summaryrefslogtreecommitdiffstats
path: root/security/nss/tests
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /security/nss/tests
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/nss/tests')
-rw-r--r--security/nss/tests/README.txt6
-rwxr-xr-xsecurity/nss/tests/all.sh311
-rwxr-xr-xsecurity/nss/tests/bogo/bogo.sh56
-rwxr-xr-xsecurity/nss/tests/cert/cert.sh2012
-rw-r--r--security/nss/tests/cert/certext.txt130
-rwxr-xr-xsecurity/nss/tests/chains/chains.sh1308
-rwxr-xr-xsecurity/nss/tests/chains/ocspd-config/ocspd-certs.sh116
-rw-r--r--security/nss/tests/chains/ocspd-config/ocspd.conf.template46
-rw-r--r--security/nss/tests/chains/ocspd-config/readme3
-rw-r--r--security/nss/tests/chains/scenarios/aia.cfg35
-rw-r--r--security/nss/tests/chains/scenarios/anypolicy.cfg77
-rw-r--r--security/nss/tests/chains/scenarios/anypolicywithlevel.cfg399
-rw-r--r--security/nss/tests/chains/scenarios/bridge.cfg106
-rw-r--r--security/nss/tests/chains/scenarios/bridgewithaia.cfg54
-rw-r--r--security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg89
-rw-r--r--security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg187
-rw-r--r--security/nss/tests/chains/scenarios/crldp.cfg105
-rw-r--r--security/nss/tests/chains/scenarios/dsa.cfg72
-rw-r--r--security/nss/tests/chains/scenarios/explicitPolicy.cfg78
-rw-r--r--security/nss/tests/chains/scenarios/extension.cfg102
-rw-r--r--security/nss/tests/chains/scenarios/extension2.cfg140
-rw-r--r--security/nss/tests/chains/scenarios/mapping.cfg63
-rw-r--r--security/nss/tests/chains/scenarios/mapping2.cfg71
-rw-r--r--security/nss/tests/chains/scenarios/megabridge_3_2.cfg130
-rw-r--r--security/nss/tests/chains/scenarios/method.cfg25
-rw-r--r--security/nss/tests/chains/scenarios/nameconstraints.cfg161
-rw-r--r--security/nss/tests/chains/scenarios/ocsp.cfg177
-rw-r--r--security/nss/tests/chains/scenarios/ocspd.cfg172
-rw-r--r--security/nss/tests/chains/scenarios/realcerts.cfg29
-rw-r--r--security/nss/tests/chains/scenarios/revoc.cfg86
-rw-r--r--security/nss/tests/chains/scenarios/scenarios24
-rw-r--r--security/nss/tests/chains/scenarios/trustanchors.cfg114
-rwxr-xr-xsecurity/nss/tests/cipher/cipher.sh140
-rw-r--r--security/nss/tests/cipher/cipher.txt57
-rw-r--r--security/nss/tests/cipher/dsa.txt13
-rw-r--r--security/nss/tests/cipher/gcm.txt16
-rw-r--r--security/nss/tests/cipher/hash.txt11
-rwxr-xr-xsecurity/nss/tests/cipher/performance.sh156
-rw-r--r--security/nss/tests/cipher/rsa.txt11
-rw-r--r--security/nss/tests/cipher/symmkey.txt36
-rwxr-xr-xsecurity/nss/tests/clean_tbx172
-rw-r--r--security/nss/tests/cmdtests/cmdtests.sh101
-rw-r--r--security/nss/tests/common/Makefile24
-rwxr-xr-xsecurity/nss/tests/common/cleanup.sh55
-rw-r--r--security/nss/tests/common/init.sh672
-rw-r--r--security/nss/tests/common/parsegtestreport.sed8
-rw-r--r--security/nss/tests/common/results_header.html6
-rwxr-xr-xsecurity/nss/tests/core_watch45
-rw-r--r--security/nss/tests/crmf/crmf.sh89
-rwxr-xr-xsecurity/nss/tests/dbtests/dbtests.sh262
-rwxr-xr-xsecurity/nss/tests/dbupgrade/dbupgrade.sh106
-rwxr-xr-xsecurity/nss/tests/dll_version.sh50
-rw-r--r--security/nss/tests/doc/clean.gifbin0 -> 5503 bytes
-rwxr-xr-xsecurity/nss/tests/doc/nssqa.txt108
-rw-r--r--security/nss/tests/doc/platform_specific_problems110
-rwxr-xr-xsecurity/nss/tests/doc/qa_wrapper.html269
-rw-r--r--security/nss/tests/dummy/dummy.sh19
-rwxr-xr-xsecurity/nss/tests/ec/ec.sh37
-rwxr-xr-xsecurity/nss/tests/ec/ecperf.sh52
-rw-r--r--security/nss/tests/ec/ectest.sh93
-rwxr-xr-xsecurity/nss/tests/fips/fips.sh293
-rwxr-xr-xsecurity/nss/tests/gtests/gtests.sh88
-rw-r--r--security/nss/tests/header1636
-rw-r--r--security/nss/tests/iopr/cert_iopr.sh405
-rw-r--r--security/nss/tests/iopr/ocsp_iopr.sh231
-rw-r--r--security/nss/tests/iopr/server_scr/apache_unix.cfg47
-rw-r--r--security/nss/tests/iopr/server_scr/cert_gen.sh367
-rw-r--r--security/nss/tests/iopr/server_scr/cipher.list98
-rw-r--r--security/nss/tests/iopr/server_scr/client.cgi526
-rw-r--r--security/nss/tests/iopr/server_scr/config17
-rw-r--r--security/nss/tests/iopr/server_scr/iis_windows.cfg33
-rw-r--r--security/nss/tests/iopr/server_scr/iopr_server.cfg67
-rw-r--r--security/nss/tests/iopr/server_scr/sslreq.dat2
-rw-r--r--security/nss/tests/iopr/ssl_iopr.sh643
-rwxr-xr-xsecurity/nss/tests/jss_dll_version.sh22
-rwxr-xr-xsecurity/nss/tests/jssdir28
-rwxr-xr-xsecurity/nss/tests/jssqa220
-rw-r--r--security/nss/tests/libpkix/cert_trust.map6
-rw-r--r--security/nss/tests/libpkix/certs/BrAirWaysBadSig.certbin0 -> 1647 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/CertificatePoliciesCritical.crtbin0 -> 805 bytes
-rw-r--r--security/nss/tests/libpkix/certs/GoodCACert.crtbin0 -> 625 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.ca.certbin0 -> 626 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.certbin0 -> 888 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.certbin0 -> 889 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.certbin0 -> 957 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.intermediate.certbin0 -> 662 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.intermediate2.certbin0 -> 644 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.intermediate3.certbin0 -> 716 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.intermediate4.certbin0 -> 607 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.intermediate5.certbin0 -> 612 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.intermediate6.certbin0 -> 611 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.ncca.certbin0 -> 672 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server1.certbin0 -> 660 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server10.certbin0 -> 560 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server11.certbin0 -> 585 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server12.certbin0 -> 562 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server13.certbin0 -> 574 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server14.certbin0 -> 574 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server15.certbin0 -> 634 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server16.certbin0 -> 612 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server17.certbin0 -> 630 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server2.certbin0 -> 643 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server3.certbin0 -> 660 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server4.certbin0 -> 663 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server5.certbin0 -> 646 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server6.certbin0 -> 663 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server7.certbin0 -> 578 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server8.certbin0 -> 564 bytes
-rw-r--r--security/nss/tests/libpkix/certs/NameConstraints.server9.certbin0 -> 551 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPCA1.certbin0 -> 574 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPCA1.p12bin0 -> 1690 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPCA2.certbin0 -> 574 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPCA2.p12bin0 -> 1690 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPCA3.certbin0 -> 574 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPCA3.p12bin0 -> 1690 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE11.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE12.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE13.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE14.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE15.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE21.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE22.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE23.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE31.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE32.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPEE33.certbin0 -> 552 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPRoot.certbin0 -> 549 bytes
-rw-r--r--security/nss/tests/libpkix/certs/OCSPRoot.p12bin0 -> 1668 bytes
-rw-r--r--security/nss/tests/libpkix/certs/PayPalEE.certbin0 -> 1376 bytes
-rw-r--r--security/nss/tests/libpkix/certs/PayPalICA.certbin0 -> 1205 bytes
-rw-r--r--security/nss/tests/libpkix/certs/PayPalRootCA.certbin0 -> 969 bytes
-rw-r--r--security/nss/tests/libpkix/certs/TestCA.ca.certbin0 -> 628 bytes
-rw-r--r--security/nss/tests/libpkix/certs/TestUser50.certbin0 -> 615 bytes
-rw-r--r--security/nss/tests/libpkix/certs/TestUser51.certbin0 -> 615 bytes
-rw-r--r--security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crtbin0 -> 572 bytes
-rw-r--r--security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crtbin0 -> 622 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/anchor2dsabin0 -> 906 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/crldiff.crlbin0 -> 237 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/crlgood.crlbin0 -> 237 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCertbin0 -> 696 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/extKeyUsage/multiEKUCertbin0 -> 716 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/extKeyUsage/noEKUCertbin0 -> 742 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameDnCertbin0 -> 748 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameDnCert_diffbin0 -> 747 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameDnsCertbin0 -> 700 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameDnsCert_diffbin0 -> 700 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameEdiCertbin0 -> 702 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameEdiCert_diffbin0 -> 700 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameIpCertbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameIpCert_diffbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameNoneCertbin0 -> 742 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameOidCertbin0 -> 691 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameOidCert_diffbin0 -> 694 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameOtherCertbin0 -> 698 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameOtherCert_diffbin0 -> 698 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameRfc822Certbin0 -> 740 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diffbin0 -> 703 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCertbin0 -> 718 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameUriCertbin0 -> 706 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameUriCert_diffbin0 -> 708 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameX400Certbin0 -> 691 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/generalName/altNameX400Cert_diffbin0 -> 691 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/hanfeiyu2hanfeiyubin0 -> 669 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/hy2hc-bcbin0 -> 668 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/hy2hy-bc0bin0 -> 685 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/issuer-hanfei.crlbin0 -> 199 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/issuer-none.crlbin0 -> 196 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCertbin0 -> 536 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCertbin0 -> 906 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/keyUsage/decipherOnlyCertbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/keyUsage/encipherOnlyCertbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCertbin0 -> 742 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCertbin0 -> 675 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/make-ca-u50-u5137
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/make-nc508
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/noExtensionsCertbin0 -> 680 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/nss2alicebin0 -> 602 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/publicKey/dsaWithParamsbin0 -> 906 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/publicKey/dsaWithoutParamsbin0 -> 536 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/publicKey/labs2yassirbin0 -> 676 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/publicKey/yassir2labsbin0 -> 676 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/sun2sunbin0 -> 666 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/yassir2bcnbin0 -> 742 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/certs/yassir2yassirbin0 -> 760 bytes
-rw-r--r--security/nss/tests/libpkix/common/libpkix_init.sh324
-rw-r--r--security/nss/tests/libpkix/common/libpkix_init_nist.sh70
-rwxr-xr-xsecurity/nss/tests/libpkix/libpkix.sh139
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/cert8.dbbin0 -> 65536 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/key3.dbbin0 -> 32768 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crlbin0 -> 237 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crlbin0 -> 237 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crlbin0 -> 199 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crlbin0 -> 196 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crtbin0 -> 774 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crtbin0 -> 732 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crtbin0 -> 726 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crtbin0 -> 694 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crtbin0 -> 734 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh101
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/module/secmod.dbbin0 -> 32768 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README3
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crlbin0 -> 237 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crlbin0 -> 237 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crlbin0 -> 199 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crlbin0 -> 196 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh81
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh67
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh46
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/certsel/keyUsage0
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/certsel/runTests.sh33
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/checker/runTests.sh31
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh33
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/params/runTests.sh36
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/results/runTests.sh36
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/runTests.sh98
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/store/runTests.sh32
-rw-r--r--security/nss/tests/libpkix/pkix_tests/top/anchorcert.crtbin0 -> 694 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crlbin0 -> 169 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crtbin0 -> 689 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crlbin0 -> 153 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crtbin0 -> 671 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crtbin0 -> 656 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crtbin0 -> 555 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crlbin0 -> 155 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crtbin0 -> 675 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crlbin0 -> 173 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crtbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crlbin0 -> 169 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crtbin0 -> 689 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crlbin0 -> 153 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crtbin0 -> 671 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crtbin0 -> 656 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crtbin0 -> 555 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crlbin0 -> 155 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crtbin0 -> 676 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crlbin0 -> 173 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crtbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crlbin0 -> 169 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crtbin0 -> 689 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crlbin0 -> 153 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crtbin0 -> 671 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crtbin0 -> 656 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crtbin0 -> 555 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crlbin0 -> 155 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crtbin0 -> 676 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crlbin0 -> 173 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crtbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crlbin0 -> 169 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crtbin0 -> 689 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crlbin0 -> 153 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crtbin0 -> 671 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crtbin0 -> 656 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crlbin0 -> 173 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crtbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crlbin0 -> 169 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crtbin0 -> 689 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crlbin0 -> 153 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crtbin0 -> 671 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crtbin0 -> 656 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crlbin0 -> 173 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crtbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crtbin0 -> 689 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crtbin0 -> 671 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crtbin0 -> 656 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crtbin0 -> 555 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crtbin0 -> 676 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crtbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crtbin0 -> 520 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crtbin0 -> 671 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crtbin0 -> 656 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crtbin0 -> 555 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crtbin0 -> 669 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crtbin0 -> 676 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crtbin0 -> 692 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crtbin0 -> 520 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crtbin0 -> 671 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crtbin0 -> 656 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crtbin0 -> 555 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crtbin0 -> 669 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crtbin0 -> 676 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crtbin0 -> 692 bytes
-rw-r--r--security/nss/tests/libpkix/pkix_tests/top/cert8.dbbin0 -> 65536 bytes
-rw-r--r--security/nss/tests/libpkix/pkix_tests/top/goodcert.crtbin0 -> 1031 bytes
-rw-r--r--security/nss/tests/libpkix/pkix_tests/top/key3.dbbin0 -> 32768 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crlbin0 -> 239 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crtbin0 -> 709 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crtbin0 -> 707 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crlbin0 -> 201 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crlbin0 -> 203 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crtbin0 -> 691 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crlbin0 -> 200 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crtbin0 -> 707 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crtbin0 -> 703 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crtbin0 -> 703 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crlbin0 -> 205 bytes
-rw-r--r--security/nss/tests/libpkix/pkix_tests/top/revokedcert.crtbin0 -> 1034 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/top/runTests.sh517
-rw-r--r--security/nss/tests/libpkix/pkix_tests/top/secmod.dbbin0 -> 32768 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/util/runTests.sh33
-rwxr-xr-xsecurity/nss/tests/libpkix/runTests.sh87
-rwxr-xr-xsecurity/nss/tests/libpkix/sample_apps/README77
-rwxr-xr-xsecurity/nss/tests/libpkix/sample_apps/cert8.dbbin0 -> 65536 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/sample_apps/key3.dbbin0 -> 32768 bytes
-rwxr-xr-xsecurity/nss/tests/libpkix/sample_apps/runPerf.sh143
-rwxr-xr-xsecurity/nss/tests/libpkix/sample_apps/secmod.dbbin0 -> 32768 bytes
-rw-r--r--security/nss/tests/libpkix/vfychain_test.lst4
-rw-r--r--security/nss/tests/lowhash/lowhash.sh97
-rw-r--r--security/nss/tests/memleak/ignored58
-rwxr-xr-xsecurity/nss/tests/memleak/memleak.sh915
-rw-r--r--security/nss/tests/memleak/sslreq.dat2
-rwxr-xr-xsecurity/nss/tests/merge/merge.sh277
-rwxr-xr-xsecurity/nss/tests/mksymlinks115
-rw-r--r--security/nss/tests/mpi/mpi.sh40
-rwxr-xr-xsecurity/nss/tests/multinit/multinit.sh158
-rw-r--r--security/nss/tests/multinit/multinit.txt79
-rwxr-xr-xsecurity/nss/tests/nssdir28
-rwxr-xr-xsecurity/nss/tests/nsspath12
-rwxr-xr-xsecurity/nss/tests/nssqa286
-rw-r--r--security/nss/tests/ocsp/ocsp.sh54
-rwxr-xr-xsecurity/nss/tests/path_uniq107
-rwxr-xr-xsecurity/nss/tests/perf/perf.sh61
-rw-r--r--security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.dbbin0 -> 90112 bytes
-rw-r--r--security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.dbbin0 -> 16384 bytes
-rwxr-xr-xsecurity/nss/tests/pkits/pkits.sh1988
-rw-r--r--security/nss/tests/platformlist11
-rw-r--r--security/nss/tests/platformlist.tbx14
-rwxr-xr-xsecurity/nss/tests/qa_stage336
-rwxr-xr-xsecurity/nss/tests/qa_stat938
-rwxr-xr-xsecurity/nss/tests/qaclean144
-rw-r--r--security/nss/tests/remote/Makefile153
-rw-r--r--security/nss/tests/remote/manifest.mn6
-rwxr-xr-xsecurity/nss/tests/run_niscc.sh982
-rwxr-xr-xsecurity/nss/tests/sdr/sdr.sh111
-rw-r--r--security/nss/tests/set_environment234
-rw-r--r--security/nss/tests/smime/alice.txt6
-rw-r--r--security/nss/tests/smime/bob.txt6
-rwxr-xr-xsecurity/nss/tests/smime/smime.sh259
-rwxr-xr-xsecurity/nss/tests/ssl/ssl.sh1199
-rwxr-xr-xsecurity/nss/tests/ssl/ssl_dist_stress.sh313
-rw-r--r--security/nss/tests/ssl/sslauth.txt76
-rw-r--r--security/nss/tests/ssl/sslcov.txt143
-rw-r--r--security/nss/tests/ssl/sslpolicy.txt174
-rw-r--r--security/nss/tests/ssl/sslreq.dat2
-rw-r--r--security/nss/tests/ssl/sslreq.txt2
-rw-r--r--security/nss/tests/ssl/sslstress.txt87
-rwxr-xr-xsecurity/nss/tests/ssl_gtests/ssl_gtests.sh159
-rw-r--r--security/nss/tests/tools/sign.html8
-rw-r--r--security/nss/tests/tools/signjs.html11
-rw-r--r--security/nss/tests/tools/tools.sh498
349 files changed, 26616 insertions, 0 deletions
diff --git a/security/nss/tests/README.txt b/security/nss/tests/README.txt
new file mode 100644
index 000000000..08088b50b
--- /dev/null
+++ b/security/nss/tests/README.txt
@@ -0,0 +1,6 @@
+Hints for running the NSS test suite:
+
+- all.sh is used to run all tests
+
+- if your host is not registered with DNS you may use:
+ HOST=localhost DOMSUF=localdomain ./all.sh
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh
new file mode 100755
index 000000000..8305e6766
--- /dev/null
+++ b/security/nss/tests/all.sh
@@ -0,0 +1,311 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/all.sh
+#
+# Script to start selected available NSS QA suites on one machine
+# this script is called or sourced by NSS QA which runs on all required
+# platforms
+#
+# Needs to work on all Unix and Windows platforms
+#
+# Currently available NSS QA suites:
+# ----------------------------------
+# cipher.sh - tests NSS ciphers
+# libpkix.sh - tests PKIX functionality
+# cert.sh - exercises certutil and creates certs necessary for
+# all other tests
+# dbtests.sh - tests related to certificate databases
+# tools.sh - tests the majority of the NSS tools
+# fips.sh - tests basic functionallity of NSS in FIPS-compliant
+# - mode
+# sdr.sh - tests NSS SDR
+# crmf.sh - CRMF/CMMF testing
+# smime.sh - S/MIME testing
+# ssl.sh - tests SSL V2 SSL V3 and TLS
+# ocsp.sh - OCSP testing
+# merge.sh - tests merging old and new shareable databases
+# pkits.sh - NIST/PKITS tests
+# chains.sh - PKIX cert chains tests
+# dbupgrade.sh - upgrade databases to new shareable version (used
+# only in upgrade test cycle)
+# memleak.sh - memory leak testing (optional)
+# ssl_gtests.sh- Gtest based unit tests for ssl
+# gtests.sh - Gtest based unit tests for everything else
+# bogo.sh - Bogo interop tests (disabled by default)
+# https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
+#
+# NSS testing is now devided to 4 cycles:
+# ---------------------------------------
+# standard - run test suites with defaults settings
+# pkix - run test suites with PKIX enabled
+# upgradedb - upgrade existing certificate databases to shareable
+# format (creates them if doesn't exist yet) and run
+# test suites with those databases
+# sharedb - run test suites with shareable database format
+# enabled (databases are created directly to this
+# format)
+#
+# Mandatory environment variables (to be set before testing):
+# -----------------------------------------------------------
+# HOST - test machine host name
+# DOMSUF - test machine domain name
+#
+# Optional environment variables to specify build to use:
+# -------------------------------------------------------
+# BUILT_OPT - use optimized/debug build
+# USE_64 - use 64bit/32bit build
+# USE_ASAN - use Address Sanitizer build
+#
+# Optional environment variables to enable specific NSS features:
+# ---------------------------------------------------------------
+# NSS_DISABLE_ECC - disable ECC
+#
+# Optional environment variables to select which cycles/suites to test:
+# ---------------------------------------------------------------------
+# NSS_CYCLES - list of cycles to run (separated by space
+# character)
+# - by default all cycles are tested
+#
+# NSS_TESTS - list of all test suites to run (separated by space
+# character, without trailing .sh)
+# - this list can be reduced for individual test cycles
+#
+# NSS_SSL_TESTS - list of ssl tests to run (see ssl.sh)
+# NSS_SSL_RUN - list of ssl sub-tests to run (see ssl.sh)
+#
+# Testing schema:
+# ---------------
+# all.sh ~ (main)
+# | |
+# +------------+------------+-----------+ ~ run_cycles
+# | | | | |
+# standard pkix upgradedb sharedb ~ run_cycle_*
+# | |
+# +------+------+------+-----> ~ run_tests
+# | | | | |
+# cert tools fips ssl ... ~ . *.sh
+#
+# Special strings:
+# ----------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+# NOTE:
+# -----
+# Unlike the old QA this is based on files sourcing each other
+# This is done to save time, since a great portion of time is lost
+# in calling and sourcing the same things multiple times over the
+# network. Also, this way all scripts have all shell function
+# available and a completely common environment
+#
+########################################################################
+
+############################## run_tests ###############################
+# run test suites defined in TESTS variable, skip scripts defined in
+# TESTS_SKIP variable
+########################################################################
+run_tests()
+{
+ for TEST in ${TESTS}
+ do
+ # NOTE: the spaces are important. If you don't include
+ # the spaces, then turning off ssl_gtests will also turn off ssl
+ # tests.
+ echo " ${TESTS_SKIP} " | grep " ${TEST} " > /dev/null
+ if [ $? -eq 0 ]; then
+ continue
+ fi
+
+ SCRIPTNAME=${TEST}.sh
+ echo "Running tests for ${TEST}"
+ echo "TIMESTAMP ${TEST} BEGIN: `date`"
+ (cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1)
+ echo "TIMESTAMP ${TEST} END: `date`"
+ done
+}
+
+########################## run_cycle_standard ##########################
+# run test suites with defaults settings (no PKIX, no sharedb)
+########################################################################
+run_cycle_standard()
+{
+ TEST_MODE=STANDARD
+
+ TESTS="${ALL_TESTS}"
+ TESTS_SKIP=
+
+ run_tests
+}
+
+############################ run_cycle_pkix ############################
+# run test suites with PKIX enabled
+########################################################################
+run_cycle_pkix()
+{
+ TEST_MODE=PKIX
+
+ TABLE_ARGS="bgcolor=cyan"
+ html_head "Testing with PKIX"
+ html "</TABLE><BR>"
+
+ HOSTDIR="${HOSTDIR}/pkix"
+ mkdir -p "${HOSTDIR}"
+ init_directories
+
+ NSS_ENABLE_PKIX_VERIFY="1"
+ export NSS_ENABLE_PKIX_VERIFY
+
+ TESTS="${ALL_TESTS}"
+ TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+
+ run_tests
+}
+
+######################### run_cycle_upgrade_db #########################
+# upgrades certificate database to shareable format and run test suites
+# with those databases
+########################################################################
+run_cycle_upgrade_db()
+{
+ TEST_MODE=UPGRADE_DB
+
+ TABLE_ARGS="bgcolor=pink"
+ html_head "Testing with upgraded library"
+ html "</TABLE><BR>"
+
+ OLDHOSTDIR="${HOSTDIR}"
+ HOSTDIR="${HOSTDIR}/upgradedb"
+ mkdir -p "${HOSTDIR}"
+ init_directories
+
+ if [ -r "${OLDHOSTDIR}/cert.log" ]; then
+ DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA stapling tools/copydir cert.log cert.done tests.*"
+ for i in $DIRS
+ do
+ cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null
+ done
+ fi
+
+ # upgrade certs dbs to shared db
+ TESTS="dbupgrade"
+ TESTS_SKIP=
+
+ run_tests
+
+ NSS_DEFAULT_DB_TYPE="sql"
+ export NSS_DEFAULT_DB_TYPE
+
+ # run the subset of tests with the upgraded database
+ TESTS="${ALL_TESTS}"
+ TESTS_SKIP="cipher libpkix cert dbtests sdr ocsp pkits chains"
+
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+ NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
+
+ run_tests
+}
+
+########################## run_cycle_shared_db #########################
+# run test suites with certificate databases set to shareable format
+########################################################################
+run_cycle_shared_db()
+{
+ TEST_MODE=SHARED_DB
+
+ TABLE_ARGS="bgcolor=yellow"
+ html_head "Testing with shared library"
+ html "</TABLE><BR>"
+
+ HOSTDIR="${HOSTDIR}/sharedb"
+ mkdir -p "${HOSTDIR}"
+ init_directories
+
+ NSS_DEFAULT_DB_TYPE="sql"
+ export NSS_DEFAULT_DB_TYPE
+
+ # run the tests for native sharedb support
+ TESTS="${ALL_TESTS}"
+ TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits"
+
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+ NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
+
+ run_tests
+}
+
+############################# run_cycles ###############################
+# run test cycles defined in CYCLES variable
+########################################################################
+run_cycles()
+{
+ for CYCLE in ${CYCLES}
+ do
+ case "${CYCLE}" in
+ "standard")
+ run_cycle_standard
+ ;;
+ "pkix")
+ if [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+ run_cycle_pkix
+ fi
+ ;;
+ "upgradedb")
+ run_cycle_upgrade_db
+ ;;
+ "sharedb")
+ run_cycle_shared_db
+ ;;
+ esac
+ . ${ENV_BACKUP}
+ done
+}
+
+############################## main code ###############################
+
+cycles="standard pkix upgradedb sharedb"
+CYCLES=${NSS_CYCLES:-$cycles}
+
+tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+TESTS=${NSS_TESTS:-$tests}
+
+ALL_TESTS=${TESTS}
+
+nss_ssl_tests="crl fips_normal normal_fips iopr policy"
+NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
+
+nss_ssl_run="cov auth stapling stress"
+NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
+
+SCRIPTNAME=all.sh
+CLEANUP="${SCRIPTNAME}"
+cd `dirname $0`
+
+# all.sh should be the first one to try to source the init
+if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd common
+ . ./init.sh
+fi
+
+# NOTE:
+# Lists of enabled tests and other settings are stored to ${ENV_BACKUP}
+# file and are are restored after every test cycle.
+
+ENV_BACKUP=${HOSTDIR}/env.sh
+env_backup > ${ENV_BACKUP}
+
+if [ "${O_CRON}" = "ON" ]; then
+ run_cycles >> ${LOGFILE}
+else
+ run_cycles | tee -a ${LOGFILE}
+fi
+
+SCRIPTNAME=all.sh
+
+. ${QADIR}/common/cleanup.sh
diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh
new file mode 100755
index 000000000..7503d230e
--- /dev/null
+++ b/security/nss/tests/bogo/bogo.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/bogo/bogo.sh
+#
+# Script to drive the ssl bogo interop unit tests
+#
+########################################################################
+
+bogo_init()
+{
+ SCRIPTNAME="bogo.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ mkdir -p "${HOSTDIR}/bogo"
+ cd "${HOSTDIR}/bogo"
+ BORING=${BORING:=boringssl}
+ if [ ! -d "$BORING" ]; then
+ git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
+ git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
+ fi
+
+ SCRIPTNAME="bogo.sh"
+ html_head "bogo test"
+}
+
+bogo_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+# Need to add go to the PATH.
+export PATH=$PATH:/usr/lib/go-1.6/bin
+
+cd "$(dirname "$0")"
+SOURCE_DIR="$PWD"/../..
+bogo_init
+(cd "$BORING"/ssl/test/runner;
+ GOPATH="$PWD" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \
+ -loose-errors -allow-unimplemented \
+ -shim-config "${SOURCE_DIR}/gtests/nss_bogo_shim/config.json") \
+ 2>bogo.errors | tee bogo.log
+html_msg "${PIPESTATUS[0]}" 0 "Bogo" "Run successfully"
+grep -i 'FAILED\|Assertion failure' bogo.errors
+html_msg $? 1 "Bogo" "No failures"
+bogo_cleanup
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
new file mode 100755
index 000000000..9b3455747
--- /dev/null
+++ b/security/nss/tests/cert/cert.sh
@@ -0,0 +1,2012 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/cert/rcert.sh
+#
+# Certificate generating and handeling for NSS QA, can be included
+# multiple times from all.sh and the individual scripts
+#
+# needs to work on all Unix and Windows platforms
+#
+# included from (don't expect this to be up to date)
+# --------------------------------------------------
+# all.sh
+# ssl.sh
+# smime.sh
+# tools.sh
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+# FIXME - Netscape - NSS
+########################################################################
+
+############################## cert_init ###############################
+# local shell function to initialize this script
+########################################################################
+cert_init()
+{
+ SCRIPTNAME="cert.sh"
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ -z "${IOPR_CERT_SOURCED}" ]; then
+ . ../iopr/cert_iopr.sh
+ fi
+ SCRIPTNAME="cert.sh"
+ CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ html_head "Certutil and Crlutil Tests with ECC"
+ else
+ html_head "Certutil and Crlutil Tests"
+ fi
+
+ LIBDIR="${DIST}/${OBJDIR}/lib"
+
+ ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
+ if [ ! "${ROOTCERTSFILE}" ] ; then
+ html_failed "Looking for root certs module."
+ cert_log "ERROR: Root certs module not found."
+ Exit 5 "Fatal - Root certs module not found."
+ else
+ html_passed "Looking for root certs module."
+ fi
+
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ ROOTCERTSFILE=`cygpath -m ${ROOTCERTSFILE}`
+ fi
+}
+
+cert_log() ###################### write the cert_status file
+{
+ echo "$SCRIPTNAME $*"
+ echo $* >>${CERT_LOG_FILE}
+}
+
+########################################################################
+# function wraps calls to pk12util, also: writes action and options
+# to stdout.
+# Params are the same as to pk12util.
+# Returns pk12util status
+#
+pk12u()
+{
+ echo "${CU_ACTION} --------------------------"
+
+ echo "pk12util $@"
+ ${BINDIR}/pk12util $@
+ RET=$?
+
+ return $RET
+}
+
+################################ certu #################################
+# local shell function to call certutil, also: writes action and options to
+# stdout, sets variable RET and writes results to the html file results
+########################################################################
+certu()
+{
+ echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+ EXPECTED=${RETEXPECTED-0}
+
+ if [ -n "${CU_SUBJECT}" ]; then
+ #the subject of the cert contains blanks, and the shell
+ #will strip the quotes off the string, if called otherwise...
+ echo "certutil -s \"${CU_SUBJECT}\" $*"
+ ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $*
+ RET=$?
+ CU_SUBJECT=""
+ else
+ echo "certutil $*"
+ ${PROFTOOL} ${BINDIR}/certutil $*
+ RET=$?
+ fi
+ if [ "$RET" -ne "$EXPECTED" ]; then
+ CERTFAILED=$RET
+ html_failed "${CU_ACTION} ($RET=$EXPECTED) "
+ cert_log "ERROR: ${CU_ACTION} failed $RET"
+ else
+ html_passed "${CU_ACTION}"
+ fi
+
+ return $RET
+}
+
+################################ crlu #################################
+# local shell function to call crlutil, also: writes action and options to
+# stdout, sets variable RET and writes results to the html file results
+########################################################################
+crlu()
+{
+ echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+
+ CRLUTIL="crlutil -q"
+ echo "$CRLUTIL $*"
+ ${PROFTOOL} ${BINDIR}/$CRLUTIL $*
+ RET=$?
+ if [ "$RET" -ne 0 ]; then
+ CRLFAILED=$RET
+ html_failed "${CU_ACTION} ($RET) "
+ cert_log "ERROR: ${CU_ACTION} failed $RET"
+ else
+ html_passed "${CU_ACTION}"
+ fi
+
+ return $RET
+}
+
+################################ ocspr ##################################
+# local shell function to call ocsresp, also: writes action and options to
+# stdout, sets variable RET and writes results to the html file results
+#########################################################################
+ocspr()
+{
+ echo "$SCRIPTNAME: ${OR_ACTION} --------------------------"
+
+ OCSPRESP="ocspresp"
+ echo "$OCSPRESP $*"
+ ${PROFTOOL} ${BINDIR}/$OCSPRESP $*
+ RET=$?
+ if [ "$RET" -ne 0 ]; then
+ OCSPFAILED=$RET
+ html_failed "${OR_ACTION} ($RET) "
+ cert_log "ERROR: ${OR_ACTION} failed $RET"
+ else
+ html_passed "${OR_ACTION}"
+ fi
+
+ return $RET
+}
+
+modu()
+{
+ echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+
+ MODUTIL="modutil"
+ echo "$MODUTIL $*"
+ # echo is used to press Enter expected by modutil
+ echo | ${BINDIR}/$MODUTIL $*
+ RET=$?
+ if [ "$RET" -ne 0 ]; then
+ MODFAILED=$RET
+ html_failed "${CU_ACTION} ($RET) "
+ cert_log "ERROR: ${CU_ACTION} failed $RET"
+ else
+ html_passed "${CU_ACTION}"
+ fi
+
+ return $RET
+}
+
+############################# cert_init_cert ##########################
+# local shell function to initialize creation of client and server certs
+########################################################################
+cert_init_cert()
+{
+ CERTDIR="$1"
+ CERTNAME="$2"
+ CERTSERIAL="$3"
+ DOMAIN="$4"
+
+ if [ ! -d "${CERTDIR}" ]; then
+ mkdir -p "${CERTDIR}"
+ else
+ echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
+ fi
+ cd "${CERTDIR}"
+ CERTDIR="."
+
+ PROFILEDIR=`cd ${CERTDIR}; pwd`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ PROFILEDIR=`cygpath -m ${PROFILEDIR}`
+ fi
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ PROFILEDIR="multiaccess:${DOMAIN}"
+ fi
+
+ noise
+}
+
+############################# hw_acc #################################
+# local shell function to add hw accelerator modules to the db
+########################################################################
+hw_acc()
+{
+ HW_ACC_RET=0
+ HW_ACC_ERR=""
+ if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then
+ echo "creating $CERTNAME s cert with hwaccelerator..."
+ #case $ACCELERATOR in
+ #rainbow)
+
+ echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
+ echo " -dbdir ${PROFILEDIR} 2>&1 "
+ echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
+ -dbdir ${PROFILEDIR} 2>&1
+ if [ "$?" -ne 0 ]; then
+ echo "modutil -add rainbow failed in `pwd`"
+ HW_ACC_RET=1
+ HW_ACC_ERR="modutil -add rainbow"
+ fi
+
+ echo "modutil -add ncipher "
+ echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
+ echo " -dbdir ${PROFILEDIR} 2>&1 "
+ echo | ${BINDIR}/modutil -add ncipher \
+ -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
+ -dbdir ${PROFILEDIR} 2>&1
+ if [ "$?" -ne 0 ]; then
+ echo "modutil -add ncipher failed in `pwd`"
+ HW_ACC_RET=`expr $HW_ACC_RET + 2`
+ HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
+ fi
+ if [ "$HW_ACC_RET" -ne 0 ]; then
+ html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) "
+ else
+ html_passed "Adding HW accelerators to certDB for ${CERTNAME}"
+ fi
+
+ fi
+ return $HW_ACC_RET
+}
+
+############################# cert_create_cert #########################
+# local shell function to create client certs
+# initialize DB, import
+# root cert
+# add cert to DB
+########################################################################
+cert_create_cert()
+{
+ cert_init_cert "$1" "$2" "$3" "$4"
+
+ CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
+ certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"
+ modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ hw_acc
+
+ CU_ACTION="Import Root CA for $CERTNAME"
+ certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${R_CADIR}/TestCA.ca.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Import DSA Root CA for $CERTNAME"
+ certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \
+ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Import EC Root CA for $CERTNAME"
+ certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
+ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+ fi
+
+ cert_add_cert "$5"
+ return $?
+}
+
+############################# cert_add_cert ############################
+# local shell function to add client certs to an existing CERT DB
+# generate request
+# sign request
+# import Cert
+#
+########################################################################
+cert_add_cert()
+{
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Import $CERTNAME's Cert"
+ certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ cert_log "SUCCESS: $CERTNAME's Cert Created"
+
+#
+# Generate and add DSA cert
+#
+ CU_ACTION="Generate DSA Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Sign ${CERTNAME}'s DSA Request"
+ certu -C -c "TestCA-dsa" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" "$1" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Import $CERTNAME's DSA Cert"
+ certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+ cert_log "SUCCESS: $CERTNAME's DSA Cert Created"
+
+# Generate DSA certificate signed with RSA
+ CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Sign ${CERTNAME}'s DSA Request with RSA"
+# Avoid conflicting serial numbers with TestCA issuer by keeping
+# this set far away. A smaller number risks colliding with the
+# extended ssl user certificates.
+ NEWSERIAL=`expr ${CERTSERIAL} + 20000`
+ certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" "$1" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Import $CERTNAME's mixed DSA Cert"
+ certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+ cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created"
+
+#
+# Generate and add EC cert
+#
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CURVE="secp384r1"
+ CU_ACTION="Generate EC Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Sign ${CERTNAME}'s EC Request"
+ certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Import $CERTNAME's EC Cert"
+ certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+ cert_log "SUCCESS: $CERTNAME's EC Cert Created"
+
+# Generate EC certificate signed with RSA
+ CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
+# Avoid conflicting serial numbers with TestCA issuer by keeping
+# this set far away. A smaller number risks colliding with the
+# extended ssl user certificates.
+ NEWSERIAL=`expr ${CERTSERIAL} + 10000`
+ certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Import $CERTNAME's mixed EC Cert"
+ certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+ cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
+ fi
+
+ return 0
+}
+
+################################# cert_all_CA ################################
+# local shell function to build the additional Temp. Certificate Authority (CA)
+# used for the "real life" ssl test with 2 different CA's in the
+# client and in the server's dir
+##########################################################################
+cert_all_CA()
+{
+ echo nss > ${PWFILE}
+
+ ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
+
+ ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
+ ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3"
+ ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4"
+
+
+
+ ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
+ ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6"
+ ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
+
+ rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
+
+ # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
+ # in the chain
+
+
+#
+# Create DSA version of TestCA
+ ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_dsa_CA $CADIR TestCA-dsa -x "CTu,CTu,CTu" ${D_CA} "1"
+#
+# Create DSA versions of the intermediate CA certs
+ ALL_CU_SUBJECT="CN=NSS Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_dsa_CA $SERVER_CADIR serverCA-dsa -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
+ ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_dsa_CA $SERVER_CADIR chain-1-serverCA-dsa "-c serverCA-dsa" "u,u,u" ${D_SERVER_CA} "3"
+ ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_dsa_CA $SERVER_CADIR chain-2-serverCA-dsa "-c chain-1-serverCA-dsa" "u,u,u" ${D_SERVER_CA} "4"
+
+ ALL_CU_SUBJECT="CN=NSS Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_dsa_CA $CLIENT_CADIR clientCA-dsa -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
+ ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_dsa_CA $CLIENT_CADIR chain-1-clientCA-dsa "-c clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "6"
+ ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_dsa_CA $CLIENT_CADIR chain-2-clientCA-dsa "-c chain-1-clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "7"
+
+ rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert
+# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
+# in the chain
+
+
+
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+#
+# Create EC version of TestCA
+ CA_CURVE="secp521r1"
+ ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
+#
+# Create EC versions of the intermediate CA certs
+ ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
+ ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
+ ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
+
+ ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
+ ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
+ ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
+
+ rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
+# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
+# in the chain
+
+ fi
+}
+
+################################# cert_CA ################################
+# local shell function to build the Temp. Certificate Authority (CA)
+# used for testing purposes, creating a CA Certificate and a root cert
+##########################################################################
+cert_CA()
+{
+ CUR_CADIR=$1
+ NICKNAME=$2
+ SIGNER=$3
+ TRUSTARG=$4
+ DOMAIN=$5
+ CERTSERIAL=$6
+
+ echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="
+
+ if [ ! -d "${CUR_CADIR}" ]; then
+ mkdir -p "${CUR_CADIR}"
+ fi
+ cd ${CUR_CADIR}
+ pwd
+
+ LPROFILE=`pwd`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ LPROFILE=`cygpath -m ${LPROFILE}`
+ fi
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ LPROFILE="multiaccess:${DOMAIN}"
+ fi
+
+ if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
+ CU_ACTION="Creating CA Cert DB"
+ certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1
+ if [ "$RET" -ne 0 ]; then
+ Exit 5 "Fatal - failed to create CA $NICKNAME "
+ fi
+
+ CU_ACTION="Loading root cert module to CA Cert DB"
+ modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ echo "$SCRIPTNAME: Certificate initialized ----------"
+ fi
+
+
+ ################# Creating CA Cert ######################################
+ #
+ CU_ACTION="Creating CA Cert $NICKNAME "
+ CU_SUBJECT=$ALL_CU_SUBJECT
+ certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \
+ -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT
+5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+ if [ "$RET" -ne 0 ]; then
+ echo "return value is $RET"
+ Exit 6 "Fatal - failed to create CA cert"
+ fi
+
+ ################# Exporting Root Cert ###################################
+ #
+ CU_ACTION="Exporting Root Cert"
+ certu -L -n $NICKNAME -r -d ${LPROFILE} -o root.cert
+ if [ "$RET" -ne 0 ]; then
+ Exit 7 "Fatal - failed to export root cert"
+ fi
+ cp root.cert ${NICKNAME}.ca.cert
+}
+
+
+
+
+
+################################ cert_dsa_CA #############################
+# local shell function to build the Temp. Certificate Authority (CA)
+# used for testing purposes, creating a CA Certificate and a root cert
+# This is the ECC version of cert_CA.
+##########################################################################
+cert_dsa_CA()
+{
+ CUR_CADIR=$1
+ NICKNAME=$2
+ SIGNER=$3
+ TRUSTARG=$4
+ DOMAIN=$5
+ CERTSERIAL=$6
+
+ echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME =========================="
+
+ if [ ! -d "${CUR_CADIR}" ]; then
+ mkdir -p "${CUR_CADIR}"
+ fi
+ cd ${CUR_CADIR}
+ pwd
+
+ LPROFILE=.
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ LPROFILE="multiaccess:${DOMAIN}"
+ fi
+
+ ################# Creating an DSA CA Cert ###############################
+ #
+ CU_ACTION="Creating DSA CA Cert $NICKNAME "
+ CU_SUBJECT=$ALL_CU_SUBJECT
+ certu -S -n $NICKNAME -k dsa -t $TRUSTARG -v 600 $SIGNER \
+ -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
+ -m $CERTSERIAL 2>&1 <<CERTSCRIPT
+5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+ if [ "$RET" -ne 0 ]; then
+ echo "return value is $RET"
+ Exit 6 "Fatal - failed to create DSA CA cert"
+ fi
+
+ ################# Exporting DSA Root Cert ###############################
+ #
+ CU_ACTION="Exporting DSA Root Cert"
+ certu -L -n $NICKNAME -r -d ${LPROFILE} -o dsaroot.cert
+ if [ "$RET" -ne 0 ]; then
+ Exit 7 "Fatal - failed to export dsa root cert"
+ fi
+ cp dsaroot.cert ${NICKNAME}.ca.cert
+}
+
+
+
+
+################################ cert_ec_CA ##############################
+# local shell function to build the Temp. Certificate Authority (CA)
+# used for testing purposes, creating a CA Certificate and a root cert
+# This is the ECC version of cert_CA.
+##########################################################################
+cert_ec_CA()
+{
+ CUR_CADIR=$1
+ NICKNAME=$2
+ SIGNER=$3
+ TRUSTARG=$4
+ DOMAIN=$5
+ CERTSERIAL=$6
+ CURVE=$7
+
+ echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="
+
+ if [ ! -d "${CUR_CADIR}" ]; then
+ mkdir -p "${CUR_CADIR}"
+ fi
+ cd ${CUR_CADIR}
+ pwd
+
+ LPROFILE=.
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ LPROFILE="multiaccess:${DOMAIN}"
+ fi
+
+ ################# Creating an EC CA Cert ################################
+ #
+ CU_ACTION="Creating EC CA Cert $NICKNAME "
+ CU_SUBJECT=$ALL_CU_SUBJECT
+ certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \
+ -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
+ -m $CERTSERIAL 2>&1 <<CERTSCRIPT
+5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+ if [ "$RET" -ne 0 ]; then
+ echo "return value is $RET"
+ Exit 6 "Fatal - failed to create EC CA cert"
+ fi
+
+ ################# Exporting EC Root Cert ################################
+ #
+ CU_ACTION="Exporting EC Root Cert"
+ certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert
+ if [ "$RET" -ne 0 ]; then
+ Exit 7 "Fatal - failed to export ec root cert"
+ fi
+ cp ecroot.cert ${NICKNAME}.ca.cert
+}
+
+############################## cert_smime_client #############################
+# local shell function to create client Certificates for S/MIME tests
+##############################################################################
+cert_smime_client()
+{
+ CERTFAILED=0
+ echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="
+
+ cert_create_cert ${ALICEDIR} "Alice" 30 ${D_ALICE}
+ cert_create_cert ${BOBDIR} "Bob" 40 ${D_BOB}
+
+ echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
+ cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
+
+## XXX With this new script merging ECC and non-ECC tests, the
+## call to cert_create_cert ends up creating two separate certs
+## one for Eve and another for Eve-ec but they both end up with
+## the same Subject Alt Name Extension, i.e., both the cert for
+## Eve@bogus.com and the cert for Eve-ec@bogus.com end up
+## listing eve@bogus.net in the Certificate Subject Alt Name extension.
+## This can cause a problem later when cmsutil attempts to create
+## enveloped data and accidently picks up the ECC cert (NSS currently
+## does not support ECC for enveloped data creation). This script
+## avoids the problem by ensuring that these conflicting certs are
+## never added to the same cert database (see comment marked XXXX).
+ echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
+ cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
+
+ #echo "************* Copying CA files to ${SERVERDIR}"
+ #cp ${CADIR}/*.db .
+ #hw_acc
+
+ #########################################################################
+ #
+ #cd ${CERTDIR}
+ #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
+ #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
+ #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
+ # -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
+
+ #CU_ACTION="Export Dave's Cert"
+ #cd ${DAVEDIR}
+ #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
+
+ ################# Importing Certificates for S/MIME tests ###############
+ #
+ echo "$SCRIPTNAME: Importing Certificates =============================="
+ CU_ACTION="Import Bob's cert into Alice's db"
+ certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+ -i ${R_BOBDIR}/Bob.cert 2>&1
+
+ CU_ACTION="Import Dave's cert into Alice's DB"
+ certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+ -i ${R_DAVEDIR}/Dave.cert 2>&1
+
+ CU_ACTION="Import Dave's cert into Bob's DB"
+ certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+ -i ${R_DAVEDIR}/Dave.cert 2>&1
+
+ CU_ACTION="Import Eve's cert into Alice's DB"
+ certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+ -i ${R_EVEDIR}/Eve.cert 2>&1
+
+ CU_ACTION="Import Eve's cert into Bob's DB"
+ certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+ -i ${R_EVEDIR}/Eve.cert 2>&1
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: Importing EC Certificates =============================="
+ CU_ACTION="Import Bob's EC cert into Alice's db"
+ certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+ -i ${R_BOBDIR}/Bob-ec.cert 2>&1
+
+ CU_ACTION="Import Dave's EC cert into Alice's DB"
+ certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+ -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
+
+ CU_ACTION="Import Dave's EC cert into Bob's DB"
+ certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+ -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
+
+## XXXX Do not import Eve's EC cert until we can make sure that
+## the email addresses listed in the Subject Alt Name Extension
+## inside Eve's ECC and non-ECC certs are different.
+# CU_ACTION="Import Eve's EC cert into Alice's DB"
+# certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
+
+# CU_ACTION="Import Eve's EC cert into Bob's DB"
+# certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
+ fi
+
+ if [ "$CERTFAILED" != 0 ] ; then
+ cert_log "ERROR: SMIME failed $RET"
+ else
+ cert_log "SUCCESS: SMIME passed"
+ fi
+}
+
+############################## cert_extended_ssl #######################
+# local shell function to create client + server certs for extended SSL test
+########################################################################
+cert_extended_ssl()
+{
+
+ ################# Creating Certs for extended SSL test ####################
+ #
+ CERTFAILED=0
+ echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
+ echo " of a chain of CA's which are not in the same database============"
+
+ echo "Server Cert"
+ cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
+
+ CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
+ certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
+ modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
+ CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
+ cp ${CERTDIR}/req ${SERVER_CADIR}
+ certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
+ certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
+ certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
+
+#
+# Repeat the above for DSA certs
+#
+ CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)"
+ cp ${CERTDIR}/req ${SERVER_CADIR}
+ certu -C -c "chain-2-serverCA-dsa" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
+ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1
+
+ CU_ACTION="Import Client DSA Root CA -t T,, for $CERTNAME (ext.)"
+ certu -A -n "clientCA-dsa" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${CLIENT_CADIR}/clientCA-dsa.ca.cert" 2>&1
+#
+# done with DSA certs
+#
+# Repeat again for mixed DSA certs
+#
+ CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)"
+ cp ${CERTDIR}/req ${SERVER_CADIR}
+ certu -C -c "chain-2-serverCA" -m 202 -v 60 -d "${P_SERVER_CADIR}" \
+ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
+
+# CU_ACTION="Import Client mixed DSA Root CA -t T,, for $CERTNAME (ext.)"
+# certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \
+# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
+# 2>&1
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+#
+# Repeat the above for EC certs
+#
+ EC_CURVE="secp256r1"
+ CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
+ cp ${CERTDIR}/req ${SERVER_CADIR}
+ certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
+ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+
+ CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
+ certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
+#
+# done with EC certs
+#
+# Repeat again for mixed EC certs
+#
+ EC_CURVE="secp256r1"
+ CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
+ cp ${CERTDIR}/req ${SERVER_CADIR}
+ certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \
+ -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
+
+# CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)"
+# certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
+# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
+# 2>&1
+ fi
+
+ echo "Importing all the server's own CA chain into the servers DB"
+ for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
+ do
+ N=`basename $CA | sed -e "s/.ca.cert//"`
+ if [ $N = "serverCA" -o $N = "serverCA-ec" -o $N = "serverCA-dsa" ] ; then
+ T="-t C,C,C"
+ else
+ T="-t u,u,u"
+ fi
+ CU_ACTION="Import $N CA $T for $CERTNAME (ext.) "
+ certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${CA}" 2>&1
+ done
+#============
+ echo "Client Cert"
+ cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
+
+ CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
+ certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
+ modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
+ CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
+ -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
+ cp ${CERTDIR}/req ${CLIENT_CADIR}
+ certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
+ certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+ CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
+ certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
+
+#
+# Repeat the above for DSA certs
+#
+ CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)"
+ cp ${CERTDIR}/req ${CLIENT_CADIR}
+ certu -C -c "chain-2-clientCA-dsa" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
+ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1
+
+ CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)"
+ certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \
+ -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1
+#
+# done with DSA certs
+#
+#
+# Repeat the above for mixed DSA certs
+#
+ CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)"
+ cp ${CERTDIR}/req ${CLIENT_CADIR}
+ certu -C -c "chain-2-clientCA" -m 302 -v 60 -d "${P_CLIENT_CADIR}" \
+ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
+
+# CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)"
+# certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \
+# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1
+#
+# done with mixed DSA certs
+#
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+#
+# Repeat the above for EC certs
+#
+ CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
+ cp ${CERTDIR}/req ${CLIENT_CADIR}
+ certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
+ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+
+ CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
+ certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
+ -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
+#
+# done with EC certs
+#
+#
+# Repeat the above for mixed EC certs
+#
+ CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
+ cp ${CERTDIR}/req ${CLIENT_CADIR}
+ certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \
+ -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
+
+# CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
+# certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
+# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
+#
+# done with mixed EC certs
+#
+ fi
+
+ echo "Importing all the client's own CA chain into the servers DB"
+ for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
+ do
+ N=`basename $CA | sed -e "s/.ca.cert//"`
+ if [ $N = "clientCA" -o $N = "clientCA-ec" -o $N = "clientCA-dsa" ] ; then
+ T="-t T,C,C"
+ else
+ T="-t u,u,u"
+ fi
+ CU_ACTION="Import $N CA $T for $CERTNAME (ext.)"
+ certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${CA}" 2>&1
+ done
+ if [ "$CERTFAILED" != 0 ] ; then
+ cert_log "ERROR: EXT failed $RET"
+ else
+ cert_log "SUCCESS: EXT passed"
+ fi
+}
+
+############################## cert_ssl ################################
+# local shell function to create client + server certs for SSL test
+########################################################################
+cert_ssl()
+{
+ ################# Creating Certs for SSL test ###########################
+ #
+ CERTFAILED=0
+ echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
+ cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}
+
+ echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
+ echo " ${HOSTADDR} ------------------------------------"
+ cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
+ echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
+ echo " ${HOSTADDR}-sni --------------------------------"
+ CERTSERIAL=101
+ CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}"
+ cert_add_cert
+ CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
+ certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+
+ CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
+ certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
+ certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+ fi
+# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
+# echo "************* Copying CA files to ${SERVERDIR}"
+# cp ${CADIR}/*.db .
+# hw_acc
+# CU_ACTION="Creating ${CERTNAME}'s Server Cert"
+# CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
+# certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
+# -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
+
+ if [ "$CERTFAILED" != 0 ] ; then
+ cert_log "ERROR: SSL failed $RET"
+ else
+ cert_log "SUCCESS: SSL passed"
+ fi
+
+ echo "$SCRIPTNAME: Creating database for OCSP stapling tests ==============="
+ echo "cp -r ${SERVERDIR} ${STAPLINGDIR}"
+ cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
+ pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
+ pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
+}
+
+############################## cert_stresscerts ################################
+# local shell function to create client certs for SSL stresstest
+########################################################################
+cert_stresscerts()
+{
+
+ ############### Creating Certs for SSL stress test #######################
+ #
+ CERTDIR="$CLIENTDIR"
+ cd "${CERTDIR}"
+
+ PROFILEDIR=`cd ${CERTDIR}; pwd`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ PROFILEDIR=`cygpath -m ${PROFILEDIR}`
+ fi
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ PROFILEDIR="multiaccess:${D_CLIENT}"
+ fi
+ CERTFAILED=0
+ echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
+
+ CONTINUE=$GLOB_MAX_CERT
+ CERTSERIAL=10
+
+ while [ $CONTINUE -ge $GLOB_MIN_CERT ]
+ do
+ CERTNAME="TestUser$CONTINUE"
+# cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL
+ cert_add_cert
+ CERTSERIAL=`expr $CERTSERIAL + 1 `
+ CONTINUE=`expr $CONTINUE - 1 `
+ done
+ if [ "$CERTFAILED" != 0 ] ; then
+ cert_log "ERROR: StressCert failed $RET"
+ else
+ cert_log "SUCCESS: StressCert passed"
+ fi
+}
+
+############################## cert_fips #####################################
+# local shell function to create certificates for FIPS tests
+##############################################################################
+cert_fips()
+{
+ CERTFAILED=0
+ echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
+ cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
+
+ CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
+ certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
+
+ CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
+ modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
+ echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
+ CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
+ echo "modutil -dbdir ${PROFILEDIR} -fips true "
+ ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
+y
+MODSCRIPT
+ RET=$?
+ if [ "$RET" -ne 0 ]; then
+ html_failed "${CU_ACTION} ($RET) "
+ cert_log "ERROR: ${CU_ACTION} failed $RET"
+ else
+ html_passed "${CU_ACTION}"
+ fi
+
+ CU_ACTION="Generate Certificate for ${CERTNAME}"
+ CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
+ certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
+ if [ "$RET" -eq 0 ]; then
+ cert_log "SUCCESS: FIPS passed"
+ fi
+}
+
+############################## cert_eccurves ###########################
+# local shell function to create server certs for all EC curves
+########################################################################
+cert_eccurves()
+{
+ ################# Creating Certs for EC curves test ########################
+ #
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
+ echo " EC Curves Test Certificates ------------------------------------"
+
+ cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
+
+ CU_ACTION="Initializing EC Curve's Cert DB"
+ certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Loading root cert module to EC Curve's Cert DB"
+ modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
+ CU_ACTION="Import EC Root CA for $CERTNAME"
+ certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
+ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
+
+ CURVE_LIST="nistp256 nistp384 nistp521"
+ CERTSERIAL=2000
+
+ for CURVE in ${CURVE_LIST}
+ do
+ CERTFAILED=0
+ CERTNAME="Curve-${CURVE}"
+ CERTSERIAL=`expr $CERTSERIAL + 1 `
+ CU_ACTION="Generate EC Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ if [ $RET -eq 0 ] ; then
+ CU_ACTION="Sign ${CERTNAME}'s EC Request"
+ certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
+ fi
+
+ if [ $RET -eq 0 ] ; then
+ CU_ACTION="Import $CERTNAME's EC Cert"
+ certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+ fi
+ done
+
+ fi # $NSS_DISABLE_ECC
+}
+
+########################### cert_extensions_test #############################
+# local shell function to test cert extensions generation
+##############################################################################
+cert_extensions_test()
+{
+ COUNT=`expr ${COUNT} + 1`
+ CERTNAME=TestExt${COUNT}
+ CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+
+ echo
+ echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
+ -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
+ -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
+ echo "certutil options:"
+ cat ${TARG_FILE}
+ ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
+ -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
+ -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE}
+ RET=$?
+ if [ "${RET}" -ne 0 ]; then
+ CERTFAILED=1
+ html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate"
+ cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed"
+ return 1
+ fi
+
+ echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}
+ EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}`
+ RET=$?
+ echo "${EXTLIST}"
+ if [ "${RET}" -ne 0 ]; then
+ CERTFAILED=1
+ html_failed "${TESTNAME} (${COUNT}) - List Certificate"
+ cert_log "ERROR: ${TESTNAME} - List Certificate failed"
+ return 1
+ fi
+
+ for FL in `echo ${FILTERLIST} | tr \| ' '`; do
+ FL="`echo ${FL} | tr _ ' '`"
+ EXPSTAT=0
+ if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then
+ EXPSTAT=1
+ FL=`echo ${FL} | tr -d '!'`
+ fi
+ echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1
+ RET=$?
