summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/chains/chains.sh
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /security/nss/tests/chains/chains.sh
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/nss/tests/chains/chains.sh')
-rwxr-xr-xsecurity/nss/tests/chains/chains.sh1308
1 files changed, 1308 insertions, 0 deletions
diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh
new file mode 100755
index 000000000..4c3fa57a0
--- /dev/null
+++ b/security/nss/tests/chains/chains.sh
@@ -0,0 +1,1308 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/cert/chains.sh
+#
+# Script to test certificate chains validity.
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+
+########################### is_httpserv_alive ##########################
+# local shell function to exit with a fatal error if selfserver is not
+# running
+########################################################################
+is_httpserv_alive()
+{
+ if [ ! -f "${HTTPPID}" ]; then
+ echo "$SCRIPTNAME: Error - httpserv PID file ${HTTPPID} doesn't exist"
+ sleep 5
+ if [ ! -f "${HTTPPID}" ]; then
+ Exit 9 "Fatal - httpserv pid file ${HTTPPID} does not exist"
+ fi
+ fi
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_HTTPPID}
+ else
+ PID=`cat ${HTTPPID}`
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
+
+ echo "httpserv with PID ${PID} found at `date`"
+}
+
+########################### wait_for_httpserv ##########################
+# local shell function to wait until httpserver is running and initialized
+########################################################################
+wait_for_httpserv()
+{
+ echo "trying to connect to httpserv at `date`"
+ echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+ ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+ if [ $? -ne 0 ]; then
+ sleep 5
+ echo "retrying to connect to httpserv at `date`"
+ echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+ ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+ if [ $? -ne 0 ]; then
+ html_failed "Waiting for Server"
+ fi
+ fi
+ is_httpserv_alive
+}
+
+########################### kill_httpserv ##############################
+# local shell function to kill the httpserver after the tests are done
+########################################################################
+kill_httpserv()
+{
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_HTTPPID}
+ else
+ PID=`cat ${HTTPPID}`
+ fi
+
+ echo "trying to kill httpserv with PID ${PID} at `date`"
+
+ if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
+ echo "${KILL} ${PID}"
+ ${KILL} ${PID}
+ else
+ echo "${KILL} -USR1 ${PID}"
+ ${KILL} -USR1 ${PID}
+ fi
+ wait ${PID}
+
+ # On Linux httpserv needs up to 30 seconds to fully die and free
+ # the port. Wait until the port is free. (Bug 129701)
+ if [ "${OS_ARCH}" = "Linux" ]; then
+ echo "httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
+ until ${BINDIR}/httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null; do
+ echo "RETRY: httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
+ sleep 1
+ done
+ fi
+
+ echo "httpserv with PID ${PID} killed at `date`"
+
+ rm ${HTTPPID}
+ html_detect_core "kill_httpserv core detection step"
+}
+
+########################### start_httpserv #############################
+# local shell function to start the httpserver with the parameters required
+# for this test and log information (parameters, start time)
+# also: wait until the server is up and running
+########################################################################
+start_httpserv()
+{
+ HTTP_METHOD=$1
+
+ if [ -n "$testname" ] ; then
+ echo "$SCRIPTNAME: $testname ----"
+ fi
+ echo "httpserv starting at `date`"
+ ODDIR="${HOSTDIR}/chains/OCSPD"
+ echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\"
+ echo " -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\"
+ echo " -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\"
+ echo " -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\"
+ echo " -i ${HTTPPID} $verbose &"
+ ${PROFTOOL} ${BINDIR}/httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \
+ -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \
+ -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \
+ -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \
+ -i ${HTTPPID} $verbose &
+ RET=$?
+
+ # The PID $! returned by the MKS or Cygwin shell is not the PID of
+ # the real background process, but rather the PID of a helper
+ # process (sh.exe). MKS's kill command has a bug: invoking kill
+ # on the helper process does not terminate the real background
+ # process. Our workaround has been to have httpserv save its PID
+ # in the ${HTTPPID} file and "kill" that PID instead. But this
+ # doesn't work under Cygwin; its kill command doesn't recognize
+ # the PID of the real background process, but it does work on the
+ # PID of the helper process. So we save the value of $! in the
+ # SHELL_HTTPPID variable, and use it instead of the ${HTTPPID}
+ # file under Cygwin. (In fact, this should work in any shell
+ # other than the MKS shell.)
