purposes, creating a CA Certificate and a root cert
501
# This is the ECC version of cert_CA.
502
##########################################################################
513
echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="
515
if [ ! -d "${CUR_CADIR}" ]; then
516
mkdir -p "${CUR_CADIR}"
522
if [ -n "${MULTIACCESS_DBM}" ]; then
523
LPROFILE="multiaccess:${DOMAIN}"
526
################# Creating an EC CA Cert ################################
528
CU_ACTION="Creating EC CA Cert $NICKNAME "
529
CU_SUBJECT=$ALL_CU_SUBJECT
530
certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 60 $SIGNER \
531
-d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
532
-m $CERTSERIAL 2>&1 <<CERTSCRIPT
546
if [ "$RET" -ne 0 ]; then
547
echo "return value is $RET"
548
Exit 6 "Fatal - failed to create EC CA cert"
551
################# Exporting EC Root Cert ################################
553
CU_ACTION="Exporting EC Root Cert"
554
certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert
555
if [ "$RET" -ne 0 ]; then
556
Exit 7 "Fatal - failed to export ec root cert"
558
cp ecroot.cert ${NICKNAME}.ca.cert
561
############################## cert_smime_client #############################
562
# local shell function to create client Certificates for S/MIME tests
563
##############################################################################
567
echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="
569
cert_create_certs ${ALICEDIR} "Alice" 30 ${D_ALICE}
570
cert_create_cert ${BOBDIR} "Bob" 40 ${D_BOB}
572
echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
573
cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
575
echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
576
cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
578
#echo "************* Copying CA files to ${SERVERDIR}"
582
#########################################################################
585
#CU_ACTION="Creating ${CERTNAME}'s Server Cert"
586
#CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
587
#certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
588
# -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
590
#CU_ACTION="Export Dave's Cert"
592
#certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
594
################# Importing Certificates for S/MIME tests ###############
596
echo "$SCRIPTNAME: Importing Certificates =============================="
597
CU_ACTION="Import Alices's cert into Bob's db"
598
certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
599
-i ${R_ALICEDIR}/Alice.cert 2>&1
601
CU_ACTION="Import Bob's cert into Alice's db"
602
certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
603
-i ${R_BOBDIR}/Bob.cert 2>&1
605
CU_ACTION="Import Dave's cert into Alice's DB"
606
certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
607
-i ${R_DAVEDIR}/Dave.cert 2>&1
609
CU_ACTION="Import Dave's cert into Bob's DB"
610
certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
611
-i ${R_DAVEDIR}/Dave.cert 2>&1
613
CU_ACTION="Import Eve's cert into Alice's DB"
614
certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
615
-i ${R_EVEDIR}/Eve.cert 2>&1
617
CU_ACTION="Import Eve's cert into Bob's DB"
618
certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
619
-i ${R_EVEDIR}/Eve.cert 2>&1
621
if [ "$CERTFAILED" != 0 ] ; then
622
cert_log "ERROR: SMIME failed $RET"
624
cert_log "SUCCESS: SMIME passed"
628
############################## cert_ssl ################################
629
# local shell function to create client + server certs for extended SSL test
630
########################################################################
635
################# Creating Certs for extended SSL test ####################
638
echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
639
echo " of a chain of CA's which are not in the same database============"
642
cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
644
CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
645
certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
647
CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
648
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
649
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
651
CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
652
cp ${CERTDIR}/req ${SERVER_CADIR}
653
certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
654
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
656
CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
657
certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
658
-i "${CERTNAME}.cert" 2>&1
660
CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
661
certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
662
-i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
664
# Repeat the above for EC certs
666
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
667
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
668
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
670
CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
671
cp ${CERTDIR}/req ${SERVER_CADIR}
672
certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
673
-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
675
CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
676
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
677
-i "${CERTNAME}-ec.cert" 2>&1
679
CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
680
certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
681
-i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
685
echo "Importing all the server's own CA chain into the servers DB"
686
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
688
N=`basename $CA | sed -e "s/.ca.cert//"`
689
if [ $N = "serverCA" ] ; then
694
CU_ACTION="Import $N CA $T for $CERTNAME (ext.) "
695
certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
700
cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
702
CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
703
certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
705
CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
706
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
707
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
709
CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
710
cp ${CERTDIR}/req ${CLIENT_CADIR}
711
certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
712
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
714
CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
715
certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
716
-i "${CERTNAME}.cert" 2>&1
717
CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
718
certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
719
-i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
721
# Repeat the above for EC certs
723
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
724
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
725
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
727
CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
728
cp ${CERTDIR}/req ${CLIENT_CADIR}
729
certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
730
-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
732
CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
733
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
734
-i "${CERTNAME}-ec.cert" 2>&1
735
CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
736
certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
737
-i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
741
echo "Importing all the client's own CA chain into the servers DB"
742
for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
744
N=`basename $CA | sed -e "s/.ca.cert//"`
745
if [ $N = "clientCA" ] ; then
750
CU_ACTION="Import $N CA $T for $CERTNAME (ext.)"