+ if [ "${RET}" -ne "${EXPSTAT}" ]; then
+ CERTFAILED=1
+ html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}"
+ cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed"
+ return 1
+ fi
+ done
+
+ html_passed "${TESTNAME} (${COUNT})"
+ return 0
+}
+
+############################## cert_extensions ###############################
+# local shell function to run cert extensions tests
+##############################################################################
+cert_extensions()
+{
+ CERTNAME=TestExt
+ cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS}
+ TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args
+
+ COUNT=0
+ while read ARG OPT FILTERLIST; do
+ if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then
+ continue
+ fi
+ if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then
+ TESTNAME="${FILTERLIST}"
+ continue
+ fi
+ if [ X"${ARG}" = "X=" ]; then
+ cert_extensions_test
+ rm -f ${TARG_FILE}
+ else
+ echo ${ARG} >> ${TARG_FILE}
+ fi
+ done < ${QADIR}/cert/certext.txt
+}
+
+cert_make_with_param()
+{
+ DIRPASS="$1"
+ CERTNAME="$2"
+ MAKE="$3"
+ SUBJ="$4"
+ EXTRA="$5"
+ EXPECT="$6"
+ TESTNAME="$7"
+
+ echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
+ ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
+
+ RET=$?
+ if [ "${RET}" -ne "${EXPECT}" ]; then
+ # if we expected failure to create, then delete unexpected certificate
+ if [ "${EXPECT}" -ne 0 ]; then
+ ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
+ fi
+
+ CERTFAILED=1
+ html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}"
+ cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed"
+ return 1
+ fi
+
+ html_passed "${TESTNAME} (${COUNT})"
+ return 0
+}
+
+cert_list_and_count_dns()
+{
+ DIRPASS="$1"
+ CERTNAME="$2"
+ EXPECT="$3"
+ EXPECTCOUNT="$4"
+ TESTNAME="$5"
+
+ echo certutil ${DIRPASS} -L ${CERTNAME}
+ ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME}
+
+ RET=$?
+ if [ "${RET}" -ne "${EXPECT}" ]; then
+ CERTFAILED=1
+ html_failed "${TESTNAME} (${COUNT}) - list and count"
+ cert_log "ERROR: ${TESTNAME} - list and count failed"
+ return 1
+ fi
+
+ LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS`
+ if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then
+ CERTFAILED=1
+ html_failed "${TESTNAME} (${COUNT}) - list and count"
+ cert_log "ERROR: ${TESTNAME} - list and count failed"
+ return 1
+ fi
+
+ html_passed "${TESTNAME} (${COUNT})"
+ return 0
+}
+
+cert_dump_ext_to_file()
+{
+ DIRPASS="$1"
+ CERTNAME="$2"
+ OID="$3"
+ OUTFILE="$4"
+ EXPECT="$5"
+ TESTNAME="$6"
+
+ echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID}
+ echo "writing output to ${OUTFILE}"
+ ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE}
+
+ RET=$?
+ if [ "${RET}" -ne "${EXPECT}" ]; then
+ CERTFAILED=1
+ html_failed "${TESTNAME} (${COUNT}) - dump to file"
+ cert_log "ERROR: ${TESTNAME} - dump to file failed"
+ return 1
+ fi
+
+ html_passed "${TESTNAME} (${COUNT})"
+ return 0
+}
+
+cert_delete()
+{
+ DIRPASS="$1"
+ CERTNAME="$2"
+ EXPECT="$3"
+ TESTNAME="$4"
+
+ echo certutil ${DIRPASS} -D ${CERTNAME}
+ ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
+
+ RET=$?
+ if [ "${RET}" -ne "${EXPECT}" ]; then
+ CERTFAILED=1
+ html_failed "${TESTNAME} (${COUNT}) - delete cert"
+ cert_log "ERROR: ${TESTNAME} - delete cert failed"
+ return 1
+ fi
+
+ html_passed "${TESTNAME} (${COUNT})"
+ return 0
+}
+
+cert_inc_count()
+{
+ COUNT=`expr ${COUNT} + 1`
+}
+
+############################## cert_crl_ssl ############################
+# test adding subject-alt-name, dumping, and adding generic extension
+########################################################################
+cert_san_and_generic_extensions()
+{
+ EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der
+
+ DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}"
+ CERTNAME="-n WithSAN"
+ MAKE="-S -t ,, -x -z ${R_NOISE_FILE}"
+ SUBJ="CN=example.com"
+
+ TESTNAME="san-and-generic-extensions"
+
+ cert_inc_count
+ cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
+ "--extSAN example.com" 255 \
+ "create cert with invalid SAN parameter"
+
+ cert_inc_count
+ cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
+ "--extSAN example.com,dns:www.example.com" 255 \
+ "create cert with invalid SAN parameter"
+
+ TN="create cert with valid SAN parameter"
+
+ cert_inc_count
+ cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
+ "--extSAN dns:example.com,dns:www.example.com" 0 \
+ "${TN}"
+
+ cert_inc_count
+ cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
+ "${TN}"
+
+ cert_inc_count
+ cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \
+ "dump extension 2.5.29.17 to file ${EXTDUMP}"
+
+ cert_inc_count
+ cert_delete "${DIR}" "${CERTNAME}" 0 \
+ "${TN}"
+
+ cert_inc_count
+ cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
+ "expect failure to list cert, because we deleted it"
+
+ cert_inc_count
+ cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
+ "--extGeneric ${EXTDUMP}" 255 \
+ "create cert with invalid generic ext parameter"
+
+ cert_inc_count
+ cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
+ "--extGeneric not-critical:${EXTDUMP}" 255 \
+ "create cert with invalid generic ext parameter"
+
+ cert_inc_count
+ cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
+ "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \
+ "create cert with invalid generic ext parameter"
+
+ TN="create cert with valid generic ext parameter"
+
+ cert_inc_count
+ cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
+ "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \
+ "${TN}"
+
+ cert_inc_count
+ cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
+ "${TN}"
+
+ cert_inc_count
+ cert_delete "${DIR}" "${CERTNAME}" 0 \
+ "${TN}"
+
+ cert_inc_count
+ cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
+ "expect failure to list cert, because we deleted it"
+}
+
+############################## cert_crl_ssl ############################
+# local shell function to generate certs and crls for SSL tests
+########################################################################
+cert_crl_ssl()
+{
+
+ ################# Creating Certs ###################################
+ #
+ CERTFAILED=0
+ CERTSERIAL=${CRL_GRP_1_BEGIN}
+
+ cd $CADIR
+
+ PROFILEDIR=`cd ${CLIENTDIR}; pwd`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ PROFILEDIR=`cygpath -m ${PROFILEDIR}`
+ fi
+ CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1`
+ echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ==="
+ CU_ACTION="Creating client test certs"
+
+ while [ $CERTSERIAL -le $CRL_GRPS_END ]
+ do
+ CERTNAME="TestUser$CERTSERIAL"
+ cert_add_cert
+ CERTSERIAL=`expr $CERTSERIAL + 1 `
+ done
+
+ #################### CRL Creation ##############################
+ CRL_GEN_RES=0
+ echo "$SCRIPTNAME: Creating CA CRL ====================================="
+
+ CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1`
+ CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END}
+ CRL_FILE=${CRL_FILE_GRP_1}
+
+ CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+ CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority"
+ CRL_GRP_END_=`expr ${CRL_GRP_END} - 1`
+ crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \
+ -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
+addext reasonCode 0 4
+addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA"
+EOF_CRLINI
+# This extension should be added to the list, but currently nss has bug
+#addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_1}_or
+
+
+ CU_ACTION="Generating CRL (DSA) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-dsa authority"
+
+# Until Bug 292285 is resolved, do not encode x400 Addresses. After
+# the bug is resolved, reintroduce "x400Address:x400Address" within
+# addext issuerAltNames ...
+ crlu -q -d $CADIR -G -n "TestCA-dsa" -f ${R_PWFILE} \
+ -o ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
+addext reasonCode 0 4
+addext issuerAltNames 0 "rfc822Name:ca-dsaemail@ca.com|dnsName:ca-dsa.com|directoryName:CN=NSS Test CA (DSA),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-dsa.com|ipAddress:192.168.0.1|registerID=reg CA (DSA)"
+EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_1}_or-dsa
+
+
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
+
+# Until Bug 292285 is resolved, do not encode x400 Addresses. After
+# the bug is resolved, reintroduce "x400Address:x400Address" within
+# addext issuerAltNames ...
+ crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
+ -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
+addext reasonCode 0 4
+addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
+EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_1}_or-ec
+ fi
+
+ echo test > file
+ ############################# Modification ##################################
+
+ echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
+ sleep 2
+ CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+ CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
+ CU_ACTION="Modify CRL by adding one more cert"
+ crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \
+ -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_END} $CRL_GRP_DATE
+EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_1}_or1
+ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
+
+
+ CU_ACTION="Modify CRL (DSA) by adding one more cert"
+ crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1-dsa \
+ -i ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_END} $CRL_GRP_DATE
+EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_1}_or1-dsa
+ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa"
+
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Modify CRL (ECC) by adding one more cert"
+ crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
+ -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_END} $CRL_GRP_DATE
+EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_1}_or1-ec
+ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
+ fi
+
+ ########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
+ echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
+ CU_ACTION="Modify CRL by removing one cert"
+ sleep 2
+ CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+ crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
+ -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
+update=$CRLUPDATE
+rmcert ${UNREVOKED_CERT_GRP_1}
+EOF_CRLINI
+ chmod 600 ${CRL_FILE_GRP_1}
+ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
+
+
+ CU_ACTION="Modify CRL (DSA) by removing one cert"
+ sleep 2
+ CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+ crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
+ -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
+update=$CRLUPDATE
+rmcert ${UNREVOKED_CERT_GRP_1}
+EOF_CRLINI
+ chmod 600 ${CRL_FILE_GRP_1}
+ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-dsa"
+
+
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Modify CRL (ECC) by removing one cert"
+ crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
+ -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
+update=$CRLUPDATE
+rmcert ${UNREVOKED_CERT_GRP_1}
+EOF_CRLINI
+ chmod 600 ${CRL_FILE_GRP_1}-ec
+ TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
+ fi
+
+ ########### Creating second CRL which includes groups 1 and 2 ##############
+ CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
+ CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}
+
+ echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ==============="
+ sleep 2
+ CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+ CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
+ CU_ACTION="Creating CRL for groups 1 and 2"
+ crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2} \
+ -i ${CRL_FILE_GRP_1} <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
+addext invalidityDate 0 $CRLUPDATE
+rmcert ${UNREVOKED_CERT_GRP_2}
+EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_2}
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
+ crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
+ -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
+addext invalidityDate 0 $CRLUPDATE
+rmcert ${UNREVOKED_CERT_GRP_2}
+EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_2}-ec
+ fi
+
+ ########### Creating second CRL which includes groups 1, 2 and 3 ##############
+ CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
+ CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END}
+
+
+
+ echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3 ==============="
+ sleep 2
+ CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+ CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
+ CU_ACTION="Creating CRL for groups 1, 2 and 3"
+ crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3} \
+ -i ${CRL_FILE_GRP_2} <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
+rmcert ${UNREVOKED_CERT_GRP_3}
+addext crlNumber 0 2
+EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_3}
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
+ crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
+ -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
+rmcert ${UNREVOKED_CERT_GRP_3}
+addext crlNumber 0 2
+EOF_CRLINI
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ chmod 600 ${CRL_FILE_GRP_3}-ec
+ fi
+
+ ############ Importing Server CA Issued CRL for certs of first group #######
+
+ echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
+ CU_ACTION="Importing CRL for groups 1"
+ crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"
+ crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ CU_ACTION="Importing CRL (ECC) for groups 1"
+ crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}"
+ crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
+ -d "${R_SERVERDIR}"
+ CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+ fi
+
+ if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
+ cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
+ else
+ cert_log "SUCCESS: SSL CRL prep passed"
+ fi
+}
+
+#################
+# Verify the we can successfully change the password on the database
+#
+cert_test_password()
+{
+ CERTFAILED=0
+ echo "$SCRIPTNAME: Create A Password Test Cert =============="
+ cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}"
+
+ echo "$SCRIPTNAME: Create A Password Test Ca --------"
+ ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1"
+
+ # now change the password
+ CU_ACTION="Changing password on ${CERTNAME}'s Cert DB"
+ certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1
+
+ # finally make sure we can use the old key with the new password
+ CU_ACTION="Generate Certificate for ${CERTNAME} with new password"
+ CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1
+ if [ "$RET" -eq 0 ]; then
+ cert_log "SUCCESS: PASSWORD passed"
+ fi
+ CU_ACTION="Verify Certificate for ${CERTNAME} with new password"
+ certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
+}
+
+###############################
+# test if we can distrust a certificate.
+#
+# we create 3 new certs:
+# 1 leaf signed by the trusted root.
+# 1 intermediate signed by the trusted root.
+# 1 leaf signed by the intermediate.
+#
+# we mark the first leaf and the intermediate as explicitly untrusted.
+# we then try to verify the two leaf certs for our possible usages.
+# All verification should fail.
+#
+cert_test_distrust()
+{
+ echo "$SCRIPTNAME: Creating Distrusted Certificate"
+ cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST}
+ CU_ACTION="Mark CERT as unstrusted"
+ certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1
+ echo "$SCRIPTNAME: Creating Distrusted Intermediate"
+ CERTNAME="DistrustedCA"
+ ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1
+ CU_ACTION="Import Distrusted Intermediate"
+ certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1
+
+ # now create the last leaf signed by our distrusted CA
+ # since it's not signed by TestCA it requires more steps.
+ CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA"
+ CERTNAME="LeafChainedToDistrustedCA"
+ CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+ cp ${CERTDIR}/req ${CADIR}
+ certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert -t u,u,u"
+ certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${CERTNAME}.cert" 2>&1
+
+ RETEXPECTED=255
+ CU_ACTION="Verify ${CERTNAME} Cert for SSL Server"
+ certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for SSL Client"
+ certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for Email signer"
+ certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for Email recipient"
+ certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder"
+ certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for Object Signer"
+ certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+ CERTNAME="Distrusted"
+ CU_ACTION="Verify ${CERTNAME} Cert for SSL Server"
+ certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for SSL Client"
+ certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for Email signer"
+ certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for Email recipient"
+ certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder"
+ certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ CU_ACTION="Verify ${CERTNAME} Cert for Object Signer"
+ certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+ RETEXPECTED=0
+}
+
+cert_test_ocspresp()
+{
+ echo "$SCRIPTNAME: OCSP response creation selftest"
+ OR_ACTION="perform selftest"
+ RETEXPECTED=0
+ ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
+}
+
+############################## cert_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+cert_cleanup()
+{
+ cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+cert_init
+cert_all_CA
+cert_extended_ssl
+cert_ssl
+cert_smime_client
+if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
+ cert_fips
+fi
+cert_eccurves
+cert_extensions
+cert_san_and_generic_extensions
+cert_test_password
+cert_test_distrust
+cert_test_ocspresp
+
+if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+ cert_crl_ssl
+else
+ echo "$SCRIPTNAME: Skipping CRL Tests"
+fi
+
+if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
+ cert_stresscerts
+fi
+
+cert_iopr_setup
+
+cert_cleanup
diff --git a/security/nss/tests/cert/certext.txt b/security/nss/tests/cert/certext.txt
new file mode 100644
index 000000000..4bcda814f
--- /dev/null
+++ b/security/nss/tests/cert/certext.txt
@@ -0,0 +1,130 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# File syntax:
+# '#' comments.
+# If the line starts from '!'('! TEST_N Test Name String'),
+# then 'Test Name String' will be the name of a test(starting
+# from second space till the rest of the line).
+# All uncommented lines are hard codded answers to certutil
+# extension questions.
+# Line '= N string1|string2|string3': '=' is a stop sign
+# of certutil inputs and start of the test. 'N' is the number
+# of extension that will be tested. 'string1|string2|string3'
+# are grep patterns for test result verification. '_' in stringN
+# will be replaced to a space.
+# ################################################################
+! TEST_1 Certificate Key Usage Extension
+0
+1
+2
+3
+4
+5
+6
+10
+n
+= 1 Certificate_Key_Usage|Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing
+# ################################################################
+! TEST_2 Certificate Key Usage Extension
+0
+1
+2
+3
+4
+5
+6
+10
+y
+= 1 Certificate_Key_Usage|Digital_Signature|Critical:_True
+# ################################################################
+! TEST_3 Certificate Basic Constraints Extension
+y
+-1
+n
+= 2 Name:_Certificate_Basic_Constraints|Data:_Is_a_CA_with_no_maximum
+# ################################################################
+! TEST_4 Certificate Basic Constraints Extension
+n
+-1
+y
+= 2 Name:_Certificate_Basic_Constraints|Data:_Is_not_a_CA|Critical:_True
+# ################################################################
+! TEST_5 Certificate Authority Key Identifier Extension
+y
+12341235123
+
+
+y
+= 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Key_ID:|12341235123
+# ################################################################
+! TEST_6 Certificate Authority Key Identifier Extension
+y
+
+3
+test.com
+
+214123
+y
+= 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Issuer:|DNS_name:_"test.com"|Serial_Number:|214123
+# ################################################################
+! TEST_7 CRL Distribution Points Extension
+1
+2
+rfc822@name.tld
+3
+test.com
+8
+1.2.3.4
+9
+OID.0.2.213
+10
+0
+10
+n
+n
+= 4 Name:_CRL_Distribution_Points|rfc822@name.tld
+# #################################################################
+! TEST_8 CRL Distribution Points Extension
+2
+SN=asdfsdf
+4
+3
+test.com
+10
+n
+n
+= 4 Name:_CRL_Distribution_Points|asdfsdf|Reasons:|DNS_name:_"test.com"
+# ################################################################
+! TEST_9 Certificate Type Extension
+0
+1
+2
+10
+n
+= 5 Name:_Certificate_Type|Data:_<SSL_Client,SSL_Server,S/MIME>
+# ################################################################
+! TEST_10 Extended Key Usage Extension
+0
+1
+2
+3
+4
+5
+6
+10
+y
+= 6 Name:_Extended_Key_Usage|Critical:_True|TLS_Web_Server_Authentication_Certificate|TLS_Web_Client_Authentication_Certificate|Code_Signing_Certificate|E-Mail_Protection_Certificate|Time_Stamping_Certifcate|OCSP_Responder_Certificate|Strong_Crypto_Export_Approved
+# ################################################################
+! TEST_11 Certificate Key Usage Extension
+
+1
+2
+3
+4
+5
+6
+10
+n
+= 1 Certificate_Key_Usage|!Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing
diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh
new file mode 100755
index 000000000..4c3fa57a0
--- /dev/null
+++ b/security/nss/tests/chains/chains.sh
@@ -0,0 +1,1308 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/cert/chains.sh
+#
+# Script to test certificate chains validity.
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+
+########################### is_httpserv_alive ##########################
+# local shell function to exit with a fatal error if selfserver is not
+# running
+########################################################################
+is_httpserv_alive()
+{
+ if [ ! -f "${HTTPPID}" ]; then
+ echo "$SCRIPTNAME: Error - httpserv PID file ${HTTPPID} doesn't exist"
+ sleep 5
+ if [ ! -f "${HTTPPID}" ]; then
+ Exit 9 "Fatal - httpserv pid file ${HTTPPID} does not exist"
+ fi
+ fi
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_HTTPPID}
+ else
+ PID=`cat ${HTTPPID}`
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
+
+ echo "httpserv with PID ${PID} found at `date`"
+}
+
+########################### wait_for_httpserv ##########################
+# local shell function to wait until httpserver is running and initialized
+########################################################################
+wait_for_httpserv()
+{
+ echo "trying to connect to httpserv at `date`"
+ echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+ ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+ if [ $? -ne 0 ]; then
+ sleep 5
+ echo "retrying to connect to httpserv at `date`"
+ echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+ ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+ if [ $? -ne 0 ]; then
+ html_failed "Waiting for Server"
+ fi
+ fi
+ is_httpserv_alive
+}
+
+########################### kill_httpserv ##############################
+# local shell function to kill the httpserver after the tests are done
+########################################################################
+kill_httpserv()
+{
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_HTTPPID}
+ else
+ PID=`cat ${HTTPPID}`
+ fi
+
+ echo "trying to kill httpserv with PID ${PID} at `date`"
+
+ if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
+ echo "${KILL} ${PID}"
+ ${KILL} ${PID}
+ else
+ echo "${KILL} -USR1 ${PID}"
+ ${KILL} -USR1 ${PID}
+ fi
+ wait ${PID}
+
+ # On Linux httpserv needs up to 30 seconds to fully die and free
+ # the port. Wait until the port is free. (Bug 129701)
+ if [ "${OS_ARCH}" = "Linux" ]; then
+ echo "httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
+ until ${BINDIR}/httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null; do
+ echo "RETRY: httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;"
+ sleep 1
+ done
+ fi
+
+ echo "httpserv with PID ${PID} killed at `date`"
+
+ rm ${HTTPPID}
+ html_detect_core "kill_httpserv core detection step"
+}
+
+########################### start_httpserv #############################
+# local shell function to start the httpserver with the parameters required
+# for this test and log information (parameters, start time)
+# also: wait until the server is up and running
+########################################################################
+start_httpserv()
+{
+ HTTP_METHOD=$1
+
+ if [ -n "$testname" ] ; then
+ echo "$SCRIPTNAME: $testname ----"
+ fi
+ echo "httpserv starting at `date`"
+ ODDIR="${HOSTDIR}/chains/OCSPD"
+ echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\"
+ echo " -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\"
+ echo " -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\"
+ echo " -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\"
+ echo " -i ${HTTPPID} $verbose &"
+ ${PROFTOOL} ${BINDIR}/httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \
+ -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \
+ -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \
+ -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \
+ -i ${HTTPPID} $verbose &
+ RET=$?
+
+ # The PID $! returned by the MKS or Cygwin shell is not the PID of
+ # the real background process, but rather the PID of a helper
+ # process (sh.exe). MKS's kill command has a bug: invoking kill
+ # on the helper process does not terminate the real background
+ # process. Our workaround has been to have httpserv save its PID
+ # in the ${HTTPPID} file and "kill" that PID instead. But this
+ # doesn't work under Cygwin; its kill command doesn't recognize
+ # the PID of the real background process, but it does work on the
+ # PID of the helper process. So we save the value of $! in the
+ # SHELL_HTTPPID variable, and use it instead of the ${HTTPPID}
+ # file under Cygwin. (In fact, this should work in any shell
+ # other than the MKS shell.)
+ SHELL_HTTPPID=$!
+ wait_for_httpserv
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_HTTPPID}
+ else
+ PID=`cat ${HTTPPID}`
+ fi
+
+ echo "httpserv with PID ${PID} started at `date`"
+}
+
+############################# chains_init ##############################
+# local shell function to initialize this script
+########################################################################
+chains_init()
+{
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ SCRIPTNAME="chains.sh"
+
+ CHAINS_DIR="${HOSTDIR}/chains"
+ mkdir -p ${CHAINS_DIR}
+ cd ${CHAINS_DIR}
+
+ CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
+
+ CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
+ CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
+
+ PK7_NONCE=${CERT_SN_CNT}
+ SCEN_CNT=${CERT_SN_CNT}
+
+ AIA_FILES="${HOSTDIR}/aiafiles"
+
+ CU_DATA=${HOSTDIR}/cu_data
+ CRL_DATA=${HOSTDIR}/crl_data
+
+ DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10)
+ NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
+ DEFAULT_UNUSED_PORT=$(expr ${PORT:-8631} + 11)
+ NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT}
+ NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
+ NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
+ NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp}
+ NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"}
+
+ html_head "Certificate Chains Tests"
+}
+
+chains_run_httpserv()
+{
+ HTTP_METHOD=$1
+
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ HTTPPID=${NSS_AIA_PATH}/http_pid.$$
+ mkdir -p "${NSS_AIA_PATH}"
+ SAVEPWD=`pwd`
+ cd "${NSS_AIA_PATH}"
+ # Start_httpserv sets environment variables, which are required for
+ # correct cleanup. (Running it in a subshell doesn't work, the
+ # value of $SHELL_HTTPPID wouldn't arrive in this scope.)
+ start_httpserv ${HTTP_METHOD}
+ cd "${SAVEPWD}"
+ fi
+}
+
+chains_stop_httpserv()
+{
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ kill_httpserv
+ fi
+}
+
+############################ chains_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+chains_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+############################ print_cu_data #############################
+# local shell function to print certutil input data
+########################################################################
+print_cu_data()
+{
+ echo "=== Certutil input data ==="
+ cat ${CU_DATA}
+ echo "==="
+}
+
+set_cert_sn()
+{
+ if [ -z "${SERIAL}" ]; then
+ CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1)
+ CERT_SN=${CERT_SN_CNT}
+ else
+ echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_SN=$(echo ${SERIAL} | cut -b 2-)
+ CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN})
+ else
+ CERT_SN=${SERIAL}
+ fi
+ fi
+}
+
+############################# create_db ################################
+# local shell function to create certificate database
+########################################################################
+create_db()
+{
+ DB=$1
+
+ [ -d "${DB}" ] && rm -rf ${DB}
+ mkdir -p ${DB}
+
+ echo "${DB}passwd" > ${DB}/dbpasswd
+
+ TESTNAME="Creating DB ${DB}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -N -d ${DB} -f ${DB}/dbpasswd"
+ ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+########################### create_root_ca #############################
+# local shell function to generate self-signed root certificate
+########################################################################
+create_root_ca()
+{
+ ENTITY=$1
+ ENTITY_DB=${ENTITY}DB
+
+ set_cert_sn
+ date >> ${NOISE_FILE} 2>&1
+
+ CTYPE_OPT=
+ if [ -n "${CTYPE}" ]; then
+ CTYPE_OPT="-k ${CTYPE}"
+ fi
+
+ echo "5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+" > ${CU_DATA}
+
+ TESTNAME="Creating Root CA ${ENTITY}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}"
+ print_cu_data
+ ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+
+ TESTNAME="Exporting Root CA ${ENTITY}.der"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der"
+ ${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+########################### create_cert_req ############################
+# local shell function to generate certificate sign request
+########################################################################
+create_cert_req()
+{
+ ENTITY=$1
+ TYPE=$2
+
+ ENTITY_DB=${ENTITY}DB
+
+ REQ=${ENTITY}Req.der
+
+ date >> ${NOISE_FILE} 2>&1
+
+ CTYPE_OPT=
+ if [ -n "${CTYPE}" ]; then
+ CTYPE_OPT="-k ${CTYPE}"
+ fi
+
+ CA_FLAG=
+ EXT_DATA=
+ OPTIONS=
+
+ if [ "${TYPE}" != "EE" ]; then
+ CA_FLAG="-2"
+ EXT_DATA="y
+-1
+y
+"
+ fi
+
+ process_crldp
+
+ echo "${EXT_DATA}" > ${CU_DATA}
+
+ TESTNAME="Creating ${TYPE} certifiate request ${REQ}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}"
+ print_cu_data
+ ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################ create_entity #############################
+# local shell function to create certificate chain entity
+########################################################################
+create_entity()
+{
+ ENTITY=$1
+ TYPE=$2
+
+ if [ -z "${ENTITY}" ]; then
+ echo "Configuration error: Unnamed entity"
+ exit 1
+ fi
+
+ DB=${ENTITY}DB
+ ENTITY_DB=${ENTITY}DB
+
+ case "${TYPE}" in
+ "Root")
+ create_db "${DB}"
+ create_root_ca "${ENTITY}"
+ ;;
+ "Intermediate" | "Bridge" | "EE")
+ create_db "${DB}"
+ create_cert_req "${ENTITY}" "${TYPE}"
+ ;;
+ "*")
+ echo "Configuration error: Unknown type ${TYPE}"
+ exit 1
+ ;;
+ esac
+}
+
+########################################################################
+# List of global variables related to certificate extensions processing:
+#
+# Generated by process_extensions and functions called from it:
+# OPTIONS - list of command line policy extensions
+# DATA - list of inpud data related to policy extensions
+#
+# Generated by parse_config:
+# POLICY - list of certificate policies
+# MAPPING - list of policy mappings
+# INHIBIT - inhibit flag
+# AIA - AIA list
+########################################################################
+
+############################ process_policy ############################
+# local shell function to process policy extension parameters and
+# generate input for certutil
+########################################################################
+process_policy()
+{
+ if [ -n "${POLICY}" ]; then
+ OPTIONS="${OPTIONS} --extCP"
+
+ NEXT=
+ for ITEM in ${POLICY}; do
+ if [ -n "${NEXT}" ]; then
+ DATA="${DATA}y
+"
+ fi
+
+ NEXT=1
+ DATA="${DATA}${ITEM}
+1
+
+n
+"
+ done
+
+ DATA="${DATA}n
+n
+"
+ fi
+}
+
+########################### process_mapping ############################
+# local shell function to process policy mapping parameters and
+# generate input for certutil
+########################################################################
+process_mapping()
+{
+ if [ -n "${MAPPING}" ]; then
+ OPTIONS="${OPTIONS} --extPM"
+
+ NEXT=
+ for ITEM in ${MAPPING}; do
+ if [ -n "${NEXT}" ]; then
+ DATA="${DATA}y
+"
+ fi
+
+ NEXT=1
+ IDP=`echo ${ITEM} | cut -d: -f1`
+ SDP=`echo ${ITEM} | cut -d: -f2`
+ DATA="${DATA}${IDP}
+${SDP}
+"
+ done
+
+ DATA="${DATA}n
+n
+"
+ fi
+}
+
+########################### process_inhibit#############################
+# local shell function to process inhibit extension and generate input
+# for certutil
+########################################################################
+process_inhibit()
+{
+ if [ -n "${INHIBIT}" ]; then
+ OPTIONS="${OPTIONS} --extIA"
+
+ DATA="${DATA}${INHIBIT}
+n
+"
+ fi
+}
+
+############################# process_aia ##############################
+# local shell function to process AIA extension parameters and
+# generate input for certutil
+########################################################################
+process_aia()
+{
+ if [ -n "${AIA}" ]; then
+ OPTIONS="${OPTIONS} --extAIA"
+
+ DATA="${DATA}1
+"
+
+ for ITEM in ${AIA}; do
+ PK7_NONCE=`expr $PK7_NONCE + 1`
+
+ echo ${ITEM} | grep ":" > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_NICK=`echo ${ITEM} | cut -d: -f1`
+ CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
+ CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der"
+ CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der"
+ else
+ CERT_LOCAL="${ITEM}.p7"
+ CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7"
+ fi
+
+ DATA="${DATA}7
+${NSS_AIA_HTTP}/${CERT_PUBLIC}
+"
+
+ if [ -n "${NSS_AIA_PATH}" ]; then
+ cp ${CERT_LOCAL} ${NSS_AIA_PATH}/${CERT_PUBLIC} 2> /dev/null
+ chmod a+r ${NSS_AIA_PATH}/${CERT_PUBLIC}
+ echo ${NSS_AIA_PATH}/${CERT_PUBLIC} >> ${AIA_FILES}
+ fi
+ done
+
+ DATA="${DATA}0
+n
+n"
+ fi
+}
+
+process_ocsp()
+{
+ if [ -n "${OCSP}" ]; then
+ OPTIONS="${OPTIONS} --extAIA"
+
+ if [ "${OCSP}" = "offline" ]; then
+ MY_OCSP_URL=${NSS_OCSP_UNUSED}
+ else
+ MY_OCSP_URL=${NSS_AIA_OCSP}
+ fi
+
+ DATA="${DATA}2
+7
+${MY_OCSP_URL}
+0
+n
+n
+"
+ fi
+}
+
+process_crldp()
+{
+ if [ -n "${CRLDP}" ]; then
+ OPTIONS="${OPTIONS} -4"
+
+ EXT_DATA="${EXT_DATA}1
+"
+
+ for ITEM in ${CRLDP}; do
+ CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"
+
+ EXT_DATA="${EXT_DATA}7
+${NSS_AIA_HTTP}/${CRL_PUBLIC}
+"
+ done
+
+ EXT_DATA="${EXT_DATA}-1
+-1
+-1
+n
+n
+"
+ fi
+}
+
+process_ku_ns_eku()
+{
+ if [ -n "${EXT_KU}" ]; then
+ OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}"
+ fi
+ if [ -n "${EXT_NS}" ]; then
+ EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1)
+ EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2)
+
+ OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}"
+ DATA="${DATA}${EXT_NS_CODE}
+-1
+n
+"
+ fi
+ if [ -n "${EXT_EKU}" ]; then
+ OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}"
+ fi
+}
+
+copy_crl()
+
+{
+ if [ -z "${NSS_AIA_PATH}" ]; then
+ return;
+ fi
+
+ CRL_LOCAL="${COPYCRL}.crl"
+ CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"
+
+ cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null
+ chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
+ echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES}
+}
+
+########################## process_extension ###########################
+# local shell function to process entity extension parameters and
+# generate input for certutil
+########################################################################
+process_extensions()
+{
+ OPTIONS=
+ DATA=
+
+ process_policy
+ process_mapping
+ process_inhibit
+ process_aia
+ process_ocsp
+ process_ku_ns_eku
+}
+
+############################## sign_cert ###############################
+# local shell function to sign certificate sign reuqest
+########################################################################
+sign_cert()
+{
+ ENTITY=$1
+ ISSUER=$2
+ TYPE=$3
+
+ [ -z "${ISSUER}" ] && return
+
+ ENTITY_DB=${ENTITY}DB
+ ISSUER_DB=${ISSUER}DB
+ REQ=${ENTITY}Req.der
+ CERT=${ENTITY}${ISSUER}.der
+
+ set_cert_sn
+
+ EMAIL_OPT=
+ if [ "${TYPE}" = "Bridge" ]; then
+ EMAIL_OPT="-7 ${ENTITY}@${ISSUER}"
+
+ [ -n "${EMAILS}" ] && EMAILS="${EMAILS},"
+ EMAILS="${EMAILS}${ENTITY}@${ISSUER}"
+ fi
+
+ process_extensions
+
+ echo "${DATA}" > ${CU_DATA}
+
+ TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}"
+ print_cu_data
+ ${BINDIR}/certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+
+ TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}"
+ ${BINDIR}/certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################# create_pkcs7##############################
+# local shell function to package bridge certificates into pkcs7
+# package
+########################################################################
+create_pkcs7()
+{
+ ENTITY=$1
+ ENTITY_DB=${ENTITY}DB
+
+ TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7"
+ ${BINDIR}/cmsutil -O -r "${EMAILS}" -d ${ENTITY_DB} > ${ENTITY}.p7
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################# import_key ###############################
+# local shell function to import private key + cert into database
+########################################################################
+import_key()
+{
+ KEY_NAME=$1.p12
+ DB=$2
+
+ KEY_FILE=../OCSPD/${KEY_NAME}
+
+ TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss"
+ ${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+export_key()
+{
+ KEY_NAME=$1.p12
+ DB=$2
+
+ TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss"
+ ${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+############################# import_cert ##############################
+# local shell function to import certificate into database
+########################################################################
+import_cert()
+{
+ IMPORT=$1
+ DB=$2
+
+ CERT_NICK=`echo ${IMPORT} | cut -d: -f1`
+ CERT_ISSUER=`echo ${IMPORT} | cut -d: -f2`
+ CERT_TRUST=`echo ${IMPORT} | cut -d: -f3`
+
+ if [ "${CERT_ISSUER}" = "x" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.cert
+ CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.der
+ CERT_FILE="../OCSPD/${CERT}"
+ else
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+ CERT_FILE=${CERT}
+ fi
+
+ IS_ASCII=`grep -c -- "-----BEGIN CERTIFICATE-----" ${CERT_FILE}`
+
+ ASCII_OPT=
+ if [ "${IS_ASCII}" -gt 0 ]; then
+ ASCII_OPT="-a"
+ fi
+
+ TESTNAME="Importing certificate ${CERT} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}"
+ ${BINDIR}/certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t "${CERT_TRUST}" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+import_crl()
+{
+ IMPORT=$1
+ DB=$2
+
+ CRL_NICK=`echo ${IMPORT} | cut -d: -f1`
+ CRL_FILE=${CRL_NICK}.crl
+
+ if [ ! -f "${CRL_FILE}" ]; then
+ return
+ fi
+
+ TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}"
+ ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+create_crl()
+{
+ ISSUER=$1
+ ISSUER_DB=${ISSUER}DB
+
+ CRL=${ISSUER}.crl
+
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ DATE_LAST="${DATE}"
+
+ UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ')
+
+ echo "update=${DATE}" > ${CRL_DATA}
+ echo "nextupdate=${UPDATE}" >> ${CRL_DATA}
+
+ TESTNAME="Create CRL for ${ISSUER_DB}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
+ echo "=== Crlutil input data ==="
+ cat ${CRL_DATA}
+ echo "==="
+ ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+revoke_cert()
+{
+ ISSUER=$1
+ ISSUER_DB=${ISSUER}DB
+
+ CRL=${ISSUER}.crl
+
+ set_cert_sn
+
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ while [ "${DATE}" = "${DATE_LAST}" ]; do
+ sleep 1
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ done
+ DATE_LAST="${DATE}"
+
+ echo "update=${DATE}" > ${CRL_DATA}
+ echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA}
+
+ TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
+ echo "=== Crlutil input data ==="
+ cat ${CRL_DATA}
+ echo "==="
+ ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+########################################################################
+# List of global variables related to certificate verification:
+#
+# Generated by parse_config:
+# DB - DB used for testing
+# FETCH - fetch flag (used with AIA extension)
+# POLICY - list of policies
+# TRUST - trust anchor
+# TRUST_AND_DB - Examine both trust anchors and the cert db for trust
+# VERIFY - list of certificates to use as vfychain parameters
+# EXP_RESULT - expected result
+# REV_OPTS - revocation options
+########################################################################
+
+############################# verify_cert ##############################
+# local shell function to verify certificate validity
+########################################################################
+verify_cert()
+{
+ ENGINE=$1
+
+ DB_OPT=
+ FETCH_OPT=
+ POLICY_OPT=
+ TRUST_OPT=
+ VFY_CERTS=
+ VFY_LIST=
+ TRUST_AND_DB_OPT=
+
+ if [ -n "${DB}" ]; then
+ DB_OPT="-d ${DB}"
+ fi
+
+ if [ -n "${FETCH}" ]; then
+ FETCH_OPT="-f"
+ if [ -z "${NSS_AIA_HTTP}" ]; then
+ echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined"
+ return
+ fi
+ fi
+
+ if [ -n "${TRUST_AND_DB}" ]; then
+ TRUST_AND_DB_OPT="-T"
+ fi
+
+ for ITEM in ${POLICY}; do
+ POLICY_OPT="${POLICY_OPT} -o ${ITEM}"
+ done
+
+ for ITEM in ${TRUST}; do
+ echo ${ITEM} | grep ":" > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_NICK=`echo ${ITEM} | cut -d: -f1`
+ CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+
+ TRUST_OPT="${TRUST_OPT} -t ${CERT}"
+ else
+ TRUST_OPT="${TRUST_OPT} -t ${ITEM}"
+ fi
+ done
+
+ for ITEM in ${VERIFY}; do
+ CERT_NICK=`echo ${ITEM} | cut -d: -f1`
+ CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
+
+ if [ "${CERT_ISSUER}" = "x" ]; then
+ CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert"
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT="../OCSPD/${CERT_NICK}.der"
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
+ else
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+ VFY_CERTS="${VFY_CERTS} ${CERT}"
+ VFY_LIST="${VFY_LIST} ${CERT}"
+ fi
+ done
+
+ VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+ VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+
+ TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "vfychain ${VFY_OPTS_ALL}"
+
+ if [ -z "${MEMLEAK_DBG}" ]; then
+ VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
+ RESULT=$?
+ echo "${VFY_OUT}"
+ else
+ VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE})
+ RESULT=$?
+ echo "${VFY_OUT}"
+ fi
+
+ echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null
+ E5990=$?
+ echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null
+ E8030=$?
+
+ if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then
+ echo "Result of this test is not valid due to network time out."
+ html_unknown "${SCENARIO}${TESTNAME}"
+ return
+ fi
+
+ echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}"
+
+ if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then
+ html_passed "${SCENARIO}${TESTNAME}"
+ elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then
+ html_passed "${SCENARIO}${TESTNAME}"
+ else
+ html_failed "${SCENARIO}${TESTNAME}"
+ fi
+}
+
+check_ocsp()
+{
+ OCSP_CERT=$1
+
+ CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
+ CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`
+
+ if [ "${CERT_ISSUER}" = "x" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.cert
+ CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
+ elif [ "${CERT_ISSUER}" = "d" ]; then
+ CERT_ISSUER=
+ CERT=${CERT_NICK}.der
+ CERT_FILE="../OCSPD/${CERT}"
+ else
+ CERT=${CERT_NICK}${CERT_ISSUER}.der
+ CERT_FILE=${CERT}
+ fi
+
+ # sample line:
+ # URI: "http://ocsp.server:2601"
+ OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
+ OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
+
+ echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
+ tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
+ return $?
+}
+
+############################ parse_result ##############################
+# local shell function to process expected result value
+# this function was created for case that expected result depends on
+# some conditions - in our case type of cert DB
+#
+# default results are pass and fail
+# this function added parsable values in format:
+# type1:value1 type2:value2 .... typex:valuex
+#
+# allowed types are dbm, sql, all (all means all other cases)
+# allowed values are pass and fail
+#
+# if this format is not used, EXP_RESULT will stay unchanged (this also
+# covers pass and fail states)
+########################################################################
+parse_result()
+{
+ for RES in ${EXP_RESULT}
+ do
+ RESTYPE=$(echo ${RES} | cut -d: -f1)
+ RESSTAT=$(echo ${RES} | cut -d: -f2)
+
+ if [ "${RESTYPE}" = "${NSS_DEFAULT_DB_TYPE}" -o "${RESTYPE}" = "all" ]; then
+ EXP_RESULT=${RESSTAT}
+ break
+ fi
+ done
+}
+
+############################ parse_config ##############################
+# local shell function to parse and process file containing certificate
+# chain configuration and list of tests
+########################################################################
+parse_config()
+{
+ SCENARIO=
+ LOGNAME=
+
+ while read KEY VALUE
+ do
+ case "${KEY}" in
+ "entity")
+ ENTITY="${VALUE}"
+ TYPE=
+ ISSUER=
+ CTYPE=
+ POLICY=
+ MAPPING=
+ INHIBIT=
+ AIA=
+ CRLDP=
+ OCSP=
+ DB=
+ EMAILS=
+ EXT_KU=
+ EXT_NS=
+ EXT_EKU=
+ SERIAL=
+ EXPORT_KEY=
+ ;;
+ "type")
+ TYPE="${VALUE}"
+ ;;
+ "issuer")
+ if [ -n "${ISSUER}" ]; then
+ if [ -z "${DB}" ]; then
+ create_entity "${ENTITY}" "${TYPE}"
+ fi
+ sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
+ fi
+
+ ISSUER="${VALUE}"
+ POLICY=
+ MAPPING=
+ INHIBIT=
+ AIA=
+ EXT_KU=
+ EXT_NS=
+ EXT_EKU=
+ ;;
+ "ctype")
+ CTYPE="${VALUE}"
+ ;;
+ "policy")
+ POLICY="${POLICY} ${VALUE}"
+ ;;
+ "mapping")
+ MAPPING="${MAPPING} ${VALUE}"
+ ;;
+ "inhibit")
+ INHIBIT="${VALUE}"
+ ;;
+ "aia")
+ AIA="${AIA} ${VALUE}"
+ ;;
+ "crldp")
+ CRLDP="${CRLDP} ${VALUE}"
+ ;;
+ "ocsp")
+ OCSP="${VALUE}"
+ ;;
+ "db")
+ DB="${VALUE}DB"
+ create_db "${DB}"
+ ;;
+ "import")
+ IMPORT="${VALUE}"
+ import_cert "${IMPORT}" "${DB}"
+ import_crl "${IMPORT}" "${DB}"
+ ;;
+ "import_key")
+ IMPORT="${VALUE}"
+ import_key "${IMPORT}" "${DB}"
+ ;;
+ "crl")
+ ISSUER="${VALUE}"
+ create_crl "${ISSUER}"
+ ;;
+ "revoke")
+ REVOKE="${VALUE}"
+ ;;
+ "serial")
+ SERIAL="${VALUE}"
+ ;;
+ "export_key")
+ EXPORT_KEY=1
+ ;;
+ "copycrl")
+ COPYCRL="${VALUE}"
+ copy_crl "${COPYCRL}"
+ ;;
+ "verify")
+ VERIFY="${VALUE}"
+ TRUST=
+ TRUST_AND_DB=
+ POLICY=
+ FETCH=
+ EXP_RESULT=
+ REV_OPTS=
+ USAGE_OPT=
+ ;;
+ "cert")
+ VERIFY="${VERIFY} ${VALUE}"
+ ;;
+ "testdb")
+ if [ -n "${VALUE}" ]; then
+ DB="${VALUE}DB"
+ else
+ DB=
+ fi
+ ;;
+ "trust")
+ TRUST="${TRUST} ${VALUE}"
+ ;;
+ "trust_and_db")
+ TRUST_AND_DB=1
+ ;;
+ "fetch")
+ FETCH=1
+ ;;
+ "result")
+ EXP_RESULT="${VALUE}"
+ parse_result
+ ;;
+ "rev_type")
+ REV_OPTS="${REV_OPTS} -g ${VALUE}"
+ ;;
+ "rev_flags")
+ REV_OPTS="${REV_OPTS} -h ${VALUE}"
+ ;;
+ "rev_mtype")
+ REV_OPTS="${REV_OPTS} -m ${VALUE}"
+ ;;
+ "rev_mflags")
+ REV_OPTS="${REV_OPTS} -s ${VALUE}"
+ ;;
+ "scenario")
+ SCENARIO="${VALUE}: "
+
+ CHAINS_DIR="${HOSTDIR}/chains/${VALUE}"
+ mkdir -p ${CHAINS_DIR}
+ cd ${CHAINS_DIR}
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ LOGNAME="libpkix-${VALUE}"
+ LOGFILE="${LOGDIR}/${LOGNAME}"
+ fi
+
+ SCEN_CNT=$(expr ${SCEN_CNT} + 1)
+ ;;
+ "sleep")
+ sleep ${VALUE}
+ ;;
+ "break")
+ break
+ ;;
+ "check_ocsp")
+ TESTNAME="Test that OCSP server is reachable"
+ check_ocsp ${VALUE}
+ if [ $? -ne 0 ]; then
+ html_failed "$TESTNAME"
+ break;
+ else
+ html_passed "$TESTNAME"
+ fi
+ ;;
+ "ku")
+ EXT_KU="${VALUE}"
+ ;;
+ "ns")
+ EXT_NS="${VALUE}"
+ ;;
+ "eku")
+ EXT_EKU="${VALUE}"
+ ;;
+ "usage")
+ USAGE_OPT="-u ${VALUE}"
+ ;;
+ "")
+ if [ -n "${ENTITY}" ]; then
+ if [ -z "${DB}" ]; then
+ create_entity "${ENTITY}" "${TYPE}"
+ fi
+ sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
+ if [ "${TYPE}" = "Bridge" ]; then
+ create_pkcs7 "${ENTITY}"
+ fi
+ if [ -n "${EXPORT_KEY}" ]; then
+ export_key "${ENTITY}" "${DB}"
+ fi
+ ENTITY=
+ fi
+
+ if [ -n "${VERIFY}" ] && \
+ [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+ verify_cert "-pp"
+ if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ] && \
+ [ -z "$NSS_DISABLE_LIBPKIX" ]; then
+ verify_cert ""
+ verify_cert "-p"
+ fi
+ VERIFY=
+ fi
+
+ if [ -n "${REVOKE}" ]; then
+ revoke_cert "${REVOKE}" "${DB}"
+ REVOKE=
+ fi
+ ;;
+ *)
+ if [ `echo ${KEY} | cut -b 1` != "#" ]; then
+ echo "Configuration error: Unknown keyword ${KEY}"
+ exit 1
+ fi
+ ;;
+ esac
+ done
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ log_parse
+ html_msg $? 0 "${SCENARIO}Memory leak checking"
+ fi
+}
+
+process_scenario()
+{
+ SCENARIO_FILE=$1
+
+ > ${AIA_FILES}
+
+ parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}"
+
+ while read AIA_FILE
+ do
+ rm ${AIA_FILE} 2> /dev/null
+ done < ${AIA_FILES}
+ rm ${AIA_FILES}
+}
+
+# process ocspd.cfg separately
+chains_ocspd()
+{
+ process_scenario "ocspd.cfg"
+}
+
+# process ocsp.cfg separately
+chains_method()
+{
+ process_scenario "method.cfg"
+}
+
+############################# chains_main ##############################
+# local shell function to process all testing scenarios
+########################################################################
+chains_main()
+{
+ while read LINE
+ do
+ [ `echo ${LINE} | cut -b 1` != "#" ] || continue
+
+ [ ${LINE} != 'ocspd.cfg' ] || continue
+ [ ${LINE} != 'method.cfg' ] || continue
+
+ process_scenario ${LINE}
+ done < "${CHAINS_SCENARIOS}"
+}
+
+################################ main ##################################
+
+chains_init
+VERIFY_CLASSIC_ENGINE_TOO=
+chains_ocspd
+VERIFY_CLASSIC_ENGINE_TOO=1
+chains_run_httpserv get
+chains_method
+chains_stop_httpserv
+chains_run_httpserv post
+chains_method
+chains_stop_httpserv
+VERIFY_CLASSIC_ENGINE_TOO=
+chains_run_httpserv random
+chains_main
+chains_stop_httpserv
+chains_run_httpserv get-unknown
+chains_main
+chains_stop_httpserv
+chains_cleanup
diff --git a/security/nss/tests/chains/ocspd-config/ocspd-certs.sh b/security/nss/tests/chains/ocspd-config/ocspd-certs.sh
new file mode 100755
index 000000000..2f7d45898
--- /dev/null
+++ b/security/nss/tests/chains/ocspd-config/ocspd-certs.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+
+DATA_DIR=$1
+OCSP_DIR=$2
+CERT_DIR=$3
+
+TEST_PWD="nssnss"
+CONF_TEMPLATE="ocspd.conf.template"
+
+convert_cert()
+{
+ CERT_NAME=$1
+ CERT_SIGNER=$2
+
+ openssl x509 -in ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der -inform DER -out ${DATA_DIR}/${CERT_NAME}.pem -outform PEM
+}
+
+convert_crl()
+{
+ CRL_NAME=$1
+
+ openssl crl -in ${DATA_DIR}/${CRL_NAME}.crl -inform DER -out ${DATA_DIR}/${CRL_NAME}crl.pem -outform PEM
+}
+
+convert_key()
+{
+ KEY_NAME=$1
+
+ pk12util -o ${DATA_DIR}/${KEY_NAME}.p12 -n ${KEY_NAME} -d ${DATA_DIR}/${KEY_NAME}DB -k ${DATA_DIR}/${KEY_NAME}DB/dbpasswd -W ${TEST_PWD}
+ openssl pkcs12 -in ${DATA_DIR}/${KEY_NAME}.p12 -out ${DATA_DIR}/${KEY_NAME}.key.tmp -passin pass:${TEST_PWD} -passout pass:${TEST_PWD}
+
+ STATUS=0
+ cat ${DATA_DIR}/${KEY_NAME}.key.tmp | while read LINE; do
+ echo "${LINE}" | grep "BEGIN ENCRYPTED PRIVATE KEY" > /dev/null && STATUS=1
+ [ ${STATUS} -eq 1 ] && echo "${LINE}"
+ echo "${LINE}" | grep "END ENCRYPTED PRIVATE KEY" > /dev/null && break
+ done > ${DATA_DIR}/${KEY_NAME}.key
+
+ rm ${DATA_DIR}/${KEY_NAME}.key.tmp
+}
+
+create_conf()
+{
+ CONF_FILE=$1
+ CA=$2
+ OCSP=$3
+ PORT=$4
+
+ cat ${CONF_TEMPLATE} | \
+ sed "s:@DIR@:${OCSP_DIR}:" | \
+ sed "s:@CA_CERT@:${DATA_DIR}/${CA}.pem:" | \
+ sed "s:@CA_CRL@:${DATA_DIR}/${CA}crl.pem:" | \
+ sed "s:@CA_KEY@:${DATA_DIR}/${CA}.key:" | \
+ sed "s:@OCSP_PID@:${OCSP}.pid:" | \
+ sed "s:@PORT@:${PORT}:" \
+ > ${CONF_FILE}
+}
+
+copy_cert()
+{
+ CERT_NAME=$1
+ CERT_SIGNER=$2
+
+ cp ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der ${CERT_DIR}/${CERT_NAME}.cert
+}
+
+
+copy_key()
+{
+ KEY_NAME=$1
+
+ cp ${DATA_DIR}/${KEY_NAME}.p12 ${CERT_DIR}/${KEY_NAME}.p12
+}
+
+convert_cert OCSPRoot
+convert_crl OCSPRoot
+convert_key OCSPRoot
+
+convert_cert OCSPCA1 OCSPRoot
+convert_crl OCSPCA1
+convert_key OCSPCA1
+
+convert_cert OCSPCA2 OCSPRoot
+convert_crl OCSPCA2
+convert_key OCSPCA2
+
+convert_cert OCSPCA3 OCSPRoot
+convert_crl OCSPCA3
+convert_key OCSPCA3
+
+create_conf ocspd0.conf OCSPRoot ocspd0 2600
+create_conf ocspd1.conf OCSPCA1 ocspd1 2601
+create_conf ocspd2.conf OCSPCA2 ocspd2 2602
+create_conf ocspd3.conf OCSPCA3 ocspd3 2603
+
+copy_cert OCSPRoot
+copy_cert OCSPCA1 OCSPRoot
+copy_cert OCSPCA2 OCSPRoot
+copy_cert OCSPCA3 OCSPRoot
+copy_cert OCSPEE11 OCSPCA1
+copy_cert OCSPEE12 OCSPCA1
+copy_cert OCSPEE13 OCSPCA1
+copy_cert OCSPEE14 OCSPCA1
+copy_cert OCSPEE15 OCSPCA1
+copy_cert OCSPEE21 OCSPCA2
+copy_cert OCSPEE22 OCSPCA2
+copy_cert OCSPEE23 OCSPCA2
+copy_cert OCSPEE31 OCSPCA3
+copy_cert OCSPEE32 OCSPCA3
+copy_cert OCSPEE33 OCSPCA3
+
+copy_key OCSPRoot
+copy_key OCSPCA1
+copy_key OCSPCA2
+copy_key OCSPCA3
+
diff --git a/security/nss/tests/chains/ocspd-config/ocspd.conf.template b/security/nss/tests/chains/ocspd-config/ocspd.conf.template
new file mode 100644
index 000000000..456c74a16
--- /dev/null
+++ b/security/nss/tests/chains/ocspd-config/ocspd.conf.template
@@ -0,0 +1,46 @@
+[ ocspd ]
+
+default_ocspd = OCSPD_default
+
+[ OCSPD_default ]
+
+dir = @DIR@
+db = $dir/index.txt
+md = sha1
+
+ca_certificate = $dir/@CA_CERT@
+ocspd_certificate = $dir/@CA_CERT@
+ocspd_key = $dir/@CA_KEY@
+pidfile = $dir/@OCSP_PID@
+
+user = nobody
+group = nobody
+
+bind = *
+port = @PORT@
+
+max_req_size = 8192
+threads_num = 150
+max_timeout_secs = 5
+crl_auto_reload = 3600
+crl_check_validity = 600
+crl_reload_expired = yes
+response = ocsp_response
+dbms = dbms_file
+
+[ ocsp_response ]
+
+dir = @DIR@
+next_update_days = 0
+next_update_mins = 5
+
+[ dbms_file ]
+
+0.ca = @first_ca
+
+[ first_ca ]
+
+crl_url = file:///@DIR@/@CA_CRL@
+ca_url = file:///@DIR@/@CA_CERT@
+server_cert = file:///@DIR@/@CA_CERT@
+
diff --git a/security/nss/tests/chains/ocspd-config/readme b/security/nss/tests/chains/ocspd-config/readme
new file mode 100644
index 000000000..5069af6fe
--- /dev/null
+++ b/security/nss/tests/chains/ocspd-config/readme
@@ -0,0 +1,3 @@
+OBSOLETE
+
+tests have been changed to use a local ocsp server (using httpserv)
diff --git a/security/nss/tests/chains/scenarios/aia.cfg b/security/nss/tests/chains/scenarios/aia.cfg
new file mode 100644
index 000000000..df3b1ef02
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/aia.cfg
@@ -0,0 +1,35 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AIA
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ aia CA1:Root
+
+entity User
+ type EE
+ issuer CA2
+
+testdb User
+
+verify User:CA2
+ cert CA2:CA1
+ trust Root:
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ trust Root:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/anypolicy.cfg b/security/nss/tests/chains/scenarios/anypolicy.cfg
new file mode 100644
index 000000000..fd647ad23
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicy.cfg
@@ -0,0 +1,77 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AnyPolicy
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+ policy any
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ inhibit 0
+
+entity CA3
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+
+entity User1
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+entity User2
+ type EE
+ issuer CA2
+ policy any
+
+entity User3
+ type EE
+ issuer CA3
+ policy any
+
+db All
+
+import RootCA::
+import CA1:RootCA:
+import CA2:CA1:
+import CA3:CA1:
+
+verify User1:CA2
+ trust RootCA
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust RootCA
+ policy OID.2.0
+ result fail
+
+verify User2:CA2
+ trust RootCA
+ policy OID.1.0
+ result fail
+
+verify User2:CA2
+ trust RootCA
+ policy OID.2.0
+ result fail
+
+verify User3:CA3
+ trust RootCA
+ policy OID.1.0
+ result pass
+
+verify User3:CA3
+ trust RootCA
+ policy OID.2.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
new file mode 100644
index 000000000..9dd84a797
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
@@ -0,0 +1,399 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AnyPolicyWithLevel
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+ policy any
+ inhibit 1
+
+entity CA12
+ type Intermediate
+ issuer CA1
+ policy any
+
+entity CA13
+ type Intermediate
+ issuer CA12
+ policy OID.1.0
+
+entity EE1
+ type EE
+ issuer CA13
+ policy OID.1.0
+
+entity CA22
+ type Intermediate
+ issuer CA1
+ policy any
+
+entity CA23
+ type Intermediate
+ issuer CA22
+ policy any
+
+entity EE2
+ type EE
+ issuer CA23
+ policy OID.1.0
+
+entity CA32
+ type Intermediate
+ issuer CA1
+ policy any
+ inhibit 1
+
+entity CA33
+ type Intermediate
+ issuer CA32
+ policy any
+
+entity EE3
+ type EE
+ issuer CA33
+ policy OID.1.0
+
+entity CA42
+ type Intermediate
+ issuer CA1
+ policy any
+ policy OID.1.0
+
+entity CA43
+ type Intermediate
+ issuer CA42
+ policy any
+ policy OID.1.0
+
+entity EE4
+ type EE
+ issuer CA43
+ policy OID.1.0
+
+entity CA52
+ type Intermediate
+ issuer CA1
+ policy any
+ policy OID.1.0
+
+entity CA53
+ type Intermediate
+ issuer CA52
+ policy any
+
+entity EE5
+ type EE
+ issuer CA53
+ policy OID.1.0
+
+entity CA61
+ type Intermediate
+ issuer RootCA
+ policy any
+ inhibit 5
+
+entity CA62
+ type Intermediate
+ issuer CA61
+ policy any
+
+entity EE62
+ type EE
+ issuer CA62
+ policy OID.1.0
+
+entity CA63
+ type Intermediate
+ issuer CA62
+ policy any
+
+entity EE63
+ type EE
+ issuer CA63
+ policy OID.1.0
+
+entity CA64
+ type Intermediate
+ issuer CA63
+ policy any
+
+entity EE64
+ type EE
+ issuer CA64
+ policy OID.1.0
+
+entity CA65
+ type Intermediate
+ issuer CA64
+ policy any
+
+entity EE65
+ type EE
+ issuer CA65
+ policy OID.1.0
+
+entity CA66
+ type Intermediate
+ issuer CA65
+ policy any
+
+entity EE66
+ type EE
+ issuer CA66
+ policy OID.1.0
+
+entity CA67
+ type Intermediate
+ issuer CA66
+ policy any
+
+entity EE67
+ type EE
+ issuer CA67
+ policy OID.1.0
+
+db All
+
+verify EE1:CA13
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA12:CA1
+ cert CA13:CA12
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE1:CA13
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA12:CA1
+ cert CA13:CA12
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA13
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA12:CA1
+ cert CA13:CA12
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result pass
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result fail
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ result pass
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result fail
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ result pass
+
+verify EE4:CA43
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA42:CA1
+ cert CA43:CA42
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE4:CA43
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA42:CA1
+ cert CA43:CA42
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE4:CA43
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA42:CA1
+ cert CA43:CA42
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result pass
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result fail
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ result pass
+
+verify EE62:CA62
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE63:CA63
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE64:CA64
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE65:CA65
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE66:CA66
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE67:CA67
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/bridge.cfg b/security/nss/tests/chains/scenarios/bridge.cfg
new file mode 100644
index 000000000..14dba6adc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridge.cfg
@@ -0,0 +1,106 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Bridge
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity User
+ type EE
+ issuer Bridge
+
+db All
+
+import Army::
+import Navy::
+
+verify User:Bridge
+ cert Bridge:Navy
+ trust Navy
+ result pass
+
+verify User:Bridge
+ cert Bridge:Army
+ trust Army
+ result pass
+
+verify User:Bridge
+ cert Bridge:Navy
+ trust Army
+ result fail
+
+import Bridge:Army:
+import Bridge:Navy:
+
+verify User:Bridge
+ trust Army
+ result pass
+
+verify User:Bridge
+ trust Navy
+ result pass
+
+db ArmyOnly
+
+import Army::C,,
+
+verify User:Bridge
+ result fail
+
+verify User:Bridge
+ cert Bridge:Navy
+ result fail
+
+verify User:Bridge
+ cert Bridge:Navy
+ cert Navy:
+ result fail
+
+verify User:Bridge
+ cert Bridge:Navy
+ cert Navy:
+ trust Navy:
+ result pass
+
+verify User:Bridge
+ cert Bridge:Navy
+ trust Navy:
+ result pass
+
+db NavyOnly
+
+import Navy::C,,
+
+verify User:Bridge
+ result fail
+
+verify User:Bridge
+ cert Bridge:Army
+ result fail
+
+verify User:Bridge
+ cert Bridge:Army
+ cert Army:
+ result fail
+
+verify User:Bridge
+ cert Bridge:Army
+ cert Army:
+ trust Army:
+ result pass
+
+verify User:Bridge
+ cert Bridge:Army
+ trust Army:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithaia.cfg b/security/nss/tests/chains/scenarios/bridgewithaia.cfg
new file mode 100644
index 000000000..640edb87a
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithaia.cfg
@@ -0,0 +1,54 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithAIA
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ aia Bridge
+
+entity EE1
+ type EE
+ issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+ result dbm:fail all:pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
new file mode 100644
index 000000000..914828ea1
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
@@ -0,0 +1,89 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithHalfAIA
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ aia Bridge
+
+entity EE1
+ type EE
+ issuer CA1
+
+entity CA2
+ type Intermediate
+ issuer Bridge
+ aia Bridge:Navy
+
+entity EE2
+ type EE
+ issuer CA2
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+ result dbm:fail all:pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert Bridge:Army
+ trust Army:
+ fetch
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:Army
+ trust Army:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
new file mode 100644
index 000000000..f7554cabc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
@@ -0,0 +1,187 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithPolicyExtensionAndMapping
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity CAArmy
+ type Intermediate
+ issuer Army
+ policy OID.1.0
+ policy OID.1.1
+
+entity CANavy
+ type Intermediate
+ issuer Navy
+ policy OID.2.0
+ policy OID.2.1
+
+entity Bridge
+ type Bridge
+ issuer CAArmy
+ policy OID.1.0
+ policy OID.1.1
+ mapping OID.1.1:OID.2.1
+ issuer CANavy
+ policy OID.2.0
+ policy OID.2.1
+ mapping OID.2.1:OID.1.1
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ policy OID.1.1
+ policy OID.2.1
+
+entity CA2
+ type Intermediate
+ issuer Bridge
+ policy OID.1.0
+ policy OID.2.0
+
+entity EE1
+ type EE
+ issuer CA1
+ policy OID.2.1
+
+entity EE2
+ type EE
+ issuer CA2
+ policy OID.2.0
+
+testdb
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.1
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.1
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.1
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.0
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.1
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/crldp.cfg b/security/nss/tests/chains/scenarios/crldp.cfg
new file mode 100644
index 000000000..a9949ae40
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/crldp.cfg
@@ -0,0 +1,105 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario CRLDP
+
+entity Root
+ type Root
+
+entity CA0
+ type Intermediate
+ issuer Root
+
+entity CA1
+ type Intermediate
+ crldp CA0
+ issuer CA0
+ serial 10
+ aia CA0:Root
+
+entity EE11
+ type EE
+ crldp CA0
+ issuer CA1
+
+entity CA2
+ type Intermediate
+ crldp CA0
+ issuer CA0
+ serial 20
+ aia CA0:Root
+
+entity EE21
+ type EE
+ issuer CA2
+
+entity EE1
+ type EE
+ crldp CA0
+ issuer CA0
+ serial 30
+ aia CA0:Root
+
+entity EE2
+ type EE
+ crldp CA0
+ issuer CA0
+ serial 40
+ aia CA0:Root
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA0
+ serial 20
+
+revoke CA0
+ serial 40
+
+copycrl CA0
+
+db All
+
+import Root::CTu,CTu,CTu
+
+# intermediate CA - OK, EE - OK
+verify EE11:CA1
+ cert CA1:CA0
+ trust Root:
+ fetch
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result pass
+
+# intermediate CA - revoked, EE - OK
+verify EE21:CA2
+ cert CA2:CA0
+ trust Root:
+ fetch
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result fail
+
+# direct EE - OK
+verify EE1:CA0
+ trust Root:
+ fetch
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result pass
+
+# direct EE - revoked
+verify EE2:CA0
+ trust Root:
+ fetch
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/dsa.cfg b/security/nss/tests/chains/scenarios/dsa.cfg
new file mode 100644
index 000000000..896e455fe
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/dsa.cfg
@@ -0,0 +1,72 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario DSA
+
+entity Root
+ type Root
+ ctype dsa
+
+entity CA1
+ type Intermediate
+ issuer Root
+ ctype dsa
+
+entity EE1
+ type EE
+ issuer CA1
+ ctype dsa
+
+entity CA2
+ type Intermediate
+ issuer Root
+ ctype dsa
+
+entity EE2
+ type EE
+ issuer CA2
+ ctype rsa
+
+entity CA3
+ type Intermediate
+ issuer Root
+ ctype rsa
+
+entity EE3
+ type EE
+ issuer CA3
+ ctype dsa
+
+entity CA4
+ type Intermediate
+ issuer Root
+ ctype rsa
+
+entity EE4
+ type EE
+ issuer CA4
+ ctype rsa
+
+db All
+
+verify EE1:CA1
+ cert CA1:Root
+ trust Root:
+ result pass
+
+verify EE2:CA2
+ cert CA2:Root
+ trust Root:
+ result pass
+
+verify EE3:CA3
+ cert CA3:Root
+ trust Root:
+ result pass
+
+verify EE4:CA4
+ cert CA4:Root
+ trust Root:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/explicitPolicy.cfg b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
new file mode 100644
index 000000000..20f79c45b
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
@@ -0,0 +1,78 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario explicitPolicy
+
+entity Root
+ type Root
+
+entity nonEVCA
+ type Intermediate
+ issuer Root
+
+entity EVCA
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity otherEVCA
+ type Intermediate
+ issuer Root
+ policy OID.2.0
+
+entity validEV
+ type EE
+ issuer EVCA
+ policy OID.1.0
+
+entity invalidEV
+ type EE
+ issuer nonEVCA
+ policy OID.1.0
+
+entity wrongEVOID
+ type EE
+ issuer otherEVCA
+ policy OID.1.0
+
+db All
+
+verify validEV:EVCA
+ cert EVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify invalidEV:nonEVCA
+ cert nonEVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result fail
+
+verify wrongEVOID:otherEVCA
+ cert otherEVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result fail
+
+import Root::C,C,C
+
+verify validEV:EVCA
+ cert EVCA:Root
+ policy OID.1.0
+ result pass
+
+verify invalidEV:nonEVCA
+ cert nonEVCA:Root
+ policy OID.1.0
+ result fail
+
+verify wrongEVOID:otherEVCA
+ cert otherEVCA:Root
+ policy OID.1.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension.cfg b/security/nss/tests/chains/scenarios/extension.cfg
new file mode 100644
index 000000000..fd1c3a0da
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension.cfg
@@ -0,0 +1,102 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+
+entity User
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+db All
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.2.0
+ result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust Root
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust CA1
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust CA2
+ policy OID.2.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension2.cfg b/security/nss/tests/chains/scenarios/extension2.cfg
new file mode 100644
index 000000000..9a6a7cd2d
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension2.cfg
@@ -0,0 +1,140 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension2
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+ policy OID.2.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ policy OID.2.0
+
+entity User1
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+entity User2
+ type EE
+ issuer CA2
+ policy OID.1.0
+ policy OID.2.0
+
+db All
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.2.0
+ result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User1:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust Root
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust CA1
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust CA2
+ policy OID.2.0
+ result fail
+
+verify User2:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust Root
+ policy OID.2.0
+ result pass
+
+verify User2:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust CA1
+ policy OID.2.0
+ result pass
+
+verify User2:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust CA2
+ policy OID.2.0
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/mapping.cfg b/security/nss/tests/chains/scenarios/mapping.cfg
new file mode 100644
index 000000000..d4e4a296d
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping.cfg
@@ -0,0 +1,63 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+ mapping OID.1.0:OID.1.1
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.1
+
+entity User
+ type EE
+ issuer CA2
+ policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+ trust Root
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA2
+ trust Root
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.0
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.1
+ result pass
+
+verify User:CA2
+ trust CA2
+ policy OID.1.0
+ result fail
+
+verify User:CA2
+ trust CA2
+ policy OID.1.1
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/mapping2.cfg b/security/nss/tests/chains/scenarios/mapping2.cfg
new file mode 100644
index 000000000..cae1daf07
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping2.cfg
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping2
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ mapping OID.1.0:OID.1.1
+
+entity CA3
+ type Intermediate
+ issuer CA2
+ policy OID.1.1
+
+entity User
+ type EE
+ issuer CA3
+ policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+import CA3:CA2:
+
+verify User:CA3
+ trust Root
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA3
+ trust Root
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA3
+ trust CA1
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA3
+ trust CA1
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA3
+ trust CA2
+ policy OID.1.0
+ result fail
+
+verify User:CA3
+ trust CA2
+ policy OID.1.1
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/megabridge_3_2.cfg b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
new file mode 100644
index 000000000..f1d4545fc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
@@ -0,0 +1,130 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario MegaBridge_3_2
+
+entity Root1
+ type Root
+
+entity Root2
+ type Root
+
+entity Root3
+ type Root
+
+entity Root4
+ type Root
+
+entity Root5
+ type Root
+
+entity Root6
+ type Root
+
+entity Root7
+ type Root
+
+entity Root8
+ type Root
+
+entity Root9
+ type Root
+
+entity Bridge11
+ type Bridge
+ issuer Root1
+ issuer Root2
+ issuer Root3
+
+entity Bridge12
+ type Bridge
+ issuer Root4
+ issuer Root5
+ issuer Root6
+
+entity Bridge13
+ type Bridge
+ issuer Root7
+ issuer Root8
+ issuer Root9
+
+entity Bridge21
+ type Bridge
+ issuer Bridge11
+ issuer Bridge12
+ issuer Bridge13
+
+entity CA1
+ type Intermediate
+ issuer Bridge21
+
+entity EE1
+ type EE
+ issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root1
+ trust Root1:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root2
+ trust Root2:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root3
+ trust Root3:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root4
+ trust Root4:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root5
+ trust Root5:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root6
+ trust Root6:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root7
+ trust Root7:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root8
+ trust Root8:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root9
+ trust Root9:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/method.cfg b/security/nss/tests/chains/scenarios/method.cfg
new file mode 100644
index 000000000..4223c39cc
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/method.cfg
@@ -0,0 +1,25 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Method
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+testdb ../OCSPD/Client
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
diff --git a/security/nss/tests/chains/scenarios/nameconstraints.cfg b/security/nss/tests/chains/scenarios/nameconstraints.cfg
new file mode 100644
index 000000000..6eda441ce
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg
@@ -0,0 +1,161 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+db trustanchors
+
+import NameConstraints.ca:x:CT,C,C
+# Name Constrained CA: Name constrained to permited DNSName ".example"
+import NameConstraints.ncca:x:CT,C,C
+import NameConstraints.dcisscopy:x:CT,C,C
+
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server1:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server3:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server5:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+# and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+# Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+# Fail: CN not in name constraints
+verify NameConstraints.server10:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+# Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3.