+ SHELL_HTTPPID=$!
+ wait_for_httpserv
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_HTTPPID}
+ else
+ PID=`cat ${HTTPPID}`
+ fi
+
+ echo "httpserv with PID ${PID} started at `date`"
+}
+
+############################# chains_init ##############################
+# local shell function to initialize this script
+########################################################################
+chains_init()
+{
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ SCRIPTNAME="chains.sh"
+
+ CHAINS_DIR="${HOSTDIR}/chains"
+ mkdir -p ${CHAINS_DIR}
+ cd ${CHAINS_DIR}
+
+ CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
+
+ CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
+ CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
+
+ PK7_NONCE=${CERT_SN_CNT}
+ SCEN_CNT=${CERT_SN_CNT}
+
+ AIA_FILES="${HOSTDIR}/aiafiles"
+
+ CU_DATA=${HOSTDIR}/cu_data
+ CRL_DATA=${HOSTDIR}/crl_data
+
+ DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10)
+ NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
+ DEFAULT_UNUSED_PORT=$(expr ${PORT:-8631} + 11)
+ NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT}
+ NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
+ NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
+ NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp}
+ NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"}
+
+ html_head "Certificate Chains Tests"
+}
+
+chains_run_httpserv()
+{
+ HTTP_METHOD=$1
+
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ HTTPPID=${NSS_AIA_PATH}/http_pid.$$
+ mkdir -p "${NSS_AIA_PATH}"
+ SAVEPWD=`pwd`
+ cd "${NSS_AIA_PATH}"
+ # Start_httpserv sets environment variables, which are required for
+ # correct cleanup. (Running it in a subshell doesn't work, the
+ # value of $SHELL_HTTPPID wouldn't arrive in this scope.)
+ start_httpserv ${HTTP_METHOD}
+ cd "${SAVEPWD}"
+ fi
+}
+
+chains_stop_httpserv()
+{
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ kill_httpserv
+ fi
+}
+
+############################ chains_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+chains_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+############################ print_cu_data #############################
+# local shell function to print certutil input data
+########################################################################
+print_cu_data()
+{
+ echo "=== Certutil input data ==="
+ cat ${CU_DATA}
+ echo "==="
+}
+
+set_cert_sn()
+{
+ if [ -z "${SERIAL}" ]; then
+ CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1)
+ CERT_SN=${CERT_SN_CNT}
+ else
+ echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_SN=$(echo ${SERIAL} | cut -b 2-)
+ CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN})
+ else
+ CERT_SN=${SERIAL}
+ fi
+ fi
+}
+
+############################# create_db ################################
+# local shell function to create certificate database
+########################################################################
+create_db()
+{
+ DB=$1
+
+ [ -d "${DB}" ] && rm -rf ${DB}
+ mkdir -p ${DB}
+
+ echo "${DB}passwd" > ${DB}/dbpasswd
+
+ TESTNAME="Creating DB ${DB}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -N -d ${DB} -f ${DB}/dbpasswd"
+ ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+########################### create_root_ca #############################
+# local shell function to generate self-signed root certificate
+########################################################################
+create_root_ca()
+{
+ ENTITY=$1
+ ENTITY_DB=${ENTITY}DB
+
+ set_cert_sn
+ date >> ${NOISE_FILE} 2>&1
+
+ CTYPE_OPT=
+ if [ -n "${CTYPE}" ]; then
+ CTYPE_OPT="-k ${CTYPE}"
+ fi
+
+ echo "5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+" > ${CU_DATA}