751
certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
754
if [ "$CERTFAILED" != 0 ] ; then
755
cert_log "ERROR: EXT failed $RET"
757
cert_log "SUCCESS: EXT passed"
761
############################## cert_ssl ################################
762
# local shell function to create client + server certs for SSL test
763
########################################################################
766
################# Creating Certs for SSL test ###########################
769
echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
770
cert_create_certs ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}
772
echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
773
echo " ${HOSTADDR} ------------------------------------"
774
cert_create_certs ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
775
certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR}
776
certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR}
777
# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
778
# echo "************* Copying CA files to ${SERVERDIR}"
781
# CU_ACTION="Creating ${CERTNAME}'s Server Cert"
782
# CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
783
# certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
784
# -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
786
if [ "$CERTFAILED" != 0 ] ; then
787
cert_log "ERROR: SSL failed $RET"
789
cert_log "SUCCESS: SSL passed"
792
############################## cert_stresscerts ################################
793
# local shell function to create client certs for SSL stresstest
794
########################################################################
798
############### Creating Certs for SSL stress test #######################
803
PROFILEDIR=${CERTDIR}
804
if [ -n "${MULTIACCESS_DBM}" ]; then
805
PROFILEDIR="multiaccess:${D_CLIENT}"
808
echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
810
CONTINUE=$GLOB_MAX_CERT
813
while [ $CONTINUE -ge $GLOB_MIN_CERT ]
815
CERTNAME="TestUser$CONTINUE"
816
# cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL
818
CERTSERIAL=`expr $CERTSERIAL + 1 `
819
CONTINUE=`expr $CONTINUE - 1 `
821
if [ "$CERTFAILED" != 0 ] ; then
822
cert_log "ERROR: StressCert failed $RET"
824
cert_log "SUCCESS: StressCert passed"
828
############################## cert_fips #####################################
829
# local shell function to create certificates for FIPS tests
830
##############################################################################
834
echo "$SCRIPTNAME: Creating FIPS 140-1 DSA Certificates =============="
835
cert_init_cert "${FIPSDIR}" "FIPS PUB 140-1 Test Certificate" 1000 "${D_FIPS}"
837
CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
838
certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
840
echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
841
CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
842
echo "modutil -dbdir ${PROFILEDIR} -fips true "
843
modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
847
if [ "$RET" -ne 0 ]; then
848
html_failed "<TR><TD>${CU_ACTION} ($RET) "
849
cert_log "ERROR: ${CU_ACTION} failed $RET"
851
html_passed "<TR><TD>${CU_ACTION}"
854
CU_ACTION="Generate Certificate for ${CERTNAME}"
855
CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140-1, L=Mountain View, ST=California, C=US"
856
certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -m 500 -z "${R_NOISE_FILE}" 2>&1
857
if [ "$RET" -eq 0 ]; then
858
cert_log "SUCCESS: FIPS passed"
862
############################## cert_cleanup ############################
863
# local shell function to finish this script (no exit since it might be
865
########################################################################
868
cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
874
################## main #################################################
882
if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
884
#following lines to be used when databases are to be reused
885
#cp -r /u/sonmi/tmp/stress/kentuckyderby.13/* $HOSTDIR
886
#cp -r $HOSTDIR/../${HOST}.2/* $HOSTDIR