+# Intermediate 5's subject is not in Intermediate 3's permitted
+# names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+# Fail: Org matches Intermediate 5's name constraints, but does not match
+# Intermediate 3' name constraints
+verify NameConstraints.server13:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+# Fail: Matches Intermediate 5's name constraints, but fails because
+# Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+# No name constraints present
+# Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server16:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+ cert NameConstraints.intermediate6:x
+ result pass
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+verify NameConstraints.dcissblocked:x
+ result fail
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+verify NameConstraints.dcissallowed:x
+ result pass
+
+
diff --git a/security/nss/tests/chains/scenarios/ocsp.cfg b/security/nss/tests/chains/scenarios/ocsp.cfg
new file mode 100644
index 000000000..cdfff89fe
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocsp.cfg
@@ -0,0 +1,177 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSP
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+db OCSPRoot
+import OCSPRoot:d:CT,C,C
+
+db OCSPCA1
+import_key OCSPCA1
+
+crl OCSPCA1
+
+revoke OCSPCA1
+ serial 3
+
+revoke OCSPCA1
+ serial 4
+
+testdb OCSPRoot
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - unknown
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - unknown, requireFreshInfo
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - revoked, leaf, no fresh info
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - OK, CA - revoked, leaf, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - revoked, chain, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - unknown
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - OK, CA - unknown, requireFreshInfo
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - revoked, doNotUse
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags doNotUse
+ result pass
+
+#EE - revoked, forbidFetching
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags forbidFetching
+ result pass
+
+#EE - unknown status, failIfNoInfo
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags failIfNoInfo
+ result fail
+
+#EE - OK, CA - revoked, leaf, failIfNoInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags failIfNoInfo
+ result fail
+
+testdb OCSPCA1
+
+#EE - OK on OCSP, revoked locally - should fail ??
+# two things about this test: crl is not imported into the db and
+# cert 13 is not revoked by crl.
+verify OCSPEE13OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPCA1
+ rev_type leaf
+ rev_flags testLocalInfoFirst
+ rev_mtype ocsp
+ result pass
+
+db OCSPRoot1
+import OCSPRoot:d:CT,C,C
+
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_mtype ocsp
+ rev_type leaf
+ rev_mtype ocsp
+ result fail
+
+db OCSPRoot2
+import OCSPRoot:d:T,,
+
+# bug 527438
+# expected result of this test is FAIL
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_mtype ocsp
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/ocspd.cfg b/security/nss/tests/chains/scenarios/ocspd.cfg
new file mode 100644
index 000000000..e48f9068e
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocspd.cfg
@@ -0,0 +1,172 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSPD
+
+#root CA
+entity OCSPRoot
+ type Root
+ export_key
+
+#CA - OK
+entity OCSPCA1
+ type Intermediate
+ issuer OCSPRoot
+ serial 1
+ ocsp online
+ export_key
+
+#CA - revoked
+entity OCSPCA2
+ type Intermediate
+ issuer OCSPRoot
+ serial 2
+ ocsp online
+ export_key
+
+#CA - unknown status
+entity OCSPCA3
+ type Intermediate
+ issuer OCSPRoot
+ serial 3
+ ocsp offline
+ export_key
+
+#EE - OK
+entity OCSPEE11
+ type EE
+ issuer OCSPCA1
+ serial 1
+ ocsp online
+
+#EE - revoked on OCSP
+entity OCSPEE12
+ type EE
+ issuer OCSPCA1
+ serial 2
+ ocsp online
+
+#EE - revoked on CRL
+entity OCSPEE13
+ type EE
+ issuer OCSPCA1
+ serial 3
+ ocsp online
+
+#EE - revoked on OCSP and CRL
+entity OCSPEE14
+ type EE
+ issuer OCSPCA1
+ serial 4
+ ocsp online
+
+#EE - unknown status
+entity OCSPEE15
+ type EE
+ issuer OCSPCA1
+ serial 5
+ ocsp offline
+
+#EE - valid EE, revoked CA
+entity OCSPEE21
+ type EE
+ issuer OCSPCA2
+ serial 1
+ ocsp online
+
+#EE - revoked EE, revoked CA
+entity OCSPEE22
+ type EE
+ issuer OCSPCA2
+ serial 2
+ ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE23
+ type EE
+ issuer OCSPCA2
+ serial 3
+ ocsp offline
+
+#EE - valid EE, CA pointing to invalid OCSP
+entity OCSPEE31
+ type EE
+ issuer OCSPCA3
+ serial 1
+ ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE32
+ type EE
+ issuer OCSPCA3
+ serial 2
+ ocsp online
+
+#EE - EE pointing to invalid OCSP, CA pointing to invalid OCSP
+entity OCSPEE33
+ type EE
+ issuer OCSPCA3
+ serial 3
+ ocsp offline
+
+crl OCSPRoot
+
+revoke OCSPRoot
+ serial 2
+
+crl OCSPCA1
+
+revoke OCSPCA1
+ serial 2
+
+revoke OCSPCA1
+ serial 4
+
+crl OCSPCA2
+
+revoke OCSPCA2
+ serial 2
+
+revoke OCSPCA2
+ serial 3
+
+crl OCSPCA3
+
+revoke OCSPCA3
+ serial 2
+
+revoke OCSPCA3
+ serial 3
+
+# Used for running a single OCSP server (httpserv) instance that can
+# handle multiple CAs, e.g.:
+# httpserv -p 8641 -d . -f dbpasswd \
+# -A OCSPRoot -C OCSPRoot.crl -A OCSPCA1 -C OCSPCA1.crl \
+# -A OCSPCA2 -C OCSPCA2.crl -A OCSPCA3 -C OCSPCA3.crl
+db Server
+import OCSPRoot::CT,C,C
+import_key OCSPRoot
+import_key OCSPCA1
+import_key OCSPCA2
+import_key OCSPCA3
+
+# A DB containing all certs, but no keys.
+# Useful for manual OCSP client testing, e.g.:
+# ocspclnt -d . -S OCSPEE12OCSPCA1 -u s
+db Client
+import OCSPRoot::CT,C,C
+import OCSPCA1OCSPRoot::
+import OCSPCA2OCSPRoot::
+import OCSPCA3OCSPRoot::
+import OCSPEE11OCSPCA1::
+import OCSPEE12OCSPCA1::
+import OCSPEE13OCSPCA1::
+import OCSPEE14OCSPCA1::
+import OCSPEE15OCSPCA1::
+import OCSPEE21OCSPCA2::
+import OCSPEE22OCSPCA2::
+import OCSPEE23OCSPCA2::
+import OCSPEE31OCSPCA3::
+import OCSPEE32OCSPCA3::
+import OCSPEE33OCSPCA3::
diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg
new file mode 100644
index 000000000..d2a8c7143
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/realcerts.cfg
@@ -0,0 +1,29 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario RealCerts
+
+db All
+
+import TestCA.ca:x:CT,C,C
+import TestUser50:x:
+import TestUser51:x:
+import PayPalRootCA:x:CT,C,C
+import PayPalICA:x:
+import PayPalEE:x:
+import BrAirWaysBadSig:x:
+
+verify TestUser50:x
+ result pass
+
+verify TestUser51:x
+ result pass
+
+verify PayPalEE:x
+ policy OID.2.16.840.1.114412.1.1
+ result pass
+
+verify BrAirWaysBadSig:x
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/revoc.cfg b/security/nss/tests/chains/scenarios/revoc.cfg
new file mode 100644
index 000000000..a4ec78622
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/revoc.cfg
@@ -0,0 +1,86 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Revocation
+
+entity Root
+ type Root
+ serial 10
+
+entity CA0
+ type Intermediate
+ issuer Root
+ serial 11
+
+entity CA1
+ type Intermediate
+ issuer CA0
+ serial 12
+
+entity EE11
+ type EE
+ issuer CA1
+ serial 13
+
+entity EE12
+ type EE
+ issuer CA1
+ serial 14
+
+entity CA2
+ type Intermediate
+ issuer CA0
+ serial 15
+
+entity EE21
+ type EE
+ issuer CA2
+ serial 16
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA1
+ serial 14
+
+revoke CA0
+ serial 15
+
+db All
+
+import Root::CTu,CTu,CTu
+import CA0:Root:
+import CA1:CA0:
+import CA2:CA0:
+
+# EE11 - not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result pass
+
+# EE12 - revoked
+verify EE12:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result fail
+
+# EE11 - CA1 not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result pass
+
+# EE21 - CA2 revoked
+verify EE21:CA2
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios
new file mode 100644
index 000000000..d26c3f92e
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -0,0 +1,24 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+bridge.cfg
+megabridge_3_2.cfg
+extension.cfg
+extension2.cfg
+anypolicy.cfg
+anypolicywithlevel.cfg
+explicitPolicy.cfg
+mapping.cfg
+mapping2.cfg
+aia.cfg
+bridgewithaia.cfg
+bridgewithhalfaia.cfg
+bridgewithpolicyextensionandmapping.cfg
+realcerts.cfg
+dsa.cfg
+revoc.cfg
+ocsp.cfg
+crldp.cfg
+trustanchors.cfg
+nameconstraints.cfg
diff --git a/security/nss/tests/chains/scenarios/trustanchors.cfg b/security/nss/tests/chains/scenarios/trustanchors.cfg
new file mode 100644
index 000000000..db18990ac
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/trustanchors.cfg
@@ -0,0 +1,114 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+
+entity CA2
+ type Intermediate
+ issuer CA1
+
+entity EE1
+ type EE
+ issuer CA2
+
+entity OtherRoot
+ type Root
+
+entity OtherIntermediate
+ type Intermediate
+ issuer OtherRoot
+
+entity EE2
+ type EE
+ issuer OtherIntermediate
+
+# Scenarios where trust only comes from the DB
+db DBOnly
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Simple chaining - no trust anchors
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Simple trust anchors - ignore the Cert DB
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+# Redundant trust - trust anchor and DB
+verify EE1:CA2
+ cert CA2:CA1
+ trust RootCA
+ result pass
+
+
+# Scenarios where trust only comes from trust anchors
+db TrustOnly
+
+# Simple checking - direct trust anchor
+verify EE1:CA2
+ cert CA2:CA1
+ cert CA1:RootCA:
+ trust RootCA:
+ result pass
+
+# Partial chain (not self-signed), with a trust anchor
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+
+# Scenarios where trust comes from both trust anchors and the DB
+db TrustAndDB
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Check that trust in the DB works
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Check that trust anchors work
+verify EE2:OtherIntermediate
+ cert OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Check that specifying a trust anchor still allows searching the cert DB
+verify EE1:CA2
+ trust_and_db
+ cert CA2:CA1
+ trust OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Scenarios where the trust DB has explicitly distrusted one or more certs,
+# even when the trust anchors indicate trust
+db ExplicitDistrust
+
+import RootCA::CT,C,C
+import CA1:RootCA:p,p,p
+import OtherRoot::p,p,p
+
+# Verify that a distrusted intermediate, but trusted root, is rejected.
+verify EE1:CA2
+ cert CA2:CA1
+ trust CA1:RootCA
+ result fail
+
+# Verify that a trusted intermediate, but distrusted root, is accepted.
+verify EE2:OtherIntermediate
+ trust OtherIntermediate:OtherRoot
+ result pass
diff --git a/security/nss/tests/cipher/cipher.sh b/security/nss/tests/cipher/cipher.sh
new file mode 100755
index 000000000..1d2561d9c
--- /dev/null
+++ b/security/nss/tests/cipher/cipher.sh
@@ -0,0 +1,140 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/cipher/cipher.sh
+#
+# Script to test NSS ciphers
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## cipher_init #############################
+# local shell function to initialize this script
+########################################################################
+cipher_init()
+{
+ SCRIPTNAME="cipher.sh"
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME="cipher.sh"
+ html_head "Cipher Tests"
+
+ CIPHERDIR=${HOSTDIR}/cipher
+ CIPHERTESTDIR=${QADIR}/../cmd/bltest
+ GCMTESTDIR=${QADIR}/../cmd/pk11gcmtest
+ D_CIPHER="Cipher.$version"
+
+ CIPHER_TXT=${QADIR}/cipher/cipher.txt
+ GCM_TXT=${QADIR}/cipher/gcm.txt
+
+ mkdir -p ${CIPHERDIR}
+
+ cd ${CIPHERDIR}
+ P_CIPHER=.
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_CIPHER="multiaccess:${D_CIPHER}"
+ fi
+}
+
+############################## cipher_main #############################
+# local shell function to test NSS ciphers
+########################################################################
+cipher_main()
+{
+ while read EXP_RET PARAM TESTNAME
+ do
+ if [ -n "$EXP_RET" -a "$EXP_RET" != "#" ] ; then
+ PARAM=`echo $PARAM | sed -e "s/_-/ -/g"`
+ TESTNAME=`echo $TESTNAME | sed -e "s/_/ /g"`
+ echo "$SCRIPTNAME: $TESTNAME --------------------------------"
+ failedStr=""
+ inOff=0
+ res=0
+ while [ $inOff -lt 8 ]
+ do
+ outOff=0
+ while [ $outOff -lt 8 ]
+ do
+ echo "bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff"
+ ${PROFTOOL} ${BINDIR}/bltest${PROG_SUFFIX} -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff
+ if [ $? -ne 0 ]; then
+ failedStr="$failedStr[$inOff:$outOff]"
+ fi
+ outOff=`expr $outOff + 1`
+ done
+ inOff=`expr $inOff + 1`
+ done
+ if [ -n "$failedStr" ]; then
+ html_msg 1 $EXP_RET "$TESTNAME (Failed in/out offset pairs:" \
+ " $failedStr)"
+ else
+ html_msg $res $EXP_RET "$TESTNAME"
+ fi
+ fi
+ done < ${CIPHER_TXT}
+}
+
+############################## cipher_gcm #############################
+# local shell function to test NSS AES GCM
+########################################################################
+cipher_gcm()
+{
+ while read EXP_RET INPUT_FILE TESTNAME
+ do
+ if [ -n "$EXP_RET" -a "$EXP_RET" != "#" ] ; then
+ TESTNAME=`echo $TESTNAME | sed -e "s/_/ /g"`
+ echo "$SCRIPTNAME: $TESTNAME --------------------------------"
+ echo "pk11gcmtest aes kat gcm $GCMTESTDIR/tests/$INPUT_FILE"
+ ${PROFTOOL} ${BINDIR}/pk11gcmtest aes kat gcm $GCMTESTDIR/tests/$INPUT_FILE
+ html_msg $? $EXP_RET "$TESTNAME"
+ fi
+ done < ${GCM_TXT}
+}
+
+############################## cipher_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+cipher_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+# When building without softoken, bltest isn't built. It was already
+# built and the cipher suite run as part of an nss-softoken build.
+if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
+ echo "bltest not built, skipping this test." >> ${LOGFILE}
+ res=0
+ html_msg $res $EXP_RET "$TESTNAME"
+ return 0
+fi
+cipher_init
+# Skip cipher_main if this an NSS without softoken build.
+if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then
+ cipher_main
+fi
+# Skip cipher_gcm if this is a softoken only build.
+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" != "1" ]; then
+ cipher_gcm
+fi
+cipher_cleanup
diff --git a/security/nss/tests/cipher/cipher.txt b/security/nss/tests/cipher/cipher.txt
new file mode 100644
index 000000000..4e47a9f97
--- /dev/null
+++ b/security/nss/tests/cipher/cipher.txt
@@ -0,0 +1,57 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the cipher tests
+#
+# expected
+# return bltest Test Case name
+# value params
+# ------- ---------- ---------------
+ 0 des_ecb_-E DES_ECB_Encrypt
+ 0 des_ecb_-D DES_ECB_Decrypt
+ 0 des_cbc_-E DES_CBC_Encrypt
+ 0 des_cbc_-D DES_CBC_Decrypt
+ 0 des3_ecb_-E DES3_ECB_Encrypt
+ 0 des3_ecb_-D DES3_ECB_Decrypt
+ 0 des3_cbc_-E DES3_CBC_Encrypt
+ 0 des3_cbc_-D DES3_CBC_Decrypt
+ 0 aes_ecb_-E AES_ECB_Encrypt
+ 0 aes_ecb_-D AES_ECB_Decrypt
+ 0 aes_cbc_-E AES_CBC_Encrypt
+ 0 aes_cbc_-D AES_CBC_Decrypt
+ 0 aes_ctr AES_CTR
+ 0 aes_cts AES_CTS
+ 0 aes_gcm AES_GCM
+ 0 camellia_ecb_-E Camellia_ECB_Encrypt
+ 0 camellia_ecb_-D Camellia_ECB_Decrypt
+ 0 camellia_cbc_-E Camellia_CBC_Encrypt
+ 0 camellia_cbc_-D Camellia_CBC_Decrypt
+ 0 seed_ecb_-E SEED_ECB_Encrypt
+ 0 seed_ecb_-D SEED_ECB_Decrypt
+ 0 seed_cbc_-E SEED_CBC_Encrypt
+ 0 seed_cbc_-D SEED_CBC_Decrypt
+ 0 chacha20_poly1305_-E ChaCha20_Poly1305_Encrypt
+ 0 chacha20_poly1305_-D ChaCha20_Poly1305_Decrypt
+ 0 rc2_ecb_-E RC2_ECB_Encrypt
+ 0 rc2_ecb_-D RC2_ECB_Decrypt
+ 0 rc2_cbc_-E RC2_CBC_Encrypt
+ 0 rc2_cbc_-D RC2_CBC_Decrypt
+ 0 rc4_-E RC4_Encrypt
+ 0 rc4_-D RC4_Decrypt
+ 0 rsa_-E RSA_Encrypt
+ 0 rsa_-D RSA_Decrypt
+ 0 rsa_oaep_-E RSA_EncryptOAEP
+ 0 rsa_oaep_-D RSA_DecryptOAEP
+ 0 rsa_pss_-S RSA_SignPSS
+ 0 rsa_pss_-V RSA_CheckSignPSS
+ 0 rsa_-K RSA_Populate
+ 0 dsa_-S DSA_Sign
+ 0 dsa_-V DSA_Verify
+ 0 md2_-H MD2_Hash
+ 0 md5_-H MD5_Hash
+ 0 sha1_-H SHA1_Hash
+ 0 sha224_-H SHA224_Hash
+ 0 sha256_-H SHA256_Hash
+ 0 sha384_-H SHA384_Hash
+ 0 sha512_-H SHA512_Hash
diff --git a/security/nss/tests/cipher/dsa.txt b/security/nss/tests/cipher/dsa.txt
new file mode 100644
index 000000000..f2d3401f4
--- /dev/null
+++ b/security/nss/tests/cipher/dsa.txt
@@ -0,0 +1,13 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the dsa performance tests
+#
+#
+# mode keysize bufsize repetitions cxrepetitions
+ dsa 64 20 200 5
+ dsa 96 20 200 3
+ dsa 128 20 200 3
+ dsa 256 20 200 3
+ dsa 384 20 200 3
diff --git a/security/nss/tests/cipher/gcm.txt b/security/nss/tests/cipher/gcm.txt
new file mode 100644
index 000000000..4550faf49
--- /dev/null
+++ b/security/nss/tests/cipher/gcm.txt
@@ -0,0 +1,16 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the AES GCM tests
+#
+# expected
+# return pk11gcmtest Test Case name
+# value input file
+# ------- ---------------------- -----------------------
+ 0 gcmDecrypt128.rsp NIST_AES128_GCM_Decrypt
+ 0 gcmDecrypt192.rsp NIST_AES192_GCM_Decrypt
+ 0 gcmDecrypt256.rsp NIST_AES256_GCM_Decrypt
+ 0 gcmEncryptExtIV128.rsp NIST_AES128_GCM_Encrypt
+ 0 gcmEncryptExtIV192.rsp NIST_AES192_GCM_Encrypt
+ 0 gcmEncryptExtIV256.rsp NIST_AES256_GCM_Encrypt
diff --git a/security/nss/tests/cipher/hash.txt b/security/nss/tests/cipher/hash.txt
new file mode 100644
index 000000000..9bee5ba11
--- /dev/null
+++ b/security/nss/tests/cipher/hash.txt
@@ -0,0 +1,11 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the cryptographic hash performance tests
+#
+#
+# mode bufsize repetitions
+ md2 10240 5000
+ md5 10240 100000
+ sha1 10240 100000
diff --git a/security/nss/tests/cipher/performance.sh b/security/nss/tests/cipher/performance.sh
new file mode 100755
index 000000000..dd7c74ee2
--- /dev/null
+++ b/security/nss/tests/cipher/performance.sh
@@ -0,0 +1,156 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This is just a quick script so we can still run our testcases.
+# Longer term we need a scriptable test environment..
+#
+. ../common/init.sh
+CURDIR=`pwd`
+if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ CURDIR=`cygpath -m ${CURDIR}`
+fi
+
+CIPHERDIR=${HOSTDIR}/cipher
+SKTESTS=${CURDIR}/symmkey.txt
+RSATESTS=${CURDIR}/rsa.txt
+DSATESTS=${CURDIR}/dsa.txt
+HASHTESTS=${CURDIR}/hash.txt
+SKPERFOUT=${CIPHERDIR}/skperfout.data
+RSAPERFOUT=${CIPHERDIR}/rsaperfout.data
+DSAPERFOUT=${CIPHERDIR}/dsaperfout.data
+HASHPERFOUT=${CIPHERDIR}/hashperfout.data
+PERFRESULTS=${HOSTDIR}/performance.html
+
+echo "<HTML><BODY>" >> ${PERFRESULTS}
+
+mkdir -p ${CIPHERDIR}
+cd ${CIPHERDIR}
+
+if [ -z $1 ]; then
+ TESTSET="all"
+else
+ TESTSET=$1
+fi
+
+if [ $TESTSET = "all" -o $TESTSET = "symmkey" ]; then
+echo "<TABLE BORDER=1><TR><TH COLSPAN=6>Symmetric Key Cipher Performance</TH></TR>" >> ${PERFRESULTS}
+echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>SYMMETRIC KEY SIZE (bits)</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS}
+
+while read mode keysize bufsize reps cxreps
+do
+ if [ $mode != "#" ]; then
+ echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps"
+ ${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${SKPERFOUT}
+ mv "tmp.in.0" "$mode.in"
+ mv tmp.key $mode.key
+ if [ -f tmp.iv ]; then
+ mv tmp.iv $mode.iv
+ fi
+ echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out"
+ ${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out >> ${SKPERFOUT}
+ echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv"
+ ${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv >> ${SKPERFOUT}
+ fi
+done < ${SKTESTS}
+
+while read md buf sk rps cxrps cx op
+do
+ if [ $md != "#" ]; then
+ echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$sk</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS}
+ fi
+done < ${SKPERFOUT}
+
+echo "</TABLE><BR>" >> ${PERFRESULTS}
+
+fi
+
+if [ $TESTSET = "all" -o $TESTSET = "rsa" ]; then
+while read mode keysize bufsize exp reps cxreps
+do
+ if [ $mode != "#" ]; then
+ echo "bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps"
+ ${BINDIR}/bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps >> ${RSAPERFOUT}
+ mv "tmp.in.0" "$mode.in"
+ mv tmp.key $mode.key
+ echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out"
+ ${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${RSAPERFOUT}
+ echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv"
+ ${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv >> ${RSAPERFOUT}
+ fi
+done < ${RSATESTS}
+
+echo "<TABLE BORDER=1><TR><TH COLSPAN=7>RSA Cipher Performance</TH></TR>" >> ${PERFRESULTS}
+echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>KEY SIZE (bits)</TH><TH>PUBLIC EXPONENT</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS}
+
+while read md buf mod pe rps cxrps cx op
+do
+ if [ $md != "#" ]; then
+ echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$mod</TD><TD align=right>$pe</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS}
+ fi
+done < ${RSAPERFOUT}
+
+echo "</TABLE><BR>" >> ${PERFRESULTS}
+fi
+
+if [ $TESTSET = "all" -o $TESTSET = "dsa" ]; then
+
+while read mode keysize bufsize reps cxreps
+do
+ if [ $mode != "#" ]; then
+ echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps"
+ ${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${DSAPERFOUT}
+ mv "tmp.in.0" "$mode.in"
+ mv tmp.key $mode.key
+ rm -f $mode.out
+ echo "bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out"
+ ${BINDIR}/bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT}
+ echo "bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out"
+ ${BINDIR}/bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT}
+ fi
+done < ${DSATESTS}
+
+echo "<TABLE BORDER=1><TR><TH COLSPAN=6>DSA Cipher Performance</TH></TR>" >> ${PERFRESULTS}
+echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>KEY SIZE (bits)</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS}
+
+while read md buf mod rps cxrps cx op
+do
+ if [ $md != "#" ]; then
+ echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$mod</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS}
+ fi
+done < ${DSAPERFOUT}
+
+echo "</TABLE><BR>" >> ${PERFRESULTS}
+fi
+
+if [ $TESTSET = "all" -o $TESTSET = "hash" ]; then
+while read mode bufsize reps
+do
+ if [ $mode != "#" ]; then
+ echo "bltest -N -m $mode -b $bufsize"
+ ${BINDIR}/bltest -N -m $mode -b $bufsize
+ mv "tmp.in.0" "$mode.in"
+ echo "bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out"
+ ${BINDIR}/bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out >> ${HASHPERFOUT}
+ fi
+done < ${HASHTESTS}
+
+echo "<TABLE BORDER=1><TR><TH COLSPAN=6>Hash Cipher Performance</TH></TR>" >> ${PERFRESULTS}
+echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>REPETITIONS</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS}
+
+while read md buf rps cxrps cx op
+do
+ if [ $md != "#" ]; then
+ echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$rps</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS}
+ fi
+done < ${HASHPERFOUT}
+
+echo "</TABLE><BR>" >> ${PERFRESULTS}
+fi
+
+#rm -f ${TEMPFILES}
+cd ${CURDIR}
+
+echo "</BODY></HTML>" >> ${PERFRESULTS}
diff --git a/security/nss/tests/cipher/rsa.txt b/security/nss/tests/cipher/rsa.txt
new file mode 100644
index 000000000..aad71261b
--- /dev/null
+++ b/security/nss/tests/cipher/rsa.txt
@@ -0,0 +1,11 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the rsa performance tests
+#
+#
+# mode keysize bufsize exponent repetitions cxrepetitions
+ rsa 32 32 17 1000 5
+ rsa 64 64 3 500 3
+ rsa 128 128 65537 200 3
diff --git a/security/nss/tests/cipher/symmkey.txt b/security/nss/tests/cipher/symmkey.txt
new file mode 100644
index 000000000..ad4b11ab4
--- /dev/null
+++ b/security/nss/tests/cipher/symmkey.txt
@@ -0,0 +1,36 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the symmetric key performance tests
+#
+#
+# mode keysize bufsize repetitions cxrepetitions
+ des_ecb 8 8192 1000 100000
+ des_cbc 8 8192 1000 100000
+ des3_ecb 24 8192 1000 100000
+ des3_cbc 24 8192 1000 100000
+ rc2_ecb 5 8192 1000 100000
+ rc2_ecb 8 8192 1000 100000
+ rc2_ecb 16 8192 1000 100000
+ rc2_cbc 5 8192 1000 100000
+ rc2_cbc 8 8192 1000 100000
+ rc2_cbc 16 8192 1000 100000
+ rc4 5 8192 10000 100000
+ rc4 8 8192 10000 100000
+ rc4 16 8192 10000 100000
+ rc4 24 8192 10000 100000
+ aes_ecb 16 8192 10000 100000
+ aes_cbc 16 8192 10000 100000
+ aes_ecb 32 8192 10000 100000
+ aes_cbc 32 8192 10000 100000
+ aes_ctr 16 8192 10000 100000
+ aes_ctr 32 8192 10000 100000
+ aes_gcm 16 8192 10000 100000
+ aes_gcm 32 8192 10000 100000
+ camellia_ecb 16 8192 10000 100000
+ camellia_cbc 16 8192 10000 100000
+ camellia_ecb 32 8192 10000 100000
+ camellia_cbc 32 8192 10000 100000
+ seed_ecb 16 8192 10000 100000
+ seed_cbc 16 8192 10000 100000
diff --git a/security/nss/tests/clean_tbx b/security/nss/tests/clean_tbx
new file mode 100755
index 000000000..4de955576
--- /dev/null
+++ b/security/nss/tests/clean_tbx
@@ -0,0 +1,172 @@
+#! /bin/perl
+
+#######################################################################
+#
+# /u/sonmi/bin/clean_tbx.pl
+#
+# this script is supposed to remove tinderbox QA if:
+# QA has passed, there are 2+ newer QA dirs of the same machine and
+# platform (32/64) and it is older than 2 hours
+# QA has failed, there are 2+ newer QA dirsof the same machine and
+# platform (32/64) with _identical failures and it is older than
+# 2 hours
+# directory is older than 48 hours
+#
+#######################################################################
+
+use Time::Local;
+
+$ANY_TBX_KEEP_HOURS=48;
+$NOT_FAILED_TBX_KEEP_HOURS=24;
+$PASSED_TBX_KEEP_HOURS=2;
+$IF_TBX_KEEP_HOURS=2;
+$PASSED_NEWER_DIRS=2;
+$IF_NEWER_DIRS=2;
+$verbose = 1;
+
+$TBX_TESTDIR="/share/builds/mccrel3/nss/nsstip/tinderbox/tests_results/security";
+$FTP_STAGE="/u/sonmi/tmp/ftp_stage/tinderbox";
+
+@tbx_dirs = ();
+
+$eANY_TBX_KEEP=$ANY_TBX_KEEP_HOURS*60*60;
+$ePASSED_TBX_KEEP=$PASSED_TBX_KEEP_HOURS*60*60;
+$eIF_TBX_KEEP=$IF_TBX_KEEP_HOURS*60*60;
+$eNOT_FAILED_TBX_KEEP=$NOT_FAILED_TBX_KEEP_HOURS*60*60;
+
+$year, $month, $days, $hours, $minutes, $seconds;
+$efulldate=0;
+
+$fulldate=0;
+
+$no_bits="";
+$last_no_bits="";
+
+$host="";
+$last_host="";
+
+@tbx_dirs = `ls -r $TBX_TESTDIR`; #sort first by host,
+ #then 64,
+ #then newest - oldest
+debug ("found $#tbx_dirs directories ");
+
+($seconds, $minutes, $hours, $days, $month, $year) = localtime;
+
+debug ("$seconds, $minutes, $hours, $days, $month, $year");
+
+$enow = timelocal(localtime);
+
+sub debug;
+sub warning;
+sub error;
+sub msg;
+sub init;
+sub check_tbx_dirs;
+
+sub check_tbx_dirs
+{
+ my $platform_idx=0; # counts directories per platform, newest
+ # to oldest (ignores incomplete)
+ my $passed_idx=0; # counts passed directories newest to oldest
+ my $QAstatus="unknown";
+ foreach $tbx_dir (@tbx_dirs) {
+ $tbx_dir =~ s/\n//g;
+ $fulldate = $tbx_dir;
+ $fulldate =~ s/^.*-(20.*-..\...$)/$1/;
+ $day = $month = $year = $hour = $min = $fulldate;
+ $host = $tbx_dir;
+ $host =~ s/-20.*//;
+ $no_bits = $host;
+ $host =~ s/64$//;
+ $no_bits =~ s/.*64$/64/;
+ $no_bits =~ s/^[^6].*/other/;
+ $year =~ s/(....).*/$1/;
+ $month =~ s/....(..).*/$1/;
+ $day =~ s/......(..).*/$1/;
+ $hour =~ s/........-(..).*/$1/;
+ $min =~ s/.*\.(..)$/$1/;
+
+
+ if ( -f "$TBX_TESTDIR/$tbx_dir/QAstatus" ) {
+ $QAstatus=`cat $TBX_TESTDIR/$tbx_dir/QAstatus 2>/dev/null`;
+ $QAstatus =~ s/\n$//g;
+ } else {
+ $QAstatus="unknown";
+ }
+
+ $efulldate = timelocal( 0, $min, $hour, $day, $month-1, $year-1900);
+ if ( "$host" !~ "$last_host" || "$no_bits" !~ "$last_no_bits" ) {
+ if ( $QAstatus !~ "QA running" ) {
+ $platform_idx = 0;
+ } else {
+ $platform_idx = -1;
+ }
+ $passed_idx = 0;
+
+ $last_host = $host;
+ $last_no_bits = $no_bits;
+ } else {
+ $platform_idx ++;
+ $passed_idx++ if ( $QAstatus =~ "QA passed" ) ;
+ }
+
+ debug ("$tbx_dir host $host date $fulldate bits $no_bits $year/$month/$day $hour:$min QAstatus $QAstatus pli $platform_idx pai $passed_idx");
+
+ if ( $passed_idx > $PASSED_NEWER_DIRS && $QAstatus =~ "QA passed" ) {
+ $ekeeptime=$efulldate + $ePASSED_TBX_KEEP;
+ #($s, $m, $h, $d, $mo, $y) = localtime($ekeeptime);
+ #debug ("$passed_idx > $PASSED_NEWER_DIRS ekeeptime ($s, $m, $h, $d, $mo, $y) == $ekeeptime");
+ rm_tbx ("Passed $PASSED_TBX_KEEP_HOURS + hours old") if ( $ekeeptime <= $enow );
+ } elsif ( $QAstatus !~ "QA failed" ) {
+ $ekeeptime=$efulldate + $eNOT_FAILED_TBX_KEEP;
+ rm_tbx ("Not failed $NOT_FAILED_TBX_KEEP_HOURS + hours old") if ( $ekeeptime <= $enow );
+ } else {
+ $ekeeptime=$efulldate + $eANY_TBX_KEEP;
+ rm_tbx ("Passed 2+ hours old") if ( $ekeeptime <= $enow );
+ }
+ if ( $QAstatus =~ "QA failed" ) {
+ $ekeeptime=$efulldate + $eIF_TBX_KEEP;
+ #FIXME - compare to the previous failure by filtering and
+ #FIXME diffing the results.html files (first grep failed)
+ }
+ }
+
+}
+
+sub rm_tbx()
+{
+
+debug ("DELETING $tbx_dir... (@_[0]) ");
+system("rm -rf $TBX_TESTDIR/$tbx_dir");
+#debug ("rm -rf $TBX_TESTDIR/$tbx_dir");
+
+}
+
+sub msg
+{
+ my $i;
+ for ($i = 0; $i <= $#_ ; $i++ ) {
+ print "@_[$i] ";
+ }
+ print "\n";
+
+}
+sub error
+{
+ msg ("ERROR: " ,@_ );
+}
+
+sub warning
+{
+ msg ("WARNING:" ,@_ );
+}
+sub debug
+{
+ if ( $verbose == 1 ) {
+ msg ("DEBUG: " ,@_ );
+ } elsif ( $verbose == 2 ) {
+ msg (@_ );
+ }
+}
+
+check_tbx_dirs;
diff --git a/security/nss/tests/cmdtests/cmdtests.sh b/security/nss/tests/cmdtests/cmdtests.sh
new file mode 100644
index 000000000..cc925b213
--- /dev/null
+++ b/security/nss/tests/cmdtests/cmdtests.sh
@@ -0,0 +1,101 @@
+#! /bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+# Script to run small tests to test specific crashes of NSS
+#
+# needs to work on all Unix and Windows platforms
+#
+# included from
+# --------------
+# all.sh
+#
+# tests implemented:
+# vercrt (verify encryption cert - bugzilla bug 119059)
+# vercrtfps (verify encryption cert in fips mode - bugzilla bug 119214)
+# test3 (CERT_FindUserCertByUsage called 2nd time - bug 118864)
+#
+# special strings
+# ---------------
+#
+########################################################################
+
+############################## cmdtests_init ###########################
+# local shell function to initialize this script
+########################################################################
+cmdtests_init()
+{
+ SCRIPTNAME=cmdtests.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=cmdtests.sh
+ html_head "Tests in cmd/tests"
+
+# grep "SUCCESS: cmd/tests passed" $CERT_LOG_FILE >/dev/null || {
+# Exit 15 "Fatal - cert.sh needs to pass first"
+# }
+
+ CMDTESTSDIR=${HOSTDIR}/cmd/tests
+ COPYDIR=${CMDTESTSDIR}/copydir
+
+ R_CMDTESTSDIR=../cmd/tests
+ R_COPYDIR=../cmd/tests/copydir
+ P_R_COPYDIR=${R_COPYDIR}
+
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_R_COPYDIR="multiaccess:Cmdtests.$version"
+ fi
+
+ mkdir -p ${CMDTESTSDIR}
+ mkdir -p ${COPYDIR}
+ mkdir -p ${CMDTESTSDIR}/html
+
+ cd ${CMDTESTSDIR}
+}
+
+############################## ct_vercrt ##################################
+# CERT_VerifyCert should not fail when verifying encryption cert
+# Bugzilla Bug 119059
+########################################################################
+#ct_vercrt()
+#{
+ # echo "$SCRIPTNAME: Verify encryption certificate ----------------------"
+ # echo "vercrt"
+ # vercrt
+ # ret=$?
+ # html_msg $ret 0 "Verify encryption certificate (vercrt)"
+#
+#}
+
+
+############################## cmdtests_cleanup ########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+cmdtests_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+cmdtests_init
+
+#ct_vercrt
+cmdtests_cleanup
diff --git a/security/nss/tests/common/Makefile b/security/nss/tests/common/Makefile
new file mode 100644
index 000000000..7faa677d2
--- /dev/null
+++ b/security/nss/tests/common/Makefile
@@ -0,0 +1,24 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH = ../..
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+objdir_name:
+ @echo $(OBJDIR_NAME)
+
+os_arch:
+ @echo $(OS_ARCH)
+
+dll_prefix:
+ @echo $(DLL_PREFIX)
+
+dll_suffix:
+ @echo $(DLL_SUFFIX)
+
+freebl_lowhash:
+ @echo $(FREEBL_LOWHASH)
diff --git a/security/nss/tests/common/cleanup.sh b/security/nss/tests/common/cleanup.sh
new file mode 100755
index 000000000..40d8bc40f
--- /dev/null
+++ b/security/nss/tests/common/cleanup.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+if [ -z "${CLEANUP}" -o "${CLEANUP}" = "${SCRIPTNAME}" ]; then
+ echo
+ echo "SUMMARY:"
+ echo "========"
+ echo "NSS variables:"
+ echo "--------------"
+ echo "HOST=${HOST}"
+ echo "DOMSUF=${DOMSUF}"
+ echo "BUILD_OPT=${BUILD_OPT}"
+ if [ "${OS_ARCH}" = "Linux" ]; then
+ echo "USE_X32=${USE_X32}"
+ fi
+ echo "USE_64=${USE_64}"
+ echo "NSS_CYCLES=\"${NSS_CYCLES}\""
+ echo "NSS_TESTS=\"${NSS_TESTS}\""
+ echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
+ echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
+ echo "NSS_AIA_PATH=${NSS_AIA_PATH}"
+ echo "NSS_AIA_HTTP=${NSS_AIA_HTTP}"
+ echo "NSS_AIA_OCSP=${NSS_AIA_OCSP}"
+ echo "IOPR_HOSTADDR_LIST=${IOPR_HOSTADDR_LIST}"
+ echo "PKITS_DATA=${PKITS_DATA}"
+ echo
+ echo "Tests summary:"
+ echo "--------------"
+ LINES_CNT=$(cat ${RESULTS} | grep ">Passed<" | wc -l | sed s/\ *//)
+ echo "Passed: ${LINES_CNT}"
+ FAILED_CNT=$(cat ${RESULTS} | grep ">Failed<" | wc -l | sed s/\ *//)
+ echo "Failed: ${FAILED_CNT}"
+ CORE_CNT=$(cat ${RESULTS} | grep ">Failed Core<" | wc -l | sed s/\ *//)
+ echo "Failed with core: ${CORE_CNT}"
+ ASAN_CNT=$(cat $LOGFILE | grep "SUMMARY: AddressSanitizer" | wc -l | sed s/\ *//)
+ echo "ASan failures: ${ASAN_CNT}"
+ LINES_CNT=$(cat ${RESULTS} | grep ">Unknown<" | wc -l | sed s/\ *//)
+ echo "Unknown status: ${LINES_CNT}"
+ if [ ${LINES_CNT} -gt 0 ]; then
+ echo "TinderboxPrint:Unknown: ${LINES_CNT}"
+ fi
+ echo
+
+ html "END_OF_TEST<BR>"
+ html "</BODY></HTML>"
+ rm -f ${TEMPFILES} 2>/dev/null
+ if [ ${FAILED_CNT} -gt 0 ] || [ ${ASAN_CNT} -gt 0 ]; then
+ exit 1
+ fi
+
+fi
diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh
new file mode 100644
index 000000000..3598e8223
--- /dev/null
+++ b/security/nss/tests/common/init.sh
@@ -0,0 +1,672 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/common/init.sh
+#
+# initialization for NSS QA, can be included multiple times
+# from all.sh and the individual scripts
+#
+# variables, utilities and shellfunctions global to NSS QA
+# needs to work on all Unix and Windows platforms
+#
+# included from
+# -------------
+# all.sh
+# ssl.sh
+# sdr.sh
+# cipher.sh
+# perf.sh
+# cert.sh
+# smime.sh
+# tools.sh
+# fips.sh
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+# NOTE:
+# -----
+# Unlike the old QA this is based on files sourcing each other
+# This is done to save time, since a great portion of time is lost
+# in calling and sourcing the same things multiple times over the
+# network. Also, this way all scripts have all shell function available
+# and a completely common environment
+#
+########################################################################
+
+NSS_STRICT_SHUTDOWN=1
+export NSS_STRICT_SHUTDOWN
+
+# Init directories based on HOSTDIR variable
+if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ init_directories()
+ {
+ TMP=${HOSTDIR} #TMP=${TMP-/tmp}
+ TEMP=${TMP}
+ TMPDIR=${TMP}
+
+ CADIR=${HOSTDIR}/CA
+ SERVERDIR=${HOSTDIR}/server
+ CLIENTDIR=${HOSTDIR}/client
+ ALICEDIR=${HOSTDIR}/alicedir
+ BOBDIR=${HOSTDIR}/bobdir
+ DAVEDIR=${HOSTDIR}/dave
+ EVEDIR=${HOSTDIR}/eve
+ FIPSDIR=${HOSTDIR}/fips
+ DBPASSDIR=${HOSTDIR}/dbpass
+ ECCURVES_DIR=${HOSTDIR}/eccurves
+ DISTRUSTDIR=${HOSTDIR}/distrust
+
+ SERVER_CADIR=${HOSTDIR}/serverCA
+ CLIENT_CADIR=${HOSTDIR}/clientCA
+ EXT_SERVERDIR=${HOSTDIR}/ext_server
+ EXT_CLIENTDIR=${HOSTDIR}/ext_client
+
+ IOPR_CADIR=${HOSTDIR}/CA_iopr
+ IOPR_SSL_SERVERDIR=${HOSTDIR}/server_ssl_iopr
+ IOPR_SSL_CLIENTDIR=${HOSTDIR}/client_ssl_iopr
+ IOPR_OCSP_CLIENTDIR=${HOSTDIR}/client_ocsp_iopr
+
+ CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
+ STAPLINGDIR=${HOSTDIR}/stapling
+ SSLGTESTDIR=${HOSTDIR}/ssl_gtests
+ GTESTDIR=${HOSTDIR}/gtests
+
+ PWFILE=${HOSTDIR}/tests.pw
+ NOISE_FILE=${HOSTDIR}/tests_noise
+ CORELIST_FILE=${HOSTDIR}/clist
+
+ FIPSPWFILE=${HOSTDIR}/tests.fipspw
+ FIPSBADPWFILE=${HOSTDIR}/tests.fipsbadpw
+ FIPSP12PWFILE=${HOSTDIR}/tests.fipsp12pw
+
+ echo "fIps140" > ${FIPSPWFILE}
+ echo "fips104" > ${FIPSBADPWFILE}
+ echo "pKcs12fips140" > ${FIPSP12PWFILE}
+
+ noise
+
+ P_SERVER_CADIR=${SERVER_CADIR}
+ P_CLIENT_CADIR=${CLIENT_CADIR}
+
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_SERVER_CADIR="multiaccess:${D_SERVER_CA}"
+ P_CLIENT_CADIR="multiaccess:${D_CLIENT_CA}"
+ fi
+
+
+ # a new log file, short - fast to search, mostly for tools to
+ # see if their portion of the cert has succeeded, also for me -
+ CERT_LOG_FILE=${HOSTDIR}/cert.log #the output.log is so crowded...
+
+ TEMPFILES=foobar # keep "${PWFILE} ${NOISE_FILE}" around
+
+ export HOSTDIR
+ }
+
+# Generate noise file
+ noise()
+ {
+ # NOTE: these keys are only suitable for testing, as this whole thing
+ # bypasses the entropy gathering. Don't use this method to generate
+ # keys and certs for product use or deployment.