+
+ TESTNAME="Creating Root CA ${ENTITY}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}"
+ print_cu_data
+ ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+
+ TESTNAME="Exporting Root CA ${ENTITY}.der"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der"
+ ${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+########################### create_cert_req ############################
+# local shell function to generate certificate sign request
+########################################################################
+create_cert_req()
+{
+ ENTITY=$1
+ TYPE=$2
+
+ ENTITY_DB=${ENTITY}DB
+
+ REQ=${ENTITY}Req.der
+
+ date >> ${NOISE_FILE} 2>&1
+
+ CTYPE_OPT=
+ if [ -n "${CTYPE}" ]; then
+ CTYPE_OPT="-k ${CTYPE}"
+ fi
+
+ CA_FLAG=
+ EXT_DATA=
+ OPTIONS=
+
+ if [ "${TYPE}" != "EE" ]; then
+ CA_FLAG="-2"
+ EXT_DATA="y
+-1
+y
+"
+ fi
+
+ process_crldp
+
+ echo "${EXT_DATA}" > ${CU_DATA}
+
+ TESTNAME="Creating ${TYPE} certifiate request ${REQ}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}"
+ print_cu_data
+ ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################ create_entity #############################
+# local shell function to create certificate chain entity
+########################################################################
+create_entity()
+{
+ ENTITY=$1
+ TYPE=$2
+
+ if [ -z "${ENTITY}" ]; then
+ echo "Configuration error: Unnamed entity"
+ exit 1
+ fi
+
+ DB=${ENTITY}DB
+ ENTITY_DB=${ENTITY}DB
+
+ case "${TYPE}" in
+ "Root")
+ create_db "${DB}"
+ create_root_ca "${ENTITY}"
+ ;;
+ "Intermediate" | "Bridge" | "EE")
+ create_db "${DB}"
+ create_cert_req "${ENTITY}" "${TYPE}"
+ ;;
+ "*")
+ echo "Configuration error: Unknown type ${TYPE}"
+ exit 1
+ ;;
+ esac
+}
+
+########################################################################
+# List of global variables related to certificate extensions processing:
+#
+# Generated by process_extensions and functions called from it:
+# OPTIONS - list of command line policy extensions
+# DATA - list of inpud data related to policy extensions
+#
+# Generated by parse_config:
+# POLICY - list of certificate policies
+# MAPPING - list of policy mappings
+# INHIBIT - inhibit flag
+# AIA - AIA list
+########################################################################
+
+############################ process_policy ############################
+# local shell function to process policy extension parameters and
+# generate input for certutil
+########################################################################
+process_policy()
+{
+ if [ -n "${POLICY}" ]; then
+ OPTIONS="${OPTIONS} --extCP"
+
+ NEXT=
+ for ITEM in ${POLICY}; do
+ if [ -n "${NEXT}" ]; then
+ DATA="${DATA}y
+"
+ fi
+
+ NEXT=1
+ DATA="${DATA}${ITEM}
+1
+
+n
+"
+ done
+
+ DATA="${DATA}n
+n
+"
+ fi
+}
+
+########################### process_mapping ############################
+# local shell function to process policy mapping parameters and
+# generate input for certutil
+########################################################################
+process_mapping()
+{
+ if [ -n "${MAPPING}" ]; then
+ OPTIONS="${OPTIONS} --extPM"
+
+ NEXT=
+ for ITEM in ${MAPPING}; do
+ if [ -n "${NEXT}" ]; then
+ DATA="${DATA}y
+"
+ fi
+
+ NEXT=1
+ IDP=`echo ${ITEM} | cut -d: -f1`
+ SDP=`echo ${ITEM} | cut -d: -f2`
+ DATA="${DATA}${IDP}
+${SDP}
+"
+ done
+
+ DATA="${DATA}n
+n
+"
+ fi
+}
+
+########################### process_inhibit#############################
+# local shell function to process inhibit extension and generate input
+# for certutil
+########################################################################
+process_inhibit()
+{
+ if [ -n "${INHIBIT}" ]; then
