

Viewing changes to mozilla/security/nss/tests/chains/chains.sh

  • Committer: Bazaar Package Importer
  • Author(s): Chris Coulson
  • Date: 2010-03-25 13:46:06 UTC
  • mfrom: (1.1.11 upstream)
  • Revision ID: james.westby@ubuntu.com-20100325134606-bl6liuok2w9l7snv
Tags: 3.12.6-0ubuntu1
* New upstream release 3.12.6 RTM (NSS_3_12_6_RTM)
  - fixes CVE-2009-3555 aka US-CERT VU#120541
* Adjust patches to changed upstream code base
  - update debian/patches/38_kbsd.patch
  - update debian/patches/38_mips64_build.patch
  - update debian/patches/85_security_load.patch
* Remove patches that are merged upstream
  - delete debian/patches/91_nonexec_stack.patch
  - update debian/patches/series
* Bump nspr dependency to 4.8
  - update debian/control
* Add new symbols for 3.12.6
  - update debian/libnss3-1d.symbols


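--- a/mozilla/security/nss/tests/chains/chains.sh
+++ b/mozilla/security/nss/tests/chains/chains.sh
@@ -16,7 +16,7 @@
 # The Original Code is the Network Security Services (NSS)
 #
 # The Initial Developer of the Original Code is Sun Microsystems, Inc.
-# Portions created by the Initial Developer are Copyright (C) 2008
+# Portions created by the Initial Developer are Copyright (C) 2008-2009
 # the Initial Developer. All Rights Reserved.
 #
 # Contributor(s):
@@ -71,10 +71,11 @@
 
     CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
 
-    CERT_SN_CNT=$(date '+%m%d%H%M%S')
+    CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
     CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
 
-    PK7_NONCE=$CERT_SN_CNT;
+    PK7_NONCE=${CERT_SN_CNT}
+    SCEN_CNT=${CERT_SN_CNT}
 
     AIA_FILES="${HOSTDIR}/aiafiles"
 
@@ -167,7 +168,8 @@
 6
 7
 9
-n" > ${CU_DATA}
+n
+" > ${CU_DATA}
 
     TESTNAME="Creating Root CA ${ENTITY}"
     echo "${SCRIPTNAME}: ${TESTNAME}"
@@ -204,20 +206,25 @@
 
     CA_FLAG=
     EXT_DATA=
+    OPTIONS=
+
     if [ "${TYPE}" != "EE" ]; then
         CA_FLAG="-2"
         EXT_DATA="y
 -1
-y"
+y
+"
     fi
 
+    process_crldp
+
     echo "${EXT_DATA}" > ${CU_DATA}
 
     TESTNAME="Creating ${TYPE} certifiate request ${REQ}"
     echo "${SCRIPTNAME}: ${TESTNAME}"
-    echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} < ${CU_DATA}"
+    echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}"
     print_cu_data
-    ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} < ${CU_DATA} 
+    ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA} 
     html_msg $? 0 "${SCENARIO}${TESTNAME}"
 }
 
@@ -395,8 +402,69 @@
 ${NSS_AIA_OCSP}:${OCSP}
 0
 n
-n"
-    fi
+n
+"
+    fi
+}
+
+process_crldp()
+{
+    if [ -n "${CRLDP}" ]; then
+        OPTIONS="${OPTIONS} -4"
+
+        EXT_DATA="${EXT_DATA}1
+"
+
+        for ITEM in ${CRLDP}; do
+            CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"
+
+            EXT_DATA="${EXT_DATA}7
+${NSS_AIA_HTTP}/${CRL_PUBLIC}
+"
+        done
+
+        EXT_DATA="${EXT_DATA}-1
+-1
+-1
+n
+n
+"
+    fi
+}
+
+process_ku_ns_eku()
+{
+    if [ -n "${EXT_KU}" ]; then
+        OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}"
+    fi
+    if [ -n "${EXT_NS}" ]; then
+        EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1)
+        EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2)
+
+        OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}"
+        DATA="${DATA}${EXT_NS_CODE}
+-1
+n
+"
+    fi
+    if [ -n "${EXT_EKU}" ]; then
+        OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}"
+    fi
+}
+
+copy_crl()
+
+{
+    if [ -z "${NSS_AIA_PATH}" ]; then
+        return;
+    fi
+
+    CRL_LOCAL="${COPYCRL}.crl"
+    CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"
+
+    cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null
+    chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
+    echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES}
 }
 
 ########################## process_extension ###########################
@@ -413,6 +481,7 @@
     process_inhibit
     process_aia
     process_ocsp
+    process_ku_ns_eku
 }
 
 ############################## sign_cert ###############################
@@ -555,6 +624,8 @@
     CRL=${ISSUER}.crl
 
     DATE=$(date -u '+%Y%m%d%H%M%SZ')
+    DATE_LAST="${DATE}"
+
     UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ')
 
     echo "update=${DATE}" > ${CRL_DATA}
@@ -579,8 +650,13 @@
 
     set_cert_sn
 
-    sleep 1
     DATE=$(date -u '+%Y%m%d%H%M%SZ')
+    while [ "${DATE}" = "${DATE_LAST}" ]; do
+        sleep 1
+        DATE=$(date -u '+%Y%m%d%H%M%SZ')
+    done
+    DATE_LAST="${DATE}"
+
     echo "update=${DATE}" > ${CRL_DATA}
     echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA}
 
@@ -663,22 +739,29 @@
         fi
     done
 
-    TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+    VFY_OPTS_TNAME="${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+    VFY_OPTS_ALL="${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+
+    TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
     echo "${SCRIPTNAME}: ${TESTNAME}"
-    echo "vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+    echo "vfychain ${VFY_OPTS_ALL}"
 
     if [ -z "${MEMLEAK_DBG}" ]; then
-        VFY_OUT=$(${BINDIR}/vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT})
+        VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
         RESULT=$?
         echo "${VFY_OUT}"
     else 
-        VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${REV_OPTS} ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE})
+        VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE})
         RESULT=$?
         echo "${VFY_OUT}"
     fi
 
     echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null
-    if [ $? -eq 0 ]; then
+    E5990=$?
+    echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null
+    E8030=$?
+
+    if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then
         echo "Result of this test is not valid due to network time out."
         html_unknown "${SCENARIO}${TESTNAME}"
         return
@@ -695,6 +778,36 @@
     fi
 }
 
+check_ocsp()
+{
+    OCSP_CERT=$1
+
+    CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
+    CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`
+
+    if [ "${CERT_ISSUER}" = "x" ]; then
+        CERT_ISSUER=
+        CERT=${CERT_NICK}.cert
+        CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
+    else
+        CERT=${CERT_NICK}${CERT_ISSUER}.der
+        CERT_FILE=${CERT}
+    fi
+
+    OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
+
+    if [ "${OS_ARCH}" = "WINNT" ]; then
+        ping -n 1 ${OCSP_HOST}
+        return $?
+    elif [ "${OS_ARCH}" = "HP-UX" ]; then
+        ping ${OCSP_HOST} -n 1
+        return $?
+    else
+        ping -c 1 ${OCSP_HOST}
+        return $?
+    fi
+}
+
 ############################ parse_result ##############################
 # local shell function to process expected result value
 # this function was created for case that expected result depends on
@@ -745,9 +858,14 @@
             MAPPING=
             INHIBIT=
             AIA=
+            CRLDP=
             OCSP=
             DB=
             EMAILS=
+            EXT_KU=
+            EXT_NS=
+            EXT_EKU=
+            SERIAL=
             ;;
         "type")
             TYPE="${VALUE}"
@@ -765,6 +883,9 @@
             MAPPING=
             INHIBIT=
             AIA=
+            EXT_KU=
+            EXT_NS=
+            EXT_EKU=
             ;;
         "ctype") 
             CTYPE="${VALUE}"
@@ -781,6 +902,9 @@
         "aia")
             AIA="${AIA} ${VALUE}"
             ;;
+        "crldp")
+            CRLDP="${CRLDP} ${VALUE}"
+            ;;
         "ocsp")
             OCSP="${VALUE}"
             ;;
@@ -807,6 +931,10 @@
         "serial")
             SERIAL="${VALUE}"
             ;;
+        "copycrl")
+            COPYCRL="${VALUE}"
+            copy_crl "${COPYCRL}"
+            ;;
         "verify")
             VERIFY="${VALUE}"
             TRUST=
@@ -814,6 +942,7 @@
             FETCH=
             EXP_RESULT=
             REV_OPTS=
+            USAGE_OPT=
             ;;
         "cert")
             VERIFY="${VERIFY} ${VALUE}"
@@ -858,6 +987,8 @@
                 LOGNAME="libpkix-${VALUE}"
                 LOGFILE="${LOGDIR}/${LOGNAME}"
             fi
+
+            SCEN_CNT=$(expr ${SCEN_CNT} + 1)
             ;;
         "sleep")
             sleep ${VALUE}
@@ -865,6 +996,25 @@
         "break")
             break
             ;;
+        "check_ocsp")
+            check_ocsp ${VALUE}
+            if [ $? -ne 0 ]; then
+                echo "OCSP server not accessible, skipping OCSP tests"
+                break;
+            fi
+            ;;
+        "ku")
+            EXT_KU="${VALUE}"
+            ;;
+        "ns")
+            EXT_NS="${VALUE}"
+            ;;
+        "eku")
+            EXT_EKU="${VALUE}"
+            ;;
+        "usage")
+            USAGE_OPT="-u ${VALUE}"
+            ;;
         "")
             if [ -n "${ENTITY}" ]; then
                 if [ -z "${DB}" ]; then
@@ -909,6 +1059,8 @@
 {
     while read LINE 
     do
+        [ `echo ${LINE} | cut -b 1` != "#" ] || continue
+
         > ${AIA_FILES}
 
         parse_config < "${QADIR}/chains/scenarios/${LINE}"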
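Review bot: copy_crl (new lines 457-468) throws the cp error away with `2> /dev/null` and then runs chmod and appends the public path to AIA_FILES regardless, so a missing or unreadable `${COPYCRL}.crl` is silently recorded as published and the scenario goes on to exercise a CRL-unavailable path instead of the revocation behaviour it was written to test. Dropping the redirect and gating the rest on the copy, `cp "${CRL_LOCAL}" "${NSS_AIA_PATH}/${CRL_PUBLIC}" || { echo "${SCRIPTNAME}: cannot publish ${CRL_LOCAL}"; return 1; }`, keeps the failure visible in the log. The `copycrl` case at new line 936 also passes `"${COPYCRL}"` as an argument the function never reads as `$1`, relying on the global instead; reading `$1` or dropping the argument would stop the call site from misleading. The scenario-file filter at new line 1062 has a related problem: on an empty line the unquoted `[ != "#" ]` appears to skip only because test fails with a unary-operator error, and `case "${LINE}" in ""|"#"*) continue ;; esac` skips blank and comment lines by design without word-splitting or globbing `${LINE}`.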