+ ps -efl > ${NOISE_FILE} 2>&1
+ ps aux >> ${NOISE_FILE} 2>&1
+ date >> ${NOISE_FILE} 2>&1
+ }
+
+# Print selected environment variable (used for backup)
+ env_backup()
+ {
+ echo "HOSTDIR=\"${HOSTDIR}\""
+ echo "TABLE_ARGS="
+ echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
+ echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
+ echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
+ echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
+ echo "export NSS_DEFAULT_DB_TYPE"
+ echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
+ echo "export NSS_ENABLE_PKIX_VERIFY"
+ echo "init_directories"
+ }
+
+# Exit shellfunction to clean up at exit (error, regular or signal)
+ Exit()
+ {
+ if [ -n "$1" ] ; then
+ echo "$SCRIPTNAME: Exit: $* - FAILED"
+ html_failed "$*"
+ fi
+ echo "</TABLE><BR>" >> ${RESULTS}
+ if [ -n "${SERVERPID}" -a -f "${SERVERPID}" ]; then
+ ${KILL} `cat ${SERVERPID}`
+ fi
+ cd ${QADIR}
+ . common/cleanup.sh
+ case $1 in
+ [0-4][0-9]|[0-9])
+ exit $1;
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+ }
+
+ detect_core()
+ {
+ [ ! -f $CORELIST_FILE ] && touch $CORELIST_FILE
+ mv $CORELIST_FILE ${CORELIST_FILE}.old
+ coreStr=`find $HOSTDIR -type f -name '*core*'`
+ res=0
+ if [ -n "$coreStr" ]; then
+ sum $coreStr > $CORELIST_FILE
+ res=`cat $CORELIST_FILE ${CORELIST_FILE}.old | sort | uniq -u | wc -l`
+ fi
+ return $res
+ }
+
+#html functions to give the resultfiles a consistant look
+ html() ######################### write the results.html file
+ { # 3 functions so we can put targets in the output.log easier
+ echo $* >>${RESULTS}
+ }
+ increase_msg_id()
+ {
+ MSG_ID=`cat ${MSG_ID_FILE}`
+ MSG_ID=`expr ${MSG_ID} + 1`
+ echo ${MSG_ID} > ${MSG_ID_FILE}
+ }
+ html_passed_ignore_core()
+ {
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $1 ${HTML_PASSED}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - PASSED"
+ }
+ html_passed()
+ {
+ html_detect_core "$@" || return
+ html_passed_ignore_core "$@"
+ }
+ html_failed_ignore_core()
+ {
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $1 ${HTML_FAILED}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - FAILED"
+ }
+ html_failed()
+ {
+ html_detect_core "$@" || return
+ html_failed_ignore_core "$@" || return
+ }
+ html_unknown_ignore_core()
+ {
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $1 ${HTML_UNKNOWN}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - UNKNOWN"
+ }
+ html_unknown()
+ {
+ html_detect_core "$@" || return
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $1 ${HTML_UNKNOWN}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - UNKNOWN"
+ }
+ html_detect_core()
+ {
+ detect_core
+ if [ $? -ne 0 ]; then
+ increase_msg_id
+ html "<TR><TD>#${MSG_ID}: $* ${HTML_FAILED_CORE}"
+ echo "${SCRIPTNAME}: #${MSG_ID}: $* - Core file is detected - FAILED"
+ return 1
+ fi
+ return 0
+ }
+ html_head()
+ {
+
+ html "<TABLE BORDER=1 ${TABLE_ARGS}><TR><TH COLSPAN=3>$*</TH></TR>"
+ html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>"
+ echo "$SCRIPTNAME: $* ==============================="
+ }
+ html_msg()
+ {
+ if [ $1 -ne $2 ] ; then
+ html_failed "$3" "$4"
+ else
+ html_passed "$3" "$4"
+ fi
+ }
+ HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
+ HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>'
+ HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
+ HTML_UNKNOWN='</TD><TD>Unknown</TD><TR>'
+ TABLE_ARGS=
+
+
+#directory name init
+ SCRIPTNAME=init.sh
+
+ mozilla_root=`(cd ../../..; pwd)`
+ MOZILLA_ROOT=${MOZILLA_ROOT-$mozilla_root}
+
+ qadir=`(cd ..; pwd)`
+ QADIR=${QADIR-$qadir}
+
+ common=${QADIR}/common
+ COMMON=${TEST_COMMON-$common}
+ export COMMON
+
+ DIST=${DIST-${MOZILLA_ROOT}/dist}
+ TESTDIR=${TESTDIR-${MOZILLA_ROOT}/tests_results/security}
+
+ # Allow for override options from a config file
+ if [ -n "${OBJDIR}" -a -f ${DIST}/${OBJDIR}/platform.cfg ]; then
+ . ${DIST}/${OBJDIR}/platform.cfg
+ fi
+
+ # only need make if we don't already have certain variables set
+ if [ -z "${OBJDIR}" -o -z "${OS_ARCH}" -o -z "${DLL_PREFIX}" -o -z "${DLL_SUFFIX}" ]; then
+ MAKE=gmake
+ $MAKE -v >/dev/null 2>&1 || MAKE=make
+ $MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; }
+ MAKE="$MAKE --no-print-directory"
+ fi
+
+ if [ "${OBJDIR}" = "" ]; then
+ if [ -f ${DIST}/latest ]; then
+ OBJDIR=$(cat ${DIST}/latest)
+ else
+ OBJDIR=`($MAKE -s -C $COMMON objdir_name)`
+ fi
+ fi
+ if [ "${OS_ARCH}" = "" ]; then
+ OS_ARCH=`(cd $COMMON; $MAKE os_arch)`
+ fi
+ if [ "${DLL_PREFIX}" = "" ]; then
+ DLL_PREFIX=`(cd $COMMON; $MAKE dll_prefix)`
+ fi
+ if [ "${DLL_SUFFIX}" = "" ]; then
+ DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)`
+ fi
+ OS_NAME=`uname -s | sed -e "s/-[0-9]*\.[0-9]*//" | sed -e "s/-WOW64//"`
+
+ BINDIR="${DIST}/${OBJDIR}/bin"
+
+ # Pathnames constructed from ${TESTDIR} are passed to NSS tools
+ # such as certutil, which don't understand Cygwin pathnames.
+ # So we need to convert ${TESTDIR} to a Windows pathname (with
+ # regular slashes).
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ TESTDIR=`cygpath -m ${TESTDIR}`
+ QADIR=`cygpath -m ${QADIR}`
+ fi
+
+ # Same problem with MSYS/Mingw, except we need to start over with pwd -W
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "MINGW32_NT" ]; then
+ mingw_mozilla_root=`(cd ../../..; pwd -W)`
+ MINGW_MOZILLA_ROOT=${MINGW_MOZILLA_ROOT-$mingw_mozilla_root}
+ TESTDIR=${MINGW_TESTDIR-${MINGW_MOZILLA_ROOT}/tests_results/security}
+ fi
+
+ # Same problem with MSYS/Mingw, except we need to start over with pwd -W
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "MINGW32_NT" ]; then
+ mingw_mozilla_root=`(cd ../../..; pwd -W)`
+ MINGW_MOZILLA_ROOT=${MINGW_MOZILLA_ROOT-$mingw_mozilla_root}
+ TESTDIR=${MINGW_TESTDIR-${MINGW_MOZILLA_ROOT}/tests_results/security}
+ fi
+ echo testdir is $TESTDIR
+
+#in case of backward comp. tests the calling scripts set the
+#PATH and LD_LIBRARY_PATH and do not want them to be changed
+ if [ -z "${DON_T_SET_PATHS}" -o "${DON_T_SET_PATHS}" != "TRUE" ] ; then
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" != "CYGWIN_NT" -a "$OS_NAME" != "MINGW32_NT" ]; then
+ PATH=.\;${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH
+ PATH=`perl ../path_uniq -d ';' "$PATH"`
+ elif [ "${OS_ARCH}" = "Android" ]; then
+ # android doesn't have perl, skip the uniq step
+ PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:$PATH
+ else
+ PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:/bin:/usr/bin:$PATH
+ # added /bin and /usr/bin in the beginning so a local perl will
+ # be used
+ PATH=`perl ../path_uniq -d ':' "$PATH"`
+ fi
+
+ LD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib:$LD_LIBRARY_PATH
+ SHLIB_PATH=${DIST}/${OBJDIR}/lib:$SHLIB_PATH
+ LIBPATH=${DIST}/${OBJDIR}/lib:$LIBPATH
+ DYLD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib:$DYLD_LIBRARY_PATH
+ fi
+
+ if [ ! -d "${TESTDIR}" ]; then
+ echo "$SCRIPTNAME init: Creating ${TESTDIR}"
+ mkdir -p ${TESTDIR}
+ fi
+
+#HOST and DOMSUF are needed for the server cert
+
+ DOMAINNAME=`which domainname`
+ if [ -z "${DOMSUF}" -a $? -eq 0 -a -n "${DOMAINNAME}" ]; then
+ DOMSUF=`domainname`
+ fi
+
+ case $HOST in
+ *\.*)
+ if [ -z "${DOMSUF}" ]; then
+ DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
+ fi
+ HOST=`echo $HOST | sed -e "s/\..*//"`
+ ;;
+ ?*)
+ ;;
+ *)
+ HOST=`uname -n`
+ case $HOST in
+ *\.*)
+ if [ -z "${DOMSUF}" ]; then
+ DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
+ fi
+ HOST=`echo $HOST | sed -e "s/\..*//"`
+ ;;
+ ?*)
+ ;;
+ *)
+ echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
+ exit 1 #does not need to be Exit, very early in script
+ ;;
+ esac
+ ;;
+ esac
+
+ if [ -z "${DOMSUF}" -a "${OS_ARCH}" != "Android" ]; then
+ echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined."
+ exit 1 #does not need to be Exit, very early in script
+ fi
+
+#HOSTADDR was a workaround for the dist. stress test, and is probably
+#not needed anymore (purpose: be able to use IP address for the server
+#cert instead of PC name which was not in the DNS because of dyn IP address
+ if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then
+ if [ -z "${DOMSUF}" ]; then
+ HOSTADDR=${HOST}
+ else
+ HOSTADDR=${HOST}.${DOMSUF}
+ fi
+ else
+ HOSTADDR=${IP_ADDRESS}
+ fi
+
+#if running remote side of the distributed stress test we need to use
+#the files that the server side gives us...
+ if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
+ for w in `ls -rtd ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null |
+ sed -e "s/.*${HOST}.//"` ; do
+ version=$w
+ done
+ HOSTDIR=${TESTDIR}/${HOST}.$version
+ echo "$SCRIPTNAME init: HOSTDIR $HOSTDIR"
+ echo $HOSTDIR
+ if [ ! -d $HOSTDIR ] ; then
+ echo "$SCRIPTNAME: Fatal: Remote side of dist. stress test "
+ echo " - server HOSTDIR $HOSTDIR does not exist"
+ exit 1 #does not need to be Exit, very early in script
+ fi
+ fi
+
+#find the HOSTDIR, where the results are supposed to go
+ if [ -n "${HOSTDIR}" ]; then
+ version=`echo $HOSTDIR | sed -e "s/.*${HOST}.//"`
+ else
+ if [ -f "${TESTDIR}/${HOST}" ]; then
+ version=`cat ${TESTDIR}/${HOST}`
+ else
+ version=1
+ fi
+#file has a tendency to disappear, messing up the rest of QA -
+#workaround to find the next higher number if version file is not there
+ if [ -z "${version}" ]; then # for some strange reason this file
+ # gets truncated at times... Windos
+ for w in `ls -d ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null |
+ sort -t '.' -n | sed -e "s/.*${HOST}.//"` ; do
+ version=`expr $w + 1`
+ done
+ if [ -z "${version}" ]; then
+ version=1
+ fi
+ fi
+ expr $version + 1 > ${TESTDIR}/${HOST}
+
+ HOSTDIR=${TESTDIR}/${HOST}'.'$version
+
+ mkdir -p ${HOSTDIR}
+ fi
+
+#result and log file and filename init,
+ if [ -z "${LOGFILE}" ]; then
+ LOGFILE=${HOSTDIR}/output.log
+ fi
+ if [ ! -f "${LOGFILE}" ]; then
+ touch ${LOGFILE}
+ fi
+ if [ -z "${RESULTS}" ]; then
+ RESULTS=${HOSTDIR}/results.html
+ fi
+ if [ ! -f "${RESULTS}" ]; then
+ cp ${COMMON}/results_header.html ${RESULTS}
+ html "<H4>Platform: ${OBJDIR}<BR>"
+ html "Test Run: ${HOST}.$version</H4>"
+ html "${BC_ACTION}"
+ html "<HR><BR>"
+ html "<HTML><BODY>"
+
+ echo "********************************************" | tee -a ${LOGFILE}
+ echo " Platform: ${OBJDIR}" | tee -a ${LOGFILE}
+ echo " Results: ${HOST}.$version" | tee -a ${LOGFILE}
+ echo "********************************************" | tee -a ${LOGFILE}
+ echo "$BC_ACTION" | tee -a ${LOGFILE}
+#if running remote side of the distributed stress test
+# let the user know who it is...
+ elif [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
+ echo "********************************************" | tee -a ${LOGFILE}
+ echo " Platform: ${OBJDIR}" | tee -a ${LOGFILE}
+ echo " Results: ${HOST}.$version" | tee -a ${LOGFILE}
+ echo " remote side of distributed stress test " | tee -a ${LOGFILE}
+ echo " `uname -n -s`" | tee -a ${LOGFILE}
+ echo "********************************************" | tee -a ${LOGFILE}
+ fi
+
+ echo "$SCRIPTNAME init: Testing PATH $PATH against LIB $LD_LIBRARY_PATH" |\
+ tee -a ${LOGFILE}
+
+ KILL="kill"
+
+ if [ `uname -s` = "SunOS" ]; then
+ PS="/usr/5bin/ps"
+ else
+ PS="ps"
+ fi
+#found 3 rsh's so far that do not work as expected - cygnus mks6
+#(restricted sh) and mks 7 - if it is not in c:/winnt/system32 it
+#needs to be set in the environ.ksh
+ if [ -z "$RSH" ]; then
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ RSH=/cygdrive/c/winnt/system32/rsh
+ elif [ "${OS_ARCH}" = "WINNT" ]; then
+ RSH=c:/winnt/system32/rsh
+ else
+ RSH=rsh
+ fi
+ fi
+
+
+#more filename and directoryname init
+ CURDIR=`pwd`
+
+ CU_ACTION='Unknown certutil action'
+
+ # would like to preserve some tmp files, also easier to see if there
+ # are "leftovers" - another possibility ${HOSTDIR}/tmp
+
+ init_directories
+
+ FIPSCERTNICK="FIPS_PUB_140_Test_Certificate"
+
+ # domains to handle ipc based access to databases
+ D_CA="TestCA.$version"
+ D_ALICE="Alice.$version"
+ D_BOB="Bob.$version"
+ D_DAVE="Dave.$version"
+ D_EVE="Eve.$version"
+ D_SERVER_CA="ServerCA.$version"
+ D_CLIENT_CA="ClientCA.$version"
+ D_SERVER="Server.$version"
+ D_CLIENT="Client.$version"
+ D_FIPS="FIPS.$version"
+ D_DBPASS="DBPASS.$version"
+ D_ECCURVES="ECCURVES.$version"
+ D_EXT_SERVER="ExtendedServer.$version"
+ D_EXT_CLIENT="ExtendedClient.$version"
+ D_CERT_EXTENSTIONS="CertExtensions.$version"
+ D_DISTRUST="Distrust.$version"
+
+ # we need relative pathnames of these files abd directories, since our
+ # tools can't handle the unix style absolut pathnames on cygnus
+
+ R_CADIR=../CA
+ R_SERVERDIR=../server
+ R_CLIENTDIR=../client
+ R_IOPR_CADIR=../CA_iopr
+ R_IOPR_SSL_SERVERDIR=../server_ssl_iopr
+ R_IOPR_SSL_CLIENTDIR=../client_ssl_iopr
+ R_IOPR_OCSP_CLIENTDIR=../client_ocsp_iopr
+ R_ALICEDIR=../alicedir
+ R_BOBDIR=../bobdir
+ R_DAVEDIR=../dave
+ R_EVEDIR=../eve
+ R_EXT_SERVERDIR=../ext_server
+ R_EXT_CLIENTDIR=../ext_client
+ R_CERT_EXT=../cert_extensions
+ R_STAPLINGDIR=../stapling
+ R_SSLGTESTDIR=../ssl_gtests
+ R_GTESTDIR=../gtests
+
+ #
+ # profiles are either paths or domains depending on the setting of
+ # MULTIACCESS_DBM
+ #
+ P_R_CADIR=${R_CADIR}
+ P_R_ALICEDIR=${R_ALICEDIR}
+ P_R_BOBDIR=${R_BOBDIR}
+ P_R_DAVEDIR=${R_DAVEDIR}
+ P_R_EVEDIR=${R_EVEDIR}
+ P_R_SERVERDIR=${R_SERVERDIR}
+ P_R_CLIENTDIR=${R_CLIENTDIR}
+ P_R_EXT_SERVERDIR=${R_EXT_SERVERDIR}
+ P_R_EXT_CLIENTDIR=${R_EXT_CLIENTDIR}
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_R_CADIR="multiaccess:${D_CA}"
+ P_R_ALICEDIR="multiaccess:${D_ALICE}"
+ P_R_BOBDIR="multiaccess:${D_BOB}"
+ P_R_DAVEDIR="multiaccess:${D_DAVE}"
+ P_R_EVEDIR="multiaccess:${D_EVE}"
+ P_R_SERVERDIR="multiaccess:${D_SERVER}"
+ P_R_CLIENTDIR="multiaccess:${D_CLIENT}"
+ P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
+ P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
+ fi
+
+ R_PWFILE=../tests.pw
+ R_NOISE_FILE=../tests_noise
+
+ R_FIPSPWFILE=../tests.fipspw
+ R_FIPSBADPWFILE=../tests.fipsbadpw
+ R_FIPSP12PWFILE=../tests.fipsp12pw
+
+ trap "Exit $0 Signal_caught" 2 3
+
+ export PATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH DYLD_LIBRARY_PATH
+ export DOMSUF HOSTADDR
+ export KILL PS
+ export MOZILLA_ROOT DIST TESTDIR OBJDIR QADIR
+ export LOGFILE SCRIPTNAME
+
+#used for the distributed stress test, the server generates certificates
+#from GLOB_MIN_CERT to GLOB_MAX_CERT
+# NOTE - this variable actually gets initialized by directly by the
+# ssl_dist_stress.shs sl_ds_init() before init is called - need to change
+# in both places. speaking of data encapsulatioN...
+
+ if [ -z "$GLOB_MIN_CERT" ] ; then
+ GLOB_MIN_CERT=0
+ fi
+ if [ -z "$GLOB_MAX_CERT" ] ; then
+ GLOB_MAX_CERT=200
+ fi
+ if [ -z "$MIN_CERT" ] ; then
+ MIN_CERT=$GLOB_MIN_CERT
+ fi
+ if [ -z "$MAX_CERT" ] ; then
+ MAX_CERT=$GLOB_MAX_CERT
+ fi
+
+ #################################################
+ # CRL SSL testing constatnts
+ #
+
+
+ CRL_GRP_1_BEGIN=40
+ CRL_GRP_1_RANGE=3
+ UNREVOKED_CERT_GRP_1=41
+
+ CRL_GRP_2_BEGIN=43
+ CRL_GRP_2_RANGE=6
+ UNREVOKED_CERT_GRP_2=46
+
+ CRL_GRP_3_BEGIN=49
+ CRL_GRP_3_RANGE=4
+ UNREVOKED_CERT_GRP_3=51
+
+ TOTAL_CRL_RANGE=`expr ${CRL_GRP_1_RANGE} + ${CRL_GRP_2_RANGE} + \
+ ${CRL_GRP_3_RANGE}`
+
+ TOTAL_GRP_NUM=3
+
+ RELOAD_CRL=1
+
+ NSS_DEFAULT_DB_TYPE="dbm"
+ export NSS_DEFAULT_DB_TYPE
+
+ MSG_ID_FILE="${HOSTDIR}/id"
+ MSG_ID=0
+ echo ${MSG_ID} > ${MSG_ID_FILE}
+
+ #################################################
+ # Interoperability testing constatnts
+ #
+ # if suite is setup for testing, IOPR_HOSTADDR_LIST should have
+ # at least one host name(FQDN)
+ # Example IOPR_HOSTADDR_LIST="goa1.SFBay.Sun.COM"
+
+ if [ -z "`echo ${IOPR_HOSTADDR_LIST} | grep '[A-Za-z]'`" ]; then
+ IOPR=0
+ else
+ IOPR=1
+ fi
+ #################################################
+
+ if [ "${OS_ARCH}" != "WINNT" -a "${OS_ARCH}" != "Android" ]; then
+ ulimit -c unlimited
+ fi
+
+ SCRIPTNAME=$0
+ INIT_SOURCED=TRUE #whatever one does - NEVER export this one please
+fi
diff --git a/security/nss/tests/common/parsegtestreport.sed b/security/nss/tests/common/parsegtestreport.sed
new file mode 100644
index 000000000..d7c6ddada
--- /dev/null
+++ b/security/nss/tests/common/parsegtestreport.sed
@@ -0,0 +1,8 @@
+/\<testcase/{
+ s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
+ t end
+ s/^.* name="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
+ t end
+}
+d
+: end
diff --git a/security/nss/tests/common/results_header.html b/security/nss/tests/common/results_header.html
new file mode 100644
index 000000000..c09685b11
--- /dev/null
+++ b/security/nss/tests/common/results_header.html
@@ -0,0 +1,6 @@
+<HTML>
+<HEAD>
+<TITLE>Test Report for NSS</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF">
+<CENTER><H3>Test Report for NSS</H3></CENTER>
diff --git a/security/nss/tests/core_watch b/security/nss/tests/core_watch
new file mode 100755
index 000000000..a627983a3
--- /dev/null
+++ b/security/nss/tests/core_watch
@@ -0,0 +1,45 @@
+#############################################################
+# script to watch for cores during QA runs, so they won't overwrite one
+# another
+# Not activated for efficiency reasons, and problems on MKS, us
+# only when needed and remember to remove afterwards
+#############################################################
+
+#############################################################
+# to activate put the following into all.sh (after the HOSTDIR
+# has been exported
+#############################################################
+# sh `dirname $0`/core_watch $HOSTDIR ${HOSTDIR} &
+# CORE_WATCH_PID=$!
+# if [ -n "${KILLPIDS}" ]
+# then
+# echo $CORE_WATCH_PID >>"${KILLPIDS}"
+# fi
+#############################################################
+
+#############################################################
+# or put the following into nssqa to watch the whole RESULTDIR
+# start it shortly before run_all
+#
+# NOTE: the more efficient way is above, this is potentially going
+# thru 1000ds of files every 30 seconds
+#############################################################
+# sh `dirname $0`/core_watch $RESULTDIR &
+# echo $! >>"${KILLPIDS}" #so Exit() can hopefully kill the core_watch
+#############################################################
+
+# in both cases remember to kill the process when done, since
+# the PIDs that end up in ${KILLPIDS} might not work for all OS
+# something like "kill_by_name core_watch
+
+echo $$ >>"${KILLPIDS}" #so Exit() can hopefully kill this shell
+while [ 1 ]
+do
+ for w in `find $1 -name "core" -print`
+ do
+ echo "Found core $w"
+ mv $w $w.`date +%H%M%S`
+ done
+ sleep 30
+done
+
diff --git a/security/nss/tests/crmf/crmf.sh b/security/nss/tests/crmf/crmf.sh
new file mode 100644
index 000000000..6059c1991
--- /dev/null
+++ b/security/nss/tests/crmf/crmf.sh
@@ -0,0 +1,89 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/crmf/crmf.sh
+#
+# Script to test NSS crmf library (a static library)
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## smime_init ##############################
+# local shell function to initialize this script
+########################################################################
+crmf_init()
+{
+ SCRIPTNAME=crmf.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ html_head "CRMF/CMMF Tests"
+
+ # cmrf uses the S/MIME certs to test with
+ grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+ Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
+ }
+
+ CRMFDIR=${HOSTDIR}/crmf
+ R_CRMFDIR=../crmf
+ mkdir -p ${CRMFDIR}
+ cd ${CRMFDIR}
+}
+
+############################## crmf_main ##############################
+# local shell function to test basic CRMF request and CMMF responses
+# from 1 --> 2"
+########################################################################
+crmf_main()
+{
+ echo "$SCRIPTNAME: CRMF/CMMF Tests ------------------------------"
+ echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode"
+ ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode
+ html_msg $? 0 "CRMF test" "."
+
+ echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf"
+ ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf
+ html_msg $? 0 "CMMF test" "."
+
+# Add tests for key recovery and challange as crmftest's capabilities increase
+
+}
+
+############################## crmf_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+crmf_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+crmf_init
+crmf_main
+crmf_cleanup
+
diff --git a/security/nss/tests/dbtests/dbtests.sh b/security/nss/tests/dbtests/dbtests.sh
new file mode 100755
index 000000000..7b1ee351f
--- /dev/null
+++ b/security/nss/tests/dbtests/dbtests.sh
@@ -0,0 +1,262 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/dbtest/dbtest.sh
+#
+# Certificate generating and handeling for NSS QA, can be included
+# multiple times from all.sh and the individual scripts
+#
+# needs to work on all Unix and Windows platforms
+#
+# included from (don't expect this to be up to date)
+# --------------------------------------------------
+# all.sh
+# ssl.sh
+# smime.sh
+# tools.sh
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+# FIXME - Netscape - NSS
+########################################################################
+
+############################## dbtest_init ###############################
+# local shell function to initialize this script
+########################################################################
+dbtest_init()
+{
+ SCRIPTNAME="dbtests.sh"
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+
+ SCRIPTNAME="dbtests.sh"
+ RONLY_DIR=${HOSTDIR}/ronlydir
+ EMPTY_DIR=${HOSTDIR}/emptydir
+ CONFLICT_DIR=${HOSTDIR}/conflictdir
+
+ html_head "CERT and Key DB Tests"
+
+}
+
+############################## dbtest_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+dbtest_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ chmod a+rw $RONLY_DIR
+ . common/cleanup.sh
+}
+
+Echo()
+{
+ echo
+ echo "---------------------------------------------------------------"
+ echo "| $*"
+ echo "---------------------------------------------------------------"
+}
+dbtest_main()
+{
+ cd ${HOSTDIR}
+
+
+ Echo "test opening the database read/write in a nonexisting directory"
+ ${BINDIR}/certutil -L -X -d ./non_existent_dir
+ ret=$?
+ if [ $ret -ne 255 ]; then
+ html_failed "Certutil succeeded in a nonexisting directory $ret"
+ else
+ html_passed "Certutil didn't work in a nonexisting dir $ret"
+ fi
+ ${BINDIR}/dbtest -r -d ./non_existent_dir
+ ret=$?
+ if [ $ret -ne 46 ]; then
+ html_failed "Dbtest readonly succeeded in a nonexisting directory $ret"
+ else
+ html_passed "Dbtest readonly didn't work in a nonexisting dir $ret"
+ fi
+
+ Echo "test force opening the database in a nonexisting directory"
+ ${BINDIR}/dbtest -f -d ./non_existent_dir
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest force failed in a nonexisting directory $ret"
+ else
+ html_passed "Dbtest force succeeded in a nonexisting dir $ret"
+ fi
+
+ Echo "test opening the database readonly in an empty directory"
+ mkdir $EMPTY_DIR
+ ${BINDIR}/tstclnt -h ${HOST} -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 1 ]; then
+ html_failed "Tstclnt succeded in an empty directory $ret"
+ else
+ html_passed "Tstclnt didn't work in an empty dir $ret"
+ fi
+ ${BINDIR}/dbtest -r -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 46 ]; then
+ html_failed "Dbtest readonly succeeded in an empty directory $ret"
+ else
+ html_passed "Dbtest readonly didn't work in an empty dir $ret"
+ fi
+ rm -rf $EMPTY_DIR/* 2>/dev/null
+ ${BINDIR}/dbtest -i -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest logout after empty DB Init loses key $ret"
+ else
+ html_passed "Dbtest logout after empty DB Init has key"
+ fi
+ rm -rf $EMPTY_DIR/* 2>/dev/null
+ ${BINDIR}/dbtest -i -p pass -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest password DB Init loses needlogin state $ret"
+ else
+ html_passed "Dbtest password DB Init maintains needlogin state"
+ fi
+ rm -rf $EMPTY_DIR/* 2>/dev/null
+ ${BINDIR}/certutil -D -n xxxx -d $EMPTY_DIR #created DB
+ ret=$?
+ if [ $ret -ne 255 ]; then
+ html_failed "Certutil succeeded in deleting a cert in an empty directory $ret"
+ else
+ html_passed "Certutil didn't work in an empty dir $ret"
+ fi
+ rm -rf $EMPTY_DIR/* 2>/dev/null
+ Echo "test force opening the database readonly in a empty directory"
+ ${BINDIR}/dbtest -r -f -d $EMPTY_DIR
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest force readonly failed in an empty directory $ret"
+ else
+ html_passed "Dbtest force readonly succeeded in an empty dir $ret"
+ fi
+
+ Echo "test opening the database r/w in a readonly directory"
+ mkdir $RONLY_DIR
+ cp -r ${CLIENTDIR}/* $RONLY_DIR
+ chmod -w $RONLY_DIR $RONLY_DIR/*
+
+ # On Mac OS X 10.1, if we do a "chmod -w" on files in an
+ # NFS-mounted directory, it takes several seconds for the
+ # first open to see the files are readonly, but subsequent
+ # opens immediately see the files are readonly. As a
+ # workaround we open the files once first. (Bug 185074)
+ if [ "${OS_ARCH}" = "Darwin" ]; then
+ cat $RONLY_DIR/* > /dev/null
+ fi
+
+ # skipping the next two tests when user is root,
+ # otherwise they would fail due to rooty powers
+ if [ $UID -ne 0 ]; then
+ ${BINDIR}/dbtest -d $RONLY_DIR
+ ret=$?
+ if [ $ret -ne 46 ]; then
+ html_failed "Dbtest r/w succeeded in a readonly directory $ret"
+ else
+ html_passed "Dbtest r/w didn't work in an readonly dir $ret"
+ fi
+ else
+ html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
+ fi
+ if [ $UID -ne 0 ]; then
+ ${BINDIR}/certutil -D -n "TestUser" -d .
+ ret=$?
+ if [ $ret -ne 255 ]; then
+ html_failed "Certutil succeeded in deleting a cert in a readonly directory $ret"
+ else
+ html_passed "Certutil didn't work in an readonly dir $ret"
+ fi
+ else
+ html_passed "Skipping Certutil delete cert in a readonly directory test because user is root"
+ fi
+
+ Echo "test opening the database ronly in a readonly directory"
+
+ ${BINDIR}/dbtest -d $RONLY_DIR -r
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest readonly failed in a readonly directory $ret"
+ else
+ html_passed "Dbtest readonly succeeded in a readonly dir $ret"
+ fi
+
+ Echo "test force opening the database r/w in a readonly directory"
+ ${BINDIR}/dbtest -d $RONLY_DIR -f
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Dbtest force failed in a readonly directory $ret"
+ else
+ html_passed "Dbtest force succeeded in a readonly dir $ret"
+ fi
+
+ Echo "ls -l $RONLY_DIR"
+ ls -ld $RONLY_DIR $RONLY_DIR/*
+
+ mkdir ${CONFLICT_DIR}
+ Echo "test creating a new cert with a conflicting nickname"
+ cd ${CONFLICT_DIR}
+ pwd
+ ${BINDIR}/certutil -N -d ${CONFLICT_DIR} -f ${R_PWFILE}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Nicknane conflict test failed, couldn't create database $ret"
+ else
+ ${BINDIR}/certutil -A -n alice -t ,, -i ${R_ALICEDIR}/Alice.cert -d ${CONFLICT_DIR}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Nicknane conflict test failed, couldn't import alice cert $ret"
+ else
+ ${BINDIR}/certutil -A -n alice -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR}
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ html_failed "Nicknane conflict test failed, could import conflict nickname $ret"
+ else
+ html_passed "Nicknane conflict test, could not import conflict nickname $ret"
+ fi
+ fi
+ fi
+
+ Echo "test importing an old cert to a conflicting nickname"
+ # first, import the certificate
+ ${BINDIR}/certutil -A -n bob -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR}
+ # now import with a different nickname
+ ${BINDIR}/certutil -A -n alice -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR}
+ # the old one should still be there...
+ ${BINDIR}/certutil -L -n bob -d ${CONFLICT_DIR}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Nicknane conflict test-setting nickname conflict incorrectly worked"
+ else
+ html_passed "Nicknane conflict test-setting nickname conflict was correctly rejected"
+ fi
+
+}
+
+################## main #################################################
+
+dbtest_init
+dbtest_main 2>&1
+dbtest_cleanup
diff --git a/security/nss/tests/dbupgrade/dbupgrade.sh b/security/nss/tests/dbupgrade/dbupgrade.sh
new file mode 100755
index 000000000..0302e6143
--- /dev/null
+++ b/security/nss/tests/dbupgrade/dbupgrade.sh
@@ -0,0 +1,106 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/dbupgrade/dbupgrade.sh
+#
+# Script to upgrade databases to Shared DB
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################ dbupgrade_init ############################
+# local shell function to initialize this script
+########################################################################
+dbupgrade_init()
+{
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ${QADIR}/common
+ . ./init.sh
+ fi
+
+ if [ ! -r "${CERT_LOG_FILE}" ]; then # we need certificates here
+ cd ${QADIR}/cert
+ . ./cert.sh
+ fi
+
+ if [ ! -d ${HOSTDIR}/SDR ]; then # we also need sdr as well
+ cd ${QADIR}/sdr
+ . ./sdr.sh
+ fi
+
+ SCRIPTNAME=dbupgrade.sh
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ echo "$SCRIPTNAME: DB upgrade tests ==============================="
+}
+
+############################ dbupgrade_main ############################
+# local shell function to upgrade certificate databases
+########################################################################
+dbupgrade_main()
+{
+ # 'reset' the databases to initial values
+ echo "Reset databases to their initial values:"
+ cd ${HOSTDIR}
+ ${BINDIR}/certutil -D -n objsigner -d alicedir 2>&1
+ ${BINDIR}/certutil -M -n FIPS_PUB_140_Test_Certificate -t "C,C,C" -d fips -f ${FIPSPWFILE} 2>&1
+ ${BINDIR}/certutil -L -d fips 2>&1
+ rm -f smime/alicehello.env
+
+ # test upgrade to the new database
+ echo "nss" > ${PWFILE}
+ html_head "Legacy to shared Library update"
+ dirs="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server SDR server serverCA ssl_gtests stapling tools/copydir"
+ for i in $dirs
+ do
+ echo $i
+ if [ -d $i ]; then
+ echo "upgrading db $i"
+ ${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
+ html_msg $? 0 "Upgrading $i"
+ else
+ echo "skipping db $i"
+ html_msg 0 0 "No directory $i"
+ fi
+ done
+
+ if [ -d fips ]; then
+ echo "upgrading db fips"
+ ${BINDIR}/certutil -S -g 1024 -n tmprsa -t "u,u,u" -s "CN=tmprsa, C=US" -x -d sql:fips -f ${FIPSPWFILE} -z ${NOISE_FILE} 2>&1
+ html_msg $? 0 "Upgrading fips"
+ # remove our temp certificate we created in the fist token
+ ${BINDIR}/certutil -F -n tmprsa -d sql:fips -f ${FIPSPWFILE} 2>&1
+ ${BINDIR}/certutil -L -d sql:fips 2>&1
+ fi
+
+ html "</TABLE><BR>"
+}
+
+########################## dbupgrade_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+dbupgrade_cleanup()
+{
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################################# main #################################
+
+dbupgrade_init
+dbupgrade_main
+dbupgrade_cleanup
diff --git a/security/nss/tests/dll_version.sh b/security/nss/tests/dll_version.sh
new file mode 100755
index 000000000..79a128585
--- /dev/null
+++ b/security/nss/tests/dll_version.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# version controll for DLLs
+# ToDo: make version parameter or find version from first occurance of 3.x
+# make the 3 a variable..., include the header
+
+#OS=`uname -s`
+#DSO_SUFFIX=so
+#if [ "$OS" = "HP-UX" ]; then
+ #DSO_SUFFIX=sl
+#fi
+#what libnss3.$DSO_SUFFIX | grep NSS
+#what libsmime3.$DSO_SUFFIX | grep NSS
+#what libssl3.$DSO_SUFFIX | grep NSS
+#ident libnss3.$DSO_SUFFIX | grep NSS
+#ident libsmime3.$DSO_SUFFIX | grep NSS
+#ident libssl3.$DSO_SUFFIX | grep NSS
+
+for w in `find . -name "libnss3.s[ol]" ; find . -name "libsmime3.s[ol]"; find . -name "libssl3.s[ol]"`
+do
+ NOWHAT=FALSE
+ NOIDENT=FALSE
+ echo $w
+ what $w | grep NSS || NOWHAT=TRUE
+ ident $w | grep NSS || NOIDENT=TRUE
+ if [ $NOWHAT = TRUE ]
+ then
+ echo "ERROR what $w does not contain NSS"
+ fi
+ if [ $NOIDENT = TRUE ]
+ then
+ echo "ERROR ident $w does not contain NSS"
+ fi
+done
+#for w in `find . -name "libnss3.s[ol]" ; find . -name "libsmime3.s[ol]"; find .
+#-name "libssl3.s[ol]"`
+#do
+ #NOWHAT=FALSE
+ #NOIDENT=FALSE
+ #echo $w
+ #what $w | grep NSS || NOWHAT=TRUE
+ #ident $w | grep NSS || NOIDENT=TRUE
+ #if [ $NOWHAT = TRUE -a $NOIDENT = TRUE ]
+ #then
+ #echo "WARNING what and ident $w does not contain NSS"
+ #strings $w | grep NSS | grep '3.2' || echo "ERROR strings does
+#not either..."
+ #fi
+#done
+
diff --git a/security/nss/tests/doc/clean.gif b/security/nss/tests/doc/clean.gif
new file mode 100644
index 000000000..08781cb2b
--- /dev/null
+++ b/security/nss/tests/doc/clean.gif
Binary files differ
diff --git a/security/nss/tests/doc/nssqa.txt b/security/nss/tests/doc/nssqa.txt
new file mode 100755
index 000000000..34fa0955b
--- /dev/null
+++ b/security/nss/tests/doc/nssqa.txt
@@ -0,0 +1,108 @@
+The new QA wrapper consistst mainly of 2 scripts, nssqa and qa_stat, both
+include a common header (header) and a common environment (set_environment).
+Also used is mksymlinks and path_uniq.
+
+The scripts that are used on a daily basis are located in /u/sonmi/bin.
+
+Parameters and Options are the same for both scripts.
+
+Parameters
+----------
+ nssversion (supported: 30b, 31, tip)
+ builddate (default - today, format mmdd)
+
+Options
+-------
+ -y answer all questions with y - use at your own risk... ignores warnings
+ -s silent (only usefull with -y)
+ -h, -? -help you guessed right - displays the usage
+ -d debug
+ -f <filename> - write the (error)output to filename
+ -m <mailinglist> - send filename to mailinglist (csl) only useful
+ with -f on nssqa
+ -l <mozroot> run on a local build - does not work at this time
+ -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname>
+
+nssqa and qa_stat are Beta at the most
+--------------------------
+Please be aware that
+
+-) machinenames are still hardcoded --FIXED
+-) other very iPlanet specific environments and features are being used.
+
+-d Debug option will be removed from cron in a few weeks - or maybe not
+-l QA on local build is not fully implemented yet
+
+Please do not use on Windows 95 and 98, ME platforms yet.
+
+use -d if script behaves strange or exits unexpectedly
+
+How to use QA
+-------------
+To test a build, first run nssqa on the required QA platforms (some
+buildplatforms require QA to be run on additional platforms - for
+example Solaris 2.6 has to be tested on 2.8 32 and 64bit) If QA has
+been run on multiple or all required platforms it makes sense to run
+qa_stat on the output of nssqa as well.
+Before used on a new system (even if the same platform has been
+tested before) please use completely interactive, to see what the
+variables are being initialized to, and read the warnings. Same is
+true if being run from a different user account than svbld.
+
+In any case, if you are using it, please let me know the results.
+
+Pseudocode Description of nssqa:
+--------------------------------
+not quite up to date
+
+ header:init (global)
+ set flags and variables to default values
+ signal trap (for interupts and kills)
+ set HOST and DOMSUF variables if running from cron
+ parse parameters and options
+ determine os and set up the environment (espec. PATH)
+ set the directories to run in (influenced by parameters and -l option)
+ set and initialize the tmp / debugging / output files
+
+ nssqa:init (local)
+ locking: if nssqa is already running on this systems (yes-exit,
+ no-lockfile)
+ set HOST and DOMSUF variables if running interavtively
+ set flag to kill remaining selfserv processes during cleanup
+ if QA platform different from build platform create neccessary
+ symbolic links
+ wait for the build to finish (max of 5h)
+
+ main:
+ repeated per test (optimized, debug, 32, 64 bit)
+ set flags for this run of all.sh (optimized, debug, 32, 64 bit)
+ set the DIST directory (where the binaries reside)
+ kill running selfservers (sorry - just don't use the svbld
+ account if you need to do your own testing... I will fix
+ selfserv as soon as I can - but it hangs too often and
+ disturbs all following QA)
+ run all.sh
+
+ header:exit (global)
+ remove temporary files
+ kill remaining selfservers
+ send email to the list
+
+
+ errorhandling
+ Option / Parameter errors: Exit with usage information
+
+ Severe errors: Exit wit errormessage
+ example: directory in which all.sh resides does not exist
+ can't create files or directories
+ build not done after 5 hours
+ is already running
+
+ Other errors: User is prompted with the "errormessage - continue (y/n)?"
+ example: local DIST dir does not exist (continues with next all.sh)
+ outputdirectory does not exist (user can specify other)
+
+ Signals 2, 3, 15 are treated as severe errors
+
+
+
diff --git a/security/nss/tests/doc/platform_specific_problems b/security/nss/tests/doc/platform_specific_problems
new file mode 100644
index 000000000..92a22ca03
--- /dev/null
+++ b/security/nss/tests/doc/platform_specific_problems
@@ -0,0 +1,110 @@
+I will, eventually convert all files here to html - just right now I have no
+time to do it. Anyone who'd like to - please feel free, mail me the file and
+I will check it in
+sonmi@netscape.com
+
+
+The NSS 3.1 SSL Stress Tests fail for me on FreeBSD 3.5. The end of the output
+of './ssl.sh stress' looks like this:
+
+********************* Stress Test ****************************
+********************* Stress SSL2 RC4 128 with MD5 ****************************
+selfserv -p 8443 -d
+/local/llennox/NSS-PSM/mozilla/tests_results/security/conrail.20/server -n
+conrail.cs.columbia.edu -w nss -i /tmp/tests_pid.5505 & strsclnt -p 8443 -d . -w nss -c 1000 -C A conrail.cs.columbia.edu
+strsclnt: -- SSL: Server Certificate Validated.
+strsclnt: PR_NewTCPSocket returned error -5974:
+Insufficient system resources.
+Terminated
+********************* Stress SSL3 RC4 128 with MD5 ****************************
+selfserv -p 8443 -d
+/local/llennox/NSS-PSM/mozilla/tests_results/security/conrail.20/server -n
+conrail.cs.columbia.edu -w nss -i /tmp/tests_pid.5505 & strsclnt -p 8443 -d . -w nss -c 1000 -C c conrail.cs.columbia.edu
+strsclnt: -- SSL: Server Certificate Validated.
+strsclnt: PR_NewTCPSocket returned error -5974:
+Insufficient system resources.
+Terminated
+
+Running ktrace on the process (ktrace is a system-call tracer, the equivalent of
+Linux's strace) reveals that socket() failed with ENOBUFS after it was called
+for the 953rd time for the first test, and it failed after the 27th time it was
+called for the second test.
+
+The failure is consistent, both for debug and optimized builds; I haven't tested
+to see whether the count of socket() failures is consistent.
+
+All the other NSS tests pass successfully.
+
+
+------- Additional Comments From Nelson Bolyard 2000-11-01 23:08 -------
+
+I see no indication of any error on NSS's part from this description.
+It sounds like an OS kernel configuration problem on the
+submittor's system. The stress test is just that. It stresses
+the server by pounding it with SSL connections. Apparently this
+test exhausts some kernel resource on the submittor's system.
+
+The only change to NSS that might be beneficial to this test
+would be to respond to this error by waiting and trying again
+for some limited number of times, rather than immediately
+treating it as a fatal error.
+
+However, while such a change might make the test appear to pass,
+it would merely be hiding a very serious problem, namely,
+chronic system resource exhaustion.
+
+So, I suggest that, in this case, the failure serves the useful
+purpose of revealing the system problem, which needs to be
+cured apart from any changes to NSS.
+
+I'll leave this bug open for a few more days, to give others
+a chance to persuade me that some NSS change would and should
+solve this problem.
+
+
+------- Additional Comments From Jonathan Lennox 2000-11-02 13:13 -------
+
+Okay, some more investigation leads me to agree with you. What's happening is
+that the TCP connections from the stress test stick around in TIME_WAIT for two
+minutes; my kernel is only configured to support 1064 simultaneous open sockets,
+which isn't enough for the 2K sockets opened by the stress test plus the 100 or
+so normally in use on my system.
+
+So I'd just suggest adding a note to the NSS test webpage to the effect of "The
+SSL stress test opens 2,048 TCP connections in quick succession. Kernel data
+structures may remain allocated for these connections for up to two minutes.
+Some systems may not be configured to allow this many simulatenous connections
+by default; if the stress tests fail, try increasing the number of simultaneous
+sockets supported."
+
+On FreeBSD, you can display the number of simultaneous sockets with the command
+ sysctl kern.ipc.maxsockets
+which on my system returns 1064.
+
+It looks like this can be fixed with the kernel config option
+ options NMBCLUSTERS=[something-large]
+or by increasing the 'maxusers' parameter.
+
+It looks like more recent FreeBSD implementations still have this limitation,
+and the same solutions apply, plus you can alternatively specify the maxsockets
+parameter in the boot loader.
+
+
+---------------------------------
+
+hpux HP-UX hp64 B.11.00 A 9000/800 2014971275 two-user license
+
+we had to change following kernelparameters to make our tests pass
+
+1. maxfiles. old value = 60. new value = 100.
+2. nkthread. old value = 499. new value = 1328.
+3. max_thread_proc. old value = 64. new value = 512.
+4. maxusers. old value = 32. new value = 64.
+5. maxuprc. old value = 75. new value = 512.
+6. nproc. old formula = 20+8*MAXUSERS, which evaluated to 276.
+ new value (note: not a formula) = 750.
+
+A few other kernel parameters were also changed automatically
+as a result of the above changes.
+
+
diff --git a/security/nss/tests/doc/qa_wrapper.html b/security/nss/tests/doc/qa_wrapper.html
new file mode 100755
index 000000000..755cca236
--- /dev/null
+++ b/security/nss/tests/doc/qa_wrapper.html
@@ -0,0 +1,269 @@
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+ <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; U; SunOS 5.8 sun4u) [Netscape]">
+</head>
+<body text="#000000" bgcolor="#FFFFFF" link="#0000EE" vlink="#551A8B" alink="#FF0000">
+
+<h3>
+<b><font face="Times New Roman,Times">Author Sonja Mirtitsch</font></b></h3>
+
+<h3>
+<b><font face="Times New Roman,Times">Last updated: 4/4/2001</font></b></h3>
+
+<h1>
+<b><font face="Times New Roman,Times">NSS 3.2.QA Wrapper</font></b></h1>
+
+<p><br>The QA&nbsp; wrapper tests the nightly builds of NSS. The actual
+tests are being run are called from the QA script all.sh. I will add documentation
+for the actual QA soon. The main purpose of the wrapper is: find out which
+build (NSS version, date, Build Platform) to test on which machine (OS,
+OS version) and construct a summary report, which is then mailed to the
+nss developers (aka mailing list nss-qa-report@netscape.com). Please see
+also the <a href="#advertisement">feature</a> section.
+<p><a href="#nssqa">nssqa</a>&nbsp; - the script that calls the actual
+qa script all.sh
+<br><a href="#qa_stat">qa_stat</a> - sends out status reports
+<br><a href="#qaclean">qaclean</a>&nbsp; - if everything else fails
+<p>Sample <a href="/u/sonmi/doc/publish/glob_result.html">global result</a>,
+<a href="/u/sonmi/doc/publish/results.html">individual result </a>and <a href="/u/sonmi/doc/publish/output.log">log
+files</a>
+<p>The QA wrapper consistst mainly of scripts, most located in security/nss/tests
+and subdirectories, but run from /u/sonmi/bin
+<p>nssqa and qa_stat, the main scripts both include a common header (<a href="../header">header</a>)
+and a common environment (<a href="../set_environment">set_environment</a>).
+<br>Also used is <a href="../mksymlinks">mksymlinks</a> and <a href="../path_uniq">path_uniq</a>
+and <a href="#qaclean">qaclean</a>.
+<p>The scripts that are used on a daily basis are located in /u/sonmi/bin
+and checked into security/nss/tests
+<p>Parameters and Options are the same for most scripts.
+<p><a NAME="Parameters"></a><b><u><font size=+1>Parameters</font></u></b>
+<br>&nbsp;&nbsp;&nbsp; nssversion (supported: 30b, 31, tip, default tip)
+<br>&nbsp;&nbsp;&nbsp; builddate (default - today, format mmdd)
+<p><a NAME="Options"></a><b><u><font size=+1>Options</font></u></b>
+<br>&nbsp;&nbsp;&nbsp; -y answer all questions with y - use at your own
+risk... ignores warnings
+<br>&nbsp;&nbsp;&nbsp; -s silent (only usefull with -y)
+<br>&nbsp;&nbsp;&nbsp; -h, -? -help you guessed right - displays the usage
+<br>&nbsp;&nbsp;&nbsp; -d debug
+<br>&nbsp;&nbsp;&nbsp; -f &lt;filename> - write the (error)output to filename
+<br>&nbsp;&nbsp;&nbsp; -fcron writes resultfile in the same location as
+would the -cron
+<br>&nbsp;&nbsp;&nbsp; -m &lt;mailinglist> - send filename to mailinglist
+(csl) only useful
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; with -f on nssqa
+<br>&nbsp;&nbsp;&nbsp; -l &lt;mozroot> run on a local build - does not
+work at this time
+<br>&nbsp;&nbsp;&nbsp; -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.&lt;scriptname>
+<br>&nbsp;
+<p>Please be aware that some iPlanet specific environments and features
+are being used.
+<p>-d Debug option might be removed from cron in a few weeks - or maybe
+not
+<br>-l QA on local build is not fully implemented yet - will not be implemented,
+all.sh can be called directly instead
+<p>Please do not use on Windows 95 and 98, ME platforms yet.
+<p>use -d if script behaves strange or exits unexpectedly
+<p><b><font size=+1>How to use the QA-wrapper</font></b>
+<br>To test a build, first run nssqa on the required QA platforms (some
+buildplatforms require QA to be run on additional platforms - for example
+Solaris 2.6 has to be tested on 2.8 32 and 64bit) If QA has been run on
+multiple or all required platforms it makes sense to run qa_stat on the
+output of nssqa as well.
+<br>Before used on a new system (even if the same platform has been tested
+before) please use completely interactive, to see what the variables are
+being initialized to, and read the warnings. Same is true if being run
+from a different user account than svbld.
+<p>In any case, if you are using it, please let me know the results.
+<p><a NAME="nssqa"></a><b><u><font size=+1>nssqa:</font></u></b>
+<p>the script that calls the actual qa script all.sh
+<p>nssqa <a href="#Parameters">parameters</a> and&nbsp; <a href="#Options">options</a>
+<p><a href="../nssqa">view the script</a>
+<p><b><u><font size=+1>Pseudocode Description of nssqa</font></u></b>
+<br>not quite up to date
+<p>&nbsp;&nbsp;&nbsp; header:init (global)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set flags and variables
+to default values
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; signal trap (for interupts
+and kills)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set HOST and DOMSUF variables
+if running from cron
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; parse parameters and options
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; determine os and set up
+the environment (espec. PATH)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set the directories to run
+in (influenced by parameters and -l option)<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set the directories for backward
+compatibility testing
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set and initialize the tmp
+/ debugging / output files
+<p>&nbsp;&nbsp;&nbsp; nssqa:init (local)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; locking: if nssqa is already
+running on this systems (yes-exit,
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+no-lockfile)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set HOST and DOMSUF variables
+if running interavtively
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set flag to kill remaining
+selfserv processes during cleanup
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if QA platform different
+from build platform create neccessary
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+symbolic links
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wait for the build to finish
+(max of 5h)
+<p>&nbsp;&nbsp;&nbsp; main:
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; repeated per test (optimized,
+debug, 32, 64 bit)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+set flags for this run of all.sh (optimized, debug, 32, 64 bit)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+set the DIST directory (where the binaries reside)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+kill running selfservers (sorry - just don't use the svbld
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+account if you need to do your own testing... I will fix
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+selfserv as soon as I can - but it hangs too often and
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+disturbs all following QA)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+run all.sh
+<p>&nbsp;&nbsp;&nbsp; header:exit (global)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; remove temporary files
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; kill remaining selfservers
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; send email to the list
+<br>&nbsp;
+<p>&nbsp;&nbsp;&nbsp; errorhandling
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Option / Parameter errors:
+Exit with usage information
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Severe errors: Exit wit errormessage
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+example: directory in which all.sh resides does not exist
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+can't create files or directories
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+build not done after 5 hours
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+is already running
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Other errors: User is prompted
+with the "errormessage - continue (y/n)?"
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+example: local DIST dir does not exist (continues with next all.sh)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+outputdirectory does not exist (user can specify other)
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Signals 2, 3, 15 are treated
+as severe errors
+<br>&nbsp;
+<br>&nbsp;
+<br>&nbsp;
+<p><img SRC="clean.gif" height=129 width=92 align=LEFT><a NAME="qaclean"></a><b><u><font size=+2>qaclean:</font></u></b>/u/sonmi/bin/qaclean
+<br>&nbsp;
+<p>Use qaclean as user "svbld" to get the propper permissions. It is supposed
+to clean up after a "hanging" QA and will also brutally kill, interupt
+and disturb any other nss related test or performance meassurement on the
+named machine. NT and 2000 might require an additional reboot, since the
+ps is not so good about telling us the actual programmname - so we can't
+kill them... Please note that this is a brute force script, it should not
+be used on a regular basis, file a bug whenever you have to use it, since
+hanging QA is nothing that should occur frequently
+<p>&nbsp;<a href="../qaclean">view the script</a>
+<p>What it does:
+<ol>
+<li>
+see if there is a lockfile (/tmp/nssqa.$$ or $TMP/nssqa.$$)</li>
+
+<br>if yes:
+<ol>kill the process of the lockfile <font color="#666666">(future expansion
+and if possible it's children )</font>
+<br>rm the lockfile</ol>
+
+<li>
+kill selfservers</li>
+
+<li>
+kill whatever other qa related processes might be hanging</li>
+
+<li>
+clean up tmp files</li>
+</ol>
+<b>QAClean Parameters:</b>
+<br>&nbsp;&nbsp;&nbsp; machinename.
+<br>&nbsp;&nbsp;&nbsp; for example
+<br>&nbsp;&nbsp;&nbsp; qaclean kentuckyderby
+<br>&nbsp;&nbsp;&nbsp; started on any machine, will clean up on kentuckyderby
+<p><a NAME="qa_stat"></a><b><u><font size=+2>qa_stat</font></u></b>
+<p>qa_stat is the script that is being started from the svbld cron on kentuckyderby
+every morning at 10:00 and runs some (very primitive) analysis on the qa
+results.
+<br>I'd like to rewrite the whole thing in perl, and in a few weeks I might
+just do this...
+<p>&nbsp;<a href="../qa_stat">view the script</a>
+<p>qa_stat <a href="#Parameters">parameters</a> and&nbsp; <a href="#Options">options</a>
+<p><a NAME="advertisement"></a><b><u><font size=+1>Why we need the QA wrapper</font></u></b>
+<p>We need the new QA wrapper, because we have to test on so many platforms,
+that running the tests and evaluating the results for the nightly builds
+took about an average workday.
+<p><b><font size=+1>New Features:</font></b>
+<ul>
+<li>
+runs from <b>cron</b> / rsh or <b>interactive</b> if desired</li>
+
+<li>
+generates <b>summary</b> (no need to look through 60-90 directories)</li>
+
+<li>
+sends <b>email</b> about results</li>
+
+<li>
+automatically <b>recognizes common errors</b> and problems and conflicts
+and corrects them</li>
+
+<br>(or attempts to correct them :-)
+<li>
+automatically determines <b>which build </b>to test (waits if build in
+progress, exits if no build)</li>
+
+<li>
+runs on <b>all required platforms</b> (Windows 98 and before not functional
+yet)</li>
+
+<li>
+Windows version runs on <b>free Cygnus</b> as well as on MKS</li>
+
+<li>
+debug mode, normal mode and silent mode</li>
+
+<li>
+<b>locking</b> mechanism so it won't run twice</li>
+
+<li>
+<b>cleanup</b> after being killed and most errors (no remaining selfservers,
+tmpfiles, lock files)</li>
+</ul>
+The 1st script is started via cron between 5:00 and 8:00 am on different
+systems, and starts QA on the nightly build. At 10:00 the next script is
+started, and sends a QA summary to the nss developers.
+<p><b>Cygnus Advantages</b>:
+<ul>
+<li>
+<b>free</b></li>
+
+<li>
+better handling of <b>processes</b> (background, processIDs, Signals)</li>
+
+<li>
+Unix / Linux <b>compatible</b> sh / bash</li>
+</ul>
+<b>Disadvantages</b>
+<ul>
+<li>
+MKS functionality needs to be preserved (makes <b>8 Windows platforms</b>
+instead of 4 for the QA suites - makes 32 testruns on Windows alone)</li>
+
+<br>In certain functionality's <b>slow</b>
+<br><b></b>&nbsp;</ul>
+<b>Porting the windows QA&nbsp;to Uwin as well is also being considered</b>
+</body>
+</html>
diff --git a/security/nss/tests/dummy/dummy.sh b/security/nss/tests/dummy/dummy.sh
new file mode 100644
index 000000000..27d3c9cf4
--- /dev/null
+++ b/security/nss/tests/dummy/dummy.sh
@@ -0,0 +1,19 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/dummy/dummy.sh
+#
+# Minimal test that doesn't do anything
+#
+# NSS_TESTS="dummy" can be used for quick testing of the
+# test script infrastructure, without running any of the tests
+#
+########################################################################
+
+# html_failed "dummy test fail"
+html_passed "dummy test ok"
diff --git a/security/nss/tests/ec/ec.sh b/security/nss/tests/ec/ec.sh
new file mode 100755
index 000000000..9869b6590
--- /dev/null
+++ b/security/nss/tests/ec/ec.sh
@@ -0,0 +1,37 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/ec/ec.sh
+#
+# needs to work on all Unix and Windows platforms
+# this is a meta script to drive all ec tests
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## run_tests ###############################
+# run test suites defined in ECTESTS variable
+########################################################################
+run_ec_tests()
+{
+ for ECTEST in ${ECTESTS}
+ do
+ SCRIPTNAME=${ECTEST}.sh
+ echo "Running ec tests for ${ECTEST}"
+ echo "TIMESTAMP ${ECTEST} BEGIN: `date`"
+ (cd ${QADIR}/ec; . ./${SCRIPTNAME} 2>&1)
+ echo "TIMESTAMP ${ECTEST} END: `date`"
+ done
+}
+
+ECTESTS="ecperf ectest"
+run_ec_tests
diff --git a/security/nss/tests/ec/ecperf.sh b/security/nss/tests/ec/ecperf.sh
new file mode 100755
index 000000000..501488e08
--- /dev/null
+++ b/security/nss/tests/ec/ecperf.sh
@@ -0,0 +1,52 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/ec/ecperf.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ecperf_init #############################
+# local shell function to initialize this script
+########################################################################
+
+ecperf_init()
+{
+ SCRIPTNAME="ecperf.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME="ecperf.sh"
+ html_head "ecperf test"
+}
+
+ecperf_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+ecperf_init
+ECPERF_OUT=$(ecperf 2>&1)
+echo "$ECPERF_OUT"
+ECPERF_OUT=`echo $ECPERF_OUT | grep -i 'failed\|Assertion failure'`
+# TODO: this is a perf test we don't check for performance here but only failed
+if [ -n "$ECPERF_OUT" ] ; then
+ html_failed "ec(perf) test"
+else
+ html_passed "ec(perf) test"
+fi
+ecperf_cleanup
diff --git a/security/nss/tests/ec/ectest.sh b/security/nss/tests/ec/ectest.sh
new file mode 100644
index 000000000..e10760565
--- /dev/null
+++ b/security/nss/tests/ec/ectest.sh
@@ -0,0 +1,93 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/ec/ectest.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ectest_init #############################
+# local shell function to initialize this script
+########################################################################
+
+ectest_init()
+{
+ SCRIPTNAME="ectest.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME="ectest.sh"
+ html_head "freebl and pk11 ectest tests"
+}
+
+ectest_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+ectest_genkeydb_test()
+{
+ certutil -N -d "${HOSTDIR}" -f "${R_PWFILE}" 2>&1
+ if [ $? -ne 0 ]; then
+ return $?