+ OPTIONS="${OPTIONS} --extIA"
+
+ DATA="${DATA}${INHIBIT}
+n
+"
+ fi
+}
+
+############################# process_aia ##############################
+# local shell function to process AIA extension parameters and
+# generate input for certutil
+########################################################################
+process_aia()
+{
+ if [ -n "${AIA}" ]; then
+ OPTIONS="${OPTIONS} --extAIA"
+
+ DATA="${DATA}1
+"
+
+ for ITEM in ${AIA}; do
+ PK7_NONCE=`expr $PK7_NONCE + 1`
+
+ echo ${ITEM} | grep ":" > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_NICK=`echo ${ITEM} | cut -d: -f1`
+ CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
+ CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der"
+ CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der"
+ else
+ CERT_LOCAL="${ITEM}.p7"
+ CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7"
+ fi
+
+ DATA="${DATA}7
+${NSS_AIA_HTTP}/${CERT_PUBLIC}
+"
+
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ cp ${CERT_LOCAL} ${NSS_AIA_PATH}/${CERT_PUBLIC} 2> /dev/null
+ chmod a+r ${NSS_AIA_PATH}/${CERT_PUBLIC}
+ echo ${NSS_AIA_PATH}/${CERT_PUBLIC} >> ${AIA_FILES}
+ fi
+ done
+
+ DATA="${DATA}0
+n
+n"
+ fi
+}
+
+process_ocsp()
+{
+ if [ -n "${OCSP}" ]; then
+ OPTIONS="${OPTIONS} --extAIA"
+
+ if [ "${OCSP}" = "offline" ]; then
+ MY_OCSP_URL=${NSS_OCSP_UNUSED}
+ else
+ MY_OCSP_URL=${NSS_AIA_OCSP}
+ fi
+
+ DATA="${DATA}2
+7
+${MY_OCSP_URL}
+0
+n
+n
+"
+ fi
+}
+
+process_crldp()
+{
+ if [ -n "${CRLDP}" ]; then
+ OPTIONS="${OPTIONS} -4"
+
+ EXT_DATA="${EXT_DATA}1
+"
+
+ for ITEM in ${CRLDP}; do
+ CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"
+
+ EXT_DATA="${EXT_DATA}7
+${NSS_AIA_HTTP}/${CRL_PUBLIC}
+"
+ done
+
+ EXT_DATA="${EXT_DATA}-1
+-1
+-1
+n
+n
+"
+ fi
+}
+
+process_ku_ns_eku()
+{
+ if [ -n "${EXT_KU}" ]; then
+ OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}"
+ fi
+ if [ -n "${EXT_NS}" ]; then
+ EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1)
+ EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2)
+
+ OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}"
+ DATA="${DATA}${EXT_NS_CODE}
+-1
+n
+"
+ fi
+ if [ -n "${EXT_EKU}" ]; then
+ OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}"
+ fi
+}
+
+copy_crl()
+
+{
+ if [ -z "${NSS_AIA_PATH}" ]; then
+ return;
+ fi
+
+ CRL_LOCAL="${COPYCRL}.crl"
+ CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"
+
+ cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null
+ chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
+ echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES}
+}
+
+########################## process_extension ###########################
+# local shell function to process entity extension parameters and
+# generate input for certutil
+########################################################################
+process_extensions()
+{
+ OPTIONS=
+ DATA=
+
+ process_policy
+ process_mapping
+ process_inhibit
+ process_aia
+ process_ocsp
+ process_ku_ns_eku
+}
+
+############################## sign_cert ###############################
+# local shell function to sign certificate sign reuqest
+########################################################################
+sign_cert()
+{
+ ENTITY=$1
+ ISSUER=$2
+ TYPE=$3
+
+ [ -z "${ISSUER}" ] && return
+
+ ENTITY_DB=${ENTITY}DB
+ ISSUER_DB=${ISSUER}DB
+ REQ=${ENTITY}Req.der
+ CERT=${ENTITY}${ISSUER}.der
+
+ set_cert_sn
+
+ EMAIL_OPT=
+ if [ "${TYPE}" = "Bridge" ]; then
+ EMAIL_OPT="-7 ${ENTITY}@${ISSUER}"
+
+ [ -n "${EMAILS}" ] && EMAILS="${EMAILS},"
+ EMAILS="${EMAILS}${ENTITY}@${ISSUER}"
+ fi
+
+ process_extensions
+
+ echo "${DATA}" > ${CU_DATA}
+
+ TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}"
+ print_cu_data
