# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# The Original Code is the Netscape security libraries.
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
# ***** END LICENSE BLOCK *****
########################################################################
# mozilla/security/nss/tests/iopr/cert_iopr.sh
# Certificate generation and handling for NSS interoperability QA. This file
# is included from cert.sh
# needs to work on all Unix and Windows platforms
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
# FIXME - Netscape - NSS
########################################################################
########################################################################
# Function that wraps calls to pk12util; it also writes the action and options
# Params are the same as for pk12util.
# Returns the pk12util status.
echo "${CU_ACTION} --------------------------"
########################################################################
# Initializes the nss db directory and files if they don't exist
# $1 - directory location
if [ -z "`ls $trgDir | grep db`" ]; then
trgDir=`cd ${trgDir}; pwd`
if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
trgDir=`cygpath -m ${trgDir}`
CU_ACTION="Initializing DB at ${trgDir}"
certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
if [ "$RET" -ne 0 ]; then
CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
if [ "$RET" -ne 0 ]; then
########################################################################
# Takes care of downloading config, cert and crl files from a remote
# $1 - name of the host the file will be downloaded from
# $2 - path to the file as it appears in the url
# $3 - target directory the file will be saved in.
# Returns the tstclnt status.
file=$trgDir/`basename $filePath`
createDBDir $trgDir || return $RET
# echo wget -O $file http://${host}${filePath}
# wget -O $file http://${host}${filePath}
echo "GET $filePath HTTP/1.0" > $req
tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
-w ${R_PWFILE} -o < $req > $file
########################################################################
# Uses pk12util, certutil or crlutil to import files into an nss db located
# at <dir> (the value of the $1 parameter). Chooses the utility to use based on
# the file extension. Initializes the db if it does not exist.
# $1 - db location directory
# $2 - file name to import
# $3 - nickname the object in the file will be associated with
# $4 - trust arguments
# Returns the status of the import
[ ! -d $dir ] && mkdir -p $dir;
createDBDir $dir || return $RET
case `basename $file | sed 's/^.*\.//'` in
CU_ACTION="Importing p12 $file to DB at $dir"
pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr
[ $? -ne 0 ] && return 1
CU_ACTION="Modifying trust for cert $certName at $dir"
certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
CU_ACTION="Importing crl $file to DB at $dir"
crlu -d ${dir} -I -n TestCA -i $file
CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
echo "Unknown file extension: $file:"
#########################################################################
# Downloads and installs test certs and the crl from a remote webserver.
# Generates a server cert for reverse testing if the reverse test run is turned on.
# $1 - host name to download files from.
# $2 - directory in which the CA cert will be installed and used for
#      signing the server cert.
# $3 - path to the config file in the webserver context.
# $4 - ssl server db location
# $5 - ssl client db location
# $6 - ocsp client db location
# Returns 0 upon success; otherwise, the error code of the failed command.
download_install_certs() {
[ ! -d "$caDir" ] && mkdir -p $caDir;
#=======================================================
# Getting the config file; it is sourced as a shell script below
download_file $host "$confPath/iopr_server.cfg" $caDir
if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then
html_failed "<TR><TD>Fail to download website config file(ws: $host)"
. $caDir/iopr_server.cfg
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to source config file(ws: $host)"
#=======================================================
#----------------- !!!WARNING!!! -----------------------
# Do NOT copy this scenario. A CA should never accompany its
# cert with the private key when delivering a cert to a customer.
#----------------- !!!WARNING!!! -----------------------
download_file $host $certDir/$caCertName.p12 $caDir
if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then
html_failed "<TR><TD>Fail to download $caCertName cert(ws: $host)"
tmpFiles="$caDir/$caCertName.p12"
importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C"
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import $caCertName cert to CA DB(ws: $host)"
CU_ACTION="Exporting Root CA cert(ws: $host)"
certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert
if [ "$RET" -ne 0 ]; then
Exit 7 "Fatal - failed to export $caCertName cert"
#=======================================================
# Check which tests we want to run
doSslTests=0; doOcspTests=0
# XXX remove "_new" from variables below
[ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1
[ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1
if [ $doSslTests -eq 1 ]; then
if [ "$reverseRunCGIScript" ]; then
[ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;
#=======================================================
# Import the CA cert into the server DB
importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import server-client-CA cert to \
server DB(ws: $host)"
#=======================================================
# Creating the server cert
CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
L=Mountain View, ST=California, C=US"
certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
-o $sslServerDir/req 2>&1
tmpFiles="$tmpFiles $sslServerDir/req"
CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
certu -C -c "$caCertName" -m `date +"%s"` -v 60 -d "${caDir}" \
-i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \
-f "${R_PWFILE}" 2>&1
importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import $CERTNAME cert to server\
tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
#=======================================================
# Download and import the CA crl into the server DB
download_file $host "$certDir/$caCrlName.crl" $sslServerDir
if [ $? -ne 0 ]; then
html_failed "<TR><TD>Fail to download $caCertName crl\
tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"
importFile $sslServerDir $sslServerDir/TestCA.crl
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import TestCA crt to server\
fi # if [ "$reverseRunCGIScript" ]
[ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;
#=======================================================
# Import the CA cert into the ssl client DB
importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import server-client-CA cert to \
server DB(ws: $host)"
if [ $doOcspTests -eq 1 ]; then
[ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;
#=======================================================
# Import the CA cert into the ocsp client DB
importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import server-client-CA cert to \
server DB(ws: $host)"
#=======================================================
# Import the client certs into the client DB
for fileName in $downloadFiles; do
certName=`echo $fileName | sed 's/\..*//'`
if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then
clientDir=$ocspClientDir
elif [ $doSslTests -eq 1 ]; then
clientDir=$sslClientDir
download_file $host "$certDir/$fileName" $clientDir
if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then
html_failed "<TR><TD>Fail to download $certName cert(ws: $host)"
tmpFiles="$tmpFiles $clientDir/$fileName"
importFile $clientDir $clientDir/$fileName $certName ",,"
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import $certName cert to client DB\
#########################################################################
# Entry point for downloading config, cert and crl files for the multiple hosts
# involved in interoperability testing. Called from nss/tests/cert/cert.sh
# It will only proceed with downloading if the environment variable
# IOPR_HOSTADDR_LIST is set to a list of host names separated by spaces.
# Returns 1 if interoperability testing is off, 0 otherwise.
if [ "$IOPR" -ne 1 ]; then
IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '`
while [ "$IOPR_HOST_PARAM" ]; do
IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
[ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443
IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`
[ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"
echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\
download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \
${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \
${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \
${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
if [ $? -ne 0 ]; then
echo "wsFlags=\"NOIOPR $wsParam\"" >> \
${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`