+ fi
+ curves=( \
+ "curve25519" \
+ "secp256r1" \
+ "secp384r1" \
+ "secp521r1" \
+ )
+ for curve in "${curves[@]}"; do
+ echo "Test $curve key generation using certutil ..."
+ certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
+ if [ $? -ne 0 ]; then
+ html_failed "ec test certutil keygen - $curve"
+ else
+ html_passed "ec test certutil keygen - $curve"
+ fi
+ done
+ echo "Test sect571r1 key generation using certutil that should fail because it's not implemented ..."
+ certutil -G -d "${HOSTDIR}" -k ec -q sect571r1 -f "${R_PWFILE}" -z ${NOISE_FILE}
+ if [ $? -eq 0 ]; then
+ html_failed "ec test certutil keygen - $curve"
+ else
+ html_passed "ec test certutil keygen - $curve"
+ fi
+}
+
+ectest_init
+ectest_genkeydb_test
+# TODO: expose individual tests and failures instead of overall
+if [ -f ${BINDIR}/fbectest ]; then
+ FB_ECTEST_OUT=$(fbectest -n -d 2>&1)
+ FB_ECTEST_OUT=`echo $FB_ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
+ if [ -n "$FB_ECTEST_OUT" ] ; then
+ html_failed "freebl ec tests"
+ else
+ html_passed "freebl ec tests"
+ fi
+fi
+if [ -f ${BINDIR}/pk11ectest ]; then
+ PK11_ECTEST_OUT=$(pk11ectest -n -d 2>&1)
+ PK11_ECTEST_OUT=`echo $PK11_ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
+ if [ -n "$PK11_ECTEST_OUT" ] ; then
+ html_failed "pk11 ec tests"
+ else
+ html_passed "pk11 ec tests"
+ fi
+fi
+ectest_cleanup
diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh
new file mode 100755
index 000000000..4153e61aa
--- /dev/null
+++ b/security/nss/tests/fips/fips.sh
@@ -0,0 +1,293 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+# mozilla/security/nss/tests/fips/fips.sh
+#
+# Script to test basic functionallity of NSS in FIPS-compliant mode
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+#
+# special strings
+# ---------------
+#
+########################################################################
+
+############################## fips_init ##############################
+# local shell function to initialize this script
+########################################################################
+fips_init()
+{
+ SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=fips.sh
+ html_head "FIPS 140 Compliance Tests"
+
+ grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || {
+ Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
+ }
+
+ COPYDIR=${FIPSDIR}/copydir
+
+ R_FIPSDIR=../fips
+ P_R_FIPSDIR=../fips
+ R_COPYDIR=../fips/copydir
+
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_R_FIPSDIR="multiaccess:${D_FIPS}"
+ fi
+
+ mkdir -p ${FIPSDIR}
+ mkdir -p ${COPYDIR}
+
+ cd ${FIPSDIR}
+}
+
+############################## fips_140 ##############################
+# local shell function to test basic functionality of NSS while in
+# FIPS 140 compliant mode
+########################################################################
+fips_140()
+{
+ echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------"
+ echo "modutil -dbdir ${P_R_FIPSDIR} -list"
+ ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1
+ ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1
+ html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+ echo "certutil -d ${P_R_FIPSDIR} -L"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1
+ html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
+ echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+ html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+ echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
+ echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1
+ RET=$?
+ html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
+ echo "certutil -K returned $RET"
+
+ echo "$SCRIPTNAME: Validate the certificate --------------------------"
+ echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}
+ html_msg $? 0 "Validate the certificate (certutil -V -e)" "."
+
+ echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
+ echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+ ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+ html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."
+
+ echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
+ echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1
+ html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+ echo "certutil -d ${P_R_FIPSDIR} -L"
+ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+ ret=$?
+ echo "${certs}"
+ if [ ${ret} -eq 0 ]; then
+ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+ ret=$?
+ fi
+ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+
+ echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
+ echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1
+ html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+ echo "certutil -d ${P_R_FIPSDIR} -L"
+ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+ ret=$?
+ echo "${certs}"
+ if [ ${ret} -eq 0 ]; then
+ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+ if [ $? -eq 0 ]; then
+ ret=255
+ fi
+ fi
+ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module keys."
+ echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+ # certutil -K now returns a failure if no keys are found. This verifies that
+ # our delete succeded.
+ html_msg $? 255 "List the FIPS module keys (certutil -K)" "."
+
+
+ echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
+ echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+ ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+ html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+ echo "certutil -d ${P_R_FIPSDIR} -L"
+ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+ ret=$?
+ echo "${certs}"
+ if [ ${ret} -eq 0 ]; then
+ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+ ret=$?
+ fi
+ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
+ echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+ html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+
+ echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
+ echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1
+ html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+ echo "certutil -d ${P_R_FIPSDIR} -L"
+ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+ ret=$?
+ echo "${certs}"
+ if [ ${ret} -eq 0 ]; then
+ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+ if [ $? -eq 0 ]; then
+ ret=255
+ fi
+ fi
+ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+
+ echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
+ echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+ ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+ html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+ echo "certutil -d ${P_R_FIPSDIR} -L"
+ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+ ret=$?
+ echo "${certs}"
+ if [ ${ret} -eq 0 ]; then
+ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+ ret=$?
+ fi
+ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+ echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
+ echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+ html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+
+ echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------"
+ echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
+ ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1
+ html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."
+
+ echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------"
+ echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
+ ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1
+ html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."
+
+ LIBDIR="${DIST}/${OBJDIR}/lib"
+ MANGLEDIR="${FIPSDIR}/mangle"
+
+ # There are different versions of cp command on different systems, some of them
+ # copies only symlinks, others doesn't have option to disable links, so there
+ # is needed to copy files one by one.
+ echo "mkdir ${MANGLEDIR}"
+ mkdir ${MANGLEDIR}
+ for lib in `ls ${LIBDIR}`; do
+ echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}"
+ cp ${LIBDIR}/${lib} ${MANGLEDIR}
+ done
+
+ echo "$SCRIPTNAME: Detect mangled softoken--------------------------"
+ SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}
+
+ echo "mangling ${SOFTOKEN}"
+ echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
+ # If nss was built without softoken use the system installed one.
+ # It's location must be specified by the package maintainer.
+ if [ ! -e ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then
+ echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}"
+ cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}
+ fi
+ ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1
+ if [ $? -eq 0 ]; then
+ if [ "${OS_ARCH}" = "WINNT" ]; then
+ DBTEST=`which dbtest`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ DBTEST=`cygpath -m ${DBTEST}`
+ MANGLEDIR=`cygpath -u ${MANGLEDIR}`
+ fi
+ echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}"
+ PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+ RESULT=$?
+ elif [ "${OS_ARCH}" = "HP-UX" ]; then
+ echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+ LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+ RESULT=$?
+ elif [ "${OS_ARCH}" = "AIX" ]; then
+ echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+ LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+ RESULT=$?
+ elif [ "${OS_ARCH}" = "Darwin" ]; then
+ echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+ DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+ RESULT=$?
+ else
+ echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+ LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+ RESULT=$?
+ fi
+
+ html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "."
+ else
+ html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
+ fi
+}
+
+############################## fips_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+fips_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+fips_init
+fips_140
+fips_cleanup
+echo "fips.sh done"
diff --git a/security/nss/tests/gtests/gtests.sh b/security/nss/tests/gtests/gtests.sh
new file mode 100755
index 000000000..f91349b9e
--- /dev/null
+++ b/security/nss/tests/gtests/gtests.sh
@@ -0,0 +1,88 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# similar to all.sh this file runs drives gtests.
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## gtest_init ##############################
+# local shell function to initialize this script
+########################################################################
+gtest_init()
+{
+ cd "$(dirname "$1")"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd common
+ . ./init.sh
+ fi
+
+ SCRIPTNAME=gtests.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+}
+
+########################## gtest_start #############################
+# Local function to actually start the test
+####################################################################
+gtest_start()
+{
+ echo "gtests: ${GTESTS}"
+ for i in ${GTESTS}; do
+ if [ ! -f ${BINDIR}/$i ]; then
+ html_unknown "Skipping $i (not built)"
+ continue
+ fi
+ GTESTDIR="${HOSTDIR}/$i"
+ html_head "$i"
+ if [ ! -d "$GTESTDIR" ]; then
+ mkdir -p "$GTESTDIR"
+ fi
+ cd "$GTESTDIR"
+ GTESTREPORT="$GTESTDIR/report.xml"
+ PARSED_REPORT="$GTESTDIR/report.parsed"
+ echo "executing $i"
+ ${BINDIR}/$i -d "$GTESTDIR" --gtest_output=xml:"${GTESTREPORT}" \
+ --gtest_filter="${GTESTFILTER-*}"
+ html_msg $? 0 "$i run successfully"
+ echo "test output dir: ${GTESTREPORT}"
+ echo "executing sed to parse the xml report"
+ sed -f ${COMMON}/parsegtestreport.sed "${GTESTREPORT}" > "${PARSED_REPORT}"
+ echo "processing the parsed report"
+ cat "${PARSED_REPORT}" | while read result name; do
+ if [ "$result" = "notrun" ]; then
+ echo "$name" SKIPPED
+ elif [ "$result" = "run" ]; then
+ html_passed_ignore_core "$name"
+ else
+ html_failed_ignore_core "$name"
+ fi
+ done
+ done
+}
+
+gtest_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+GTESTS="der_gtest pk11_gtest util_gtest"
+gtest_init $0
+gtest_start
+gtest_cleanup
diff --git a/security/nss/tests/header b/security/nss/tests/header
new file mode 100644
index 000000000..5a1dead72
--- /dev/null
+++ b/security/nss/tests/header
@@ -0,0 +1,1636 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/header - /u/svbld/bin/init/nss/header
+#
+# variables, utilities and shellfunctions global to NSS QA
+# needs to work on all Unix platforms
+#
+# included from (don't expect this to be up to date)
+# --------------------------------------------------
+# qa_stat
+# mksymlinks
+# nssqa
+#
+# parameters
+# ----------
+# nssversion (supported: 30b, 31, 332, tip 32)
+# builddate (default - today)
+#
+# options
+# -------
+# -y answer all questions with y - use at your own risk... ignores warnings
+# -s silent (only usefull with -y)
+# -h, -? - you guessed right - displays this text
+# -d debug
+# -f <filename> - write the (error)output to filename
+# -fcronfile produces the resultfiles in the same locations
+# as would have been produced with -cron
+# -m <mailinglist> - send filename to mailinglist (csl) only useful
+# with -f
+# -ml <mailinglist> - send link to filename to mailinglist (csl)
+# only useful with -f
+# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname>
+# -t run on a tinderbox build that means: local, from the startlocation
+# -l <mozroot directory> run on a local build mozroot
+# -ln <mozroot> copy a networkbuild to a local directory mozroot,
+# used for networkindipendend QA
+# -lt try to copy a networkbuild to a local directory, if not possible
+# run on the network
+# used for networkindipendend QA
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+# moduls (not yet)
+# ----------------
+# --# INIT
+# --# USERCOM
+# --# UTILS
+#
+# FIXME - split in init / usercom / utils
+#
+########################################################################
+
+#------------------------------# INIT #------------------------------
+
+# below the option flags get initialized
+
+if [ -z "$QASCRIPT_DIR" ]
+then
+ QASCRIPT_DIR=`dirname $0`
+ if [ "$QASCRIPT_DIR" = '.' ]
+ then
+ QASCRIPT_DIR=`pwd`
+ fi
+fi
+export QASCRIPT_DIR
+
+O_HWACC=OFF
+if [ -z "$O_ALWAYS_YES" ] ; then
+ O_ALWAYS_YES=OFF # turned on by -y answer all questions with y
+fi
+
+if [ -z "$O_INIT" ] # header is global, some including scripts may not
+then # want the init to run, the others don't need to bother
+ O_INIT=ON
+fi
+if [ -z "$O_PARAM" ] # header is global, some including scripts may not
+then # require parameters, the others don't need to bother
+ O_PARAM=ON
+fi
+if [ -z "$O_OPTIONS" ] # header is global, some including scripts may not
+then # permit options, they don't need to bother
+ O_OPTIONS=OFF
+fi
+O_SILENT=OFF # turned on by -s silent (only usefull with -y)
+if [ -z "$O_DEBUG" ] ; then
+ O_DEBUG=OFF # turned on by -d - calls to Debug produce output when ON
+fi
+O_FILE=OFF # turned on by -f echo all output to a file $FILENAME
+O_CRON=OFF # turned on by -cron cron use only
+O_CRONFILE=OFF # turned on by -cron cron and -fcron
+O_LOCAL=OFF # turned on by -l* run on a local build in $LOCAL_MOZROOT
+O_LN=OFF # turned on by -ln and -lt, test a networkbuild locally
+O_MAIL=OFF # turned on by -m - sends email
+O_MAIL_LINK=OFF # turned on by -ml - sends email
+O_TBX=OFF # turned on by -t run on a tinderbox build
+ # that means: local, from the startlocation
+
+if [ -z "$DOMSUF" ]
+then
+
+ DOMSUF=red.iplanet.com
+ DS_WAS_SET=FALSE
+else
+ DS_WAS_SET=TRUE
+fi
+
+TMPFILES=""
+
+WAIT_FOR=600 # if waiting for an event sleep n seconds before rechecking
+ # recomended value 10 minutes 600
+WAIT_TIMES=30 # recheck n times before giving up - recomended 30 - total of 5h
+
+if [ -z "$QAYEAR" ] # may I introduce - the y2k+1 bug? QA for last year
+then # might not work
+ QAYEAR=`date +%Y`
+fi
+
+if [ -z "$TMP" ]
+then
+ if [ -z "$TEMP" ]
+ then
+ TMP="/tmp"
+ else
+ TMP=$TEMP
+ fi
+fi
+if [ ! -w "$TMP" ]
+then
+ echo "Can't write to tmp directory $TMP - exiting"
+ echo "Can't write to tmp directory $TMP - exiting" >&2
+ exit 1
+fi
+
+KILLPIDS="$TMP/killpids.$$"
+export KILLERPIDS
+TMPFILES="$TMPFILES $KILLPIDS"
+
+KILL_SELFSERV=OFF # if sourcing script sets this to on cleanup will also
+ # kill the running selfserv processes
+
+ # Set the masterbuilds
+if [ -z "$UX_MASTERBUILD" ]
+then
+ UX_MASTERBUILD=booboo_Solaris8
+ #if [ ! -d $UX_MASTERBUILD ] ; then
+ #UX_MASTERBUILD=booboo_Solaris8_forte6
+ #fi
+ UX_MB_WAS_SET=FALSE
+else
+ UX_MB_WAS_SET=TRUE
+fi
+if [ -z "$NT_MASTERBUILD" ]
+then
+ NT_MASTERBUILD=blowfish_NT4.0_Win95
+ NT_MB_WAS_SET=FALSE # in this case later functions can override if
+ # they find a different build that looks like NT
+else
+ NT_MB_WAS_SET=TRUE
+fi
+if [ -z "$MASTERBUILD" ]
+then
+ MASTERBUILD=$UX_MASTERBUILD
+fi
+
+ # Set the default build
+if [ -z "$BUILDNUMBER" ]
+then
+ BUILDNUMBER=1
+fi
+export BUILDNUMBER
+O_LDIR=OFF #local QA dir for NT, temporary
+
+if [ -z "$WIN_WAIT_FOREVER" ] # header is global, some including scripts
+then # want the init to wait forever for directories to
+ # appear (windows only) if OFF exit, if ON wait forever
+ WIN_WAIT_FOREVER=OFF
+fi
+
+ # NOTE: following variables have to change
+ # from release to release
+if [ -z "$BC_MASTER" ] # master directory for backwardscompatibility testing
+then
+ RH="NO"
+ grep 7.1 /etc/redhat-release > /dev/null 2>/dev/null && RH="YES"
+ grep 7.2 /etc/redhat-release > /dev/null 2>/dev/null && RH="YES"
+
+ if [ "$RH" = "YES" ]
+ then # NSS-3-3-1RTM
+ BC_UX_MASTER=nss331/builds/20010928.2.331-RTM/booboo_Solaris8
+ BC_NT_MASTER=nss331/builds/20010928.2.331-RTM/blowfish_NT4.0_Win95
+ else # NSS-3-2-2RTM
+ BC_UX_MASTER=nss322/builds/20010820.1/y2sun2_Solaris8
+ BC_NT_MASTER=nss322/builds/20010820.1/blowfish_NT4.0_Win95
+ fi
+ BC_MASTER=$BC_UX_MASTER
+ BC_MASTER_WAS_SET=FALSE
+else
+ BC_MASTER_WAS_SET=TRUE
+fi
+BC_RELEASE=3.2
+export BC_RELEASE
+
+EARLY_EXIT=TRUE #before the report file has been created, causes Exit to
+ #create it
+
+UX_D0=/share/builds/mccrel3/nss
+
+################################### glob_init ##########################
+# global shell function, main initialisation function
+########################################################################
+glob_init()
+{
+ if [ $O_PARAM = "ON" ] ; then
+ eval_opts $* # parse parameters and options - set flags
+ fi
+ # if running from cron HOST needs to be known early,
+ init_host # so the output file name can be constructed.
+ Debug "Setting up environment...( $QASCRIPT_DIR/set_environment) "
+ . $QASCRIPT_DIR/set_environment #finds out if we are running on Windows
+ Debug "OPerating system: $os_name $os_full"
+ umask 0
+ init_dirs
+ init_files
+ init_vars
+}
+
+################################### init_vars ###########################
+# global shell function, sets the environment variables, part of init
+########################################################################
+init_vars()
+{
+ if [ -z "$LOGNAME" ]
+ then
+ if [ $O_WIN = "ON" ]
+ then
+ LOGNAME=$USERNAME
+ else
+ LOGNAME=$USER
+ fi
+ if [ -z "$LOGNAME" ]
+ then
+ LOGNAME=$UNAME
+ if [ -z "$LOGNAME" ]
+ then
+ LOGNAME=`basename $HOME`
+ fi
+ fi
+ fi
+ if [ -z "$LOGNAME" ]
+ then
+ Exit "Can't determine current user"
+ fi
+ case $HOST in
+ iws-perf)
+ O_HWACC=ON
+ HWACC_LIST="rainbow ncipher"
+ #MODUTIL="-add rainbow -libfile /usr/lib/libcryptoki22.so"
+ export HWACC_LIST
+ ;;
+ *)
+ O_HWACC=OFF
+ ;;
+ esac
+ export O_HWACC
+}
+
+########################################################################
+# functions below deal with setting up the directories and PATHs for
+# all different flavors of OS (Unix, Linux, NT MKS, NT Cygnus) and QA
+# (Standard, local tinderbox)
+########################################################################
+
+########################## find_nt_masterbuild #########################
+# global shell function, sets the nt masterbuild directories, part of init
+########################################################################
+find_nt_masterbuild()
+{
+ NT_MASTERDIR=${DAILY_BUILD}/${NT_MASTERBUILD}
+ if [ "${NT_MB_WAS_SET}" = "FALSE" -a ! -d $NT_MASTERDIR ] ; then
+ if [ -d ${DAILY_BUILD}/*NT4* ] ; then
+ NT_MASTERBUILD=` cd ${DAILY_BUILD}; ls -d *NT4* `
+ Debug "NT_MASTERBUILD $NT_MASTERBUILD"
+ NT_MASTERDIR=${DAILY_BUILD}/${NT_MASTERBUILD}
+ fi
+ fi
+ Debug "NT_MASTERDIR $NT_MASTERDIR"
+}
+
+################################### set_daily_build_dirs ###########################
+# global shell function, sets directories
+########################################################################
+set_daily_build_dirs()
+{
+ if [ "$O_LOCAL" = "ON" -a "$O_LN" = "OFF" ] ; then
+ DAILY_BUILD=${LOCAL_MOZROOT} # on local builds NSS_VER_DIR and DAILY_BUILD are
+ # set to the LOCAL_MOZROOT, since it is not sure
+ # if ../.. (DAILY_BUILD) even exists
+ LOCALDIST=${LOCAL_MOZROOT}/dist
+ elif [ "$O_TBX" = "ON" ] ; then
+ DAILY_BUILD="$TBX_DAILY_BUILD"
+ LOCALDIST=${UXDIST}
+ else
+ DAILY_BUILD=${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.${BUILDNUMBER}
+ LOCALDIST=${DAILY_BUILD}/${MASTERBUILD}/mozilla/dist
+ fi
+}
+
+map_os64()
+{
+ IS_64=""
+ case `uname -s` in
+ #OSF1) has been done already - always 64 bit
+ SunOS)
+ MAPPED_OS=Solaris*8
+ IS_64=`(isainfo -v | grep 64)>/dev/null 2>/dev/null && echo 64 bit`
+ if [ "$O_TBX" = "OFF" ] ; then
+ set_osdir
+ if [ -n "$IS_64" ]
+ then #Wait for the 64 bit build to finish...
+ Debug Testing build for $MAPPED_OS in $OSDIR
+ Wait ${OSDIR}/SVbuild.InProgress.1 0
+ fi
+ fi
+ ;;
+ AIX)
+ IS_64=`lslpp -l | grep "bos.64bit"> /dev/null && echo 64 bit`
+ ;;
+ HP-UX)
+ IS_64=`getconf KERNEL_BITS | grep 64 >/dev/null && echo 64 bit`
+ ;;
+ esac
+ Debug "Mapped OS to $MAPPED_OS"
+}
+
+
+
+################################### copy_to_local ########################
+# global shell function, copies the necessary directories from the
+# daily build aerea to the local disk
+########################################################################
+copy_to_local()
+{
+ Debug "Copy network directories to local directories"
+ C2L_ERROR=0
+ if [ ! -d ${LOCAL_MOZROOT}/dist ] ; then
+ mkdir -p ${LOCAL_MOZROOT}/dist || C2L_ERROR=1
+ fi
+ if [ ! -d ${LOCAL_MOZROOT}/security/nss ] ; then
+ mkdir -p ${LOCAL_MOZROOT}/security/nss || C2L_ERROR=2
+ fi
+ if [ $C2L_ERROR != 0 ] ; then
+ Exit "copy_to_local: Can t make necesssary directories ($C2L_ERROR ) "
+ fi
+ if [ ! -d ${LOCAL_MOZROOT}/security/nss/tests ] ; then
+ cp -r ${TESTSCRIPTDIR} ${LOCAL_MOZROOT}/security/nss || C2L_ERROR=1
+ fi
+ if [ ! -d ${LOCAL_MOZROOT}/security/coreconf ] ; then
+ cp -r ${MOZILLA_ROOT}/security/coreconf ${LOCAL_MOZROOT}/security || C2L_ERROR=2
+ fi
+
+ NO_DIRS=0;
+ if [ "$O_WIN" = "ON" ] ; then
+ OS_TARGET=WINNT;export OS_TARGET
+ fi
+ unset BUILD_OPT;export BUILD_OPT;
+ unset USE_64;export USE_64;
+#FIXME only tested on 64 bit Solaris and only got 32 bit builds
+ while [ $NO_DIRS -lt 4 ] ; do
+ # first time thru: Debug 32 bit NT
+ set_objdir
+ Debug "Copying ${OBJDIR}..."
+ if [ ! -d ${LOCAL_MOZROOT}/dist/${OBJDIR} ] ; then
+ cp -r ${LOCALDIST}/${OBJDIR} ${LOCAL_MOZROOT}/dist || C2L_ERROR=3
+ fi
+ NO_DIRS=`expr $NO_DIRS + 1`
+ if [ $NO_DIRS = 1 ] ; then # 2nd time: OPT 32 bit NT
+ BUILD_OPT=1; export BUILD_OPT;
+ elif [ $NO_DIRS = 2 ] ; then # 3rd time: OPT, either 64 bit or Win95 or force exit
+ if [ "$O_WIN" = "ON" ] ; then
+ OS_TARGET=WIN95;export OS_TARGET
+ else
+ map_os64
+ if [ -z "$IS_64" ] ; then #32 bit platform
+ NO_DIRS=4
+ else
+ USE_64=1; export USE_64
+ fi
+ fi
+ elif [ $NO_DIRS = 3 ] ; then # 4th time: Debug either 64 bit or Win95
+ unset BUILD_OPT;export BUILD_OPT;
+ fi
+
+
+ done
+ if [ $C2L_ERROR != 0 ] ; then
+ Exit "copy_to_local: Can t copy necesssary directories ($C2L_ERROR ) "
+ fi
+ unset TESTSCRIPTDIR
+ unset TESTDIR
+ unset RESULTDIR
+ O_LN=OFF #from here on pretend it is regular -l local QA FIXME, might cause
+ #problems with the backwardcompatibility tests
+ Debug "Successfully copied network directories to local directories"
+}
+
+################################### local_dirs ###########################
+# global shell function, sets the directories for local QA
+########################################################################
+local_dirs()
+{
+ Debug "Set directories for local QA"
+ #if [ "$O_WIN" = "ON" ] ; then
+ #win_set_tmp
+ #fi
+ NSS_VER_DIR=${LOCAL_MOZROOT} # on local builds NSS_VER_DIR and DAILY_BUILD are
+ # set to the LOCAL_MOZROOT, since it is not sure
+ # if ../../../.. (NSS_VER_DIR) even exists
+ if [ -z "${RESULTDIR}" ] ; then # needs to be local as well
+ Debug "Setting RESULTDIR for local QA"
+ RESULTDIR="${LOCAL_MOZROOT}/tests_results/security/${HOST}-`date +%Y%m%d-%H.%M`"
+ fi
+ set_daily_build_dirs
+ UX_MASTERDIR=`dirname ${LOCAL_MOZROOT}`
+ NT_MASTERDIR=$UX_MASTERDIR
+ MOZILLA_ROOT=${LOCAL_MOZROOT}
+
+ UXDIST=${MOZILLA_ROOT}/dist
+ NTDIST=${UXDIST}
+
+ if [ -z "${TESTDIR}" ] ; then
+ Debug "Setting TESTDIR for local QA"
+ TESTDIR=${RESULTDIR}
+ fi
+ if [ -n "$TESTDIR" ] ; then
+ if [ ! -d $TESTDIR ] ; then
+ Debug "Making TESTDIR for local QA"
+ mkdir -p $TESTDIR
+ fi
+ fi
+ export TESTDIR
+ Debug "RESULTDIR $RESULTDIR TESTDIR $TESTDIR"
+
+ TESTSCRIPTDIR=${LOCAL_MOZROOT}/security/nss/tests
+ COMMON=${TESTSCRIPTDIR}/common
+
+ set_objdir
+ debug_dirs
+ export_dirs
+}
+
+
+################################### tbx_dirs ###########################
+# global shell function, sets the directories for tinderbox QA
+########################################################################
+tbx_dirs()
+{
+ Debug "Set directories for tinderbox"
+ if [ "$O_WIN" = "ON" ] ; then
+ win_set_d1 # we need the NSS_VER_DIR later
+ else
+ NSS_VER_DIR="$UX_D0"/nss$NSSVER
+ fi
+ if [ -z "${RESULTDIR}" ] ; then # needs to be different for tinderbox
+ Debug "Setting RESULTDIR for tinderbox"
+ TBX_NOBITS=""
+ echo $QASCRIPT_DIR | grep 64 >/dev/null && TBX_NOBITS=64
+ TRD="${HOST}${TBX_NOBITS}-`date +%Y%m%d-%H.%M`"
+ RESULTDIR="${NSS_VER_DIR}/tinderbox/tests_results/security/${TRD}"
+ if [ ${DOMSUF} = "mcom.com" -o ${DOMSUF} = "netscape.com" -o ${DOMSUF} = "nscp.aoltw.net" ] ; then
+ URL="sbs-rel.nscp.aoltw.net"
+ else
+ URL="cindercone.red.iplanet.com"
+ fi
+ if [ "$O_WIN" = "ON" ] ; then
+ RESULTDIRURL="<a title=\"QA Results\" href=\"http://${URL}${UX_D0}/nsstip/tinderbox/tests_results/security/${TRD}\">QA</a>"
+ else
+ RESULTDIRURL="<a title=\"QA Results\" href=\"http://${URL}${RESULTDIR}\">QA</a>"
+ fi
+ Debug "RESULTDIRURL TinderboxPrint:$RESULTDIRURL"
+ fi
+ TBX_DAILY_BUILD=`cd ../../../../..;pwd`
+ NSS_VER_DIR="${TBX_DAILY_BUILD}/../.."
+ TBX_LOGFILE_DIR=`ls ${NSS_VER_DIR}/logs/tinderbox | sed -e 's/ .*//g'`
+ if [ -z "$TBX_LOGFILE_DIR" ] ; then
+ TBX_LOGFILE_DIR=`ls ${NSS_VER_DIR}/logs/tbx | sed -e 's/ .*//g'`
+ TBX_LOGFILE_DIR="${NSS_VER_DIR}/logs/tbx/${TBX_LOGFILE_DIR}"
+ else
+ TBX_LOGFILE_DIR="${NSS_VER_DIR}/logs/tinderbox/${TBX_LOGFILE_DIR}"
+ fi
+ Debug "Set TBX_LOGFILE_DIR ${TBX_LOGFILE_DIR}"
+
+ set_daily_build_dirs
+ UX_MASTERDIR=`cd ../../../..;pwd`
+ NT_MASTERDIR=$UX_MASTERDIR
+ MOZILLA_ROOT=$UX_MASTERDIR/mozilla
+
+ UXDIST=${MOZILLA_ROOT}/dist
+ NTDIST=${UXDIST}
+
+ if [ -z "${TESTDIR}" ] ; then
+ Debug "Setting TESTDIR for tinderbox"
+ TESTDIR=${RESULTDIR}
+ fi
+ if [ -n "$TESTDIR" ] ; then
+ if [ ! -d $TESTDIR ] ; then
+ Debug "Making TESTDIR for tinderbox"
+ mkdir -p $TESTDIR
+ fi
+ fi
+ Debug "Making QAstatus file"
+ echo "QA running" >${TESTDIR}/QAstatus
+ export TESTDIR
+ Debug "RESULTDIR $RESULTDIR TESTDIR $TESTDIR"
+
+ TESTSCRIPTDIR=`pwd`
+ COMMON=${TESTSCRIPTDIR}/common
+
+ set_objdir
+ debug_dirs
+ export_dirs
+}
+
+################################### init_mcom ###########################
+# global shell function, sets domain specific variables for AOL's
+# domains according to Bishakha's instructions
+########################################################################
+init_mcom()
+{
+ Debug "Running in mcom or netscape domain - changing directories..."
+ if [ "${UX_MB_WAS_SET}" = "FALSE" ] ; then #in case it was set
+ # before script was called use these values
+ UX_MASTERBUILD=spd04_Solaris8
+ fi
+ if [ "${NT_MB_WAS_SET}" = "FALSE" ] ; then
+ NT_MASTERBUILD=spd06_NT4
+ fi
+
+ MASTERBUILD=$UX_MASTERBUILD
+ if [ "${BC_MASTER_WAS_SET}" = "FALSE" ] ; then
+ BC_UX_MASTER=nss322/builds/20010820.1/y2sun2_Solaris8
+ BC_NT_MASTER=nss322/builds/20010820.1/blowfish_NT4.0_Win95
+ BC_MASTER=$BC_UX_MASTER
+ fi
+ UX_D0=/share/builds/sbsrel2/nss
+ URL="sbs-rel.nscp.aoltw.net"
+}
+################################### init_dirs ###########################
+# global shell function, sets the directories for standard QA
+# calls special functions for tinderbox, windows or local QA, part of init
+########################################################################
+init_dirs()
+{
+ if [ ${DOMSUF} = "mcom.com" -o ${DOMSUF} = "netscape.com" -o ${DOMSUF} = "nscp.aoltw.net" ] ; then
+ init_mcom
+ fi
+ if [ $O_WIN = "ON" ] ; then
+ win_set_tmp
+ write_to_tmpfile
+ MASTERBUILD=$NT_MASTERBUILD
+ BC_MASTER=$BC_NT_MASTER
+ fi
+ if [ "$O_LOCAL" = "ON" -a $O_LN = "OFF" ] ; then # if it is a LN we need to know
+ # all the directories off the network first to copy them
+ local_dirs # O_LOCAL alone assumes that all the directories are already there
+ return
+ elif [ "$O_TBX" = "ON" ] ; then
+ tbx_dirs
+ return
+ elif [ "$O_WIN" = "ON" ] ; then
+ win_set_d1
+ else
+ NSS_VER_DIR="$UX_D0"/nss$NSSVER
+ fi
+ #set -x
+
+ set_daily_build_dirs
+
+ if [ -z "${BCDIST}" ] ; then
+ #BCDIST=/share/builds/mccrel3/nss/${BC_MASTER}/mozilla/dist
+ BCDIST=${NSS_VER_DIR}/../${BC_MASTER}/mozilla/dist
+ if [ ! -d $BCDIST -a `basename $0` != jssqa ] ; then
+ ask "Backward compatibility directory $BCDIST does not exist, continue" "y" "n" || Exit
+ fi
+ fi
+
+ UX_MASTERDIR=${DAILY_BUILD}/${UX_MASTERBUILD}
+ find_nt_masterbuild
+
+ if [ "$O_WIN" = "ON" ]
+ then
+ MOZILLA_ROOT=${NT_MASTERDIR}/mozilla
+ else
+ MOZILLA_ROOT=${UX_MASTERDIR}/mozilla
+ fi
+
+ UXDIST=${UX_MASTERDIR}/mozilla/dist
+ NTDIST=${NT_MASTERDIR}/mozilla/dist
+
+ if [ -z "${RESULTDIR}" ] ; then
+ RESULTDIR=${UX_MASTERDIR}/mozilla/tests_results/security
+ fi
+
+ if [ -n "$PRODUCT_TO_TEST" -a "$PRODUCT_TO_TEST" = "JSS" ] ; then
+
+ if [ "$O_WIN" = "ON" ] ; then
+ JSS_NSS_SRC_DIR=$JSS_NSS_NT_SRC_DIR
+ fi
+ TESTSCRIPTDIR=${NSS_VER_DIR}/../${JSS_NSS_SRC_DIR}/mozilla/security/nss/tests
+ else
+ TESTSCRIPTDIR=${MOZILLA_ROOT}/security/nss/tests
+ fi
+
+ if [ ! -d $TESTSCRIPTDIR -a `basename $0` != jssqa ] ; then
+ if [ "$O_WIN" = "ON" -a "$WIN_WAIT_FOREVER" = "ON" ]
+ then
+ WaitForever $TESTSCRIPTDIR/all.sh 1
+ else
+ Exit "Test directory $TESTSCRIPTDIR does not exist"
+ fi
+ fi
+
+ COMMON=${TESTSCRIPTDIR}/common
+ if [ "$O_LOCAL" = "ON" -a $O_LN = "ON" ] ; then # if it is a LN we need to know
+ # all the directories off the network first to copy them
+ copy_to_local
+ local_dirs
+ fi
+ #set +x
+
+
+ set_objdir
+ debug_dirs
+ export_dirs
+}
+
+debug_dirs()
+{
+ Debug "NTDIST $NTDIST"
+ Debug "UXDIST $UXDIST"
+ Debug "TESTSCRIPTDIR $TESTSCRIPTDIR"
+ Debug "RESULTDIR $RESULTDIR"
+ Debug "TMP $TMP"
+ Debug "LOCALDIST_BIN $LOCALDIST_BIN"
+ Debug "COMMON $COMMON"
+ Debug "MOZILLA_ROOT $MOZILLA_ROOT"
+ Debug "BCDIST $BCDIST"
+}
+
+export_dirs()
+{
+ export NSS_VER_DIR DAILY_BUILD NTDIST UXDIST RESULTDIR TESTSCRIPTDIR BCDIST
+ export UX_MASTERDIR NT_MASTERDIR COMMON MOZILLA_ROOT
+}
+
+set_osdir()
+{
+ OSDIR=${DAILY_BUILD}/*${MAPPED_OS}*
+}
+
+################################### init_files ###########################
+# global shell function, sets filenames, initializes files, part of init
+########################################################################
+init_files()
+{
+ if [ $O_CRONFILE = "ON" ]
+ then
+ Debug "attempting to create resultfiles"
+ if [ "$O_TBX" = "ON" ] ; then
+ NEWFILENAME=${TBX_LOGFILE_DIR}/qa.log
+ if [ ! -w ${TBX_LOGFILE_DIR} ] ; then
+ Exit "can't touch $NEWFILENAME"
+ fi
+ else
+ NEWFILENAME=$RESULTDIR/$HOST.`basename $0`
+ fi
+ if [ ! -d $RESULTDIR ]
+ then
+ mkdir -p $RESULTDIR || Exit "Error: can't make $RESULTDIR"
+ fi
+ if [ ! -w $RESULTDIR ] ; then
+ Exit "can't touch $NEWFILENAME"
+ fi
+ Debug "About to touch $NEWFILENAME "
+ touch $NEWFILENAME || Exit "Error: can't touch $NEWFILENAME"
+ if [ "$O_TBX" = "ON" ] ; then
+ echo "QA results in $RESULTDIR" >>$NEWFILENAME || Exit "Error: can't write to $NEWFILENAME"
+ fi
+ Debug "About to cat $FILENAME >>$NEWFILENAME "
+ cat $FILENAME >>$NEWFILENAME || Exit "Error: can't append $FILENAME to $NEWFILENAME"
+ TMPFILES="$TMPFILES $FILENAME"
+ FILENAME=$NEWFILENAME
+ Debug "Writing output to $FILENAME"
+ fi
+
+}
+
+################################### write_to_tmpfile ##########################
+# global shell function, for NT and cron operation, first a tmpfile
+# needs to be created
+########################################################################
+write_to_tmpfile()
+{
+ O_CRONFILE=ON
+ O_FILE=ON
+ FILENAME=${TMP}/nsstmp.$$ # for now write to the temporary file
+ # since we don't know the hostname yet
+ # will be inserted to the real file later
+ TMPFILES="$TMPFILES nsstmp.$$"
+ touch $FILENAME || Exit "Error: can't touch $FILENAME"
+ Debug "Writing output to $FILENAME"
+}
+
+############################# turn_on_cronoptions ######################
+# global shell function, turns on options needed for cron and tinderbox
+########################################################################
+turn_on_cronoptions()
+{
+ O_CRON=ON
+ O_SILENT=ON
+ O_DEBUG=ON # FIXME take out!
+ O_ALWAYS_YES=ON
+ write_to_tmpfile
+}
+
+########################## test_mozroot ##########################
+# global shell function, determines if the variable LOCAL_MOZROOT is set,
+# and is usable as mozilla root diretory for a local QA
+###################################################################
+test_mozroot()
+{
+ PWD=`pwd`
+ Debug "LOCAL_MOZROOT = $LOCAL_MOZROOT"
+ case "$LOCAL_MOZROOT" in
+ [0-9-]*|tip)
+ glob_usage "Error: -"$1" requires a directoryname to follow (start with a letter) "
+ ;;
+ \.\.)
+ LOCAL_MOZROOT=`dirname $PWD`
+ ;;
+ \.)
+ LOCAL_MOZROOT=$PWD
+ ;;
+ \.\/*)
+ LOCAL_MOZROOT=`echo $LOCAL_MOZROOT | sed -e "s/^\.//"`
+ LOCAL_MOZROOT="${PWD}${LOCAL_MOZROOT}"
+ ;;
+ \.\.\/*)
+ LOCAL_MOZROOT="${PWD}/${LOCAL_MOZROOT}"
+ ;;
+ \/*|[a-zA-Z]:\/*)
+ ;;
+ ?*)
+ LOCAL_MOZROOT="${PWD}/${LOCAL_MOZROOT}"
+ ;;
+ *)
+ glob_usage "Error: -"$1" requires a directoryname to follow"
+ ;;
+ esac
+ Debug "Reformated MOZROOT to $LOCAL_MOZROOT"
+ if [ "$1" = "ln" ] ; then
+ LOCAL_MOZROOT_PARENT=`dirname $LOCAL_MOZROOT`
+ if [ ! -d $LOCAL_MOZROOT_PARENT -o ! -w $LOCAL_MOZROOT_PARENT -o \
+ ! -x $LOCAL_MOZROOT_PARENT ] ; then
+ Exit "Error: Can't create $LOCAL_MOZROOT (permissions)"
+ fi
+ if [ ! -d "$LOCAL_MOZROOT" ] ; then
+ mkdir $LOCAL_MOZROOT ||
+ Exit "Error: Can't create mozroot $LOCAL_MOZROOT (mkdir failed)"
+ else
+ ask "mozroot $LOCAL_MOZROOT exists - continue (y will remove dir) ?" \
+ "y" "n" || Exit
+ rm -rf $LOCAL_MOZROOT/dist $LOCAL_MOZROOT/security $LOCAL_MOZROOT/tests_results ||
+ Exit "Error: Can't clean mozroot $LOCAL_MOZROOT"
+ fi
+ fi
+ if [ ! -d "$LOCAL_MOZROOT" ] ; then
+ glob_usage "Error: mozilla root $LOCAL_MOZROOT not a valid directory"
+ fi
+}
+
+################################### eval_opts ##########################
+# global shell function, evapuates options and parameters, sets flags
+# variables and defaults
+########################################################################
+eval_opts()
+{
+ while [ -n "$1" ]
+ do
+ case $1 in
+ -cron)
+ turn_on_cronoptions
+ ;;
+ -T*|-t*)
+ O_TBX=ON
+ turn_on_cronoptions
+ O_SILENT=OFF #FIXME debug only
+ ;;
+ -S*|-s*)
+ O_SILENT=ON
+ ;;
+ -Y*|-y)
+ Debug "Option -y dedectet"
+ O_ALWAYS_YES=ON
+ ;;
+ -d*|-D)
+ O_DEBUG=ON
+ #set -x
+ ;;
+ -ml|-ML)
+ O_MAIL_LINK=ON
+ shift
+ MAILINGLIST=$1
+ if [ -z "$MAILINGLIST" ]
+ then
+ glob_usage "Error: -m requires a mailinglist to follow, for example sonmi,wtc,nelsonb "
+ fi
+ Debug "Sending link to result to $MAILINGLIST"
+ ;;
+ -m|-M)
+ O_MAIL=ON
+ shift
+ MAILINGLIST=$1
+ if [ -z "$MAILINGLIST" ]
+ then
+ glob_usage "Error: -m requires a mailinglist to follow, for example sonmi,wtc,nelsonb "
+ fi
+ Debug "Sending result to $MAILINGLIST"
+ ;;
+ -fcron*|-F[Cc][Rr][Oo][Nn]*)
+ write_to_tmpfile
+ ;;
+ -f|-F)
+ O_FILE=ON
+ shift
+ FILENAME=$1
+ if [ -z "$FILENAME" ]
+ then
+ glob_usage "Error: -f requires a filename to follow"
+ fi
+ #rm -f $FILENAME 2>/dev/null
+ touch $FILENAME || Exit "Error: can't touch $FILENAME"
+ #NOTE we append rather that creating
+ Debug "Writing output to $FILENAME"
+ ;;
+ -h|-help|"-?")
+ glob_usage
+ ;;
+ -ln)
+ if [ `basename $0` != nssqa ] ; then
+ glob_usage "Error: Can't handle option $1"
+ fi
+ O_LOCAL=ON
+ O_LN=ON
+ shift
+ LOCAL_MOZROOT=$1
+ test_mozroot ln
+ ;;
+ -lt)
+ if [ `basename $0` != nssqa ] ; then
+ glob_usage "Error: Can't handle option $1"
+ fi
+ O_LN=ON
+ O_LOCAL=ON
+ ;;
+ -l)
+ if [ `basename $0` != nssqa ] ; then
+ glob_usage "Error: Can't handle option $1"
+ fi
+ O_LOCAL=ON
+ shift
+ LOCAL_MOZROOT=$1
+ test_mozroot l
+ ;;
+ -p)
+ shift
+ PORT=$1
+ export PORT
+ ;;
+ -*)
+ glob_usage "Error: Can't handle option $1"
+ ;;
+ tip|3.|3..)
+ NSSVER=$1
+ if [ -z "$NSSVER" ] ; then
+ glob_usage "Error: illegal parameter"
+ fi
+ ;;
+ [01][0-9][0123][0-9])
+ BUILDDATE=$1
+ if [ -z "$BUILDDATE" ] ; then
+ glob_usage "Error: illegal parameter"
+ fi
+ ;;
+ ?*)
+ glob_usage "Error: Can't handle parameter $1"
+ ;;
+ esac
+ shift
+ done
+
+ if [ -z "$PORT" -a "$O_TBX" = "ON" ] ; then
+ PORT=8444
+ export PORT
+ if [ -z "$NSSVER" ] ; then
+ NSSVER="tip"
+ Debug "NSS Version: Parameters missing - defaulting to tip!"
+ fi
+ elif [ -z "$NSSVER" ] ; then
+ NSSVER="tip"
+ Debug "NSS Version: Parameters missing - defaulting to tip!"
+ fi
+ if [ -z "$BUILDDATE" ] ; then
+ BUILDDATE=`date +%m%d`
+ Debug "Builddate: Parameters missing - defaulting to today!"
+ fi
+
+ Debug "Builddate $BUILDDATE NssVersion $NSSVER"
+ export BUILDDATE NSSVER
+ export O_CRON O_SILENT O_DEBUG O_ALWAYS_YES O_TBX
+}
+
+win_set_tmp()
+{
+ TMP=`echo "$TMP" | sed -e 's/ /\/t/g' -e 's//\/b/' -e 's/\\\/\//g'`
+ Debug "TMP reformated to $TMP"
+}
+
+######################### win_set_d1 ################################
+# global shell function, interactively finds the directories in case
+# windows can't get to the default
+########################################################################
+win_set_d1()
+{
+ Debug "set Windows Directories..."
+ #win_set_tmp
+ if [ "$O_CYGNUS" = ON ]
+ then
+ NSS_VER_DIR=/cygdrive/w/nss/nss$NSSVER
+ else
+ NSS_VER_DIR=w:/nss/nss$NSSVER
+ fi
+ if [ ! -w $NSS_VER_DIR ]
+ then
+ Echo "Windows special... can't write in $NSS_VER_DIR"
+ if [ "$O_CYGNUS" = ON ]
+ then
+ NSS_VER_DIR=/cygdrive/u/nss/nss$NSSVER
+ else
+ NSS_VER_DIR="u:/nss/nss$NSSVER"
+ fi
+ else
+ Debug "NSS_VER_DIR set to $NSS_VER_DIR"
+ return
+ fi
+
+ while [ ! -w $NSS_VER_DIR ]
+ do
+ if [ "$O_CRONFILE" = "ON" ]
+ then
+ Exit "cant write in $NSS_VER_DIR"
+ fi
+ Warning "cant write in $NSS_VER_DIR"
+ Echo "input start directory (u:/nss, d:/src/nss, f:/shared/nss) "
+ read D
+ if [ -n "$D" ]
+ then
+ NSS_VER_DIR=$D/nss$NSSVER
+ fi
+ done
+ Debug "NSS_VER_DIR set to $NSS_VER_DIR"
+}
+
+########################### init_host ##################################
+# global shell function, sets required variables HOST and DOMSUF, and asks
+# the user if it has been set right
+########################################################################
+set_host()
+{
+ init_host
+}
+init_host()
+{
+ if [ `basename $0` != nssqa ] ; then
+ return
+ fi
+
+ init_host_done=0
+
+ if [ $DS_WAS_SET = FALSE ] #give chance to overwrite, espec. for NT
+ then
+ Debug "Domainname was not set..."
+ DOMSUF=`domainname 2>/dev/null`
+ if [ -z "$DOMSUF" ]
+ then
+ Debug "domainname command did not work ..."
+ DOMSUF=`echo $HOST | grep '\.' | sed -e "s/[^\.]*\.//"`
+
+ if [ -z "$DOMSUF" ]
+ then
+ Debug "Domainname not part of the hostname"
+ DOMSUF=`cat /etc/defaultdomain 2>/dev/null`
+ if [ -z "$DOMSUF" ]
+ then
+ Debug "Domainname needs to be hardcoded to red.iplanet.com"
+ DOMSUF="red.iplanet.com"
+ fi
+ fi
+ fi
+ fi
+ case $HOST in
+ *\.*)
+ Debug "HOSTNAME $HOST contains Dot"
+ HOST=`echo $HOST | sed -e "s/\..*//"`
+ ;;
+ esac
+ if [ -z "$HOST" ]
+ then
+ HOST=`uname -n`
+ case $HOST in
+ *\.*)
+ Debug "HOSTNAME $HOST contains Dot"
+ HOST=`echo $HOST | sed -e "s/\..*//"`
+ ;;
+ esac
+ fi
+ if [ $O_DEBUG = "ON" ]
+ then
+ while [ $init_host_done -eq 0 ]
+ do
+ Echo
+ ask "DOMSUF=$DOMSUF, HOST=$HOST - OK", "y" "n" &&
+ init_host_done=1
+ if [ $init_host_done -eq 0 ]
+ then
+ Echo "input DOMSUF: "
+ read D
+ if [ -n "$D" ]
+ then
+ DOMSUF=$D
+ fi
+ Echo "input HOST: "
+ read H
+ if [ -n "$H" ]
+ then
+ HOST=$H
+ fi
+ fi
+ done
+ fi
+ export HOST DOMSUF
+ Debug "HOST: $HOST, DOMSUF: $DOMSUF"
+}
+
+#-----------------------------# UTILS #----------------------------------
+
+########################### qa_stat_get_sysinfo ########################
+# local shell function, tries to determine the QA operating system
+########################################################################
+qa_stat_get_sysinfo()
+{
+ case $1 in
+ ?*) REM_SYS=$1
+ GET_SYSINFO="rsh $1"
+ ;;
+ *) REM_SYS=""
+ GET_SYSINFO=""
+ ;;
+ esac
+ QA_SYS=`$GET_SYSINFO uname -sr`
+ echo $QA_SYS | grep Linux >/dev/null &&
+ QA_RHVER=`$GET_SYSINFO cat /etc/redhat-release`
+ if [ -n "$QA_RHVER" ]
+ then
+ QA_OS=`echo $REM_SYS $QA_RHVER | sed -e "s/Red Hat /RH /" \
+ -e "s/ release//"`
+ else
+ case $QA_SYS in
+ *SunOS*5.[89]*)
+ ISAINFO=`$GET_SYSINFO isainfo -v`
+ IS_64=`echo $ISAINFO | grep 64 >/dev/null && \
+ echo 64 bit`
+ IS_I386=`echo $ISAINFO | grep i386 >/dev/null && \
+ echo i86pc`
+ if [ -n "$IS_I386" ] ; then IS_64="$IS_I386"; fi;
+ if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi;
+ ;;
+ *HP*)
+ IS_64=`$GET_SYSINFO getconf KERNEL_BITS |
+ grep 64 >/dev/null && echo 64 bit`
+ if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi;
+ ;;
+ *AIX*)
+ IS_64=`$GET_SYSINFO lslpp -l |
+ grep "bos.64bit"> /dev/null && echo 64 bit`
+ if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi;
+ ;;
+ esac
+ QA_OS=`echo "$REM_SYS $QA_SYS $IS_64"`
+ fi
+ if [ "$O_SILENT" != ON ] ; then
+ echo $QA_OS
+ fi
+ QA_OS_STRING=`echo $QA_OS | sed -e "s/^[_ ]//" -e "s/ /_/g"`
+}
+
+################################### set_objdir #########################
+# global shell function, sets the object directories and DIST
+########################################################################
+set_objdir()
+{
+ Debug "set object dir"
+ OBJDIR=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name`
+ OS_ARCH=`cd ${TESTSCRIPTDIR}/common; gmake os_arch`
+
+ #at this point $MASTERBUILD needs to be either NT or unix
+
+ set_daily_build_dirs
+ LOCALDIST_BIN=${LOCALDIST}/${OBJDIR}/bin
+ DIST=$LOCALDIST
+
+ if [ -z "${TEST_LEVEL}" ] ; then
+ TEST_LEVEL=0
+ fi
+ bc ${TEST_LEVEL} #set the path for the backward compatibility test
+
+ PATH_CONTAINS_BIN="TRUE"
+ export PATH_CONTAINS_BIN
+
+ export OBJDIR OS_ARCH LOCALDIST LOCALDIST_BIN DIST PATH
+}
+
+########################### bc #########################################
+# global shell function , sets paths for the backward compatibility test
+########################################################################
+bc()
+{
+ if [ -n "$PRODUCT_TO_TEST" -a "$PRODUCT_TO_TEST" = "JSS" ] ; then
+ TESTDIR=${RESULTDIR}
+ BC_ACTION=""
+ DON_T_SET_PATHS="FALSE" #let init.sh override - FIXME - check if necessary
+ return
+ fi
+ DON_T_SET_PATHS="TRUE"
+ case $1 in
+ 0)
+ #unset TESTDIR
+ TESTDIR=${RESULTDIR}
+ if [ "$O_WIN" = "ON" -a "$O_CYGNUS" != ON ] ; then
+ PATH="$TESTSCRIPTDIR;$LOCALDIST_BIN;$BASEPATH"
+ else
+ PATH=$TESTSCRIPTDIR:$LOCALDIST_BIN:$BASEPATH
+ fi
+ BC_ACTION=""
+ DON_T_SET_PATHS="FALSE" #let init.sh override - FIXME - check if necessary
+ ;;
+ *)
+ if [ "$O_LOCAL" = "ON" ] ; then
+ Exit "FIXME Can't run backwardcompatibility tests locally yet"
+ fi
+ TESTSCRIPTDIR=${BCDIST}/../security/nss/tests
+ COMMON=${TESTSCRIPTDIR}/common
+ TESTDIR=${RESULTDIR}/bct
+ BC_ACTION="backward compatibility of binaries in $BC_MASTER to new libs"
+ BCDIST_BIN=${BCDIST}/${OBJDIR}/bin
+ LD_LIBRARY_PATH=${LOCALDIST}/${OBJDIR}/lib
+ if [ "$O_WIN" = "ON" ] ; then
+ if [ "$O_CYGNUS" = ON ] ; then
+ PATH=$TESTSCRIPTDIR:$BCDIST_BIN:$BASEPATH:$LD_LIBRARY_PATH
+ else
+ PATH="$TESTSCRIPTDIR;$BCDIST_BIN;$BASEPATH;$LD_LIBRARY_PATH"
+ fi
+ else
+ PATH=$TESTSCRIPTDIR:$BCDIST_BIN:$BASEPATH
+ fi
+ Debug "1st stage of backward compatibility test"
+ ;;
+ esac
+ if [ -n "$TESTDIR" ] ; then
+ if [ ! -d $TESTDIR ] ; then
+ mkdir -p $TESTDIR
+ fi
+ export TESTDIR
+ fi
+ SHLIB_PATH=${LD_LIBRARY_PATH}
+ LIBPATH=${LD_LIBRARY_PATH}
+ Debug "PATH $PATH"
+ Debug "LD_LIBRARY_PATH $LD_LIBRARY_PATH"
+ export PATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH
+ export DON_T_SET_PATHS BC_ACTION
+ export TESTSCRIPTDIR COMMON
+}
+
+########################### Ps #########################################
+# global shell function , attempts a platform specific ps
+########################################################################
+Ps()
+{
+#AIX, OSF ps -ef, solaris /usr/5bin/ps -ef, win ps -ef but no user id
+#linux ps -ef, HP
+
+ if [ $os_name = "SunOS" ]
+ then
+ /usr/5bin/ps -ef
+ else
+ ps -ef
+ fi
+}
+
+########################### kill_by_name ################################
+# global shell function , kills the process whose name is given as
+# parameter
+########################################################################
+kill_by_name()
+{
+ for PID in `Ps | grep "$1" | grep -v grep | \
+ sed -e "s/^ *//g" -e "s/^[^ ]* //" -e "s/^ *//g" -e "s/ .*//g"`
+ do
+ if [ $O_WIN = "ON" -a $O_CYGNUS = "ON" ]
+ then
+ ask "Do you want to kill Process $PID (`Ps | grep $PID | \
+ grep -v grep | awk '{ print $1, $2, $6, $7, $8, $9 }' | \
+ sed -e "s/[0-9]:[0-6][0-9]//g" | grep $PID `)" \
+ "y" "n" && {
+ kill $PID
+ sleep 1
+ kill -9 $PID 2>/dev/null
+ }
+ else
+ ask "Do you want to kill Process $PID (`Ps | grep $PID | \
+ grep -v grep | awk '{ print $1, $2, $8, $9, $10, $11 }' | \
+ sed -e "s/[0-9]:[0-6][0-9]//g" | grep $PID `)" \
+ "y" "n" && {
+ kill $PID
+ sleep 1
+ kill -9 $PID 2>/dev/null
+ }
+ fi
+ done
+}
+
+############################### early_exit ###################################
+# global shell function , attempts a little more usefull user notification
+# of a complete failure
+########################################################################
+
+early_exit()
+{
+ if [ -z "$DOCDIR" ]
+ then
+ DOCDIR=`dirname $0`/../doc
+ fi
+ if [ -f $DOCDIR/QAerror.html ]
+ then
+ Debug "Found QA errorheader"
+ rm ${FILENAME}.err 2>/dev/null
+ cp $DOCDIR/QAerror.html ${FILENAME}.err
+ echo "$1" >>${FILENAME}.err
+ echo '</font></b></h1>' >>${FILENAME}.err
+ if [ -n "$FILENAME" -a -f "$FILENAME" ]
+ then
+ cat $FILENAME | sed -e "s/^/<br>/" >>${FILENAME}.err
+ fi
+ echo '</body></html>' >>${FILENAME}.err
+ cat ${FILENAME}.err | $RMAIL $MAILINGLIST
+
+ rm ${FILENAME}.err 2>/dev/null
+ #echo "cat ${FILENAME}.err | $RMAIL $MAILINGLIST "
+ fi
+}
+
+############################### Exit ###################################
+# global shell function , central exiting point
+# cleanup: temporary files, kill the remaining selfservers if sourcing
+# script sets KILL_SELFSERV
+########################################################################
+Exit()
+{
+ Echo $1
+ if [ "$O_CRON" = "OFF" ]
+ then
+ echo $1 >&2
+ fi
+ if [ -f "${KILLPIDS}" ]
+ then
+ Debug "Attempting to kill background processes...`cat ${KILLPIDS}`"
+ kill `cat "${KILLPIDS}"`
+ sleep 1
+ kill -9 `cat "${KILLPIDS}"`
+ fi
+ if [ -n "${TMPFILES}" ]
+ then
+ Debug "rm -f ${TMPFILES}"
+ rm -f $TMPFILES 2>/dev/null
+ fi
+ O_ALWAYS_YES=ON # set to non-interactive - don't ask anymore questions here
+ if [ $KILL_SELFSERV = "ON" ]
+ then
+ kill_by_name selfserv
+ fi
+ if [ $O_MAIL_LINK = "ON" -a $O_FILE = "ON" ]
+ then
+ if [ $EARLY_EXIT = TRUE ] #before the report file has been created
+ then
+ early_exit "$1"
+ else
+ head -3 $FILENAME >$ML_FILE
+ echo "Content-Type: text/plain; charset=us-ascii; format=flowed
+ Content-Transfer-Encoding: 7bit
+
+" >>$ML_FILE
+ echo $HREF_TMP_HTML_FILE >>$ML_FILE
+ cat $ML_FILE | $RMAIL $MAILINGLIST
+ fi
+
+#FIXME - early exit etc
+ elif [ $O_MAIL = "ON" -a $O_FILE = "ON" ]
+ then
+ if [ $EARLY_EXIT = TRUE ] #before the report file has been created
+ then
+ early_exit "$1"
+ elif [ -n "$FILENAME" -a -f "$FILENAME" ]
+ then
+ cat $FILENAME | $RMAIL $MAILINGLIST
+ fi
+ #rm $FILENAME 2>/dev/null
+ elif [ $O_MAIL = "ON" -a $EARLY_EXIT = TRUE ]
+ then
+ early_exit "$1"
+ rm $FILENAME 2>/dev/null
+ fi
+ #chmod a+rw ${RESULTDIR} ${RESULTDIR}/* ${RESULTDIR}/*/* &
+ if [ -n "$O_TBX" -a "$O_TBX" = "ON" ] ; then
+ rm ${TESTDIR}/QAstatus
+
+ if [ "$1" = "killed... cleaning up..." ] ; then
+ echo "QA killed" >${TESTDIR}/QAstatus
+ elif [ "$TBX_EXIT" = 0 ] ; then
+ echo "QA passed" >${TESTDIR}/QAstatus
+ else
+ echo "QA failed" >${TESTDIR}/QAstatus
+ fi
+
+ exit $TBX_EXIT
+
+ else
+ exit
+ fi
+}
+
+trap "rm -f ${TMPFILES} 2>/dev/null; Exit 'killed... cleaning up...'" 2 3 15
+
+################################ Wait ##################################
+# global shell function to wait for an event to happen, 1st parameter
+# filename to watch, 2nd parameter 0 - wait for it to disappear, 1 wait
+# for it to be created.