+ ${BINDIR}/certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+
+ TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}"
+ ${BINDIR}/certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################# create_pkcs7##############################
+# local shell function to package bridge certificates into pkcs7
+# package
+########################################################################
+create_pkcs7()
+{
+ ENTITY=$1
+ ENTITY_DB=${ENTITY}DB
+
+ TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7"
+ ${BINDIR}/cmsutil -O -r "${EMAILS}" -d ${ENTITY_DB} > ${ENTITY}.p7
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################# import_key ###############################
+# local shell function to import private key + cert into database
+########################################################################
+import_key()
+{
+ KEY_NAME=$1.p12
+ DB=$2
+
+ KEY_FILE=../OCSPD/${KEY_NAME}
+
+ TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss"
+ ${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+export_key()
+{
+ KEY_NAME=$1.p12
+ DB=$2
+
+ TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss"
+ ${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################# import_cert ##############################
+# local shell function to import certificate into database
+########################################################################
+import_cert()
+{
+ IMPORT=$1
+ DB=$2
+
+ CERT_NICK=`echo ${IMPORT} | cut -d: -f1`
+ CERT_ISSUER=`echo ${IMPORT} | cut -d: -f2`
+ CERT_TRUST=`echo ${IMPORT} | cut -d: -f3`
+
+ if [ "${CERT_ISSUER}" = "x" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.cert
+ CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.der
+ CERT_FILE="../OCSPD/${CERT}"
+ else
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+ CERT_FILE=${CERT}
+ fi
+
+ IS_ASCII=`grep -c -- "-----BEGIN CERTIFICATE-----" ${CERT_FILE}`
+
+ ASCII_OPT=
+ if [ "${IS_ASCII}" -gt 0 ]; then
+ ASCII_OPT="-a"
+ fi
+
+ TESTNAME="Importing certificate ${CERT} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}"
+ ${BINDIR}/certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t "${CERT_TRUST}" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+import_crl()
+{
+ IMPORT=$1
+ DB=$2
+
+ CRL_NICK=`echo ${IMPORT} | cut -d: -f1`
+ CRL_FILE=${CRL_NICK}.crl
+
+ if [ ! -f "${CRL_FILE}" ]; then
+ return
+ fi
+
+ TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}"
+ ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+create_crl()
+{
+ ISSUER=$1
+ ISSUER_DB=${ISSUER}DB
+
+ CRL=${ISSUER}.crl
+
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ DATE_LAST="${DATE}"
+
+ UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ')
+
+ echo "update=${DATE}" > ${CRL_DATA}
+ echo "nextupdate=${UPDATE}" >> ${CRL_DATA}
+
+ TESTNAME="Create CRL for ${ISSUER_DB}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
+ echo "=== Crlutil input data ==="
+ cat ${CRL_DATA}
+ echo "==="
+ ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+revoke_cert()
+{
+ ISSUER=$1
+ ISSUER_DB=${ISSUER}DB
+
+ CRL=${ISSUER}.crl
+
+ set_cert_sn
+
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ while [ "${DATE}" = "${DATE_LAST}" ]; do
+ sleep 1
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ done
+ DATE_LAST="${DATE}"
+
+ echo "update=${DATE}" > ${CRL_DATA}
+ echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA}
+
+ TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
+ echo "=== Crlutil input data ==="
+ cat ${CRL_DATA}
+ echo "==="
+ ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+########################################################################
+# List of global variables related to certificate verification:
+#
+# Generated by parse_config:
+# DB - DB used for testing
+# FETCH - fetch flag (used with AIA extension)
+# POLICY - list of policies
+# TRUST - trust anchor
+# TRUST_AND_DB - Examine both trust anchors and the cert db for trust
+# VERIFY - list of certificates to use as vfychain parameters
+# EXP_RESULT - expected result
+# REV_OPTS - revocation options
+########################################################################
+
+############################# verify_cert ##############################
+# local shell function to verify certificate validity
+########################################################################
+verify_cert()
+{
+ ENGINE=$1
+
+ DB_OPT=
+ FETCH_OPT=
+ POLICY_OPT=
+ TRUST_OPT=
+ VFY_CERTS=
+ VFY_LIST=
+ TRUST_AND_DB_OPT=
+
+ if [ -n "${DB}" ]; then
+ DB_OPT="-d ${DB}"
+ fi
+
+ if [ -n "${FETCH}" ]; then
+ FETCH_OPT="-f"
+ if [ -z "${NSS_AIA_HTTP}" ]; then
+ echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined"
+ return
+ fi
+ fi
+
+ if [ -n "${TRUST_AND_DB}" ]; then
+ TRUST_AND_DB_OPT="-T"
+ fi
+
+ for ITEM in ${POLICY}; do
+ POLICY_OPT="${POLICY_OPT} -o ${ITEM}"
+ done
+
+ for ITEM in ${TRUST}; do
+ echo ${ITEM} | grep ":" > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_NICK=`echo ${ITEM} | cut -d: -f1`
+ CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+
+ TRUST_OPT="${TRUST_OPT} -t ${CERT}"
+ else
+ TRUST_OPT="${TRUST_OPT} -t ${ITEM}"
+ fi
+ done
+
+ for ITEM in ${VERIFY}; do
+ CERT_NICK=`echo ${ITEM} | cut -d: -f1`
+ CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
+
+ if [ "${CERT_ISSUER}" = "x" ]; then
+ CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert"
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT="../OCSPD/${CERT_NICK}.der"
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
+ else
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT}"
+ fi
+ done
+
+ VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+ VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+
+ TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "vfychain ${VFY_OPTS_ALL}"
+
+ if [ -z "${MEMLEAK_DBG}" ]; then
+ VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
+ RESULT=$?
+ echo "${VFY_OUT}"
+ else
+ VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE})
+ RESULT=$?
+ echo "${VFY_OUT}"
+ fi
+
+ echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null
+ E5990=$?
+ echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null
+ E8030=$?
+
+ if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then
+ echo "Result of this test is not valid due to network time out."
+ html_unknown "${SCENARIO}${TESTNAME}"
+ return
+ fi
+
+ echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}"
+
+ if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then
+ html_passed "${SCENARIO}${TESTNAME}"
+ elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then
+ html_passed "${SCENARIO}${TESTNAME}"
+ else
+ html_failed "${SCENARIO}${TESTNAME}"
+ fi
+}
+
+check_ocsp()
+{
+ OCSP_CERT=$1
+
+ CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
+ CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`
+
+ if [ "${CERT_ISSUER}" = "x" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.cert
+ CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.der
+ CERT_FILE="../OCSPD/${CERT}"
+ else
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+ CERT_FILE=${CERT}
+ fi
+
+ # sample line:
+ # URI: "http://ocsp.server:2601"
+ OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
+ OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
+
+ echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
+ tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
+ return $?
+}
+
+############################ parse_result ##############################
+# local shell function to process expected result value
+# this function was created for case that expected result depends on
+# some conditions - in our case type of cert DB
+#
+# default results are pass and fail
+# this function added parsable values in format:
+# type1:value1 type2:value2 .... typex:valuex
+#
+# allowed types are dbm, sql, all (all means all other cases)
+# allowed values are pass and fail
+#
+# if this format is not used, EXP_RESULT will stay unchanged (this also
+# covers pass and fail states)
+########################################################################
+parse_result()
+{
+ for RES in ${EXP_RESULT}
+ do
+ RESTYPE=$(echo ${RES} | cut -d: -f1)
+ RESSTAT=$(echo ${RES} | cut -d: -f2)
+
+ if [ "${RESTYPE}" = "${NSS_DEFAULT_DB_TYPE}" -o "${RESTYPE}" = "all" ]; then
+ EXP_RESULT=${RESSTAT}
+ break
+ fi
+ done
+}
+
+############################ parse_config ##############################
+# local shell function to parse and process file containing certificate
+# chain configuration and list of tests
+########################################################################
+parse_config()
+{
+ SCENARIO=
+ LOGNAME=
+
+ while read KEY VALUE
+ do
+ case "${KEY}" in
+ "entity")
+ ENTITY="${VALUE}"
+ TYPE=
+ ISSUER=
+ CTYPE=
+ POLICY=
+ MAPPING=
+ INHIBIT=
+ AIA=
+ CRLDP=
+ OCSP=
+ DB=
+ EMAILS=
+ EXT_KU=
+ EXT_NS=
+ EXT_EKU=
+ SERIAL=
+ EXPORT_KEY=
+ ;;
+ "type")
+ TYPE="${VALUE}"
+ ;;
+ "issuer")
+ if [ -n "${ISSUER}" ]; then
+ if [ -z "${DB}" ]; then
+ create_entity "${ENTITY}" "${TYPE}"
+ fi
+ sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
+ fi
+
+ ISSUER="${VALUE}"
+ POLICY=
+ MAPPING=
+ INHIBIT=
+ AIA=
+ EXT_KU=
+ EXT_NS=
+ EXT_EKU=
+ ;;
+ "ctype")
+ CTYPE="${VALUE}"
+ ;;
+ "policy")
+ POLICY="${POLICY} ${VALUE}"
+ ;;
+ "mapping")
+ MAPPING="${MAPPING} ${VALUE}"
+ ;;
+ "inhibit")
+ INHIBIT="${VALUE}"
+ ;;
+ "aia")
+ AIA="${AIA} ${VALUE}"
+ ;;
+ "crldp")
+ CRLDP="${CRLDP} ${VALUE}"
+ ;;
+ "ocsp")
+ OCSP="${VALUE}"
+ ;;
+ "db")
+ DB="${VALUE}DB"
+ create_db "${DB}"
+ ;;
+ "import")
+ IMPORT="${VALUE}"
+ import_cert "${IMPORT}" "${DB}"
+ import_crl "${IMPORT}" "${DB}"
+ ;;
+ "import_key")
+ IMPORT="${VALUE}"
+ import_key "${IMPORT}" "${DB}"
+ ;;
+ "crl")
+ ISSUER="${VALUE}"
+ create_crl "${ISSUER}"
+ ;;
+ "revoke")
+ REVOKE="${VALUE}"
+ ;;
+ "serial")
+ SERIAL="${VALUE}"
+ ;;
+ "export_key")
+ EXPORT_KEY=1
+ ;;
+ "copycrl")
+ COPYCRL="${VALUE}"
+ copy_crl "${COPYCRL}"
+ ;;
+ "verify")
+ VERIFY="${VALUE}"
+ TRUST=
+ TRUST_AND_DB=
+ POLICY=
+ FETCH=
+ EXP_RESULT=
+ REV_OPTS=
+ USAGE_OPT=
+ ;;
+ "cert")
+ VERIFY="${VERIFY} ${VALUE}"
+ ;;
+ "testdb")
+ if [ -n "${VALUE}" ]; then
+ DB="${VALUE}DB"
+ else
+ DB=
+ fi
+ ;;
+ "trust")
+ TRUST="${TRUST} ${VALUE}"
+ ;;
+ "trust_and_db")
+ TRUST_AND_DB=1
+ ;;
+ "fetch")
+ FETCH=1
+ ;;
+ "result")
+ EXP_RESULT="${VALUE}"
+ parse_result
+ ;;
+ "rev_type")
+ REV_OPTS="${REV_OPTS} -g ${VALUE}"
+ ;;
+ "rev_flags")
+ REV_OPTS="${REV_OPTS} -h ${VALUE}"