+# uses the variables WAIT_FOR and WAIT_TIMES
+# WAIT_FOR: if waiting for an event sleep n seconds before rechecking
+# recomended value 10 minutes 600
+# WAIT_TIMES: recheck n times before giving up to prevent endless loop
+# recomended 30 - total of 5h
+########################################################################
+
+Wait()
+{
+ i=0
+ Debug "Waiting for $1"
+ while [ $i -lt $WAIT_TIMES ]
+ do
+ i=`expr $i + 1`
+ if [ -f "$1" -a $2 -eq 1 ] # if file exists and is supposed to
+ then
+ return
+ fi
+ if [ ! -f "$1" -a $2 -eq 0 ] # not exists and not supposed to exist
+ then
+ return
+ fi
+ Debug "Waiting for $1, loop #$i, about to sleep $WAIT_FOR seconds zzzz..."
+ sleep $WAIT_FOR
+ done
+ TOTAL=`expr $WAIT_TIMES \* $WAIT_FOR / 60`
+ Exit "I HAVE WAITED LONG ENOUGH FOR $1 NOW, I'M GONE! (THAT WAS A TOTAL OF $TOTAL MINUTES) I have better things to do... "
+}
+
+################################ WaitForever ##################################
+# global shell function to wait for an event to happen, 1st parameter
+# filename to watch, 2nd parameter 0 - wait for it to disappear, 1 wait
+# for it to be created.
+# because we daon't have any relyable cron on NT...
+########################################################################
+
+WaitForever()
+{
+ i=0
+ Debug "Waiting for $1"
+ TOTAL=0
+ while [ 1 ]
+ do
+ i=`expr $i + 1`
+ if [ -f "$1" -a $2 -eq 1 ] # if file exists and is supposed to
+ then
+ return
+ fi
+ if [ ! -f "$1" -a $2 -eq 0 ] # not exists and not supposed to exist
+ then
+ return
+ fi
+ Debug "Waiting for $1, loop #$i, about to sleep $WAIT_FOR seconds Total $TOTAL"
+ sleep $WAIT_FOR
+ TOTAL=`expr $i \* $WAIT_FOR / 60`
+ if [ -n "$MAX_FOREVER" ] # we are cheating. Forever can be very short...
+ then
+ if [ "$TOTAL" -gt "$MAX_FOREVER" ]
+ then
+ Exit "I HAVE WAITED LONG ENOUGH FOR $1 NOW, I'M GONE! (THAT WAS A TOTAL OF $TOTAL MINUTES) I have better things to do... "
+ fi
+ fi
+ done
+}
+################################### is_running #########################
+# global shell function , implements primitive locking mechanism
+# filename is passed as a parameter, if filename.* exists we assume calling
+# script is running already and exit, otherwise filename.processid is
+# created
+########################################################################
+is_running()
+{
+ Debug "Testing if $0 is already running... file ${1} - ${1}.$$"
+ if [ -f ${1}.* ]
+ then
+ Exit "$0 seems to be running already ($1 exists) - Exiting"
+ fi
+ TMPFILES="$TMPFILES ${1}.$$"
+ echo "running $0 on `date` PID $$" >${1}.$$
+ Debug "wrote \"running $0 on `date` PID $$\" to ${1}.$$"
+
+}
+
+#---------------------------# USERCOM #---------------------------------
+############################## Echo #####################################
+# global shell function , depending on the options the output gets written
+# to a file, or is being discarded
+# FIXME \n and \c are mistreates by differnet shells, and linux has /bin/echo
+# instead of /usr/bin/echo
+########################################################################
+Echo ()
+{
+ if [ $O_SILENT = OFF ]
+ then
+ echo "$*"
+ #/usr/bin/echo "$*"
+ fi
+ if [ $O_FILE = ON ]
+ then
+ echo "$*" >>$FILENAME
+ fi
+}
+
+################################### ask ################################
+# global shell function, Asks the a question, and gives the returns 0
+# on the 1st choice, 1 on the 2nd choice
+#
+# PARAMETERS:
+# $1 question text
+# $2 1st choice
+# $3 2nd choice
+#
+# MODIFIERS:
+# -y O_ALWAYS_YES will assume a first choice always (not neccessaryly "y")
+#
+# RETURN:
+# 0 - User picked 1st choice
+# 1 - User picked 2nd choice
+#
+# EXAMPLE
+# ask "Would you like to continue" "y" "n" || Exit
+# will produce the string "Would you like to continue (y/n) ?",
+# read input from keyboard (or assume a yes with option -y)
+# - on a yes it will return 0, on a no it will return 1, the
+# shell interprets it as error and the || Exit will be executed
+#
+# NOTE: NEVER use "n" as the second parameter - it will mess up -y
+# don't ask "Continue" "n" "y" || Exit # it will Exit on a "y"
+#
+########################################################################
+Ask()
+{
+ ask $*
+}
+
+ask()
+{
+ if [ $O_ALWAYS_YES = ON ]
+ then
+ Echo "$1 ($2/$3) ?"
+ Echo "YES!"
+ return 0
+ fi
+ A=""
+ while [ 1 ]
+ do
+
+ Echo "$1 ($2/$3) ?"
+ read A
+ if [ -n "$A" ]
+ then
+ if [ $A = $2 ]
+ then
+ return 0
+ elif [ $A = $3 ]
+ then
+ return 1
+ fi
+ fi
+ done
+ return 0
+}
+
+################################### Warning ############################
+# global shell function, Asks the user a "... continue? (y/n)" question,
+# and exits when the user answers with no
+# NOTE -y will answer the warnings always with yes
+########################################################################
+Warning ()
+{
+ ask "WARNING: $0: \n $* continue " "y" "n" || Exit
+}
+
+################################### Debug ############################
+# global shell function, when option -d Debugging output is written
+########################################################################
+Debug()
+{
+ if [ $O_DEBUG = ON ]
+ then
+ Echo "DEBUG: (`date +%H:%M`) $0: $*"
+ fi
+}
+
+################################### line ###############################
+# global shell function, supposed to make output more readable...
+########################################################################
+line()
+{
+Echo
+#Echo "======================================================================="
+#Echo
+}
+
+################################### opt_usage ##########################
+# global shell function, tells user about available options
+########################################################################
+opt_usage()
+{
+ if [ $O_OPTIONS = "ON" ]
+ then
+ Echo
+ line
+ Echo
+ Echo " -y answer all questions with y - use at your own risk..."
+ Echo " -s silent (only usefull with -y)"
+ Echo " -h, -? - you guessed right - displays this text"
+ Echo " -d debug"
+ Echo " -f <filename> - write the (error)output to filename"
+ Echo " -fcronfile produces the resultfiles in the same locations"
+ Echo " as would have been produced with -cron"
+ Echo " -m <mailinglist> - send filename to mailinglist (csl "
+ Echo " example sonmi,nelsonb,wtc) only useful with -f"
+ Echo " -ml <mailinglist> - send link to filename to mailinglist "
+ Echo " (csl example sonmi,nelsonb,wtc) only useful with -f"
+ Echo " -cron equivalient to -y -s -d -f \$RESULTDIR/\$HOST.nssqa"
+ Echo " -t run on a tinderbox build (included -cron)"
+ if [ `basename $0` = nssqa ] ; then
+ Echo " -l <mozroot> run on a local build"
+ Echo " -ln <mozroot> copy a networkbuild to a local directory "
+ Echo " mozroot, used for networkindipendend QA "
+ Echo " -lt try to copy a networkbuild to a local directory, if"
+ Echo " not possible run on the network
+ Echo " used for networkindipendend QA
+ fi
+#
+# special strings
+ fi
+
+}
+
+################################### glob_usage #########################
+# global shell function, how to use the calling script (parameters, options)
+########################################################################
+glob_usage()
+{
+ line
+ Echo $1
+ Echo
+ if [ $O_OPTIONS = "ON" ]
+ then
+ Echo "usage $0 [options] nssversion builddate"
+ else
+ Echo "usage $0 nssversion builddate"
+ fi
+
+ Echo " for example: $0 30b 0926"
+ Echo " $0 31 1002"
+ opt_usage
+ Echo
+ Exit "$1"
+}
+
+tell()
+{
+ if [ $O_SILENT = OFF ]
+ then
+ line
+ pwd
+ ls -CF
+ line
+ fi
+ if [ $O_FILE = ON ]
+ then
+ line
+ pwd >>$FILENAME
+ ls -CF >>$FILENAME
+ line
+ fi
+}
+
+if [ $O_INIT = "ON" ]
+then
+ glob_init $*
+fi
+EARLY_EXIT=FALSE
diff --git a/security/nss/tests/iopr/cert_iopr.sh b/security/nss/tests/iopr/cert_iopr.sh
new file mode 100644
index 000000000..bb1bf047c
--- /dev/null
+++ b/security/nss/tests/iopr/cert_iopr.sh
@@ -0,0 +1,405 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/cert_iopr.sh
+#
+# Certificate generating and handeling for NSS interoperability QA. This file
+# is included from cert.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+
+IOPR_CERT_SOURCED=1
+
+########################################################################
+# function wraps calls to pk12util, also: writes action and options
+# to stdout.
+# Params are the same as to pk12util.
+# Returns pk12util status
+#
+pk12u()
+{
+ echo "${CU_ACTION} --------------------------"
+
+ echo "pk12util $@"
+ ${BINDIR}/pk12util $@
+ RET=$?
+
+ return $RET
+}
+
+########################################################################
+# Initializes nss db directory and files if they don't exists
+# Params:
+# $1 - directory location
+#
+createDBDir() {
+ trgDir=$1
+
+ if [ -z "`ls $trgDir | grep db`" ]; then
+ trgDir=`cd ${trgDir}; pwd`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ trgDir=`cygpath -m ${trgDir}`
+ fi
+
+ CU_ACTION="Initializing DB at ${trgDir}"
+ certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
+ modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+ fi
+}
+########################################################################
+# takes care of downloading config, cert and crl files from remote
+# location.
+# Params:
+# $1 - name of the host file will be downloaded from
+# $2 - path to the file as it appeared in url
+# $3 - target directory the file will be saved at.
+# Returns tstclnt status.
+#
+download_file() {
+ host=$1
+ filePath=$2
+ trgDir=$3
+
+ file=$trgDir/`basename $filePath`
+
+ createDBDir $trgDir || return $RET
+
+# echo wget -O $file http://${host}${filePath}
+# wget -O $file http://${host}${filePath}
+# ret=$?
+
+ req=$file.$$
+ echo "GET $filePath HTTP/1.0" > $req
+ echo >> $req
+
+ echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
+ -v -w ${R_PWFILE} -o
+ ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
+ -v -w ${R_PWFILE} -o < $req > $file
+ ret=$?
+ rm -f $_tmp;
+ return $ret
+}
+
+########################################################################
+# Uses pk12util, certutil of cerlutil to import files to an nss db located
+# at <dir>(the value of $1 parameter). Chooses a utility to use based on
+# a file extension. Initializing a db if it does not exists.
+# Params:
+# $1 - db location directory
+# $2 - file name to import
+# $3 - nick name an object in the file will be associated with
+# $4 - trust arguments
+# Returns status of import
+#
+importFile() {
+ dir=$1\
+ file=$2
+ certName=$3
+ certTrust=$4
+
+ [ ! -d $dir ] && mkdir -p $dir;
+
+ createDBDir $dir || return $RET
+
+ case `basename $file | sed 's/^.*\.//'` in
+ p12)
+ CU_ACTION="Importing p12 $file to DB at $dir"
+ pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr
+ [ $? -ne 0 ] && return 1
+ CU_ACTION="Modifying trust for cert $certName at $dir"
+ certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
+ return $?
+ ;;
+
+ crl)
+ CU_ACTION="Importing crl $file to DB at $dir"
+ crlu -d ${dir} -I -n TestCA -i $file
+ return $?
+ ;;
+
+ crt | cert)
+ CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
+ certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
+ -i "$file"
+ return $?
+ ;;
+
+ *)
+ echo "Unknown file extension: $file:"
+ return 1
+ ;;
+ esac
+}
+
+
+#########################################################################
+# Downloads and installs test certs and crl from a remote webserver.
+# Generates server cert for reverse testing if reverse test run is turned on.
+# Params:
+# $1 - host name to download files from.
+# $2 - directory at which CA cert will be installed and used for
+# signing a server cert.
+# $3 - path to a config file in webserver context.
+# $4 - ssl server db location
+# $5 - ssl client db location
+# $5 - ocsp client db location
+#
+# Returns 0 upon success, otherwise, failed command error code.
+#
+download_install_certs() {
+ host=$1
+ caDir=$2
+ confPath=$3
+ sslServerDir=$4
+ sslClientDir=$5
+ ocspClientDir=$6
+
+ [ ! -d "$caDir" ] && mkdir -p $caDir;
+
+ #=======================================================
+ # Getting config file
+ #
+ download_file $host "$confPath/iopr_server.cfg" $caDir
+ RET=$?
+ if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then
+ html_failed "Fail to download website config file(ws: $host)"
+ return 1
+ fi
+
+ . $caDir/iopr_server.cfg
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to source config file(ws: $host)"
+ return $RET
+ fi
+
+ #=======================================================
+ # Getting CA file
+ #
+
+ #----------------- !!!WARNING!!! -----------------------
+ # Do NOT copy this scenario. CA should never accompany its
+ # cert with the private key when deliver cert to a customer.
+ #----------------- !!!WARNING!!! -----------------------
+
+ download_file $host $certDir/$caCertName.p12 $caDir
+ RET=$?
+ if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then
+ html_failed "Fail to download $caCertName cert(ws: $host)"
+ return 1
+ fi
+ tmpFiles="$caDir/$caCertName.p12"
+
+ importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import $caCertName cert to CA DB(ws: $host)"
+ return $RET
+ fi
+
+ CU_ACTION="Exporting Root CA cert(ws: $host)"
+ certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert
+ if [ "$RET" -ne 0 ]; then
+ Exit 7 "Fatal - failed to export $caCertName cert"
+ fi
+
+ #=======================================================
+ # Check what tests we want to run
+ #
+ doSslTests=0; doOcspTests=0
+ # XXX remove "_new" from variables below
+ [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1
+ [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1
+
+ if [ $doSslTests -eq 1 ]; then
+ if [ "$reverseRunCGIScript" ]; then
+ [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;
+ #=======================================================
+ # Import CA cert to server DB
+ #
+ importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \
+ "TC,C,C"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import server-client-CA cert to \
+ server DB(ws: $host)"
+ return $RET
+ fi
+
+ #=======================================================
+ # Creating server cert
+ #
+ CERTNAME=$HOSTADDR
+
+ CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
+ L=Mountain View, ST=California, C=US"
+ certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
+ -o $sslServerDir/req 2>&1
+ tmpFiles="$tmpFiles $sslServerDir/req"
+
+ # NOTE:
+ # For possible time synchronization problems (bug 444308) we generate
+ # certificates valid also some time in past (-w -1)
+
+ CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
+ certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \
+ -d "${caDir}" \
+ -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \
+ -f "${R_PWFILE}" 2>&1
+
+ importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import $CERTNAME cert to server\
+ DB(ws: $host)"
+ return $RET
+ fi
+ tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
+
+ #=======================================================
+ # Download and import CA crl to server DB
+ #
+ download_file $host "$certDir/$caCrlName.crl" $sslServerDir
+ RET=$?
+ if [ $? -ne 0 ]; then
+ html_failed "Fail to download $caCertName crl\
+ (ws: $host)"
+ return $RET
+ fi
+ tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"
+
+ importFile $sslServerDir $sslServerDir/TestCA.crl
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import TestCA crt to server\
+ DB(ws: $host)"
+ return $RET
+ fi
+ fi # if [ "$reverseRunCGIScript" ]
+
+ [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;
+ #=======================================================
+ # Import CA cert to ssl client DB
+ #
+ importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \
+ "TC,C,C"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import server-client-CA cert to \
+ server DB(ws: $host)"
+ return $RET
+ fi
+ fi
+
+ if [ $doOcspTests -eq 1 ]; then
+ [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;
+ #=======================================================
+ # Import CA cert to ocsp client DB
+ #
+ importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \
+ "TC,C,C"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import server-client-CA cert to \
+ server DB(ws: $host)"
+ return $RET
+ fi
+ fi
+
+ #=======================================================
+ # Import client certs to client DB
+ #
+ for fileName in $downloadFiles; do
+ certName=`echo $fileName | sed 's/\..*//'`
+
+ if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then
+ clientDir=$ocspClientDir
+ elif [ $doSslTests -eq 1 ]; then
+ clientDir=$sslClientDir
+ else
+ continue
+ fi
+
+ download_file $host "$certDir/$fileName" $clientDir
+ RET=$?
+ if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then
+ html_failed "Fail to download $certName cert(ws: $host)"
+ return $RET
+ fi
+ tmpFiles="$tmpFiles $clientDir/$fileName"
+
+ importFile $clientDir $clientDir/$fileName $certName ",,"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ html_failed "Fail to import $certName cert to client DB\
+ (ws: $host)"
+ return $RET
+ fi
+ done
+
+ rm -f $tmpFiles
+
+ return 0
+}
+
+
+#########################################################################
+# Initial point for downloading config, cert, crl files for multiple hosts
+# involved in interoperability testing. Called from nss/tests/cert/cert.sh
+# It will only proceed with downloading if environment variable
+# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise.
+#
+cert_iopr_setup() {
+
+ if [ "$IOPR" -ne 1 ]; then
+ return 1
+ fi
+ num=1
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '`
+ while [ "$IOPR_HOST_PARAM" ]; do
+ IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+ IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+ [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443
+ IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`
+ [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"
+
+ echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\
+ $IOPR_CONF_PATH"
+
+ download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \
+ ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \
+ ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \
+ ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
+ if [ $? -ne 0 ]; then
+ echo "wsFlags=\"NOIOPR $wsParam\"" >> \
+ ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+ fi
+ num=`expr $num + 1`
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ done
+
+ return 0
+}
diff --git a/security/nss/tests/iopr/ocsp_iopr.sh b/security/nss/tests/iopr/ocsp_iopr.sh
new file mode 100644
index 000000000..dcc6e1ffb
--- /dev/null
+++ b/security/nss/tests/iopr/ocsp_iopr.sh
@@ -0,0 +1,231 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/ocsp_iopr.sh
+#
+# NSS SSL interoperability QA. This file is included from ssl.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+IOPR_OCSP_SOURCED=1
+
+########################################################################
+# The funtion works with variables defined in interoperability
+# configuration file that gets downloaded from a webserver.
+# The function sets test parameters defind for a particular type
+# of testing.
+#
+# No return value
+#
+setTestParam() {
+ type=$1
+ testParam=`eval 'echo $'${type}Param`
+ testDescription=`eval 'echo $'${type}Descr`
+ testProto=`eval 'echo $'${type}Proto`
+ testPort=`eval 'echo $'${type}Port`
+ testResponder=`eval 'echo $'${type}ResponderCert`
+ testValidCertNames=`eval 'echo $'${type}ValidCertNames`
+ testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames`
+ testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames`
+}
+
+########################################################################
+# The funtion checks status of a cert using ocspclnt.
+# Params:
+# dbDir - nss cert db location
+# cert - cert in question
+# respUrl - responder url is available
+# defRespCert - trusted responder cert
+#
+# Return values:
+# 0 - test passed, 1 - otherwise.
+#
+ocsp_get_cert_status() {
+ dbDir=$1
+ cert=$2
+ respUrl=$3
+ defRespCert=$4
+
+ if [ -n "$respUrl" -o -n "$defRespCert" ]; then
+ if [ -z "$respUrl" -o -z "$defRespCert" ]; then
+ html_failed "Incorrect test params"
+ return 1
+ fi
+ clntParam="-l $respUrl -t $defRespCert"
+ fi
+
+ if [ -z "${MEMLEAK_DBG}" ]; then
+ outFile=$dbDir/ocsptest.out.$$
+ echo "ocspclnt -d $dbDir -S $cert $clntParam"
+ ${BINDIR}/ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1
+ ret=$?
+ echo "ocspclnt output:"
+ cat $outFile
+ [ -z "`grep succeeded $outFile`" ] && ret=1
+
+ rm -f $outFile
+ return $ret
+ fi
+
+ OCSP_ATTR="-d $dbDir -S $cert $clntParam"
+ ${RUN_COMMAND_DBG} ${BINDIR}/ocspclnt ${OCSP_ATTR}
+}
+
+########################################################################
+# The funtion checks status of a cert using ocspclnt.
+# Params:
+# testType - type of the test based on type of used responder
+# servName - FQDM of the responder server
+# dbDir - nss cert db location
+#
+# No return value
+#
+ocsp_iopr() {
+ testType=$1
+ servName=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOCOV`" != "" ]; then
+ echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
+ "run by server configuration"
+ return 0
+ fi
+
+ if [ -z "${MEMLEAK_DBG}" ]; then
+ html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \
+ "Test Type: $testDescription"
+ fi
+
+ if [ -n "$testResponder" ]; then
+ responderUrl="$testProto://$servName:$testPort"
+ else
+ responderUrl=""
+ fi
+
+ if [ -z "${MEMLEAK_DBG}" ]; then
+ for certName in $testValidCertNames; do
+ ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+ "$testResponder"
+ html_msg $? 0 "Getting status of a valid cert ($certName)" \
+ "produced a returncode of $ret, expected is 0."
+ done
+
+ for certName in $testRevokedCertNames; do
+ ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+ "$testResponder"
+ html_msg $? 1 "Getting status of a unvalid cert ($certName)" \
+ "produced a returncode of $ret, expected is 1."
+ done
+
+ for certName in $testStatUnknownCertNames; do
+ ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+ "$testResponder"
+ html_msg $? 1 "Getting status of a cert with unknown status " \
+ "($certName) produced a returncode of $ret, expected is 1."
+ done
+ else
+ for certName in $testValidCertNames $testRevokedCertNames \
+ $testStatUnknownCertName; do
+ ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+ "$testResponder"
+ done
+ fi
+}
+
+#####################################################################
+# Initial point for running ocsp test againt multiple hosts involved in
+# interoperability testing. Called from nss/tests/ocsp/ocsp.sh
+# It will only proceed with test run for a specific host if environment variable
+# IOPR_HOSTADDR_LIST was set, had the host name in the list
+# and all needed file were successfully downloaded and installed for the host.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise.
+#
+ocsp_iopr_run() {
+ NO_ECC_CERTS=1 # disable ECC for interoperability tests
+
+ if [ "$IOPR" -ne 1 ]; then
+ return 1
+ fi
+ cd ${CLIENTDIR}
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ html_head "Memory leak checking - IOPR"
+ fi
+
+ num=1
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ while [ "$IOPR_HOST_PARAM" ]; do
+ IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+ IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+ [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443
+
+ . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+ RES=$?
+
+ num=`expr $num + 1`
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+
+ if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then
+ continue
+ fi
+
+ #=======================================================
+ # Check what server is configured to run ssl tests
+ #
+ [ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue;
+
+ # Testing directories defined by webserver.
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ LOGNAME=iopr-${IOPR_HOSTADDR}
+ LOGFILE=${LOGDIR}/${LOGNAME}.log
+ fi
+
+ # Testing directories defined by webserver.
+ echo "Testing ocsp interoperability.
+ Client: local(tstclnt).
+ Responder: remote($IOPR_HOSTADDR)"
+
+ for ocspTestType in ${supportedTests_new}; do
+ if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then
+ continue
+ fi
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
+ ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} 2>> ${LOGFILE}
+ else
+ ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
+ ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
+ fi
+ done
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ log_parse
+ ret=$?
+ html_msg ${ret} 0 "${LOGNAME}" \
+ "produced a returncode of $ret, expected is 0"
+ fi
+
+ echo "================================================"
+ echo "Done testing ocsp interoperability with $IOPR_HOSTADDR"
+ done
+
+ if [ -n "${MEMLEAK_DBG}" ]; then
+ html "</TABLE><BR>"
+ fi
+
+ NO_ECC_CERTS=0
+ return 0
+}
+
diff --git a/security/nss/tests/iopr/server_scr/apache_unix.cfg b/security/nss/tests/iopr/server_scr/apache_unix.cfg
new file mode 100644
index 000000000..3992bf52d
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/apache_unix.cfg
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# Apache OPENSSL configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "openssl";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "$certDir/cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed openssl binary
+#
+$opensslb = "/usr/local/bin/openssl";
+
+
+#
+# General location of apache server
+#
+$apacheHttpd="/var/httpd-ssl";
+
+#
+# HTTP Request file
+#
+$reqFile = "$apacheHttpd/cgi-bin/sslreq.dat";
+
+#
+# OpenSSL certificate directory
+#
+$certDir = "$apacheHttpd/cert";
+
+#
+# CA certificate file
+#
+$caCertFile = "$certDir/serverCA.crt";
diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh
new file mode 100644
index 000000000..17771ade1
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
@@ -0,0 +1,367 @@
+#!/bin/bash
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+######################################################################################
+# Server and client certs and crl generator functions. Generated files placed in a <dir>
+# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
+# This functions is used for manual webserver configuration and it is not a part of
+# nss test run.
+# To create certs use the following command:
+# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
+# Where:
+# dir - directory where to place created files
+# cert name - name of created server cert(FQDN)
+# cert req - cert request to be used for cert generation.
+#
+repAndExec() {
+ echo
+ if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
+ shift
+ echo certutil -s "$CU_SUBJECT" $@
+ certutil -s "$CU_SUBJECT" $@
+ RET=$?
+ else
+ echo $@
+ $@
+ RET=$?
+ fi
+
+ return $RET
+}
+
+setExtData() {
+ extData=$1
+
+ fldNum=0
+ extData=`echo $extData | sed 's/,/ /g'`
+ for extDT in $extData; do
+ if [ $fldNum -eq 0 ]; then
+ eval extType=$extDT
+ fldNum=1
+ continue
+ fi
+ eval data${fldNum}=$extDT
+ fldNum=`expr $fldNum + 1`
+ done
+}
+
+signCert() {
+ dir=$1
+ crtDir=$2
+ crtName=$3
+ crtSN=$4
+ req=$5
+ cuAddParam=$6
+ extList=$7
+
+ if [ -z "$certSigner" ]; then
+ certSigner=TestCA
+ fi
+
+ extCmdLine=""
+ extCmdFile=$dir/extInFile; rm -f $extCmdFile
+ touch $extCmdFile
+ extList=`echo $extList | sed 's/;/ /g'`
+ for ext in $extList; do
+ setExtData $ext
+ [ -z "$extType" ] && echo "incorrect extention format" && return 1
+ case $extType in
+ ocspDR)
+ extCmdLine="$extCmdLine -6"
+ cat <<EOF >> $extCmdFile
+5
+9
+y
+EOF
+ break
+ exit 1
+ ;;
+ AIA)
+ extCmdLine="$extCmdLine -9"
+ cat <<EOF >> $extCmdFile
+2
+7
+$data1
+0
+n
+n
+EOF
+ break
+ ;;
+ *)
+ echo "Unsupported extension type: $extType"
+ break
+ ;;
+ esac
+ done
+ echo "cmdLine: $extCmdLine"
+ echo "cmdFile: "`cat $extCmdFile`
+ repAndExec \
+ certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
+ -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
+ return $RET
+}
+
+createSignedCert() {
+ dir=$1
+ certDir=$2
+ certName=$3
+ certSN=$4
+ certSubj=$5
+ keyType=$6
+ extList=$7
+
+ echo Creating cert $certName-$keyType with SN=$certSN
+
+ CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
+ -k $keyType -o $dir/req 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ rm -f $dir/req
+
+ repAndExec \
+ certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
+ -i "$dir/${certName}-$keyType.crt" 2>&1
+ [ "$RET" -ne 0 ] && return $RET
+
+ cp "$dir/${certName}-$keyType.crt" $certDir
+
+ repAndExec \
+ pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
+ -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ return 0
+}
+
+generateAndExportSSLCerts() {
+ dir=$1
+ certDir=$2
+ serverName=$3
+ servCertReq=$4
+
+ if [ "$servCertReq" -a -f $servCertReq ]; then
+ grep REQUEST $servCertReq >/dev/null 2>&1
+ signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+ fi
+
+ certName=$serverName
+ createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser510
+ createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser511
+ createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser512
+ createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=TestUser513
+ createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+}
+
+generateAndExportOCSPCerts() {
+ dir=$1
+ certDir=$2
+
+ certName=ocspTrustedResponder
+ createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDesignatedResponder
+ createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser514
+ createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspTRTestUser516
+ createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser518
+ createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCATestUser520
+ createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser522
+ createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRTestUser524
+ createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ generateAndExportCACert $dir "" TestCA-unknown
+ [ $? -ne 0 ] && return $ret
+
+ certSigner=TestCA-unknown
+
+ certName=ocspTRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspRCAUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2561
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certName=ocspDRUnkownIssuerCert
+ createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
+ AIA,http://dochinups.red.iplanet.com:2562
+ ret=$?
+ [ "$ret" -ne 0 ] && return $ret
+
+ certSigner=""
+
+ return 0
+}
+
+generateAndExportCACert() {
+ dir=$1
+ certDirL=$2
+ caName=$3
+
+ certName=TestCA
+ [ "$caName" ] && certName=$caName
+ CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ repAndExec \
+ certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
+ -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
+5
+6
+9
+n
+y
+-1
+n
+EOF
+
+ if [ "$certDirL" ]; then
+ repAndExec \
+ certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
+ [ "$RET" -ne 0 ] && return $RET
+
+ repAndExec \
+ pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
+ [ "$RET" -ne 0 ] && return $RET
+ fi
+}
+
+
+generateCerts() {
+ certDir=$1
+ serverName=$2
+ reuseCACert=$3
+ servCertReq=$4
+
+ [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
+ [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
+
+ mkdir -p $certDir
+ [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
+
+
+ dir=/tmp/db.$$
+ if [ -z "$reuseCACert" ]; then
+ if [ -d "$dir" ]; then
+ rm -f $dir
+ fi
+
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+
+ mkdir -p $dir
+ [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
+
+ echo nss > $PW_FILE
+ date >> ${NOISE_FILE} 2>&1
+
+ repAndExec \
+ certutil -d $dir -N -f $PW_FILE
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportCACert $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+ else
+ dir=$reuseCACert
+ PW_FILE=$dir/nss.pwd
+ NOISE_FILE=$dir/nss.noise
+ hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
+ [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
+ return $RET;
+ fi
+
+ generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
+ [ "$RET" -ne 0 ] && return $RET
+
+ generateAndExportOCSPCerts $dir $certDir
+ [ "$RET" -ne 0 ] && return $RET
+
+ crlUpdate=`date +%Y%m%d%H%M%SZ`
+ crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
+ repAndExec \
+ crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
+update=$crlUpdate
+nextupdate=$crlNextUpdate
+addcert 509-511 $crlUpdate
+addcert 516 $crlUpdate
+addcert 520 $crlUpdate
+addcert 524 $crlUpdate
+EOF_CRLINI
+ [ "$RET" -ne 0 ] && return $RET
+
+ rm -rf $dir
+ return 0
+}
+
+
+if [ -z "$1" -o -z "$2" ]; then
+ echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
+ exit 1
+fi
+generateCerts $1 $2 "$3" $4
+exit $?
diff --git a/security/nss/tests/iopr/server_scr/cipher.list b/security/nss/tests/iopr/server_scr/cipher.list
new file mode 100644
index 000000000..668084c37
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cipher.list
@@ -0,0 +1,98 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+nss openssl iis
+
+#
+# SSL v3.0 cipher suites.
+#
+SSL3_RSA_WITH_NULL_MD5 NULL-MD5 i
+SSL3_RSA_WITH_NULL_SHA NULL-SHA z
+SSL3_RSA_WITH_RC4_128_MD5 RC4-MD5 c
+SSL3_RSA_WITH_RC4_128_SHA RC4-SHA n
+SSL3_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+SSL3_RSA_WITH_DES_CBC_SHA DES-CBC-SHA e
+SSL3_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA d
+
+SSL3_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA s
+SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA q
+SSL3_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+SSL3_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+SSL3_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+SSL3_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+SSL3_FORTEZZA_KEA_WITH_NULL_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_RC4_128_SHA Not_implemented.
+
+#
+# Next four added to have ciphers below for SSL3 protocol
+#
+SSL3_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+SSL3_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+#
+#TLS v1.0 cipher suites.
+#
+TLS_RSA_WITH_NULL_MD5 NULL-MD5
+TLS_RSA_WITH_NULL_SHA NULL-SHA
+TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
+TLS_RSA_WITH_RC4_128_SHA RC4-SHA
+TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
+TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
+
+TLS_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
+TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+#
+#AES ciphersuites from RFC3268, extending TLS v1.0
+#
+
+TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
+TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
+TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
+TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA
+
+TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
+TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
+TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
+
+TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
+TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
+
+#
+#Additional cipher suites
+#
+#Note: these ciphers can also be used in SSL v3.
+#
+TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
+
+#
+# FIPS cipher list
+#
+TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+TLS_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi
new file mode 100644
index 000000000..581ad06d1
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/client.cgi
@@ -0,0 +1,526 @@
+#!/usr/bin/perl
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#--------------------------------------------------------------
+# cgi script that parses request argument to appropriate
+# open ssl or tstclntw options and starts ssl client.
+#
+
+use CGI qw/:standard/;
+
+use subs qw(debug);
+
+#--------------------------------------------------------------
+# Prints out an error string and exits the script with an
+# exitStatus.
+# Param:
+# str : an error string
+# exitStat: an exit status of the program
+#
+sub svr_error {
+ my ($str, $exitStat) = @_;
+
+ if (!defined $str || $str eq "") {
+ $str = $ERR;
+ }
+ print "SERVER ERROR: $str\n";
+ if ($exitStat) {
+ print end_html if ($osDataArr{wservRun});
+ exit $exitStat;
+ }
+}
+
+#--------------------------------------------------------------
+# Prints out a debug message
+# Params:
+# str: debug message
+# inVal: additional value to print(optional)
+#
+sub debug {
+ my ($str, $inVal) = @_;
+
+ print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1);
+}
+
+
+#--------------------------------------------------------------
+# Initializes execution context depending on a webserver the
+# script is running under.
+#
+sub init {
+ %osDataArr = (
+ loadSupportedCipthersFn => \&osSpecific,
+ cipherIsSupportedFn => \&verifyCipherSupport,
+ cipherListFn => \&convertCipher,
+ buildCipherTableFn => \&buildCipherTable,
+ execCmdFn => \&osSpecific,
+ );
+
+ $scriptName = $ENV{'SCRIPT_NAME'};
+ if (!defined $scriptName) {
+ $DEBUG=1;
+ debug "Debug is ON";
+ }
+ $DEBUG=1;
+
+ $svrSoft = $ENV{'SERVER_SOFTWARE'};
+ if (defined $svrSoft) {
+ $_ = $svrSoft;
+ /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS");
+ /.*Apache.*/ && ($osDataArr{wserv} = "Apache");
+ $osDataArr{wservRun} = 1;
+ } else {
+ $osDataArr{wserv} = "Apache";
+ $osDataArr{wservRun} = 0;
+ }
+}
+
+#--------------------------------------------------------------
+# Function-spigot to handle errors is OS specific functions are
+# not implemented for a particular OS.
+# Returns:
+# always returns 0(failure)
+#
+sub osSpecific {
+ $ERR = "This function should be swapped to os specific function.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Sets os specific execution context values.
+# Returns:
+# 1 upon success, or 0 upon failure(if OS was not recognized)
+#
+sub setFunctRefs {
+
+ debug("Entering setFunctRefs function", $osDataArr{wserv});
+
+ if ($osDataArr{wserv} eq "Apache") {
+ $osDataArr{osConfigFile} = "apache_unix.cfg";
+ $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL';
+ $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix;
+ $osDataArr{execCmdFn} = \&execClientCmd_Unix;
+ } elsif ($osDataArr{wserv} eq "IIS") {
+ $osDataArr{osConfigFile} = "iis_windows.cfg";
+ $osDataArr{suppCiphersCmd} = '$tstclntwb';
+ $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win;
+ $osDataArr{execCmdFn} = \&execClientCmd_Win;
+ } else {
+ $ERR = "Unknown Web Server type.";
+ return 0;
+ }
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Parses data from HTTP request. Will print a form if request
+# does not contain sufficient number of parameters.
+# Returns:
+# 1 if request has sufficient number of parameters
+# 0 if not.
+sub getReqData {
+ my $debug = param('debug');
+ $in_host = param('host');
+ $in_port = param('port');
+ $in_cert = param('cert');
+ $in_cipher = param('cipher');
+
+ if (!$osDataArr{wservRun}) {
+ $in_host="goa1";
+ $in_port="443";
+ $in_cert="TestUser511";
+ $in_cipher = "SSL3_RSA_WITH_NULL_SHA";
+ }
+
+ debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher");
+
+ if (defined $debug && $debug == "debug on") {
+ $DEBUG = 1;
+ }
+
+ if (!defined $in_host || $in_host eq "" ||
+ !defined $in_port || $in_port eq "" ||
+ !defined $in_cert || $in_cert eq "") {
+ if ($osDataArr{wservRun}) {
+ print h1('Command description form:'),
+ start_form(-method=>"get"),
+ "Host: ",textfield('host'),p,
+ "Port: ",textfield('port'),p,
+ "Cert: ",textfield('cert'),p,
+ "Cipher: ",textfield('cipher'),p,
+ checkbox_group(-name=>'debug',
+ -values=>['debug on ']),
+ submit,
+ end_form,
+ hr;
+ } else {
+ print "Printing html form to get client arguments\n";
+ }
+ $ERR = "the following parameters are required: host, port, cert";
+ return 0;
+ } else {
+ print "<pre>" if ($osDataArr{wservRun});
+ return 1;
+ }
+}
+
+
+#--------------------------------------------------------------
+# Building cipher conversion table from file based on the OS.
+# Params:
+# tfile: cipher conversion file.
+# sysName: system name
+# tblPrt: returned pointer to a table.
+sub buildCipherTable {
+ my ($tfile, $sysName, $tblPrt) = @_;
+ my @retArr = @$tblPrt;
+ my %table, %rtable;
+ my $strCount = 0;
+
+ debug("Entering getReqData function", "$tfile:$sysName:$tblPrt");
+
+ ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/);
+ if (!open(TFILE, "$tfile")) {
+ $ERR = "Missing cipher conversion table file.";
+ return 0;
+ }
+ foreach (<TFILE>) {
+ chop;
+ /^#.*/ && next;
+ /^\s*$/ && next;
+ if ($strCount++ == 0) {
+ my @sysArr = split /\s+/;
+ $colCount = 0;
+ for (;$colCount <= $#sysArr;$colCount++) {
+ last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/);
+ }
+ next;
+ }
+ my @ciphArr = split /\s+/, $_;
+ $table{$ciphArr[0]} = $ciphArr[$colCount];
+ $rtable{$ciphArr[$colCount]} = $ciphArr[0];
+ }
+ close(TFILE);
+ $cipherTablePtr[0] = \%table;
+ $cipherTablePtr[1] = \%rtable;
+ return 1
+}
+
+#--------------------------------------------------------------
+# Client configuration function. Loads client configuration file.
+# Initiates cipher table. Loads cipher list supported by ssl client.
+#
+sub configClient {
+
+ debug "Entering configClient function";
+
+ my $res = &setFunctRefs();
+ return $res if (!$res);
+
+ open(CFILE, $osDataArr{'osConfigFile'}) ||
+ ($ERR = "Missing configuration file." && return 0);
+ foreach (<CFILE>) {
+ /^#.*/ && next;
+ chop;
+ eval $_;
+ }
+ close(CFILE);
+
+ local @cipherTablePtr = ();
+ $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0;
+ $osDataArr{cipherTable} = $cipherTablePtr[0];
+ $osDataArr{rcipherTable} = $cipherTablePtr[1];
+
+ local $suppCiphersTablePrt;
+ &{$osDataArr{'loadSupportedCipthersFn'}} || return 0;
+ $osDataArr{suppCiphersTable} = $suppCiphersTablePrt;
+}
+
+#--------------------------------------------------------------
+# Verifies that a particular cipher is supported.
+# Params:
+# checkCipher: cipher name
+# Returns:
+# 1 - cipher is supported(also echos the cipher).
+# 0 - not supported.
+#
+sub verifyCipherSupport {
+ my ($checkCipher) = @_;
+ my @suppCiphersTable = @{$osDataArr{suppCiphersTable}};
+
+ debug("Entering verifyCipherSupport", $checkCipher);
+ foreach (@suppCiphersTable) {
+ return 1 if ($checkCipher eq $_);
+ }
+ $ERR = "cipher is not supported.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Converts long(?name of the type?) cipher name to
+# openssl/tstclntw cipher name.
+# Returns:
+# 0 if cipher was not listed. 1 upon success.
+#
+sub convertCipher {
+ my ($cipher) = @_;
+ my @retList;
+ my $resStr;
+ my %cipherTable = %{$osDataArr{cipherTable}};
+
+ debug("Entering convertCipher", $cipher);
+ if (defined $cipher) {
+ my $cphr = $cipherTable{$cipher};
+ if (!defined $cphr) {
+ $ERR = "cipher is not listed.";
+ return 0;
+ }
+ &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0;
+ $ciphers = "$cphr";
+ return 1;
+ }
+ return 0;
+}
+
+#################################################################
+# UNIX Apache Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Unix {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Unix function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ @arr = <OUT>;
+ chop $arr[0];
+ @suppCiphersTable = split /:/, $arr[0];
+ debug("Supported ciphers", $arr[0]);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Unix {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Unix";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-".$arr[0];
+ $proto =~ tr /SLT/slt/;
+ $proto = "-tls1" if ($proto eq "-tls");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-cipher $ciphers";
+ debug("Return from cipher conversion", "$ciphers");
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/:no ciphers available/) {
+ $haveErrors++;
+ svr_error "no cipthers available\n";
+ next;
+ }
+ if (/verify error:/) {
+ $haveErrors++;
+ svr_error "unable to do verification\n";
+ next;
+ }
+ if (/alert certificate revoked:/) {
+ $haveErrors++;
+ svr_error "attempt to connect with revoked sertificate\n";
+ next;
+ }
+ if (/(error|ERROR)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ /verify return:1/ && ($haveVerify = 1);
+ }
+ if ($haveVerify == 0) {
+ svr_error "no 'verify return:1' found in server log\n";
+ $haveErrors++;
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Unix";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Unix";
+ return 1;
+}
+
+#################################################################
+# Windows IIS Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Win {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Win function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ my $startCipherList = 0;
+ foreach (<OUT>) {
+ chop;
+ if ($startCipherList) {
+ /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1;
+ next;
+ }
+ /.*from list below.*/ && ($startCipherList = 1);
+ }
+ debug("Supported ciphers", join ':', @suppCiphersTable);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Win {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Win";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-2 -3 -T";
+
+ $proto =~ s/-T// if ($arr[0] eq "TLS");
+ $proto =~ s/-3// if ($arr[0] eq "SSL3");
+ $proto =~ s/-2// if ($arr[0] eq "SSL2");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-c $ciphers";
+ debug("Return from cipher conversion", $ciphers);
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/Error performing handshake/) {
+ $haveErrors++;
+ svr_error "Error performing handshake\n";
+ next;
+ }
+ if (/Error creating credentials/) {
+ $haveErrors++;
+ svr_error "Error creating credentials\n";
+ next;
+ }
+ if (/Error .* authenticating server credentials!/) {
+ $haveErrors++;
+ svr_error "Error authenticating server credentials\n";
+ next;
+ }
+ if (/(error|ERROR|Error)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Win";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Win";
+ return 1;
+}
+
+#################################################################
+# Main line of execution
+#----------------------------------------------------------------
+&init;
+
+if ($osDataArr{wservRun}) {
+ print header('text/html').
+ start_html('iopr client');
+}
+
+print "SCRIPT=OK\n";
+
+if (!&getReqData) {
+ svr_error($ERR, 1);
+}
+
+if (!&configClient) {
+ svr_error($ERR, 1);
+}
+
+&{$osDataArr{'execCmdFn'}} || svr_error;
+
+if ($osDataArr{wservRun}) {
+ print "</pre>";
+ print end_html;
+}
diff --git a/security/nss/tests/iopr/server_scr/config b/security/nss/tests/iopr/server_scr/config
new file mode 100644
index 000000000..9e65b926c
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/config
@@ -0,0 +1,17 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+userCertNames="TestUser510 TestUser511"
+userRevokedCertNames="TestUser510"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+supportedTests="SslSingleHs"
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsPort=443
+SslSingleHsUrl=/
+SslSingleHsParam=NOAUTH:NOCOV:NOCRL
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 / NOAUTH:NOCOV:NOCRL"
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 /"
diff --git a/security/nss/tests/iopr/server_scr/iis_windows.cfg b/security/nss/tests/iopr/server_scr/iis_windows.cfg
new file mode 100644
index 000000000..76499b8b6
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iis_windows.cfg
@@ -0,0 +1,33 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# IIS windows configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "iis";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed tstclntb binary
+#
+$tstclntwb = "./tstclntw.exe";
+
+#
+# HTTP Request file
+#
+$reqFile = "sslreq.dat";
+
+
diff --git a/security/nss/tests/iopr/server_scr/iopr_server.cfg b/security/nss/tests/iopr/server_scr/iopr_server.cfg
new file mode 100644
index 000000000..2b196e015
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iopr_server.cfg
@@ -0,0 +1,67 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+
+#old values
+userCertNames="TestUser510-rsa TestUser512-rsa"
+userRevokedCertNames="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+supportedTests="SslSingleHs SslSecondHs"
+#supportedTests="SslSecondHs"
+
+
+downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
+# Keep a space at the end of
+SslClntValidCertName="TestUser512-rsa"
+SslClntRevokedCertName="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+
+supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
+
+#
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsDescr="ssl with single handshake without client cert auth"
+SslSingleHsPort=443
+SslSingleHsUrl=/iopr_test/test_pg.html
+SslSingleHsParam=NOAUTH
+
+#
+# SslSecondHs: ssl with secondary hs when accessing direcory
+# that requires cert verification
+SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
+SslSecondHsPort=443
+SslSecondHsUrl=/iopr_test_2hs/test_pg.html
+SslSecondHsParam=NOCOV
+
+#
+# OcspTrustedResponder - trusted responder key is used to sign OCSP response
+#
+OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
+OcspTrustedResponderProto=http
+OcspTrustedResponderPort=2560
+OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
+OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
+OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
+OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
+
+#
+# OcspResponderCA - CA key is used to sign OCSP response
+#
+OcspResponderCADescr="CA key is used to sign OCSP response"
+OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
+OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
+OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
+
+#
+# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
+#
+OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
+OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
+OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
+OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
diff --git a/security/nss/tests/iopr/server_scr/sslreq.dat b/security/nss/tests/iopr/server_scr/sslreq.dat
new file mode 100644
index 000000000..2f7ad7736
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/iopr/ssl_iopr.sh b/security/nss/tests/iopr/ssl_iopr.sh
new file mode 100644
index 000000000..0f9742662
--- /dev/null
+++ b/security/nss/tests/iopr/ssl_iopr.sh
@@ -0,0 +1,643 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/ssl_iopr.sh
+#
+# NSS SSL interoperability QA. This file is included from ssl.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+IOPR_SSL_SOURCED=1
+
+########################################################################
+# The functions works with variables defined in interoperability
+# configuration file that was downloaded from a webserver.
+# It tries to find unrevoked cert based on value of variable
+# "SslClntValidCertName" defined in the configuration file.
+# Params NONE.
+# Returns 0 if found, 1 otherwise.
+#
+setValidCert() {
+ testUser=$SslClntValidCertName
+ [ -z "$testUser" ] && return 1
+ return 0
+}
+
+########################################################################
+# The funtions works with variables defined in interoperability
+# configuration file that was downloaded from a webserver.
+# The function sets port, url, param and description test parameters
+# that was defind for a particular type of testing.
+# Params:
+# $1 - supported types of testing. Currently have maximum
+# of two: forward and reverse. But more can be defined.
+# No return value
+#
+setTestParam() {
+ type=$1
+ sslPort=`eval 'echo $'${type}Port`
+ sslUrl=`eval 'echo $'${type}Url`
+ testParam=`eval 'echo $'${type}Param`
+ testDescription=`eval 'echo $'${type}Descr`
+ [ -z "$sslPort" ] && sslPort=443
+ [ -z "$sslUrl" ] && sslUrl="/iopr_test/test_pg.html"
+ [ "$sslUrl" = "/" ] && sslUrl="/test_pg.html"
+}
+
+
+#######################################################################
+# local shell function to perform SSL Cipher Suite Coverage tests
+# in interoperability mode. Tests run against web server by using nss
+# test client
+# Params:
+# $1 - supported type of testing.
+# $2 - testing host
+# $3 - nss db location
+# No return value
+#
+ssl_iopr_cov_ext_server()
+{
+ testType=$1
+ host=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOCOV`" != "" ]; then
+ echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
+ "run by server configuration"
+ return 0
+ fi
+
+ html_head "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR" \
+ "$BYPASS_STRING $NORM_EXT): $testDescription"
+
+ setValidCert; ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+ echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+ echo >> $SSL_REQ_FILE
+
+ while read ecc tls param testname therest; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "`echo $testname | grep FIPS`" -o \
+ "$ecc" = "ECC" ] && continue;
+
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ TLS_FLAG=-T
+ if [ "$tls" = "TLS" ]; then
+ TLS_FLAG=""
+ fi
+
+ resFile=${TMP}/$HOST.tmpRes.$$
+ rm $resFile 2>/dev/null
+
+ echo "tstclnt -p ${sslPort} -h ${host} -c ${param} ${TLS_FLAG} \\"
+ echo " -n $testUser -v -w nss ${CLIEN_OPTIONS} -f \\"
+ echo " -d ${dbDir} < ${SSL_REQ_FILE} > $resFile"
+
+ ${BINDIR}/tstclnt -p ${sslPort} -h ${host} -c ${param} \
+ ${TLS_FLAG} ${CLIEN_OPTIONS} -f -n $testUser -v -w nss \
+ -d ${dbDir} < ${SSL_REQ_FILE} >$resFile 2>&1
+ ret=$?
+ grep "ACCESS=OK" $resFile
+ test $? -eq 0 -a $ret -eq 0
+ ret=$?
+ [ $ret -ne 0 ] && cat $resFile
+ rm -f $resFile 2>/dev/null
+ html_msg $ret 0 "${testname}"
+ done < ${SSLCOV}
+ rm -f $SSL_REQ_FILE 2>/dev/null
+
+ html "</TABLE><BR>"
+}
+
+#######################################################################
+# local shell function to perform SSL Client Authentication tests
+# in interoperability mode. Tests run against web server by using nss
+# test client
+# Params:
+# $1 - supported type of testing.
+# $2 - testing host
+# $3 - nss db location
+# No return value
+#
+ssl_iopr_auth_ext_server()
+{
+ testType=$1
+ host=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOAUTH`" != "" ]; then
+ echo "SSL Client Authentication WebServ($IOPR_HOSTADDR) excluded from " \
+ "run by server configuration"
+ return 0
+ fi
+
+ html_head "SSL Client Authentication WebServ($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT):
+ $testDescription"
+
+ setValidCert;ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+ echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+ echo >> $SSL_REQ_FILE
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" > ${SSLAUTH_TMP}
+
+ while read ecc value sparam cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
+
+ echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \\"
+ echo " -d ${dbDir} -v < ${SSL_REQ_FILE}"
+
+ resFile=${TMP}/$HOST.tmp.$$
+ rm $rsFile 2>/dev/null
+
+ ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
+ -d ${dbDir} -v < ${SSL_REQ_FILE} >$resFile 2>&1
+ ret=$?
+ grep "ACCESS=OK" $resFile
+ test $? -eq 0 -a $ret -eq 0
+ ret=$?
+ [ $ret -ne 0 ] && cat $resFile
+ rm $resFile 2>/dev/null
+
+ html_msg $ret $value "${testname}. Client params: $cparam"\
+ "produced a returncode of $ret, expected is $value"
+ done < ${SSLAUTH_TMP}
+ rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}
+
+ html "</TABLE><BR>"
+}
+
+########################################################################
+# local shell function to perform SSL interoperability test with/out
+# revoked certs tests. Tests run against web server by using nss
+# test client
+# Params:
+# $1 - supported type of testing.
+# $2 - testing host
+# $3 - nss db location
+# No return value
+#
+ssl_iopr_crl_ext_server()
+{
+ testType=$1
+ host=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOCRL`" != "" ]; then
+ echo "CRL SSL Client Tests of WebServerv($IOPR_HOSTADDR) excluded from " \
+ "run by server configuration"
+ return 0
+ fi
+
+ html_head "CRL SSL Client Tests of WebServer($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): $testDescription"
+
+ SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+ echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+ echo >> $SSL_REQ_FILE
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" | grep -v bogus | \
+ grep -v none > ${SSLAUTH_TMP}
+
+ while read ecc value sparam _cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+ rev_modvalue=254
+ for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
+
+ echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} \\"
+ echo " -f -d ${dbDir} -v ${cparam} < ${SSL_REQ_FILE}"
+ resFile=${TMP}/$HOST.tmp.$$
+ rm -f $resFile 2>/dev/null
+ ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
+ -d ${dbDir} -v < ${SSL_REQ_FILE} \
+ > $resFile 2>&1
+ ret=$?
+ grep "ACCESS=OK" $resFile
+ test $? -eq 0 -a $ret -eq 0
+ ret=$?
+ [ $ret -ne 0 ] && ret=$rev_modvalue;
+ [ $ret -ne 0 ] && cat $resFile
+ rm -f $resFile 2>/dev/null
+
+ if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ testAddMsg="not revoked"
+ modvalue=$value
+ fi
+ html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ done
+ done < ${SSLAUTH_TMP}
+ rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}
+
+ html "</TABLE><BR>"
+}
+
+
+########################################################################
+# local shell function to perform SSL Cipher Coverage tests of nss server
+# by invoking remote test client on web server side.
+# Invoked only if reverse testing is supported by web server.
+# Params:
+# $1 - remote web server host
+# $2 - open port to connect to invoke CGI script
+# $3 - host where selfserv is running(name of the host nss tests
+# are running)
+# $4 - port where selfserv is running
+# $5 - selfserv nss db location
+# No return value
+#
+ssl_iopr_cov_ext_client()
+{
+ host=$1
+ port=$2
+ sslHost=$3
+ sslPort=$4
+ serDbDir=$5
+
+ html_head "SSL Cipher Coverage of SelfServ $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+ setValidCert
+ ret=$?
+ if [ $res -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ # P_R_SERVERDIR switch require for selfserv to work.
+ # Will be restored after test
+ OR_P_R_SERVERDIR=$P_R_SERVERDIR
+ P_R_SERVERDIR=$serDbDir
+ OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+ P_R_CLIENTDIR=$serDbDir
+ testname=""
+ sparam="-vvvc ABCDEFcdefgijklmnvyz"
+ # Launch the server
+ start_selfserv
+
+ while read ecc tls param cipher therest; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+ echo "============= Beginning of the test ===================="
+ echo
+
+ is_selfserv_alive
+
+ TEST_IN=${TMP}/${HOST}_IN.tmp.$$
+ TEST_OUT=${TMP}/$HOST.tmp.$$
+ rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+ echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser&cipher=$cipher HTTP/1.0" > $TEST_IN
+ echo >> $TEST_IN
+
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Command ----------------------"
+ echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host \< $TEST_IN \>\> $TEST_OUT
+
+ ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host <$TEST_IN > $TEST_OUT
+
+ echo "------- Server output Begin ----------"
+ cat $TEST_OUT
+ echo "------- Server output End ----------"
+
+ echo "Checking for errors in log file..."
+ grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ grep "cipher is not supported" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ echo "Skiping test: no support for the cipher $cipher on server side"
+ continue
+ fi
+
+ grep -i "SERVER ERROR:" $TEST_OUT
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ echo "Found problems. Reseting exit code to failure."
+
+ ret=1
+ else
+ ret=0
+ fi
+ else
+ echo "Script was not executed. Reseting exit code to failure."
+ ret=11
+ fi
+
+ html_msg $ret 0 "Test ${cipher}. Server params: $sparam " \
+ " produced a returncode of $ret, expected is 0"
+ rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+ done < ${SSLCOV}
+ kill_selfserv
+
+ P_R_SERVERDIR=$OR_P_R_SERVERDIR
+ P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+
+ rm -f ${TEST_IN} ${TEST_OUT}
+ html "</TABLE><BR>"
+}
+
+########################################################################
+# local shell function to perform SSL Authentication tests of nss server
+# by invoking remove test client on web server side
+# Invoked only if reverse testing is supported by web server.
+# Params:
+# $1 - remote web server host
+# $2 - open port to connect to invoke CGI script
+# $3 - host where selfserv is running(name of the host nss tests
+# are running)
+# $4 - port where selfserv is running
+# $5 - selfserv nss db location
+# No return value
+#
+ssl_iopr_auth_ext_client()
+{
+ host=$1
+ port=$2
+ sslHost=$3
+ sslPort=$4
+ serDbDir=$5
+
+ html_head "SSL Client Authentication with Selfserv from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+ setValidCert
+ ret=$?
+ if [ $res -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ OR_P_R_SERVERDIR=$P_R_SERVERDIR
+ P_R_SERVERDIR=${serDbDir}
+ OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+ P_R_CLIENTDIR=${serDbDir}
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+
+ grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP}
+
+ while read ecc value sparam cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+ echo "Server params: $sparam"
+ sparam=$sparam" -vvvc ABCDEFcdefgijklmnvyz"
+ start_selfserv
+
+ TEST_IN=${TMP}/$HOST_IN.tmp.$$
+ TEST_OUT=${TMP}/$HOST.tmp.$$
+ rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+ echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN
+ echo >> $TEST_IN
+
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Command ----------------------"
+ echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host \< $TEST_IN \>\> $TEST_OUT
+
+ ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host <$TEST_IN > $TEST_OUT
+
+ echo "------- Server output Begin ----------"
+ cat $TEST_OUT
+ echo "------- Server output End ----------"
+
+ echo "Checking for errors in log file..."
+ grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ echo "Checking for error in log file..."
+ grep -i "SERVER ERROR:" $TEST_OUT
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ echo "Found problems. Reseting exit code to failure."
+ ret=1
+ else
+ ret=0
+ fi
+ else
+ echo "Script was not executed. Reseting exit code to failure."