+ ;;
+ "rev_mtype")
+ REV_OPTS="${REV_OPTS} -m ${VALUE}"
+ ;;
+ "rev_mflags")
+ REV_OPTS="${REV_OPTS} -s ${VALUE}"
+ ;;
+ "scenario")
+ SCENARIO="${VALUE}: "
+
+ CHAINS_DIR="${HOSTDIR}/chains/${VALUE}"
+ mkdir -p ${CHAINS_DIR}
+ cd ${CHAINS_DIR}
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ LOGNAME="libpkix-${VALUE}"
+ LOGFILE="${LOGDIR}/${LOGNAME}"
+ fi
+
+ SCEN_CNT=$(expr ${SCEN_CNT} + 1)
+ ;;
+ "sleep")
+ sleep ${VALUE}
+ ;;
+ "break")
+ break
+ ;;
+ "check_ocsp")
+ TESTNAME="Test that OCSP server is reachable"
+ check_ocsp ${VALUE}
+ if [ $? -ne 0 ]; then
+ html_failed "$TESTNAME"
+ break;
+ else
+ html_passed "$TESTNAME"
+ fi
+ ;;
+ "ku")
+ EXT_KU="${VALUE}"
+ ;;
+ "ns")
+ EXT_NS="${VALUE}"
+ ;;
+ "eku")
+ EXT_EKU="${VALUE}"
+ ;;
+ "usage")
+ USAGE_OPT="-u ${VALUE}"
+ ;;
+ "")
+ if [ -n "${ENTITY}" ]; then
+ if [ -z "${DB}" ]; then
+ create_entity "${ENTITY}" "${TYPE}"
+ fi
+ sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
+ if [ "${TYPE}" = "Bridge" ]; then
+ create_pkcs7 "${ENTITY}"
+ fi
+ if [ -n "${EXPORT_KEY}" ]; then
+ export_key "${ENTITY}" "${DB}"
+ fi
+ ENTITY=
+ fi
+
+ if [ -n "${VERIFY}" ] && \
+ [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+ verify_cert "-pp"
+ if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ] && \
+ [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+ verify_cert ""
+ verify_cert "-p"
+ fi
+ VERIFY=
+ fi
+
+ if [ -n "${REVOKE}" ]; then
+ revoke_cert "${REVOKE}" "${DB}"
+ REVOKE=
+ fi
+ ;;
+ *)
+ if [ `echo ${KEY} | cut -b 1` != "#" ]; then
+ echo "Configuration error: Unknown keyword ${KEY}"
+ exit 1
+ fi
+ ;;
+ esac
+ done
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ log_parse
+ html_msg $? 0 "${SCENARIO}Memory leak checking"
+ fi
+}
+
+process_scenario()
+{
+ SCENARIO_FILE=$1
+
+ > ${AIA_FILES}
+
+ parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}"
+
+ while read AIA_FILE
+ do
+ rm ${AIA_FILE} 2> /dev/null
+ done < ${AIA_FILES}
+ rm ${AIA_FILES}
+}
+
+# process ocspd.cfg separately
+chains_ocspd()
+{
+ process_scenario "ocspd.cfg"
+}
+
+# process ocsp.cfg separately
+chains_method()
+{
+ process_scenario "method.cfg"
+}
+
+############################# chains_main ##############################
+# local shell function to process all testing scenarios
+########################################################################
+chains_main()
+{
+ while read LINE
+ do
+ [ `echo ${LINE} | cut -b 1` != "#" ] || continue
+
+ [ ${LINE} != 'ocspd.cfg' ] || continue
+ [ ${LINE} != 'method.cfg' ] || continue
+
+ process_scenario ${LINE}
+ done < "${CHAINS_SCENARIOS}"
+}
+
+################################ main ##################################
+
+chains_init
+VERIFY_CLASSIC_ENGINE_TOO=
+chains_ocspd
+VERIFY_CLASSIC_ENGINE_TOO=1
+chains_run_httpserv get
+chains_method
+chains_stop_httpserv
+chains_run_httpserv post
+chains_method
+chains_stop_httpserv
+VERIFY_CLASSIC_ENGINE_TOO=
+chains_run_httpserv random
+chains_main
+chains_stop_httpserv
+chains_run_httpserv get-unknown
+chains_main
+chains_stop_httpserv
+chains_cleanup