+ ret=11
+ fi
+
+ html_msg $ret $value "${testname}. Server params: $sparam"\
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+ done < ${SSLAUTH_TMP}
+
+ P_R_SERVERDIR=$OR_P_R_SERVERDIR
+ P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+
+ rm -f ${SSLAUTH_TMP} ${TEST_IN} ${TEST_OUT}
+ html "</TABLE><BR>"
+}
+
+#########################################################################
+# local shell function to perform SSL CRL testing of nss server
+# by invoking remote test client on web server side
+# Invoked only if reverse testing is supported by web server.
+# Params:
+# $1 - remote web server host
+# $2 - open port to connect to invoke CGI script
+# $3 - host where selfserv is running(name of the host nss tests
+# are running)
+# $4 - port where selfserv is running
+# $5 - selfserv nss db location
+# No return value
+#
+ssl_iopr_crl_ext_client()
+{
+ host=$1
+ port=$2
+ sslHost=$3
+ sslPort=$4
+ serDbDir=$5
+
+ html_head "CRL SSL Selfserv Tests from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+ OR_P_R_SERVERDIR=$P_R_SERVERDIR
+ P_R_SERVERDIR=${serDbDir}
+ OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+ P_R_CLIENTDIR=$serDbDir
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP}
+
+ while read ecc value sparam _cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+ sparam="$sparam -vvvc ABCDEFcdefgijklmnvyz"
+ start_selfserv
+
+ for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
+
+ is_selfserv_alive
+
+ TEST_IN=${TMP}/${HOST}_IN.tmp.$$
+ TEST_OUT=${TMP}/$HOST.tmp.$$
+ rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+ echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN
+ echo >> $TEST_IN
+
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Command ----------------------"
+ echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h ${host} \< $TEST_IN \>\> $TEST_OUT
+
+ ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h ${host} <$TEST_IN > $TEST_OUT
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Server output Begin ----------"
+ cat $TEST_OUT
+ echo "------- Server output End ----------"
+
+ echo "Checking for errors in log file..."
+ grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ grep -i "SERVER ERROR:" $TEST_OUT
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ echo "Found problems. Reseting exit code to failure."
+ ret=1
+ else
+ ret=0
+ fi
+ else
+ echo "Script was not executed. Reseting exit code to failure."
+ ret=11
+ fi
+
+ if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
+ modvalue=1
+ testAddMsg="revoked"
+ else
+ testAddMsg="not revoked"
+ modvalue=0
+ fi
+
+ html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue(selfserv args: $sparam)"
+ rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+ done
+ kill_selfserv
+ done < ${SSLAUTH_TMP}
+
+ P_R_SERVERDIR=$OR_P_R_SERVERDIR
+ P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+
+ rm -f ${SSLAUTH_TMP}
+ html "</TABLE><BR>"
+}
+
+#####################################################################
+# Initial point for running ssl test againt multiple hosts involved in
+# interoperability testing. Called from nss/tests/ssl/ssl.sh
+# It will only proceed with test run for a specific host if environment variable
+# IOPR_HOSTADDR_LIST was set, had the host name in the list
+# and all needed file were successfully downloaded and installed for the host.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise.
+#
+ssl_iopr_run() {
+ if [ "$IOPR" -ne 1 ]; then
+ return 1
+ fi
+ cd ${CLIENTDIR}
+
+ ORIG_ECC_CERT=${NO_ECC_CERTS}
+ NO_ECC_CERTS=1 # disable ECC for interoperability tests
+
+ NSS_SSL_ENABLE_RENEGOTIATION=u
+ export NSS_SSL_ENABLE_RENEGOTIATION
+
+ num=1
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ while [ "$IOPR_HOST_PARAM" ]; do
+ IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+ IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+ [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443
+
+ . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+ RES=$?
+
+ if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then
+ num=`expr $num + 1`
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ continue
+ fi
+
+ #=======================================================
+ # Check if server is capable to run ssl tests
+ #
+ [ -z "`echo ${supportedTests_new} | grep -i ssl`" ] && continue;
+
+ # Testing directories defined by webserver.
+ echo "Testing ssl interoperability.
+ Client: local(tstclnt).
+ Server: remote($IOPR_HOSTADDR:$IOPR_OPEN_PORT)"
+
+ for sslTestType in ${supportedTests_new}; do
+ if [ -z "`echo $sslTestType | grep -i ssl`" ]; then
+ continue
+ fi
+ ssl_iopr_cov_ext_server $sslTestType ${IOPR_HOSTADDR} \
+ ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
+ ssl_iopr_auth_ext_server $sslTestType ${IOPR_HOSTADDR} \
+ ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
+ ssl_iopr_crl_ext_server $sslTestType ${IOPR_HOSTADDR} \
+ ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
+ done
+
+
+ # Testing selfserv with client located at the webserver.
+ echo "Testing ssl interoperability.
+ Client: remote($IOPR_HOSTADDR:$PORT)
+ Server: local(selfserv)"
+ ssl_iopr_cov_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
+ ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
+ ssl_iopr_auth_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
+ ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
+ ssl_iopr_crl_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
+ ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
+ echo "================================================"
+ echo "Done testing interoperability with $IOPR_HOSTADDR"
+ num=`expr $num + 1`
+ IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+ done
+ NO_ECC_CERTS=${ORIG_ECC_CERTS}
+ return 0
+}
+
diff --git a/security/nss/tests/jss_dll_version.sh b/security/nss/tests/jss_dll_version.sh
new file mode 100755
index 000000000..cb29c4a1a
--- /dev/null
+++ b/security/nss/tests/jss_dll_version.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# version controll for DLLs
+# ToDo: make version parameter or find version from first occurance of 3.x
+# make the 3 a variable..., include the header
+
+for w in `find . -name "libjss3.s[ol]"`
+do
+ NOWHAT=FALSE
+ NOIDENT=FALSE
+ echo $w
+ what $w | grep JSS || NOWHAT=TRUE
+ ident $w | grep JSS || NOIDENT=TRUE
+ if [ $NOWHAT = TRUE ]
+ then
+ echo "ERROR what $w does not contain JSS"
+ fi
+ if [ $NOIDENT = TRUE ]
+ then
+ echo "ERROR ident $w does not contain JSS"
+ fi
+done
diff --git a/security/nss/tests/jssdir b/security/nss/tests/jssdir
new file mode 100755
index 000000000..1609fbfcf
--- /dev/null
+++ b/security/nss/tests/jssdir
@@ -0,0 +1,28 @@
+if ( "$2" == "" ) then
+ setenv BUILDDATE `date +%m%d`
+else
+ setenv BUILDDATE $2
+endif
+
+if ( "$1" == "" ) then
+ setenv JSSVER tip
+else
+ setenv JSSVER $1
+endif
+
+if ( ! ${?QAYEAR} ) then
+ setenv QAYEAR `date +%Y`
+else if ( "$QAYEAR" == "" ) then
+ setenv QAYEAR `date +%Y`
+
+endif
+
+setenv JSS_VER_DIR /share/builds/mccrel3/jss/jss$JSSVER
+setenv NTDIST ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/blowfish_NT4.0_Win95/mozilla/dist
+setenv UXDIST ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/dist
+setenv TESTSCRIPTDIR ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/security/jss/tests
+setenv RESULTDIR ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/tests_results/security
+
+cd ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8
+pwd
+ls
diff --git a/security/nss/tests/jssqa b/security/nss/tests/jssqa
new file mode 100755
index 000000000..d5356b9e8
--- /dev/null
+++ b/security/nss/tests/jssqa
@@ -0,0 +1,220 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/jssqa
+#
+# this script is supposed to automatically run - now a sanity test, later QA for
+# JSS on all required Unix and Windows (NT and 2000) platforms
+#
+# parameters
+# ----------
+# jssversion (supported: 31, tip)
+# builddate (default - today)
+#
+# options
+# -------
+# -y answer all questions with y - use at your own risk...ignores warnings
+# -s silent (only usefull with -y)
+# -h, -? - you guessed right - displays this text
+# -d debug
+# -f <filename> - write the (error)output to filename
+# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.nssqa
+#
+########################################################################
+
+O_OPTIONS=ON # accept options (see above for listing)
+WIN_WAIT_FOREVER=OFF # don't wait for the NSS testdir
+PRODUCT_TO_TEST="JSS"
+JSS_NSPR_DIR="/share/builds/components/nspr20/v4.1.2"
+JSS_NSS_DIR="/share/builds/components/nss/NSS_3_3_1_RTM"
+JSS_NSS_UX_SRC_DIR="nss331/builds/20010928.2.331-RTM/booboo_Solaris8"
+JSS_NSS_NT_SRC_DIR="nss331/builds/20010928.2.331-RTM/blowfish_NT4.0_Win95"
+JSS_NSS_SRC_DIR=$JSS_NSS_UX_SRC_DIR
+NATIVE_FLAG=""
+
+. `dirname $0`/header # utilities, shellfunctions etc, global to NSS and JSS QA
+
+if [ -z "$O_TBX" -o "$O_TBX" != "ON" ] ; then
+ is_running ${TMP}/jssqa
+ # checks if the file exists, if yes Exits, if not
+ # creates to implement a primitive locking mechanism
+fi
+
+INTERNAL_TOKEN="NSS Certificate DB"
+SIGTEST_INTERNAL_TOKEN="Internal Key Storage Token"
+
+################################ jss_init #########################
+#
+# Most of the procedure is setting up the test environment.
+# set all necessary dir and file variables, set all paths, copy the shared libs
+# Put all the shared libraries into a lib directory, <libdir>.
+# including the libjss3.so that was built by the build process.
+# set LD_LIBRARY PATH and CLASSPATH
+# The xpclass.jar produced by the JSS build needs to be in the classpath.
+# The classpath must also include the current directory so we can run our test
+# programs.
+################################################################################
+
+jss_init()
+{
+ Debug "Jss init"
+ #correct all directories that the header has set...
+ NTDIST=`echo $NTDIST | sed -e 's/nss/jss/g'`
+ UXDIST=`echo $UXDIST | sed -e 's/nss/jss/g'`
+ RESULTDIR=`echo $RESULTDIR | sed -e 's/nss/jss/g'`
+ mkdir -p ${RESULTDIR} 2>/dev/null
+ JSS_LOGFILE=${RESULTDIR}/${HOST}.txt
+ FILENAME=$JSS_LOGFILE
+ O_FILE=ON
+
+ MOZILLA_ROOT=`echo $MOZILLA_ROOT | sed -e 's/nss/jss/g'`
+
+ JSS_SAMPLES="$MOZILLA_ROOT/security/jss/samples"
+ JSS_CLASSPATH=`echo $MOZILLA_ROOT |
+ sed -e "s/jss$NSSVER.builds/jss$NSSVER\/ships/g" -e "s/mozilla/jss\/${QAYEAR}${BUILDDATE}/"`
+ Debug "JSS_CLASSPATH=$JSS_CLASSPATH"
+ Debug "JSS_SAMPLES=$JSS_SAMPLES"
+
+ if [ ! -d $JSS_SAMPLES ] ; then
+ if [ "$O_WIN" = "ON" -a "$WIN_WAIT_FOREVER" = "ON" ]
+ then
+ WaitForever $JSS_SAMPLES/TestKeyGen.java 1
+ else
+ Exit "Test directory $JSS_SAMPLES does not exist"
+ fi
+ fi
+
+ PWFILE="$JSS_SAMPLES/passwd"
+ EMPTYFILE="$JSS_SAMPLES/emptyfile"
+ rm $PWFILE $EMPTYFILE 2>/dev/null
+ echo "jss" >$PWFILE
+ echo "" >$EMPTYFILE
+ echo "" >>$EMPTYFILE
+ echo "" >>$EMPTYFILE
+
+ INIT_PATH=$PATH
+ INIT_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+}
+
+
+jss_mode_init()
+{
+ OBJDIR=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name`
+
+ LOCALDIST_BIN=`echo $LOCALDIST_BIN | sed -e 's/nss/jss/g'`
+ LOCALDIST_LIB=$LOCALDIST_BIN/../lib
+ debug_dirs
+
+ #make testdir/libdir
+
+ JSS_LIBDIR=${RESULTDIR}/${HOST}.libdir/${OBJDIR}
+ mkdir -p ${JSS_LIBDIR} 2>/dev/null
+ Debug "JSS_LIBDIR=$JSS_LIBDIR"
+
+ #Put all the shared libraries into a lib directory
+ Debug "copy all needed libs to ${JSS_LIBDIR}"
+ cp $JSS_NSPR_DIR/${OBJDIR}/lib/* ${JSS_LIBDIR}
+ cp $JSS_NSS_DIR/${OBJDIR}/lib/* ${JSS_LIBDIR}
+ cp $LOCALDIST_LIB/libjss3.* ${JSS_LIBDIR}
+ #FIXME uncomment above
+
+ if [ $O_DEBUG = ON ] ; then
+ Debug "ls $JSS_LIBDIR"
+ ls $JSS_LIBDIR
+ fi
+
+ #LD_LIBRARY_PATH=$INIT_LD_LIBRARY_PATH:${JSS_LIBDIR}
+ LD_LIBRARY_PATH=${JSS_LIBDIR} #remove to avoid HP coredump
+ CLASSPATH="$JSS_CLASSPATH/xpclass.jar:."
+
+ SHLIB_PATH=${LD_LIBRARY_PATH}
+ LIBPATH=${LD_LIBRARY_PATH}
+
+ PATH=$JSS_NSPR_DIR/${OBJDIR}/bin:$JSS_NSS_DIR/${OBJDIR}//bin:$INIT_PATH
+ Debug "PATH $PATH"
+ Debug "LD_LIBRARY_PATH $LD_LIBRARY_PATH"
+ Debug "CLASSPATH=$CLASSPATH"
+
+ export CLASSPATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH
+ export TESTSCRIPTDIR COMMON
+ export_dirs
+}
+
+
+################################ jss_test #########################
+#
+# go into the build tree. cd to mozilla/security/jss/samples.
+# Create NSS directories in this directory with modutil and set the password
+#
+#6. Create an alias for the "java" and "javac" commands. You'll need to set
+#it to whatever version of the JDK you used to build on this platform. For
+#example,
+ #alias java /share/builds/components/cms_jdk/AIX/1.3.0/jre/bin/java
+ #alias javac /share/builds/components/cms_jdk/AIX/1.3.0/bin/javac
+# instead $JAVA and $JAVAC
+# 7. Compile the tests.
+#####################################################################
+jss_test()
+{
+ O_FILE=OFF
+ Debug "JSS main test"
+ #set -x
+ cd $JSS_SAMPLES
+
+ Debug "Cleaning $JSS_SAMPLES"
+ rm cert7.db key3.db 2>/dev/null
+
+ Debug "echo | modutil -dbdir . -create -force"
+ echo | modutil -dbdir . -create -force
+ Debug "modutil returned $?"
+
+ modutil -dbdir . -list
+
+ Debug "echo | modutil -dbdir . -changepw \"$INTERNAL_TOKEN\" -newpwfile $PWFILE -force"
+ modutil -dbdir . -changepw "$INTERNAL_TOKEN" -newpwfile $PWFILE -force <$EMPTYFILE
+ #modutil -dbdir . -changepw "$INTERNAL_TOKEN" -pwfile $PWFILE -newpwfile $PWFILE <$EMPTYFILE
+ Debug "modutil returned $?"
+
+ Debug "$JAVAC TestKeyGen.java"
+ $JAVAC TestKeyGen.java
+ Debug "$JAVAC TestKeyGen.java returned $?"
+
+ Debug "$JAVAC SigTest.java"
+ $JAVAC SigTest.java
+ Debug "$JAVAC SigTest.java returned $?"
+
+ echo "Starting new jss test on $HOST"
+ date
+
+ # Run the actual tests
+
+ Debug "$JAVA $NATIVE_FLAG TestKeyGen ."
+ $JAVA $NATIVE_FLAG TestKeyGen .
+ Debug "$JAVA TestKeyGen returned $?"
+
+ Debug "$JAVA $NATIVE_FLAG SigTest . \"$SIGTEST_INTERNAL_TOKEN\""
+ $JAVA $NATIVE_FLAG SigTest . "$SIGTEST_INTERNAL_TOKEN"
+ Debug "$JAVA SigTest returned $?"
+
+ O_FILE=ON
+}
+
+jss_init
+jss_mode_init
+
+if [ "$O_CRON" = "ON" -o "$O_WIN" = "ON" ]
+then
+ jss_test >>$JSS_LOGFILE 2>&1
+else
+ jss_test 2>&1 | tee -a $JSS_LOGFILE
+fi
+BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT"
+jss_mode_init
+if [ "$O_CRON" = "ON" -o "$O_WIN" = "ON" ]
+then
+ jss_test >>$JSS_LOGFILE 2>&1
+else
+ jss_test 2>&1 | tee -a $JSS_LOGFILE
+fi
+Exit "jssqa completed. Done `uname -n` $QA_OS_STRING"
diff --git a/security/nss/tests/libpkix/cert_trust.map b/security/nss/tests/libpkix/cert_trust.map
new file mode 100644
index 000000000..c992435f9
--- /dev/null
+++ b/security/nss/tests/libpkix/cert_trust.map
@@ -0,0 +1,6 @@
+TestCA.ca CT,C,C
+TestUser50 ,,
+TestUser51 ,,
+PayPalRootCA CT,C,C
+PayPalICA ,,
+PayPalEE ,,
diff --git a/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert b/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert
new file mode 100644
index 000000000..30d2f18c3
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt b/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt
new file mode 100755
index 000000000..efc2f2cd5
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/GoodCACert.crt b/security/nss/tests/libpkix/certs/GoodCACert.crt
new file mode 100644
index 000000000..5aecbc0cf
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/GoodCACert.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.ca.cert b/security/nss/tests/libpkix/certs/NameConstraints.ca.cert
new file mode 100644
index 000000000..6d2e8469d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.ca.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.cert b/security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.cert
new file mode 100644
index 000000000..539adcfee
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.cert b/security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.cert
new file mode 100644
index 000000000..28f84919d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.cert b/security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.cert
new file mode 100644
index 000000000..a3fbd91f3
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert
new file mode 100644
index 000000000..a310aa1ac
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert
new file mode 100644
index 000000000..fc4b7c1c1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert
new file mode 100644
index 000000000..051e55e56
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert
new file mode 100644
index 000000000..6e7efd53e
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert
new file mode 100644
index 000000000..823eccc05
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert
new file mode 100644
index 000000000..a2f17054e
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.ncca.cert b/security/nss/tests/libpkix/certs/NameConstraints.ncca.cert
new file mode 100644
index 000000000..ecb24c7d5
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.ncca.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server1.cert b/security/nss/tests/libpkix/certs/NameConstraints.server1.cert
new file mode 100644
index 000000000..60e8a1c69
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server1.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server10.cert b/security/nss/tests/libpkix/certs/NameConstraints.server10.cert
new file mode 100644
index 000000000..21d9e8767
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server10.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server11.cert b/security/nss/tests/libpkix/certs/NameConstraints.server11.cert
new file mode 100644
index 000000000..c458c8ce7
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server11.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server12.cert b/security/nss/tests/libpkix/certs/NameConstraints.server12.cert
new file mode 100644
index 000000000..1a4e6fec2
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server12.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server13.cert b/security/nss/tests/libpkix/certs/NameConstraints.server13.cert
new file mode 100644
index 000000000..8b7295fb2
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server13.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server14.cert b/security/nss/tests/libpkix/certs/NameConstraints.server14.cert
new file mode 100644
index 000000000..8a989f996
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server14.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server15.cert b/security/nss/tests/libpkix/certs/NameConstraints.server15.cert
new file mode 100644
index 000000000..69d057c9a
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server15.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server16.cert b/security/nss/tests/libpkix/certs/NameConstraints.server16.cert
new file mode 100644
index 000000000..0b24d7abb
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server16.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server17.cert b/security/nss/tests/libpkix/certs/NameConstraints.server17.cert
new file mode 100644
index 000000000..2fc9437cd
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server17.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server2.cert b/security/nss/tests/libpkix/certs/NameConstraints.server2.cert
new file mode 100644
index 000000000..1c6e5510d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server2.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server3.cert b/security/nss/tests/libpkix/certs/NameConstraints.server3.cert
new file mode 100644
index 000000000..bd93572dd
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server3.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server4.cert b/security/nss/tests/libpkix/certs/NameConstraints.server4.cert
new file mode 100644
index 000000000..ca9d1b1c3
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server4.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server5.cert b/security/nss/tests/libpkix/certs/NameConstraints.server5.cert
new file mode 100644
index 000000000..1798de766
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server5.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server6.cert b/security/nss/tests/libpkix/certs/NameConstraints.server6.cert
new file mode 100644
index 000000000..5698f8ebd
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server6.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server7.cert b/security/nss/tests/libpkix/certs/NameConstraints.server7.cert
new file mode 100644
index 000000000..3cf85d047
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server7.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server8.cert b/security/nss/tests/libpkix/certs/NameConstraints.server8.cert
new file mode 100644
index 000000000..f0694ed03
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server8.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server9.cert b/security/nss/tests/libpkix/certs/NameConstraints.server9.cert
new file mode 100644
index 000000000..517c0ae31
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/NameConstraints.server9.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPCA1.cert b/security/nss/tests/libpkix/certs/OCSPCA1.cert
new file mode 100644
index 000000000..cac92b790
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPCA1.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPCA1.p12 b/security/nss/tests/libpkix/certs/OCSPCA1.p12
new file mode 100644
index 000000000..82cc31034
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPCA1.p12
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPCA2.cert b/security/nss/tests/libpkix/certs/OCSPCA2.cert
new file mode 100644
index 000000000..3dd31100f
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPCA2.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPCA2.p12 b/security/nss/tests/libpkix/certs/OCSPCA2.p12
new file mode 100644
index 000000000..1c03d0d7e
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPCA2.p12
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPCA3.cert b/security/nss/tests/libpkix/certs/OCSPCA3.cert
new file mode 100644
index 000000000..7d0645830
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPCA3.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPCA3.p12 b/security/nss/tests/libpkix/certs/OCSPCA3.p12
new file mode 100644
index 000000000..610eb50a1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPCA3.p12
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE11.cert b/security/nss/tests/libpkix/certs/OCSPEE11.cert
new file mode 100644
index 000000000..093756d3d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE11.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE12.cert b/security/nss/tests/libpkix/certs/OCSPEE12.cert
new file mode 100644
index 000000000..14cd5b9ce
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE12.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE13.cert b/security/nss/tests/libpkix/certs/OCSPEE13.cert
new file mode 100644
index 000000000..058b59d80
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE13.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE14.cert b/security/nss/tests/libpkix/certs/OCSPEE14.cert
new file mode 100644
index 000000000..4f937b9e9
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE14.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE15.cert b/security/nss/tests/libpkix/certs/OCSPEE15.cert
new file mode 100644
index 000000000..fbb2000dd
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE15.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE21.cert b/security/nss/tests/libpkix/certs/OCSPEE21.cert
new file mode 100644
index 000000000..a3f1305fd
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE21.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE22.cert b/security/nss/tests/libpkix/certs/OCSPEE22.cert
new file mode 100644
index 000000000..198f2068d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE22.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE23.cert b/security/nss/tests/libpkix/certs/OCSPEE23.cert
new file mode 100644
index 000000000..32b3a631d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE23.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE31.cert b/security/nss/tests/libpkix/certs/OCSPEE31.cert
new file mode 100644
index 000000000..3df0f62cb
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE31.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE32.cert b/security/nss/tests/libpkix/certs/OCSPEE32.cert
new file mode 100644
index 000000000..9bf5354ab
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE32.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPEE33.cert b/security/nss/tests/libpkix/certs/OCSPEE33.cert
new file mode 100644
index 000000000..4a3c10228
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPEE33.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPRoot.cert b/security/nss/tests/libpkix/certs/OCSPRoot.cert
new file mode 100644
index 000000000..8abc6bc87
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPRoot.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/OCSPRoot.p12 b/security/nss/tests/libpkix/certs/OCSPRoot.p12
new file mode 100644
index 000000000..166baf3f4
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/OCSPRoot.p12
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/PayPalEE.cert b/security/nss/tests/libpkix/certs/PayPalEE.cert
new file mode 100644
index 000000000..d71fbb501
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/PayPalEE.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/PayPalICA.cert b/security/nss/tests/libpkix/certs/PayPalICA.cert
new file mode 100644
index 000000000..07e025def
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/PayPalICA.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/PayPalRootCA.cert b/security/nss/tests/libpkix/certs/PayPalRootCA.cert
new file mode 100644
index 000000000..dae019650
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/PayPalRootCA.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/TestCA.ca.cert b/security/nss/tests/libpkix/certs/TestCA.ca.cert
new file mode 100644
index 000000000..929b793d3
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TestCA.ca.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/TestUser50.cert b/security/nss/tests/libpkix/certs/TestUser50.cert
new file mode 100644
index 000000000..ed71727fa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TestUser50.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/TestUser51.cert b/security/nss/tests/libpkix/certs/TestUser51.cert
new file mode 100644
index 000000000..1b45db286
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TestUser51.cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt b/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt
new file mode 100644
index 000000000..21f520ee5
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt b/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt
new file mode 100644
index 000000000..26985c9f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/anchor2dsa b/security/nss/tests/libpkix/certs/anchor2dsa
new file mode 100755
index 000000000..a1f9e05f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/anchor2dsa
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/crldiff.crl b/security/nss/tests/libpkix/certs/crldiff.crl
new file mode 100755
index 000000000..d076ef89f
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/crldiff.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/crlgood.crl b/security/nss/tests/libpkix/certs/crlgood.crl
new file mode 100755
index 000000000..1ad019ed1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/crlgood.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert
new file mode 100755
index 000000000..a1afd6a2d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert
new file mode 100755
index 000000000..55568917c
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnCert b/security/nss/tests/libpkix/certs/generalName/altNameDnCert
new file mode 100755
index 000000000..43dac7341
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff
new file mode 100755
index 000000000..04d133f74
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnsCert b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert
new file mode 100755
index 000000000..63754141a
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff
new file mode 100755
index 000000000..4fe947e73
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameEdiCert b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert
new file mode 100755
index 000000000..95ec20423
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff
new file mode 100755
index 000000000..50e5440d9
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameIpCert b/security/nss/tests/libpkix/certs/generalName/altNameIpCert
new file mode 100755
index 000000000..5f0e528a1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameIpCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff
new file mode 100755
index 000000000..2407be54f
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameNoneCert b/security/nss/tests/libpkix/certs/generalName/altNameNoneCert
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameNoneCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOidCert b/security/nss/tests/libpkix/certs/generalName/altNameOidCert
new file mode 100755
index 000000000..fa92c9ecd
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOidCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff
new file mode 100755
index 000000000..635e4d143
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOtherCert b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert
new file mode 100755
index 000000000..bdfc7cb6a
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff
new file mode 100755
index 000000000..bfc8a7973
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert
new file mode 100755
index 000000000..9ad3271ab
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff
new file mode 100755
index 000000000..b8e5b2e70
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert b/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert
new file mode 100755
index 000000000..89be1811d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameUriCert b/security/nss/tests/libpkix/certs/generalName/altNameUriCert
new file mode 100755
index 000000000..1f46e79f0
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameUriCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff
new file mode 100755
index 000000000..864e86fb5
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameX400Cert b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert
new file mode 100755
index 000000000..b0d10cf32
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff
new file mode 100755
index 000000000..652388847
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu b/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu
new file mode 100755
index 000000000..3f3452683
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/hy2hc-bc b/security/nss/tests/libpkix/certs/hy2hc-bc
new file mode 100755
index 000000000..691b8d982
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/hy2hc-bc
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/hy2hy-bc0 b/security/nss/tests/libpkix/certs/hy2hy-bc0
new file mode 100755
index 000000000..18b5fe4a8
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/hy2hy-bc0
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/issuer-hanfei.crl b/security/nss/tests/libpkix/certs/issuer-hanfei.crl
new file mode 100755
index 000000000..6c9f0dbaa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/issuer-hanfei.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/issuer-none.crl b/security/nss/tests/libpkix/certs/issuer-none.crl
new file mode 100755
index 000000000..c1c83ba2c
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/issuer-none.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert b/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert
new file mode 100755
index 000000000..7eae4863e
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert b/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert
new file mode 100755
index 000000000..a1f9e05f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert b/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert
new file mode 100755
index 000000000..11a132d10
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert b/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert
new file mode 100755
index 000000000..9b9377119
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert b/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert b/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert
new file mode 100755
index 000000000..c58d9a2aa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/make-ca-u50-u51 b/security/nss/tests/libpkix/certs/make-ca-u50-u51
new file mode 100755
index 000000000..5d8f920a9
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/make-ca-u50-u51
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+mkdir tmp
+cd tmp
+dd if=/dev/urandom bs=512 count=1 of=noise
+echo "" > pwfile
+
+certutil -d . -N -f pwfile
+
+certutil -S -z noise -g 1024 -d . -n ca -s "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t C,C,C -x -m 1 -w -1 -v 600 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n u50 -s "CN=TestUser50,E=TestUser50@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 50 -v 598
+
+certutil -S -z noise -g 1024 -d . -n u51 -s "CN=TestUser51,E=TestUser51@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 51 -v 598
+
+certutil -d . -L -n ca -r > TestCA.ca.cert
+certutil -d . -L -n u50 -r > TestUser50.cert
+certutil -d . -L -n u51 -r > TestUser51.cert
+
+echo "Created multiple files in subdirectory tmp: TestCA.ca.cert TestUser50.cert TestUser51.cert"
diff --git a/security/nss/tests/libpkix/certs/make-nc b/security/nss/tests/libpkix/certs/make-nc
new file mode 100755
index 000000000..aaab1edfa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/make-nc
@@ -0,0 +1,508 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+mkdir tmp
+cd tmp
+dd if=/dev/urandom bs=512 count=1 of=noise
+echo "" > pwfile
+
+certutil -d . -N -f pwfile
+
+certutil -S -z noise -g 1024 -d . -n ca -s "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t C,C,C -x -m 1 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica -s "CN=NSS Intermediate CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 20 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+.example
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server1 -s "CN=test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 40 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server2 -s "CN=another_test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server3 -s "CN=test.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 42 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica2 -s "CN=NSS Intermediate CA 2,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 21 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server4 -s "CN=test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 50 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server5 -s "CN=another_test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 51 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
+certutil -S -z noise -g 1024 -d . -n server6 -s "CN=test2.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 52 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica3 -s "CN=NSS Intermediate CA3,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 21 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+foo.example
+1
+y
+5
+O=Foo,st=ca,c=us
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica4 -s "CN=NSS Intermediate CA 2,O=Foo,ST=CA,C=US" -t ,, -c ica3 -m 61 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server7 -s "CN=bat.foo.example,ou=bar,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server8 -s "CN=bat.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 42 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server9 -s "CN=bat.foo.example,O=Foo,C=US" -t ,, -c ica4 -m 43 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server10 -s "CN=bar.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 44 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server11 -s "CN=site.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 45 -v 115 -1 -2 -5 -8 foo.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server12 -s "CN=Honest Achmed,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 46 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica5 -s "CN=NSS Intermediate CA 2,O=OtherOrg,ST=CA,C=US" -t ,, -c ica3 -m 62 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server13 -s "CN=bat.foo.example,O=OtherOrg,ST=CA,C=US" -t ,, -c ica5 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server14 -s "CN=another.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica5 -m 490 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ncca -s "CN=NSS Name Constrained Root CA,O=BOGUS NSS,L=Mountain View,ST=CA,C=US" -t C,C,C -x -m 2 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+.example
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica6 -s "CN=NSS Intermediate CA6,O=OtherOrg,ST=CA,C=US" -t ,, -c ncca -m 63 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server15 -s "CN=testfoo.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 64 -v 115 -1 -2 -5 -8 testfoo.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server16 -s "CN=another_test3.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 65 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server17 -s "CN=test4.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 66 -v 115 -1 -2 -5 -8 test4.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+#DCISS copy certs
+certutil -S -z noise -g 2048 -d . -n dcisscopy -s "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR" -t C,C,C -x -m 998899 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+#the following cert MUST not pass
+certutil -S -z noise -g 2048 -d . -n dcissblocked -s "CN=foo.example.com,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998900 -v 120 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+#the following cert MUST pass
+certutil -S -z noise -g 2048 -d . -n dcissallowed -s "CN=foo.example.fr,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998901 -v 120 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
+
+certutil -d . -L -n ca -r > NameConstraints.ca.cert
+certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
+certutil -d . -L -n server1 -r > NameConstraints.server1.cert
+certutil -d . -L -n server2 -r > NameConstraints.server2.cert
+certutil -d . -L -n server3 -r > NameConstraints.server3.cert
+certutil -d . -L -n ica2 -r > NameConstraints.intermediate2.cert
+certutil -d . -L -n server4 -r > NameConstraints.server4.cert
+certutil -d . -L -n server5 -r > NameConstraints.server5.cert
+certutil -d . -L -n server6 -r > NameConstraints.server6.cert
+certutil -d . -L -n ica3 -r > NameConstraints.intermediate3.cert
+certutil -d . -L -n ica4 -r > NameConstraints.intermediate4.cert
+certutil -d . -L -n server7 -r > NameConstraints.server7.cert
+certutil -d . -L -n server8 -r > NameConstraints.server8.cert
+certutil -d . -L -n server9 -r > NameConstraints.server9.cert
+certutil -d . -L -n server10 -r > NameConstraints.server10.cert
+certutil -d . -L -n server11 -r > NameConstraints.server11.cert
+certutil -d . -L -n server11 -r > NameConstraints.server11.cert
+certutil -d . -L -n server12 -r > NameConstraints.server12.cert
+certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert
+certutil -d . -L -n server13 -r > NameConstraints.server13.cert
+certutil -d . -L -n server14 -r > NameConstraints.server14.cert
+certutil -d . -L -n ncca -r > NameConstraints.ncca.cert
+certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert
+certutil -d . -L -n server15 -r > NameConstraints.server15.cert
+certutil -d . -L -n server16 -r > NameConstraints.server16.cert
+certutil -d . -L -n server17 -r > NameConstraints.server17.cert
+certutil -d . -L -n dcisscopy -r > NameConstraints.dcisscopy.cert
+certutil -d . -L -n dcissblocked -r > NameConstraints.dcissblocked.cert
+certutil -d . -L -n dcissallowed -r > NameConstraints.dcissallowed.cert
+
+echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert"
diff --git a/security/nss/tests/libpkix/certs/noExtensionsCert b/security/nss/tests/libpkix/certs/noExtensionsCert
new file mode 100755
index 000000000..f3dc1c973
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/noExtensionsCert
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/nss2alice b/security/nss/tests/libpkix/certs/nss2alice
new file mode 100755
index 000000000..48172a5ed
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/nss2alice
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/publicKey/dsaWithParams b/security/nss/tests/libpkix/certs/publicKey/dsaWithParams
new file mode 100755
index 000000000..a1f9e05f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/dsaWithParams
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams b/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams
new file mode 100755
index 000000000..7eae4863e
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/publicKey/labs2yassir b/security/nss/tests/libpkix/certs/publicKey/labs2yassir
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/labs2yassir
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/publicKey/yassir2labs b/security/nss/tests/libpkix/certs/publicKey/yassir2labs
new file mode 100755
index 000000000..f94385403
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/yassir2labs
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/sun2sun b/security/nss/tests/libpkix/certs/sun2sun
new file mode 100755
index 000000000..c75192be1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/sun2sun
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/yassir2bcn b/security/nss/tests/libpkix/certs/yassir2bcn
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/yassir2bcn
Binary files differ
diff --git a/security/nss/tests/libpkix/certs/yassir2yassir b/security/nss/tests/libpkix/certs/yassir2yassir
new file mode 100755
index 000000000..8444af5a3
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/yassir2yassir
Binary files differ
diff --git a/security/nss/tests/libpkix/common/libpkix_init.sh b/security/nss/tests/libpkix/common/libpkix_init.sh
new file mode 100644
index 000000000..01eb070e1
--- /dev/null
+++ b/security/nss/tests/libpkix/common/libpkix_init.sh
@@ -0,0 +1,324 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# libpkix_init.sh
+#
+
+### when the script is exiting, handle it in the Cleanup routine...the result
+### value will get set to 0 if all the tests completed successfully, so we can
+### use that value in the handler
+
+trap 'Cleanup' EXIT
+
+result=1
+checkmem=0
+arenas=0
+quiet=0
+
+doNIST=1
+doNIST_PDTest=0
+doPD=0
+doTop=0
+doModule=0
+doPki=0
+doOCSP=0
+doOCSPTest=0
+
+combinedErrors=0
+totalErrors=0
+prematureTermination=0
+errors=0
+
+if [ -z "${INIT_SOURCED}" ] ; then
+ libpkixCommondir=`pwd`
+ cd ../../common
+ . ./init.sh > /dev/null
+ cd ${libpkixCommondir}
+fi
+
+DIST_BIN=${DIST}/${OBJDIR}/bin
+
+### setup some defaults
+WD=`pwd`
+prog=`basename $0`
+testOut=${HOSTDIR}/${prog}.$$
+testOutMem=${HOSTDIR}/${prog}_mem.$$
+
+####################
+# cleanup from tests
+####################
+Cleanup()
+{
+ if [ ${testOut} != "" ]; then
+ rm -f ${testOut}
+ fi
+
+ if [ ${testOutMem} != "" ]; then
+ rm -f ${testOutMem}
+ fi
+
+ if [ -d ../../nist_pkits/certs ]; then
+ rm -f ../../nist_pkits/certs
+ fi
+
+ if [ ${doTop} -eq 1 ]; then
+ for i in ${linkMStoreNistFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/multiple_certstores/$i ]; then
+ rm -f ${HOSTDIR}/rev_data/multiple_certstores/$i
+ fi
+ done
+ if [ -d ${HOSTDIR}/rev_data/multiple_certstores ]; then
+ rm -fr ${HOSTDIR}/rev_data/multiple_certstores
+ fi
+ fi
+
+ if [ ${doModule} -eq 1 ]; then
+ for i in ${linkModuleNistFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+ rm -f ${HOSTDIR}/rev_data/local/$i
+ fi
+ done
+ for i in ${localCRLFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+ rm -f ${HOSTDIR}/rev_data/local/$i
+ fi
+ done
+ fi
+
+ if [ ${doPki} -eq 1 ]; then
+ for i in ${linkPkiNistFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+ rm -f ${HOSTDIR}/rev_data/local/$i
+ fi
+ done
+ fi
+
+ return ${result}
+}
+
+### ParseArgs
+ParseArgs() # args
+{
+ while [ $# -gt 0 ]; do
+ if [ $1 = "-checkmem" ]; then
+ checkmem=1
+ elif [ $1 = "-quiet" ]; then
+ quiet=1
+ elif [ $1 = "-arenas" ]; then
+ arenas=1
+ fi
+ shift
+ done
+}
+
+Display() # string
+{
+ if [ ${quiet} -eq 0 ]; then
+ echo "$1"
+ fi
+}
+
+testHeadingEcho()
+{
+ echo "*******************************************************************************"
+ echo "START OF TESTS FOR ${testunit}${memText}"
+ echo "*******************************************************************************"
+ echo ""
+}
+
+testEndingEcho()
+{
+ if [ ${totalErrors} -eq 0 ]; then
+ echo ""
+ echo "************************************************************"
+ echo "END OF TESTS FOR ${testunit}: ALL TESTS COMPLETED SUCCESSFULLY"
+ echo "************************************************************"
+ echo ""
+ return 0
+ fi
+
+ if [ ${totalErrors} -eq 1 ]; then
+ plural=""
+ else
+ plural="S"
+ fi
+
+ echo ""
+ echo "************************************************************"
+ echo "END OF TESTS FOR ${testunit}: ${totalErrors} TEST${plural} FAILED"
+ echo "************************************************************"
+ echo ""
+ return ${totalErrors}
+}
+
+###########
+# RunTests
+###########
+RunTests()
+{
+ errors=0
+ memErrors=0
+ prematureErrors=0
+
+ failedpgms=""
+ failedmempgms=""
+ failedprematurepgms=""
+ memText=""
+ arenaCmd=""
+
+ if [ ${checkmem} -eq 1 ]; then
+ memText=" (Memory Checking Enabled)"
+ fi
+
+ if [ ${arenas} -eq 1 ]; then
+ arenaCmd="-arenas"
+ fi
+
+ #
+ # Announce start of tests
+ #
+ Display "*******************************************************************************"
+ Display "START OF TESTS FOR PKIX ${testunit} ${memText}"
+ Display "*******************************************************************************"
+ Display ""
+
+ # run each test specified by the input redirection below
+
+ while read testPgm args; do
+
+ shortTestPurpose=`echo $args | awk '{print $1 " " $2 " "}'`
+ fullTestPurpose=${args}
+ if [ ${doTop} -eq 1 -o ${doModule} -eq 1 -o ${doPki} -eq 1 ]; then
+ testPurpose=${shortTestPurpose}
+ else
+ testPurpose=${fullTestPurpose}
+ fi
+
+ # If we want shorter command printout for NIST tests, delete next line
+ testPurpose=${fullTestPurpose}
+
+ # Skip OCSP tests if OCSP is not defined in the environment
+ if [ ${doOCSPTest} -eq 0 ]; then
+ hasOCSP=`echo ${args} | grep OCSP-Test`
+ if [ ! -z "${hasOCSP}" ]; then
+ Display "SKIPPING ${testPgm} ${testPurpose}"
+ continue
+ fi
+ fi
+
+ if [ ${doNIST} -eq 0 ]; then
+ hasNIST=`echo ${args} | grep NIST-Test`
+ if [ ! -z "${hasNIST}" ]; then
+ Display "SKIPPING ${testPgm} ${testPurpose}"
+ continue
+ fi
+ fi
+
+ # This "if" is not reached when doNIST is not set. The assumption
+ # is that NIST tests are basic, NIST Path Discovery tests are
+ # additional
+ if [ ${doNIST_PDTest} -eq 0 ]; then
+ hasNIST=`echo ${args} | grep NIST-PDTest`
+ if [ ! -z "${hasNIST}" ]; then
+ Display "SKIPPING ${testPgm} ${testPurpose}"
+ continue
+ fi
+ fi
+
+ Display "RUNNING ${testPgm} ${arenaCmd} ${testPurpose}"
+
+ numtests=`expr ${numtests} + 1`
+
+ if [ ${checkmem} -eq 1 ]; then
+ dbx -C -c "runargs ${arenaCmd} ${args};check -all;run;exit" ${DIST_BIN}/${testPgm} > ${testOut} 2>&1
+ else
+ ${DIST_BIN}/${testPgm} ${arenaCmd} ${args} > ${testOut} 2>&1
+ fi
+
+ # Examine output file to see if test failed and keep track of number
+ # of failures and names of failed tests. This assumes that the test
+ # uses our utility library for displaying information
+
+ cat ${testOut} | tail -2 | grep "COMPLETED SUCCESSFULLY" >/dev/null 2>&1
+
+ if [ $? -ne 0 ]; then
+ testFail=1
+ errors=`expr ${errors} + 1`
+ failedpgms="${failedpgms}\n${testPgm} ${testPurpose} "
+# cat ${testOut}
+ else
+ testFail=0
+ passed=`expr ${passed} + 1`
+ fi
+ cat ${testOut}
+ html_msg ${testFail} 0 "${testPgm} ${arenaCmd} ${shortTestPurpose}"
+
+ if [ ${checkmem} -eq 1 ]; then
+ grep "(actual leaks:" ${testOut} > ${testOutMem} 2>&1
+ if [ $? -ne 0 ]; then
+ prematureErrors=`expr ${prematureErrors} + 1`
+ failedprematurepgms="${failedprematurepgms}${testPgm} "
+ Display "...program terminated prematurely (unable to check for memory leak errors) ..."
+ else
+ #grep "(actual leaks: 0" ${testOut} > /dev/null 2>&1
+ # special consideration for memory leak in NSS_NoDB_Init
+ grep "(actual leaks: 1 total size: 4 bytes)" ${testOut} > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ memErrors=`expr ${memErrors} + 1`
+ failedmempgms="${failedmempgms}${testPgm} "
+ cat ${testOutMem}
+ fi
+ fi
+ fi
+
+ done
+
+ if [ ${errors} -eq 0 ]; then
+ if [ ${memErrors} -eq 0 ]; then
+ Display ""
+ Display "************************************************************"
+ Display "END OF TESTS FOR PKIX ${testunit}: ALL TESTS COMPLETED SUCCESSFULLY"
+ Display "************************************************************"
+ Display ""
+ return 0
+ fi
+ fi
+
+ if [ ${errors} -eq 1 ]; then
+ plural=""
+ else
+ plural="S"
+ fi
+
+ Display ""
+ Display "*******************************************************************************"
+ Display "END OF TESTS FOR PKIX ${testunit}: ${errors} UNIT TEST${plural} FAILED: ${failedpgms}"
+ Display ""
+ if [ ${checkmem} -eq 1 ]; then
+ if [ ${memErrors} -eq 1 ]; then
+ memPlural=""
+ else
+ memPlural="S"
+ fi
+ Display " ${memErrors} MEMORY LEAK TEST${memPlural} FAILED: ${failedmempgms}"
+
+ if [ ${prematureErrors} -ne 0 ]; then
+ if [ ${prematureErrors} -eq 1 ]; then
+ prematurePlural=""
+ else
+ prematurePlural="S"
+ fi
+ Display " ${prematureErrors} MEMORY LEAK TEST${prematurePlural} INDETERMINATE: ${failedprematurepgms}"
+ fi
+
+ fi
+ Display "*******************************************************************************"
+ Display ""
+ combinedErrors=`expr ${errors} + ${memErrors} + ${prematureErrors}`
+
+ return ${combinedErrors}
+
+}
diff --git a/security/nss/tests/libpkix/common/libpkix_init_nist.sh b/security/nss/tests/libpkix/common/libpkix_init_nist.sh
new file mode 100644
index 000000000..d4dfd2a6c
--- /dev/null
+++ b/security/nss/tests/libpkix/common/libpkix_init_nist.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# libpkix_init_nist.sh
+#
+
+#
+# Any test that uses NIST files should have a tag of either NIST-Test or
+# NIST-Test-Files-Used at the command option so if there are no NIST files
+# installed in the system, the test can be skipped
+#
+
+if [ -z "${NIST_FILES_DIR}" ] ; then
+ Display ""
+ Display "*******************************************************************************"
+ Display "The environment variable NIST_FILES_DIR is not defined. Therefore"
+ Display "tests depending on it will be skipped. To enable these tests set"
+ Display "NIST_FILES_DIR to the directory where NIST Certificates and CRLs"
+ Display "are located."
+ Display "*******************************************************************************"
+ Display ""
+ doNIST=0
+else
+
+ NIST=${NIST_FILES_DIR}
+ doNIST=1
+fi
+
+#
+# Any tests that use NIST Path Discovery files should have a tag of NIST-PDTest
+# at the command option so if there are no NIST Path Discovery files
+# installed in the system, the test can be skipped
+#
+if [ ${doPD} -eq 1 -a -z "${PDVAL}" ] ; then
+
+ Display ""
+ Display "*******************************************************************************"
+ Display "The environment variable PDVAL is not defined. Therefore tests"
+ Display "depending on it will be skipped. To enable these tests set PDVAL to"
+ Display "the directory where NIST Path Discovery Certificates are located."
+ Display "*******************************************************************************"
+ Display ""
+ doNIST_PDTest=0
+else
+
+ NIST_PDTEST=${PDVAL}
+ doNIST_PDTest=1
+fi
+
+#
+# Any tests that use an OCSP Server should have a tag of OCSP-Test at the
+# command option so if there is no OCSP Server installed in the system, the
+# test can be skipped
+#
+if [ ${doOCSP} -eq 1 -a -z "${OCSP}" ] ; then
+
+ Display ""
+ Display "*******************************************************************************"
+ Display "The environment variable OCSP is not defined. Therefore tests"
+ Display "depending on it will be skipped. To enable these tests set OCSP"
+ Display "non-NULL (the actual URI used is taken from the AIA extension)."
+ Display "*******************************************************************************"
+ Display ""
+ doOCSPTest=0
+else
+ doOCSPTest=1
+fi
diff --git a/security/nss/tests/libpkix/libpkix.sh b/security/nss/tests/libpkix/libpkix.sh
new file mode 100755
index 000000000..25d38ccbe
--- /dev/null
+++ b/security/nss/tests/libpkix/libpkix.sh
@@ -0,0 +1,139 @@
+#! /bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+totalErrors=0
+pkixErrors=0
+pkixplErrors=0
+checkMemArg=""
+arenasArg=""
+quietArg=""
+memText=""
+
+############################## libpkix_init ###############################
+# local shell function to initialize this script
+########################################################################
+libpkix_init()
+{
+ SCRIPTNAME="libpkix.sh"
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ LIBPKIX_CURDIR=`pwd`
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ cd ${LIBPKIX_CURDIR}
+
+ SCRIPTNAME="libpkix.sh"
+}
+
+############################## libpkix_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+libpkix_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+############################## libpkix_UT_main ############################
+# local shell function to run libpkix unit tests
+########################################################################
+ParseArgs ()
+{
+ while [ $# -gt 0 ]; do
+ if [ $1 == "-checkmem" ]; then
+ checkMemArg=$1
+ memText=" (Memory Checking Enabled)"
+ elif [ $1 == "-quiet" ]; then
+ quietArg=$1
+ elif [ $1 == "-arenas" ]; then
+ arenasArg=$1
+ fi
+ shift
+ done
+}
+
+libpkix_UT_main()
+{
+
+html_head "LIBPKIX Unit Tests"
+
+ParseArgs
+
+echo "*******************************************************************************"
+echo "START OF ALL TESTS${memText}"
+echo "*******************************************************************************"
+echo ""
+
+echo "RUNNING tests in pkix_pl_test";
+html_msg 0 0 "Running tests in pkix_pl_test:"
+cd pkix_pl_tests;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixplErrors=$?
+html_msg $? 0 "Results of tests in pkix_pl_test"
+
+echo "RUNNING tests in pkix_test";
+html_msg 0 0 "Running tests in pkix_test:"
+cd ../pkix_tests;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixErrors=$?
+html_msg $? 0 "Results of tests in pkix_test"
+
+echo "RUNNING performance tests in sample_apps";
+html_msg 0 0 "Running performance tests in sample_apps:"
+cd ../sample_apps;
+runPerf.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixPerfErrors=$?
+html_msg $? 0 "Results of performance tests in sample_apps"
+
+totalErrors=`expr ${pkixErrors} + ${pkixplErrors} + ${pkixPerfErrors}`
+
+if [ ${totalErrors} -eq 0 ]; then
+ echo ""
+ echo "************************************************************"
+ echo "END OF ALL TESTS: ALL TESTS COMPLETED SUCCESSFULLY"
+ echo "************************************************************"
+ html_msg ${totalErrors} 0 "ALL LIBPKIX TESTS COMPLETED SUCCESSFULLY"
+
+ return 0
+fi
+
+if [ ${totalErrors} -eq 1 ]; then
+ plural=""
+else
+ plural="S"
+fi
+
+if [ ${totalErrors} -ne 0 ]; then
+ echo ""
+ echo "************************************************************"
+ echo "END OF ALL TESTS: ${totalErrors} TEST${plural} FAILED"
+ echo "************************************************************"
+ html_msg 1 0 "${totalErrors} LIBPKIX TEST${plural} FAILED"
+return 1
+fi
+}
+
+libpkix_run_tests()
+{
+ if [ -n "${BUILD_LIBPKIX_TESTS}" ]; then
+ libpkix_UT_main
+ fi
+}
+
+################## main #################################################
+
+libpkix_init
+libpkix_run_tests
+libpkix_cleanup
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db b/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db
new file mode 100755
index 000000000..f09bebbcf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db b/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db
new file mode 100755
index 000000000..5c3b3ebbb
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl
new file mode 100755
index 000000000..d076ef89f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl
new file mode 100755
index 000000000..1ad019ed1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl
new file mode 100755
index 000000000..6c9f0dbaa
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl
new file mode 100755
index 000000000..c1c83ba2c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt
new file mode 100755
index 000000000..89b59d17d
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt
new file mode 100755
index 000000000..a80c10cd3
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt
new file mode 100755
index 000000000..3cd7bc9bc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt
new file mode 100755
index 000000000..b0119ed26
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt
new file mode 100755
index 000000000..f90df0dac
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh
new file mode 100755
index 000000000..4c4cebe28
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh
@@ -0,0 +1,101 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=MODULE
+doModule=1
+
+### setup NIST files need to link in
+linkModuleNistFiles="InvalidDNnameConstraintsTest3EE.crt
+ InvalidonlySomeReasonsTest21EE.crt
+ indirectCRLCA3cRLIssuerCRL.crl
+ nameConstraintsDN3subCA2Cert.crt
+ nameConstraintsDN4CACert.crt
+ nameConstraintsDN5CACert.crt
+ onlyContainsAttributeCertsCACRL.crl
+ onlyContainsCACertsCACRL.crl
+ onlyContainsUserCertsCACRL.crl
+ onlySomeReasonsCA3compromiseCRL.crl
+ requireExplicitPolicy2CACert.crt
+ inhibitPolicyMapping5CACert.crt
+ inhibitAnyPolicy5CACert.crt
+ inhibitAnyPolicy0CACert.crt
+ P1Mapping1to234CACert.crt
+ UserNoticeQualifierTest15EE.crt
+ UserNoticeQualifierTest16EE.crt
+ UserNoticeQualifierTest17EE.crt
+ UserNoticeQualifierTest18EE.crt
+ CPSPointerQualifierTest20EE.crt"
+
+if [ -n "${NIST_FILES_DIR}" ]; then
+ if [ ! -d ${HOSTDIR}/rev_data/local ]; then
+ mkdir -p ${HOSTDIR}/rev_data/local
+ fi
+
+ for i in ${linkModuleNistFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+ rm ${HOSTDIR}/rev_data/local/$i
+ fi
+ cp ${NIST_FILES_DIR}/$i ${HOSTDIR}/rev_data/local/$i
+ done
+
+ localCRLFiles="crlgood.crl
+ crldiff.crl
+ issuer-hanfei.crl
+ issuer-none.crl"
+
+ for i in ${localCRLFiles}; do
+ cp ${curdir}/rev_data/local/$i ${HOSTDIR}/rev_data/local/$i
+ done
+fi
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+SOCKETTRACE=0
+export SOCKETTRACE
+
+RunTests <<EOF
+pkixutil test_colcertstore NIST-Test-Files-Used rev_data/local ${HOSTDIR}
+pkixutil test_pk11certstore -d ../../pkix_pl_tests/module ../../pkix_tests/top/rev_data/crlchecker
+pkixutil test_ekuchecker "Test-EKU-without-OID" ENE "" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-with-good-OID" ENE "1.3.6.1.5.5.7.3.3" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-with-bad-OID" EE "1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-with-good-and-bad-OID" EE "1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-with-good-OID" ENE "E1.3.6.1.5.5.7.3.3" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-with-bad-OID" EE "E1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-serverAuth" ENE "1.3.6.1.5.5.7.3.1" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-clientAuth" ENE "1.3.6.1.5.5.7.3.2" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-codesigning-without-OID" EE "1.3.6.1.5.5.7.3.3" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-emailProtection" ENE "1.3.6.1.5.5.7.3.4" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-timestamping" ENE "1.3.6.1.5.5.7.3.8" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-OCSPSigning" ENE "1.3.6.1.5.5.7.3.9" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-serverAuth" ENE "E1.3.6.1.5.5.7.3.1" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-clientAuth" ENE "E1.3.6.1.5.5.7.3.2" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-codesigning-without-OID" EE "E1.3.6.1.5.5.7.3.3" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-emailProtection" ENE "E1.3.6.1.5.5.7.3.4" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-timestamping" ENE "E1.3.6.1.5.5.7.3.8" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-ocspSigning" ENE "E1.3.6.1.5.5.7.3.9" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_socket ${HOSTADDR}:2000
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db b/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db
new file mode 100755
index 000000000..772583d58
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README
new file mode 100755
index 000000000..50e1b98ec
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README
@@ -0,0 +1,3 @@
+If the total number of CRL files is changed in this directory,
+the define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS under the
+test directory also need to be changed. \ No newline at end of file
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl
new file mode 100755
index 000000000..d076ef89f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl
new file mode 100755
index 000000000..1ad019ed1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl
new file mode 100755
index 000000000..6c9f0dbaa
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl
new file mode 100755
index 000000000..c1c83ba2c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh
new file mode 100755
index 000000000..7857aad3f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+doPD=1
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=PKI
+doPki=1
+
+### setup NIST files need to link in
+linkPkiNistFiles="InvalidDNnameConstraintsTest3EE.crt
+ InvalidonlySomeReasonsTest21EE.crt
+ indirectCRLCA3cRLIssuerCRL.crl
+ nameConstraintsDN3subCA2Cert.crt
+ nameConstraintsDN4CACert.crt
+ nameConstraintsDN5CACert.crt
+ onlyContainsAttributeCertsCACRL.crl
+ onlyContainsCACertsCACRL.crl
+ onlyContainsUserCertsCACRL.crl
+ onlySomeReasonsCA3compromiseCRL.crl
+ requireExplicitPolicy2CACert.crt
+ inhibitPolicyMapping5CACert.crt
+ inhibitAnyPolicy5CACert.crt
+ inhibitAnyPolicy0CACert.crt
+ P1Mapping1to234CACert.crt
+ UserNoticeQualifierTest15EE.crt
+ UserNoticeQualifierTest16EE.crt
+ UserNoticeQualifierTest17EE.crt
+ UserNoticeQualifierTest18EE.crt
+ CPSPointerQualifierTest20EE.crt"
+
+if [ -n "${NIST_FILES_DIR}" ]; then
+ if [ ! -d ${HOSTDIR}/rev_data/local ]; then
+ mkdir -p ${HOSTDIR}/rev_data/local
+ fi
+
+ for i in ${linkPkiNistFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+ rm ${HOSTDIR}/rev_data/local/$i
+ fi
+ cp ${NIST_FILES_DIR}/$i ${HOSTDIR}/rev_data/local/$i
+ done
+fi
+
+##########
+# main
+#########
+
+TZ=US/Eastern
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_cert NIST-Test-Files-Used ../../certs ${HOSTDIR}/rev_data/local
+pkixutil test_crl NIST-Test-Files-Used ../../certs
+pkixutil test_x500name
+pkixutil test_generalname
+pkixutil test_date NIST-Test-Files-Used
+pkixutil test_crlentry ../../certs
+pkixutil test_nameconstraints NIST-Test-Files-Used rev_data/local ${HOSTDIR}
+pkixutil test_authorityinfoaccess NIST-PDTest ${NIST_PDTEST} certs/BasicLDAPURIPathDiscoveryOU1EE1.crt certs/BasicHTTPURITrustAnchorRootCert.crt
+pkixutil test_subjectinfoaccess NIST-PDTest ${NIST_PDTEST} certs/BasicHTTPURITrustAnchorRootCert.crt certs/BasicLDAPURIPathDiscoveryOU1EE1.crt
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
+
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh
new file mode 100755
index 000000000..89ad1cb7a
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+testunit="PKIX_PL"
+
+totalErrors=0
+moduleErrors=0
+systemErrors=0
+pkiErrors=0
+quiet=0
+
+checkMemArg=""
+arenasArg=""
+quietArg=""
+
+### ParseArgs
+myParseArgs() # args
+{
+ while [ $# -gt 0 ]; do
+ if [ $1 = "-checkmem" ]; then
+ checkMemArg=$1
+ elif [ $1 = "-quiet" ]; then
+ quietArg=$1
+ quiet=1
+ elif [ $1 = "-arenas" ]; then
+ arenasArg=$1
+ fi
+ shift
+ done
+}
+
+myParseArgs $*
+
+testHeadingEcho
+
+echo "RUNNING tests in pki";
+cd pki;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkiErrors=$?
+
+echo "RUNNING tests in system";
+cd ../system;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+systemErrors=$?
+
+echo "RUNNING tests in module";
+cd ../module;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+moduleErrors=$?
+
+totalErrors=`expr $moduleErrors + $systemErrors + $pkiErrors`
+
+testEndingEcho
+
+exit ${totalErrors}
+
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh
new file mode 100755
index 000000000..ec166cd08
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=SYSTEM
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_mem
+pkixutil test_object
+pkixutil test_string
+pkixutil test_bigint
+pkixutil test_bytearray
+pkixutil test_mutex
+pkixutil test_mutex2
+pkixutil test_mutex3
+pkixutil test_monitorlock
+pkixutil test_oid
+pkixutil test_hashtable
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
+
+
+
diff --git a/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage b/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage
new file mode 100755
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage
diff --git a/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh b/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh
new file mode 100755
index 000000000..050e4aeef
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=CERTSEL
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_comcertselparams ${NIST} NIST-Test-Files-Used
+pkixutil test_certselector ${NIST} NIST-Test-Files-Used ../../pkix_pl_tests/module/rev_data
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh b/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh
new file mode 100755
index 000000000..b63b2c576
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=CHECKER
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_certchainchecker
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh b/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh
new file mode 100755
index 000000000..7f5d2bf66
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=CRLSEL
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_comcrlselparams ../../certs
+pkixutil test_crlselector
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/params/runTests.sh b/security/nss/tests/libpkix/pkix_tests/params/runTests.sh
new file mode 100755
index 000000000..cd0e38a71
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/params/runTests.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=PARAMS
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_valparams ../../certs
+pkixutil test_procparams ../../certs
+pkixutil test_trustanchor ${NIST} ../../certs NIST-Test-Files-Used
+pkixutil test_resourcelimits
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/results/runTests.sh b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh
new file mode 100755
index 000000000..8a8461029
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=RESULTS
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_policynode ${NIST} NIST-Test-Files-Used
+pkixutil test_valresult ../../certs
+pkixutil test_buildresult ../../certs
+pkixutil test_verifynode ${NIST} TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/runTests.sh b/security/nss/tests/libpkix/pkix_tests/runTests.sh
new file mode 100755
index 000000000..9f1b895fb
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/runTests.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+testunit="PKIX"
+
+totalErrors=0
+utilErrors=0
+crlselErrors=0
+paramsErrors=0
+resultsErrors=0
+topErrors=0
+checkerErrors=0
+certselErrors=0
+quiet=0
+
+checkMemArg=""
+arenasArg=""
+quietArg=""
+memText=""
+
+### ParseArgs
+ParseArgs() # args
+{
+ while [ $# -gt 0 ]; do
+ if [ $1 = "-checkmem" ]; then
+ checkMemArg=$1
+ memText=" (Memory Checking Enabled)"
+ elif [ $1 = "-quiet" ]; then
+ quietArg=$1
+ quiet=1
+ elif [ $1 = "-arenas" ]; then
+ arenasArg=$1
+ fi
+ shift
+ done
+}
+
+ParseArgs $*
+
+testHeadingEcho
+
+echo "RUNNING tests in certsel";
+cd certsel;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+certselErrors=$?
+
+echo "RUNNING tests in checker";
+cd ../checker;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+checkerErrors=$?
+
+echo "RUNNING tests in results";
+cd ../results;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+resultsErrors=$?
+
+echo "RUNNING tests in params";
+cd ../params;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+paramsErrors=$?
+
+echo "RUNNING tests in crlsel";
+cd ../crlsel;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+crlselErrors=$?
+
+echo "RUNNING tests in store";
+cd ../store;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+storeErrors=$?
+
+echo "RUNNING tests in util";
+cd ../util;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+utilErrors=$?
+
+echo "RUNNING tests in top";
+cd ../top;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+topErrors=$?
+
+totalErrors=`expr ${certselErrors} + ${checkerErrors} + ${resultsErrors} + ${paramsErrors} + ${crlselErrors} + ${storeErrors} + ${utilErrors} + ${topErrors}`
+
+testEndingEcho
+
+exit ${totalErrors}
+
diff --git a/security/nss/tests/libpkix/pkix_tests/store/runTests.sh b/security/nss/tests/libpkix/pkix_tests/store/runTests.sh
new file mode 100755
index 000000000..7b0bb3745
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/store/runTests.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=STORE
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_store genericCertStore rev_data/crlchecker ${HOSTDIR}
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt b/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt
new file mode 100644
index 000000000..1e2f7c7a1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt
new file mode 100755
index 000000000..66563db40
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl
new file mode 100755
index 000000000..6cd8d2577
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl
new file mode 100755
index 000000000..8c96b41dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt
new file mode 100755
index 000000000..119368ca5
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl
new file mode 100755
index 000000000..8c96b41dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl
new file mode 100755
index 000000000..8c96b41dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt
new file mode 100755
index 000000000..66563db40
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt
new file mode 100755
index 000000000..b11826f97
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt
new file mode 100755
index 000000000..2b4387d6c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt
new file mode 100755
index 000000000..b11826f97
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt
new file mode 100755
index 000000000..2b4387d6c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/cert8.db b/security/nss/tests/libpkix/pkix_tests/top/cert8.db
new file mode 100644
index 000000000..a2bb46756
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/cert8.db
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt b/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt
new file mode 100644
index 000000000..c9904f4e0
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/key3.db b/security/nss/tests/libpkix/pkix_tests/top/key3.db
new file mode 100644
index 000000000..fd1bee826
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/key3.db
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl
new file mode 100755
index 000000000..9619c22cf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt
new file mode 100755
index 000000000..0022f3cbf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt
new file mode 100755
index 000000000..50be7df1f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl
new file mode 100755
index 000000000..2deed93ed
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl
new file mode 100755
index 000000000..fa9b2dc69
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt
new file mode 100755
index 000000000..04bc5f16a
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl
new file mode 100755
index 000000000..675e9a53f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt
new file mode 100755
index 000000000..e12232b8a
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt
new file mode 100755
index 000000000..f5a165baa
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt
new file mode 100755
index 000000000..ca09c166e
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl
new file mode 100755
index 000000000..e37aa9c24
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt b/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt
new file mode 100644
index 000000000..0715ceb7b
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/top/runTests.sh b/security/nss/tests/libpkix/pkix_tests/top/runTests.sh
new file mode 100755
index 000000000..1e2080939
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/runTests.sh
@@ -0,0 +1,517 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+
+LDAP='nss.red.iplanet.com:1389'
+export LDAP
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+doPD=1
+doOCSP=1
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=TOP
+doTop=1
+linkMStoreNistFiles="store1/TrustAnchorRootCRL.crl
+ store1/TwoCRLsCABadCRL.crl
+ store2/TwoCRLsCAGoodCRL.crl"
+
+if [ ! -z "${NIST_FILES_DIR}" ] ; then
+ if [ -d ${HOSTDIR}/rev_data/multiple_certstores ]; then
+ rm -fr ${HOSTDIR}/rev_data/multiple_certstores
+ fi
+ mkdir -p ${HOSTDIR}/rev_data/multiple_certstores
+ mkdir -p ${HOSTDIR}/rev_data/multiple_certstores/store1
+ mkdir -p ${HOSTDIR}/rev_data/multiple_certstores/store2
+ for i in ${linkMStoreNistFiles}; do
+ if [ -f ${HOSTDIR}/rev_data/multiple_certstores/$i ]; then
+ rm ${HOSTDIR}/rev_data/multiple_certstores/$i
+ fi
+ fname=`basename $i`
+ cp ${NIST_FILES_DIR}/${fname} ${HOSTDIR}/rev_data/multiple_certstores/$i
+ done
+fi
+
+ocspFiles="goodcert.crt revokedcert.crt anchorcert.crt
+ secmod.db key3.db cert8.db"
+
+if [ ! -z ${doOCSPTest} ] ; then
+ if [ -d ${HOSTDIR}/ocsp ]; then
+ rm -fr ${HOSTDIR}/ocsp
+ fi
+ mkdir -p ${HOSTDIR}/ocsp
+ for i in ${ocspFiles}; do
+ cp $i ${HOSTDIR}/ocsp/$i
+
+ done
+fi
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+Display ""
+Display "# ENE = expect no error (validation should succeed)"
+Display "# EE = expect error (validation should fail)"
+Display ""
+
+LOGGING=1
+SOCKETTRACE=1
+export LOGGING SOCKETTRACE
+
+RunTests <<EOF
+pkixutil test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+EOF
+
+tracedErrors=$?
+
+LOGGING=0
+SOCKETTRACE=0
+
+RunTests <<EOF
+pkixutil test_basicchecker ../../certs
+pkixutil test_basicconstraintschecker "Two-Certificates-Chain" ENE ../../certs hy2hy-bc0 hy2hc-bc
+pkixutil test_basicconstraintschecker "Three-Certificates-Chain" ENE ../../certs hy2hy-bc0 hy2hy-bc0 hy2hc-bc
+pkixutil test_basicconstraintschecker "Four-Certificates-Chain-with-error" EE ../../certs hy2hy-bc0 hy2hy-bc0 hy2hc-bc hy2hc-bc
+pkixutil test_validatechain_bc ../../certs/hy2hy-bc0 ../../certs/hy2hc-bc
+pkixutil test_policychecker NIST-Test-Files-Used ENE $NIST ../../certs
+pkixutil test_defaultcrlchecker2stores NIST-Test.4.4.7-with-multiple-CRL-stores ENE $NIST ${HOSTDIR}/rev_data/multiple_certstores/store1 ${HOSTDIR}/rev_data/multiple_certstores/store2 TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt
+pkixutil test_buildchain_resourcelimits ${LDAP} NIST-Test.4.5.1 ENE $NIST ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_customcrlchecker "CRL-test-without-revocation" ENE rev_data/crlchecker sci2sci.crt sci2phy.crt phy2prof.crt prof2test.crt
+pkixutil test_customcrlchecker "CRL-test-with-revocation-reasoncode" EE rev_data/crlchecker sci2sci.crt sci2chem.crt chem2prof.crt prof2test.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0R:testcertificates.gov+R:Test23EE@testcertificates.gov" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0R:TEST.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0N:testcertificates.gov+N:testserver.testcertificates.gov" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0N:notestcertificates.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0U:.gov+U:http://testserver.testcertificates.gov/index.html" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0U:test.testcertificates.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "1D:C=US+D:CN=Certificates,C=US" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0D:O=TestCertificates,C=CN" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt
+pkixutil test_validatechain "CRL-test-without-key-usage-cRLsign-bit-NIST-Test-Files-Used" EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt
+pkixutil test_validatechain NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.1.6 EE $NIST TrustAnchorRootCertificate.crt DSACACert.crt InvalidDSASignatureTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.2.1 EE $NIST TrustAnchorRootCertificate.crt BadnotBeforeDateCACert.crt InvalidCAnotBeforeDateTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.2.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotBeforeDateTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.2.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Validpre2000UTCnotBeforeDateTest3EE.crt
+pkixutil test_validatechain NIST-Test.4.2.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotBeforeDateTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.2.5 EE $NIST TrustAnchorRootCertificate.crt BadnotAfterDateCACert.crt InvalidCAnotAfterDateTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.2.6 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotAfterDateTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.2.7 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+pkixutil test_validatechain NIST-Test.4.2.8 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotAfterDateTest8EE.crt
+pkixutil test_validatechain NIST-Test.4.3.1 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidNameChainingTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.3.2 EE $NIST TrustAnchorRootCertificate.crt NameOrderingCACert.crt InvalidNameChainingOrderTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.3.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest3EE.crt
+pkixutil test_validatechain NIST-Test.4.3.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.3.5 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingCapitalizationTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.3.6 ENE $NIST TrustAnchorRootCertificate.crt UIDCACert.crt ValidNameUIDsTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.3.9 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringEncodedNamesCACert.crt ValidUTF8StringEncodedNamesTest9EE.crt
+pkixutil test_validatechain NIST-Test.4.3.10 ENE $NIST TrustAnchorRootCertificate.crt RolloverfromPrintableStringtoUTF8StringCACert.crt ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+pkixutil test_validatechain NIST-Test.4.3.11 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringCaseInsensitiveMatchCACert.crt ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+pkixutil test_validatechain NIST-Test.4.4.1 EE $NIST TrustAnchorRootCertificate.crt NoCRLCACert.crt InvalidMissingCRLTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.4.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt RevokedsubCACert.crt InvalidRevokedCATest2EE.crt
+pkixutil test_validatechain NIST-Test.4.4.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidRevokedEETest3EE.crt
+pkixutil test_validatechain NIST-Test.4.4.4 EE $NIST TrustAnchorRootCertificate.crt BadCRLSignatureCACert.crt InvalidBadCRLSignatureTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.4.5 EE $NIST TrustAnchorRootCertificate.crt BadCRLIssuerNameCACert.crt InvalidBadCRLIssuerNameTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.4.6 EE $NIST TrustAnchorRootCertificate.crt WrongCRLCACert.crt InvalidWrongCRLTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.4.7 ENE $NIST TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt
+pkixutil test_validatechain NIST-Test.4.4.8 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLEntryExtensionCACert.crt InvalidUnknownCRLEntryExtensionTest8EE.crt
+pkixutil test_validatechain NIST-Test.4.4.9 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest9EE.crt
+pkixutil test_validatechain NIST-Test.4.4.10 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest10EE.crt
+pkixutil test_validatechain NIST-Test.4.4.11 EE $NIST TrustAnchorRootCertificate.crt OldCRLnextUpdateCACert.crt InvalidOldCRLnextUpdateTest11EE.crt
+pkixutil test_validatechain NIST-Test.4.4.12 EE $NIST TrustAnchorRootCertificate.crt pre2000CRLnextUpdateCACert.crt Invalidpre2000CRLnextUpdateTest12EE.crt
+pkixutil test_validatechain NIST-Test.4.4.13 ENE $NIST TrustAnchorRootCertificate.crt GeneralizedTimeCRLnextUpdateCACert.crt ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+pkixutil test_validatechain NIST-Test.4.4.14 ENE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt ValidNegativeSerialNumberTest14EE.crt
+pkixutil test_validatechain NIST-Test.4.4.15 EE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt InvalidNegativeSerialNumberTest15EE.crt
+pkixutil test_validatechain NIST-Test.4.4.16 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest16EE.crt
+pkixutil test_validatechain NIST-Test.4.4.17 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest17EE.crt
+pkixutil test_validatechain NIST-Test.4.4.18 EE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt InvalidLongSerialNumberTest18EE.crt
+pkixutil test_validatechain NIST-Test.4.4.20 EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain NIST-Test.4.5.1 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt ValidBasicSelfIssuedOldWithNewTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.5.2 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.5.5 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.5.7 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+pkixutil test_validatechain NIST-Test.4.5.8 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+pkixutil test_validatechain_NB "CRL-test-without-key-usage-cRLsign-bit-NIST-Test-Files-Used" EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.6 EE $NIST TrustAnchorRootCertificate.crt DSACACert.crt InvalidDSASignatureTest6EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.1 EE $NIST TrustAnchorRootCertificate.crt BadnotBeforeDateCACert.crt InvalidCAnotBeforeDateTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotBeforeDateTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Validpre2000UTCnotBeforeDateTest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotBeforeDateTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.5 EE $NIST TrustAnchorRootCertificate.crt BadnotAfterDateCACert.crt InvalidCAnotAfterDateTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.6 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotAfterDateTest6EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.7 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.8 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotAfterDateTest8EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.1 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidNameChainingTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.2 EE $NIST TrustAnchorRootCertificate.crt NameOrderingCACert.crt InvalidNameChainingOrderTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.5 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingCapitalizationTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.6 ENE $NIST TrustAnchorRootCertificate.crt UIDCACert.crt ValidNameUIDsTest6EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.9 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringEncodedNamesCACert.crt ValidUTF8StringEncodedNamesTest9EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.10 ENE $NIST TrustAnchorRootCertificate.crt RolloverfromPrintableStringtoUTF8StringCACert.crt ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.11 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringCaseInsensitiveMatchCACert.crt ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.1 EE $NIST TrustAnchorRootCertificate.crt NoCRLCACert.crt InvalidMissingCRLTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt RevokedsubCACert.crt InvalidRevokedCATest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidRevokedEETest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.4 EE $NIST TrustAnchorRootCertificate.crt BadCRLSignatureCACert.crt InvalidBadCRLSignatureTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.5 EE $NIST TrustAnchorRootCertificate.crt BadCRLIssuerNameCACert.crt InvalidBadCRLIssuerNameTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.6 EE $NIST TrustAnchorRootCertificate.crt WrongCRLCACert.crt InvalidWrongCRLTest6EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.7 ENE $NIST TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.8 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLEntryExtensionCACert.crt InvalidUnknownCRLEntryExtensionTest8EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.9 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest9EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.10 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest10EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.11 EE $NIST TrustAnchorRootCertificate.crt OldCRLnextUpdateCACert.crt InvalidOldCRLnextUpdateTest11EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.12 EE $NIST TrustAnchorRootCertificate.crt pre2000CRLnextUpdateCACert.crt Invalidpre2000CRLnextUpdateTest12EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.13 ENE $NIST TrustAnchorRootCertificate.crt GeneralizedTimeCRLnextUpdateCACert.crt ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.14 ENE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt ValidNegativeSerialNumberTest14EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.15 EE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt InvalidNegativeSerialNumberTest15EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.16 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest16EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.17 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest17EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.18 EE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt InvalidLongSerialNumberTest18EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.20 EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.1 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt ValidBasicSelfIssuedOldWithNewTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.2 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.5 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.7 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.8 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.1 EE $NIST TrustAnchorRootCertificate.crt MissingbasicConstraintsCACert.crt InvalidMissingbasicConstraintsTest1EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.2 EE $NIST TrustAnchorRootCertificate.crt basicConstraintsCriticalcAFalseCACert.crt InvalidcAFalseTest2EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.3 EE $NIST TrustAnchorRootCertificate.crt basicConstraintsNotCriticalcAFalseCACert.crt InvalidcAFalseTest3EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.4 ENE $NIST TrustAnchorRootCertificate.crt basicConstraintsNotCriticalCACert.crt ValidbasicConstraintsNotCriticalTest4EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.5 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0subCACert.crt InvalidpathLenConstraintTest5EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.6 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0subCACert.crt InvalidpathLenConstraintTest6EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.7 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt ValidpathLenConstraintTest7EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.8 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt ValidpathLenConstraintTest8EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.9 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt InvalidpathLenConstraintTest9EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.10 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt InvalidpathLenConstraintTest10EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.11 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subsubsubCA11XCert.crt InvalidpathLenConstraintTest11EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.12 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subsubsubCA11XCert.crt InvalidpathLenConstraintTest12EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.13 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subsubsubCA41XCert.crt ValidpathLenConstraintTest13EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.14 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subsubsubCA41XCert.crt ValidpathLenConstraintTest14EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.15 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0SelfIssuedCACert.crt ValidSelfIssuedpathLenConstraintTest15EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.16 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0subCA2Cert.crt InvalidSelfIssuedpathLenConstraintTest16EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.17 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint1CACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedsubCACert.crt ValidSelfIssuedpathLenConstraintTest17EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.1" EE $NIST TrustAnchorRootCertificate.crt keyUsageCriticalkeyCertSignFalseCACert.crt InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.2" EE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.3" ENE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalCACert.crt ValidkeyUsageNotCriticalTest3EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.4" EE $NIST TrustAnchorRootCertificate.crt keyUsageCriticalcRLSignFalseCACert.crt InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.5" EE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalcRLSignFalseCACert.crt InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.1-1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.1-2 ENE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.4 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1:2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.2.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt NoPoliciesCACert.crt AllCertificatesNoPoliciesTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.8.2.2 EE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt NoPoliciesCACert.crt AllCertificatesNoPoliciesTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.8.3.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.8.3.2 EE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.8.3.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1:2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.8.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCACert.crt DifferentPoliciesTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.8.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCA2Cert.crt DifferentPoliciesTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.8.6.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.8.6.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.8.6.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.8.7 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt PoliciesP123subCAP12Cert.crt PoliciesP123subsubCAP12P1Cert.crt DifferentPoliciesTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.8.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt PoliciesP12subCAP1Cert.crt PoliciesP12subsubCAP1P2Cert.crt DifferentPoliciesTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.8.9 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt PoliciesP123subCAP12Cert.crt PoliciesP123subsubCAP12P2Cert.crt PoliciesP123subsubsubCAP12P2P1Cert.crt
+pkixutil test_policychecker NIST-Test.4.8.10.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.8.10.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.8.10.3 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.8.11.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AllCertificatesanyPolicyTest11EE.crt
+pkixutil test_policychecker NIST-Test.4.8.11.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AllCertificatesanyPolicyTest11EE.crt
+pkixutil test_policychecker NIST-Test.4.8.12 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP3CACert.crt DifferentPoliciesTest12EE.crt
+pkixutil test_policychecker NIST-Test.4.8.13.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt
+pkixutil test_policychecker NIST-Test.4.8.13.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt
+pkixutil test_policychecker NIST-Test.4.8.13.3 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.3}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt
+pkixutil test_policychecker NIST-Test.4.8.14.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AnyPolicyTest14EE.crt
+pkixutil test_policychecker NIST-Test.4.8.14.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt anyPolicyCACert.crt AnyPolicyTest14EE.crt
+pkixutil test_policychecker NIST-Test.4.8.15.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt UserNoticeQualifierTest15EE.crt
+pkixutil test_policychecker NIST-Test.4.8.15.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt UserNoticeQualifierTest15EE.crt
+pkixutil test_policychecker NIST-Test.4.8.16.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest16EE.crt
+pkixutil test_policychecker NIST-Test.4.8.16.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest16EE.crt
+pkixutil test_policychecker NIST-Test.4.8.17 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest17EE.crt
+pkixutil test_policychecker NIST-Test.4.8.18.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt UserNoticeQualifierTest18EE.crt
+pkixutil test_policychecker NIST-Test.4.8.18.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt UserNoticeQualifierTest18EE.crt
+pkixutil test_policychecker NIST-Test.4.8.19 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt UserNoticeQualifierTest19EE.crt
+pkixutil test_policychecker NIST-Test.4.8.20 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt CPSPointerQualifierTest20EE.crt
+pkixutil test_policychecker NIST-Test.4.9.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy10CACert.crt requireExplicitPolicy10subCACert.crt requireExplicitPolicy10subsubCACert.crt requireExplicitPolicy10subsubsubCACert.crt ValidrequireExplicitPolicyTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.9.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy5CACert.crt requireExplicitPolicy5subCACert.crt requireExplicitPolicy5subsubCACert.crt requireExplicitPolicy5subsubsubCACert.crt ValidrequireExplicitPolicyTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.9.3 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy4CACert.crt requireExplicitPolicy4subCACert.crt requireExplicitPolicy4subsubCACert.crt requireExplicitPolicy4subsubsubCACert.crt InvalidrequireExplicitPolicyTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.9.4 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy0CACert.crt requireExplicitPolicy0subCACert.crt requireExplicitPolicy0subsubCACert.crt requireExplicitPolicy0subsubsubCACert.crt ValidrequireExplicitPolicyTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.9.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy7CACert.crt requireExplicitPolicy7subCARE2Cert.crt requireExplicitPolicy7subsubCARE2RE4Cert.crt requireExplicitPolicy7subsubsubCARE2RE4Cert.crt InvalidrequireExplicitPolicyTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.9.6 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.9.7 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt requireExplicitPolicy2subCACert.crt InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.9.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt requireExplicitPolicy2subCACert.crt requireExplicitPolicy2SelfIssuedsubCACert.crt InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.10.1.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.10.1.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.10.1.3 EE $NIST ../../certs "{2.5.29.32.0}" P TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.10.2.1 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt InvalidPolicyMappingTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.10.2.2 EE $NIST ../../certs "{2.5.29.32.0}" P TrustAnchorRootCertificate.crt Mapping1to2CACert.crt InvalidPolicyMappingTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.10.3.1 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt ValidPolicyMappingTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.10.3.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt ValidPolicyMappingTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.10.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt InvalidPolicyMappingTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.10.5.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.10.5.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.6}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.10.6.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.10.6.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.6}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest6EE.crt TrustAnchorRootCertificate.crt
+pkixutil test_policychecker NIST-Test.4.10.7.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingFromanyPolicyCACert.crt
+pkixutil test_policychecker NIST-Test.4.10.7.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingFromanyPolicyCACert.crt InvalidMappingFromanyPolicyTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.10.8.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingToanyPolicyCACert.crt
+pkixutil test_policychecker NIST-Test.4.10.8.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingToanyPolicyCACert.crt InvalidMappingToanyPolicyTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.10.9 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PanyPolicyMapping1to2CACert.crt ValidPolicyMappingTest9EE.crt
+pkixutil test_policychecker NIST-Test.4.10.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCAPanyPolicyMapping1to2CACert.crt InvalidPolicyMappingTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.10.11 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCAPanyPolicyMapping1to2CACert.crt ValidPolicyMappingTest11EE.crt
+pkixutil test_policychecker NIST-Test.4.10.12.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt ValidPolicyMappingTest12EE.crt
+pkixutil test_policychecker NIST-Test.4.10.12.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt ValidPolicyMappingTest12EE.crt
+pkixutil test_policychecker NIST-Test.4.10.13 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P1anyPolicyMapping1to2CACert.crt ValidPolicyMappingTest13EE.crt
+pkixutil test_policychecker NIST-Test.4.10.14 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P1anyPolicyMapping1to2CACert.crt ValidPolicyMappingTest14EE.crt
+pkixutil test_policychecker NIST-Test.4.11.1.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping0CACert.crt inhibitPolicyMapping0subCACert.crt
+pkixutil test_policychecker NIST-Test.4.11.1.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping0CACert.crt inhibitPolicyMapping0subCACert.crt InvalidinhibitPolicyMappingTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.11.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt ValidinhibitPolicyMappingTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.11.3 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt inhibitPolicyMapping1P12subsubCACert.crt InvalidinhibitPolicyMappingTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.11.4 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt inhibitPolicyMapping1P12subsubCACert.crt ValidinhibitPolicyMappingTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.11.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping5CACert.crt inhibitPolicyMapping5subCACert.crt inhibitPolicyMapping5subsubCACert.crt inhibitPolicyMapping5subsubsubCACert.crt InvalidinhibitPolicyMappingTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.11.6 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCAIPM5Cert.crt inhibitPolicyMapping1P12subsubCAIPM5Cert.crt InvalidinhibitPolicyMappingTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.11.7 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.11.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1subsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.11.9 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1subsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
+pkixutil test_policychecker NIST-Test.4.11.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1SelfIssuedsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.11.11 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1SelfIssuedsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
+pkixutil test_policychecker NIST-Test.4.12.1 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy0CACert.crt InvalidinhibitAnyPolicyTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.12.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy0CACert.crt ValidinhibitAnyPolicyTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.12.3.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt inhibitAnyPolicyTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.12.3.2 EE $NIST ../../certs "{2.5.29.32.0}" A TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt inhibitAnyPolicyTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.12.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt InvalidinhibitAnyPolicyTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.12.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy5CACert.crt inhibitAnyPolicy5subCACert.crt inhibitAnyPolicy5subsubCACert.crt InvalidinhibitAnyPolicyTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.12.6 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCAIAP5Cert.crt InvalidinhibitAnyPolicyTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.12.7 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.12.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt inhibitAnyPolicy1subsubCA2Cert.crt InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.12.9 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
+pkixutil test_policychecker NIST-Test.4.12.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.1 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt ValidDNnameConstraintsTest1EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.2 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest2EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.3 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest3EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.4 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt ValidDNnameConstraintsTest4EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.5 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.6 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt ValidDNnameConstraintsTest6EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.7 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt InvalidDNnameConstraintsTest7EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.8 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN4CACert.crt InvalidDNnameConstraintsTest8EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.9 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN4CACert.crt InvalidDNnameConstraintsTest9EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.10 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN5CACert.crt InvalidDNnameConstraintsTest10EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.11 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN5CACert.crt ValidDNnameConstraintsTest11EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.12 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA1Cert.crt InvalidDNnameConstraintsTest12EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.13 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA2Cert.crt InvalidDNnameConstraintsTest13EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.14 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA2Cert.crt ValidDNnameConstraintsTest14EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.15 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA1Cert.crt InvalidDNnameConstraintsTest15EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.16 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA1Cert.crt InvalidDNnameConstraintsTest16EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.17 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA2Cert.crt InvalidDNnameConstraintsTest17EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.18 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA2Cert.crt ValidDNnameConstraintsTest18EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.19 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1SelfIssuedCACert.crt ValidDNnameConstraintsTest19EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.20 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest20EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.21 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA1Cert.crt ValidRFC822nameConstraintsTest21EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.22 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA1Cert.crt InvalidRFC822nameConstraintsTest22EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.23 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.24 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt InvalidRFC822nameConstraintsTest24EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.25 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA3Cert.crt ValidRFC822nameConstraintsTest25EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.26 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA3Cert.crt InvalidRFC822nameConstraintsTest26EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.27 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA3Cert.crt ValidDNandRFC822nameConstraintsTest27EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.28 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA3Cert.crt InvalidDNandRFC822nameConstraintsTest28EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.29 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA3Cert.crt InvalidDNandRFC822nameConstraintsTest29EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.30 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.31 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt InvalidDNSnameConstraintsTest31EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.32 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS2CACert.crt ValidDNSnameConstraintsTest32EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.33 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS2CACert.crt InvalidDNSnameConstraintsTest33EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.34 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.35 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt InvalidURInameConstraintsTest35EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.36 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI2CACert.crt ValidURInameConstraintsTest36EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.37 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI2CACert.crt InvalidURInameConstraintsTest37EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.38 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt InvalidDNSnameConstraintsTest38EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.16.1 ENE $NIST TrustAnchorRootCertificate.crt ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.16.2 EE $NIST TrustAnchorRootCertificate.crt InvalidUnknownCriticalCertificateExtensionTest2EE.crt
+pkixutil test_buildchain_uchecker NIST-Test.4.1.1-without-OID ENE - $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_uchecker NIST-Test.4.1.1-with-OID-without-forwardSupport ENE 2.5.29.19 $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_uchecker NIST-Test.4.1.1-with-OID-forwardSupport ENE F2.5.29.19 $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.1.1 ENE $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.1.2 EE $NIST InvalidCASignatureTest2EE.crt BadSignedCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.1.3 EE $NIST InvalidEESignatureTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.1.4 ENE $NIST ValidDSASignaturesTest4EE.crt DSACACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.1.5 ENE $NIST ValidDSAParameterInheritanceTest5EE.crt DSAParametersInheritedCACert.crt DSACACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.1.6 EE $NIST InvalidDSASignatureTest6EE.crt DSACACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.2.1 EE $NIST InvalidCAnotBeforeDateTest1EE.crt BadnotBeforeDateCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.2.2 EE $NIST InvalidEEnotBeforeDateTest2EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.2.3 ENE $NIST Validpre2000UTCnotBeforeDateTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.2.4 ENE $NIST ValidGeneralizedTimenotBeforeDateTest4EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.2.5 EE $NIST InvalidCAnotAfterDateTest5EE.crt BadnotAfterDateCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.2.6 EE $NIST InvalidEEnotAfterDateTest6EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.2.7 EE $NIST Invalidpre2000UTCEEnotAfterDateTest7EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.2.8 ENE $NIST ValidGeneralizedTimenotAfterDateTest8EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.3.1 EE $NIST InvalidNameChainingTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.3.2 EE $NIST InvalidNameChainingOrderTest2EE.crt NameOrderingCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.3.3 ENE $NIST ValidNameChainingWhitespaceTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.3.4 ENE $NIST ValidNameChainingWhitespaceTest4EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.3.5 ENE $NIST ValidNameChainingCapitalizationTest5EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.3.6 ENE $NIST ValidNameUIDsTest6EE.crt UIDCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain - NIST-Test.4.3.7 ENE $NIST ValidRFC3280MandatoryAttributeTypesTest7EE.crt RFC3280MandatoryAttributeTypesCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.3.9 ENE $NIST ValidUTF8StringEncodedNamesTest9EE.crt UTF8StringEncodedNamesCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.3.10 ENE $NIST ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt RolloverfromPrintableStringtoUTF8StringCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.3.11 ENE $NIST ValidUTF8StringCaseInsensitiveMatchTest11EE.crt UTF8StringCaseInsensitiveMatchCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.1 EE $NIST InvalidMissingCRLTest1EE.crt NoCRLCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.2 EE $NIST InvalidRevokedCATest2EE.crt RevokedsubCACert.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.3 EE $NIST InvalidRevokedEETest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.4 EE $NIST InvalidBadCRLSignatureTest4EE.crt BadCRLSignatureCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.5 EE $NIST InvalidBadCRLIssuerNameTest5EE.crt BadCRLIssuerNameCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.6 EE $NIST InvalidWrongCRLTest6EE.crt WrongCRLCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.7 ENE $NIST ValidTwoCRLsTest7EE.crt TwoCRLsCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.8 EE $NIST InvalidUnknownCRLEntryExtensionTest8EE.crt UnknownCRLEntryExtensionCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.9 EE $NIST InvalidUnknownCRLExtensionTest9EE.crt UnknownCRLExtensionCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.10 EE $NIST InvalidUnknownCRLExtensionTest10EE.crt UnknownCRLExtensionCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.11 EE $NIST InvalidOldCRLnextUpdateTest11EE.crt OldCRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.12 EE $NIST Invalidpre2000CRLnextUpdateTest12EE.crt pre2000CRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.13 ENE $NIST ValidGeneralizedTimeCRLnextUpdateTest13EE.crt GeneralizedTimeCRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.14 ENE $NIST ValidNegativeSerialNumberTest14EE.crt NegativeSerialNumberCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.15 EE $NIST InvalidNegativeSerialNumberTest15EE.crt NegativeSerialNumberCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.16 ENE $NIST ValidLongSerialNumberTest16EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.17 ENE $NIST ValidLongSerialNumberTest17EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.18 EE $NIST InvalidLongSerialNumberTest18EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.4.20 EE $NIST InvalidSeparateCertificateandCRLKeysTest20EE.crt SeparateCertificateandCRLKeysCRLSigningCert.crt TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.5.1 ENE $NIST ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.5.2 EE $NIST InvalidBasicSelfIssuedOldWithNewTest2EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.1 EE $NIST InvalidMissingbasicConstraintsTest1EE.crt MissingbasicConstraintsCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.2 EE $NIST InvalidcAFalseTest2EE.crt basicConstraintsCriticalcAFalseCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.3 EE $NIST InvalidcAFalseTest3EE.crt basicConstraintsNotCriticalcAFalseCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.4 ENE $NIST ValidbasicConstraintsNotCriticalTest4EE.crt basicConstraintsNotCriticalCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.5 EE $NIST InvalidpathLenConstraintTest5EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.6 EE $NIST InvalidpathLenConstraintTest6EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.7 ENE $NIST ValidpathLenConstraintTest7EE.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.8 ENE $NIST ValidpathLenConstraintTest8EE.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.9 EE $NIST InvalidpathLenConstraintTest9EE.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.10 EE $NIST InvalidpathLenConstraintTest10EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.11 EE $NIST InvalidpathLenConstraintTest11EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.12 EE $NIST InvalidpathLenConstraintTest12EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.13 ENE $NIST ValidpathLenConstraintTest13EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.15 ENE $NIST ValidSelfIssuedpathLenConstraintTest15EE.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.16 EE $NIST InvalidSelfIssuedpathLenConstraintTest16EE.crt pathLenConstraint0subCA2Cert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.6.17 ENE $NIST ValidSelfIssuedpathLenConstraintTest17EE.crt pathLenConstraint1SelfIssuedsubCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.7.1 EE $NIST InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt keyUsageCriticalkeyCertSignFalseCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.7.2 EE $NIST InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.7.3 ENE $NIST ValidkeyUsageNotCriticalTest3EE.crt keyUsageNotCriticalCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.7.4 EE $NIST InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt keyUsageCriticalcRLSignFalseCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.7.5 EE $NIST InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt keyUsageNotCriticalcRLSignFalseCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.1 ENE $NIST ValidDNnameConstraintsTest1EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.2 EE $NIST InvalidDNnameConstraintsTest2EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.3 EE $NIST InvalidDNnameConstraintsTest3EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.4 ENE $NIST ValidDNnameConstraintsTest4EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.5 ENE $NIST ValidDNnameConstraintsTest5EE.crt nameConstraintsDN2CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.6 ENE $NIST ValidDNnameConstraintsTest6EE.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.7 EE $NIST InvalidDNnameConstraintsTest7EE.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.8 EE $NIST InvalidDNnameConstraintsTest8EE.crt nameConstraintsDN4CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.9 EE $NIST InvalidDNnameConstraintsTest9EE.crt nameConstraintsDN4CACert.crt nameConstraintsDN4CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.10 EE $NIST InvalidDNnameConstraintsTest10EE.crt nameConstraintsDN5CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.11 ENE $NIST ValidDNnameConstraintsTest11EE.crt nameConstraintsDN5CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.12 EE $NIST InvalidDNnameConstraintsTest12EE.crt nameConstraintsDN1subCA1Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.13 EE $NIST InvalidDNnameConstraintsTest13EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.14 ENE $NIST ValidDNnameConstraintsTest14EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.15 EE $NIST InvalidDNnameConstraintsTest15EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.16 EE $NIST InvalidDNnameConstraintsTest16EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.17 EE $NIST InvalidDNnameConstraintsTest17EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.18 ENE $NIST ValidDNnameConstraintsTest18EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.19 ENE $NIST ValidDNnameConstraintsTest19EE.crt nameConstraintsDN1SelfIssuedCACert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.20 EE $NIST InvalidDNnameConstraintsTest20EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.21 ENE $NIST ValidRFC822nameConstraintsTest21EE.crt nameConstraintsRFC822CA1Cert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.22 EE $NIST InvalidRFC822nameConstraintsTest22EE.crt nameConstraintsRFC822CA1Cert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.23 ENE $NIST ValidRFC822nameConstraintsTest23EE.crt nameConstraintsRFC822CA2Cert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.24 EE $NIST InvalidRFC822nameConstraintsTest24EE.crt nameConstraintsRFC822CA2Cert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.25 ENE $NIST ValidRFC822nameConstraintsTest25EE.crt nameConstraintsRFC822CA3Cert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.26 EE $NIST InvalidRFC822nameConstraintsTest26EE.crt nameConstraintsRFC822CA3Cert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.27 ENE $NIST ValidDNandRFC822nameConstraintsTest27EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.28 EE $NIST InvalidDNandRFC822nameConstraintsTest28EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.29 EE $NIST InvalidDNandRFC822nameConstraintsTest29EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.30 ENE $NIST ValidDNSnameConstraintsTest30EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.31 EE $NIST InvalidDNSnameConstraintsTest31EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.32 ENE $NIST ValidDNSnameConstraintsTest32EE.crt nameConstraintsDNS2CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.33 EE $NIST InvalidDNSnameConstraintsTest33EE.crt nameConstraintsDNS2CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.34 ENE $NIST ValidURInameConstraintsTest34EE.crt nameConstraintsURI1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.35 EE $NIST InvalidURInameConstraintsTest35EE.crt nameConstraintsURI1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.36 ENE $NIST ValidURInameConstraintsTest36EE.crt nameConstraintsURI2CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.37 EE $NIST InvalidURInameConstraintsTest37EE.crt nameConstraintsURI2CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-Test.4.13.38 EE $NIST InvalidDNSnameConstraintsTest38EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt TrustAnchorRootCertificate.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.13.13 EE $NIST InvalidDNnameConstraintsTest13EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.13.27 ENE $NIST ValidDNandRFC822nameConstraintsTest27EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1subCA2Cert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP} NIST-PDTest ENE ${NIST_PDTEST} certs/BasicHTTPURIPathDiscoveryTest2EE.crt certs/BasicHTTPURITrustAnchorRootCert.crt
+pkixutil test_ocsp -d ${HOSTDIR}/ocsp OCSP-Test ENE ${HOSTDIR}/ocsp anchorcert.crt goodcert.crt
+pkixutil test_ocsp -d ${HOSTDIR}/ocsp OCSP-Test EE ${HOSTDIR}/ocsp anchorcert.crt revokedcert.crt
+EOF
+
+totalErrors=$?
+totalErrors=`expr ${totalErrors} + ${tracedErrors}`
+
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
+##########################################################
+#
+# Document NIST tests that are not currently running for builder...
+# 4.3.8 4.4.19 4.4.21
+#
+# Others
+# 4.5.4 4.5.5, 4.5.6, 4.5.7, 4.5.8
+# 4.14.* Distribution Point - functionality not yet implemented
+# 4.15.* Delta CRL - not supported
+##########################################################
+# Following tests are not run because of bugs beyond libpkix:
+#pkixutil test_validatechain NIST-Test.4.3.7 ENE $NIST TrustAnchorRootCertificate.crt RFC3280MandatoryAttributeTypesCACert.crt ValidRFC3280MandatoryAttributeTypesTest7EE.crt
+# pkixutil test_buildchain NIST-Test.4.3.8 ENE $NIST ValidRFC3280OptionalAttributeTypesTest8EE.crt RFC3280OptionalAttributeTypesCACert.crt TrustAnchorRootCertificate.crt
+
+# Following tests are not supported by libpkix : separate certificate
+# NIST test 4.4.19 and 4.4.21
+
+# Following tests are not supported by libpkix : cert dp, cert chain definition
+# NIST tests 4.5.4, 4.5.5
+#pkixutil test_buildchain NIST-Test.4.5.7 EE $NIST InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt
+#pkixutil test_buildchain NIST-Test.4.5.8 EE $NIST InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt TrustAnchorRootCertificate.crt
+
+
+# Following tests are not supported by libpkix : self-issued, multiple keys, one for cert, one for CRL
+#pkixutil test_validatechain NIST-Test.4.5.3 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt ValidBasicSelfIssuedNewWithOldTest3EE.crt
+#pkixutil test_defaultcrlchecker NIST-Test.4.5.4 ENE $NIST/../crls $NIST/TrustAnchorRootCertificate.crt $NIST/BasicSelfIssuedOldKeyCACert.crt $NIST/BasicSelfIssuedOldKeyNewWithOldCACert.crt $NIST/ValidBasicSelfIssuedNewWithOldTest4EE.crt
+#pkixutil test_defaultcrlchecker NIST-Test.4.5.6 ENE $NIST/../crls $NIST/TrustAnchorRootCertificate.crt $NIST/BasicSelfIssuedCRLSigningKeyCACert.crt $NIST/BasicSelfIssuedCRLSigningKeyCRLCert.crt $NIST/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
+
+# Need to recreate certs with BC extension and Key Usage
+#pkixutil test_buildchain single_sig ENE build_data/single_path/signature/pass yassir2hanfei.crt greg2yassir.crt jes2greg.crt jes2jes.crt
+#pkixutil test_buildchain single-sig EE build_data/single_path/signature/fail yassir2hanfei.crt jes2jes.crt
+#pkixutil test_buildchain multi-sig ENE build_data/multi_path/signature/pass yassir2hanfei.crt greg2yassir.crt jes2greg.crt jes2jes.crt
+#pkixutil test_buildchain multi-sig EE build_data/multi_path/signature/fail yassir2hanfei.crt greg2yassir.crt yassir2hanfei.crt
+#pkixutil test_buildchain backtrack-sig ENE build_data/backtracking/signature yassir2hanfei.crt labs2yassir.crt jes2labs.crt jes2jes.crtn
diff --git a/security/nss/tests/libpkix/pkix_tests/top/secmod.db b/security/nss/tests/libpkix/pkix_tests/top/secmod.db
new file mode 100644
index 000000000..772583d58
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/secmod.db
Binary files differ
diff --git a/security/nss/tests/libpkix/pkix_tests/util/runTests.sh b/security/nss/tests/libpkix/pkix_tests/util/runTests.sh
new file mode 100755
index 000000000..a413535ef
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/util/runTests.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=UTIL
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_error
+pkixutil test_list
+pkixutil test_list2
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/runTests.sh b/security/nss/tests/libpkix/runTests.sh
new file mode 100755
index 000000000..190f5de6f
--- /dev/null
+++ b/security/nss/tests/libpkix/runTests.sh
@@ -0,0 +1,87 @@
+#! /bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runTests.sh#
+#
+# This script enables all tests to be run together. It simply cd's into
+# the pkix_tests and pkix_pl_tests directories and runs test scripts
+#
+# This test is the original of libpkix.sh. While libpkix.sh is invoked by
+# all.sh as a /bin/sh script, runTests.sh is a /bin/ksh and provides the
+# options of checking memory and using different memory allcation schemes.
+#
+
+errors=0
+pkixErrors=0
+pkixplErrors=0
+checkMemArg=""
+arenasArg=""
+quietArg=""
+memText=""
+
+### ParseArgs
+ParseArgs() # args
+{
+ while [ $# -gt 0 ]; do
+ if [ $1 = "-checkmem" ]; then
+ checkMemArg=$1
+ memText=" (Memory Checking Enabled)"
+ elif [ $1 = "-quiet" ]; then
+ quietArg=$1
+ elif [ $1 = "-arenas" ]; then
+ arenasArg=$1
+ fi
+ shift
+ done
+}
+
+ParseArgs $*
+
+echo "*******************************************************************************"
+echo "START OF ALL TESTS${memText}"
+echo "*******************************************************************************"
+echo ""
+
+echo "RUNNING tests in pkix_pl_test";
+cd pkix_pl_tests;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixplErrors=$?
+
+echo "RUNNING tests in pkix_test";
+cd ../pkix_tests;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixErrors=$?
+
+echo "RUNNING tests in sample_apps (performance)";
+cd ../sample_apps;
+runPerf.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixPerfErrors=$?
+
+errors=`expr ${pkixplErrors} + ${pkixErrors} + ${pkixPerfErrors}`
+
+if [ ${errors} -eq 0 ]; then
+ echo ""
+ echo "************************************************************"
+ echo "END OF ALL TESTS: ALL TESTS COMPLETED SUCCESSFULLY"
+ echo "************************************************************"
+ exit 0
+fi
+
+if [ ${errors} -eq 1 ]; then
+ plural=""
+else
+ plural="S"
+fi
+
+echo ""
+echo "************************************************************"
+echo "END OF ALL TESTS: ${errors} TEST${plural} FAILED"
+echo "************************************************************"
+exit 1
+
+
+
+
diff --git a/security/nss/tests/libpkix/sample_apps/README b/security/nss/tests/libpkix/sample_apps/README
new file mode 100755
index 000000000..012e7bf7e
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/README
@@ -0,0 +1,77 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+This directory contains both sample applications and performance evaluation
+applications.
+
+SAMPLE APPLICATIONS
+
+Currently, there are two performance applications: libpkix_buildThreads and
+nss_threads. And three sample applications: dumpcert, dumpcrl and
+validateChain..
+
+============================================================================
+
+USAGE: dumpcert <certFile>
+ Parses a certificate located at <certFile> and displays it.
+
+Source: <root>/tests/sample_apps/dumpcert.c
+Binary: <root>/bin/sample_apps/dumpcert
+
+============================================================================
+
+USAGE: dumpcrl <crlFile>
+ Parses a CRL located at <crlFile> and displays it.
+
+Source: <root>/tests/sample_apps/dumpcrl.c
+Binary: <root>/bin/sample_apps/dumpcrl
+
+============================================================================
+
+USAGE: validateChain <trustedCert> <cert_1> <cert_2> ... <cert_n>
+ Validates a chain of n certificates using the given trust anchor.
+
+Source: <root>/tests/sample_apps/validateChain.c
+Binary: <root>/bin/sample_apps/validateChain
+
+============================================================================
+
+PERFORMANCE EVALUATION APPLICATIONS
+
+============================================================================
+
+USAGE: libpkix_buildthreads <duration> <threads> <eecertNickname>
+
+ Sets up and runs a PKIX_BuildChain call for the number of seconds
+ specified by <duration> using the number of threads specified by
+ <threads>. This application assumes that the NSS certutil application
+ has already been run to create the NSS databases and that the
+ various nicknames on the command line have been associated with
+ certificates in the NSS databases. The NSS databases MUST reside
+ in the directory where this file is located and MUST be named
+ "cert8.db", "key3.db", and "secmod.db". There must exist a nickname
+ in the databases which has been marked as trusted.
+
+Source: <root>/perf/libpkix_buildthreads/libpkix_buildthreads.c
+Binary: <root>/perf/libpkix_buildthreads/*.OBJ/libpkix_buildthreads
+
+============================================================================
+
+USAGE: nssThreads <duration> <threads> <eecertNickname>
+
+ Sets up and runs a CERT_VerifyCertificate call for the number of
+ seconds specified by <duration> using the number of threads specified
+ by <threads>. This application assumes that the NSS certutil
+ application has already been run to create the NSS databases and that
+ the various nicknames on the command line have been associated with
+ certificates in the NSS databases. The NSS databases MUST reside
+ in the directory where this file is located and MUST be named
+ "cert8.db", "key3.db", and "secmod.db". There must exist a nickname in
+ the databases which has been marked as trusted.
+
+Source: <root>/perf/nss_threads/nss_threads.c
+Binary: <root>/perf/nss_threads/*.OBJ/nss_threads
+
+============================================================================
+
diff --git a/security/nss/tests/libpkix/sample_apps/cert8.db b/security/nss/tests/libpkix/sample_apps/cert8.db
new file mode 100755
index 000000000..b39de42f1
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/cert8.db
Binary files differ
diff --git a/security/nss/tests/libpkix/sample_apps/key3.db b/security/nss/tests/libpkix/sample_apps/key3.db
new file mode 100755
index 000000000..9c03916ee
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/key3.db
Binary files differ
diff --git a/security/nss/tests/libpkix/sample_apps/runPerf.sh b/security/nss/tests/libpkix/sample_apps/runPerf.sh
new file mode 100755
index 000000000..27b55215e
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/runPerf.sh
@@ -0,0 +1,143 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# runPerf.sh
+#
+
+curdir=`pwd`
+cd ../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=PERFORMANCE
+
+totalErrors=0
+loopErrors=0
+
+ParseArgs $*
+
+testHeadingEcho
+
+Display "\nRunning executables at ${DIST_BIN}"
+Display "Using libraries at ${LD_LIBRARY_PATH}"
+
+
+# Check the performance data ...
+perfTest()
+{
+
+ Display ""
+ Display "*******************************************************************************"
+ Display "START OF PKIX PERFORMANCE SCENARIOS ${memText}"
+Display "*******************************************************************************"
+ Display ""
+
+ while read perfPgm args; do
+ numtests=`expr ${numtests} + 1`
+ Display "Running ${perfPgm} ${args}"
+ if [ ${checkmem} -eq 1 ]; then
+ dbx -C -c "runargs $args; check -all ;run;exit" ${DIST_BIN}/${perfPgm} > ${testOut} 2>&1
+ else
+ ${DIST_BIN}/${perfPgm} ${args} > ${testOut} 2>&1
+ fi
+
+ # Examine output file to see if test failed and keep track of number
+ # of failures and names of failed tests. This assumes that the test
+ # uses our utility library for displaying information
+
+ outputCount=`cat ${testOut} | grep "per second"`
+
+ if [ $? -ne 0 ]; then
+ errors=`expr ${errors} + 1`
+ failedpgms="${failedpgms}${perfPgm} ${args}\n"
+ cat ${testOut}
+ else
+ Display ${outputCount}
+ passed=`expr ${passed} + 1`
+ fi
+
+ if [ ${checkmem} -eq 1 ]; then
+ grep "(actual leaks:" ${testOut} > ${testOutMem} 2>&1
+ if [ $? -ne 0 ]; then
+ prematureErrors=`expr ${prematureErrors} + 1`
+ failedprematurepgms="${failedprematurepgms}${perfPgm} "
+ Display "...program terminated prematurely (unable to check for memory leak errors) ..."
+ else
+ grep "(actual leaks: 1 total size: 4 bytes)" ${testOut} > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ memErrors=`expr ${memErrors} + 1`
+ failedmempgms="${failedmempgms}${perfPgm} "
+ Display ${testOutMem}
+ fi
+ fi
+ fi
+ done
+ return ${errors}
+}
+
+
+# If there is race condition bug, may this test catch it...
+loopTest()
+{
+ totalLoop=10
+
+ Display ""
+ Display "*******************************************************************************"
+ Display "START OF TESTS FOR PKIX PERFORMANCE SANITY LOOP (${totalLoop} times)"
+Display "*******************************************************************************"
+ Display ""
+
+ errors=0
+ iLoop=0
+ perfPgm="${DIST_BIN}/pkixutil libpkix_buildthreads -d . 5 8 ValidCertificatePathTest1EE"
+
+ while [ $iLoop -lt $totalLoop ]
+ do
+ iLoop=`expr $iLoop + 1`
+ numtests=`expr ${numtests} + 1`
+
+ Display "Running ${perfPgm}"
+ ${perfPgm} > ${testOut} 2>&1
+ Display `cat ${testOut} | grep "per second"`
+
+ outputCount=`cat ${testOut} | grep "per second"`
+
+ if [ $? -ne 0 ]; then
+ errors=`expr ${errors} + 1`
+ failedpgms="${failedpgms} ${perfPgm}\n"
+ cat ${testOut}
+ else
+ passed=`expr ${passed} + 1`
+ fi
+ done
+
+ return ${errors}
+
+}
+
+#main
+perfTest <<EOF
+pkixutil libpkix_buildthreads -d . 5 1 ValidCertificatePathTest1EE
+pkixutil libpkix_buildthreads -d . 5 8 ValidCertificatePathTest1EE
+pkixutil nss_threads -d . 5 1 ValidCertificatePathTest1EE
+pkixutil nss_threads -d . 5 8 ValidCertificatePathTest1EE
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;performance test: passed ${passed} of ${numtests} tests"
+
+numtests=0
+passed=0
+loopTest
+loopErrors=$?
+totalErrors=`expr ${totalErrors} + ${loopErrors}`
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;loop test: passed ${passed} of ${numtests} tests"
+
+testEndingEcho
+
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/sample_apps/secmod.db b/security/nss/tests/libpkix/sample_apps/secmod.db
new file mode 100755
index 000000000..772583d58
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/secmod.db
Binary files differ
diff --git a/security/nss/tests/libpkix/vfychain_test.lst b/security/nss/tests/libpkix/vfychain_test.lst
new file mode 100644
index 000000000..78d6185c3
--- /dev/null
+++ b/security/nss/tests/libpkix/vfychain_test.lst
@@ -0,0 +1,4 @@
+# Status | Leaf Cert | Policies | Others(undef)
+0 TestUser50 undef
+0 TestUser51 undef
+0 PayPalEE OID.2.16.840.1.114412.1.1
diff --git a/security/nss/tests/lowhash/lowhash.sh b/security/nss/tests/lowhash/lowhash.sh
new file mode 100644
index 000000000..6de255be4
--- /dev/null
+++ b/security/nss/tests/lowhash/lowhash.sh
@@ -0,0 +1,97 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+# mozilla/security/nss/tests/lowhash/lowhash.sh
+#
+# Script to test basic functionallity of the NSSLoHash API
+#
+# included from
+# --------------
+# all.sh
+#
+# needs to work on all Linux platforms
+#
+# tests implemented:
+# lowash (verify encryption cert - bugzilla bug 119059)
+#
+# special strings
+# ---------------
+#
+########################################################################
+
+errors=0
+
+############################## lowhash_init ##############################
+# local shell function to initialize this script
+########################################################################
+lowhash_init()
+{
+ SCRIPTNAME=lowhash.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ LOWHASHDIR=../lowhash
+ mkdir -p ${LOWHASHDIR}
+ if [ -f /proc/sys/crypto/fips_enabled ]; then
+ FVAL=`cat /proc/sys/crypto/fips_enabled`
+ html_head "Lowhash Tests - /proc/sys/crypto/fips_enabled is ${FVAL}"
+ else
+ html_head "Lowhash Tests"
+ fi
+ cd ${LOWHASHDIR}
+}
+
+############################## lowhash_test ##############################
+# local shell function to test basic the NSS Low Hash API both in
+# FIPS 140 compliant mode and not
+########################################################################
+lowhash_test()
+{
+ if [ ! -f ${BINDIR}/lowhashtest -a \
+ ! -f ${BINDIR}/lowhashtest${PROG_SUFFIX} ]; then
+ echo "freebl lowhash not supported in this plaform."
+ else
+ TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512"
+ OLD_MODE=`echo ${NSS_FIPS}`
+ for fips_mode in 0 1; do
+ echo "lowhashtest with fips mode=${fips_mode}"
+ export NSS_FIPS=${fips_mode}
+ for TEST in ${TESTS}
+ do
+ echo "lowhashtest ${TEST}"
+ ${BINDIR}/lowhashtest ${TEST} 2>&1
+ RESULT=$?
+ html_msg ${RESULT} 0 "lowhashtest with fips mode=${fips_mode} for ${TEST}"
+ done
+ done
+ export NSS_FIPS=${OLD_MODE}
+ fi
+}
+
+############################## lowhash_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+lowhash_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+lowhash_init
+lowhash_test
+lowhash_cleanup
+echo "lowhash.sh done"
diff --git a/security/nss/tests/memleak/ignored b/security/nss/tests/memleak/ignored
new file mode 100644
index 000000000..60ed0db84
--- /dev/null
+++ b/security/nss/tests/memleak/ignored
@@ -0,0 +1,58 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#367374
+**/PR_ErrorInstallTable**
+**/_PR_ImplicitInitialization/**
+**/_PR_InitCMon/ExpandMonitorCache/**
+**/_PR_InitCMon/PR_NewLock/**
+**/_PR_InitLinker/**
+**/_PR_InitTPD/**
+**/_PR_InitZones/pr_FindSymbolInProg/**
+**/_PR_UnixInit/PR_NewLock/**
+**/_PR_UnixInit/PR_NewMonitor/**
+
+#367376
+**/_PR_CreateThread/pthread_create@@GLIBC_**
+**/_PR_CreateThread/PR_Calloc/**
+
+#367384
+**/PR_LoadLibraryWithFlags/**
+**/pr_LoadLibraryByPathname/**
+**/PR_LoadLibrary/**
+
+#397487
+**/__rpc_getconfip/setnetconfig/**
+
+#401100
+**/testThreadLockingBehavior/pthread_create@@GLIBC_**
+**/findLockInfo/pthread_create@@GLIBC_**
+
+#430544
+**/PR_CallOnce/InitializeArenas/PR_NewLock/**
+
+#458905
+**/cert_createObject/nssTrustDomain_AddCertsToCache/add_cert_to_cache/**
+**/cert_createObject/nssTrustDomain_AddCertsToCache/nssArena_Create/**
+
+#459237
+**/PR_FormatTime/strftime/**
+**/PR_FormatTime/__strftime_std/**
+
+#463208
+**/sqlite3UnixFullPathname/_getcwd/**
+**/unixFullPathname/_getcwd/**
+
+#463631
+vfychain/main/PL_CreateOptState/**
+
+#486298
+selfserv/main/PORT_Strdup_Util**
+
+#497251
+**/FREEBL_InitStubs/dlopen@@GLIBC_**
+
+#679524
+**/nss_Init/PR_CallOnce/nss_doLockInit/**
+
diff --git a/security/nss/tests/memleak/memleak.sh b/security/nss/tests/memleak/memleak.sh
new file mode 100755
index 000000000..45e432bee
--- /dev/null
+++ b/security/nss/tests/memleak/memleak.sh
@@ -0,0 +1,915 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/memleak/memleak.sh
+#
+# Script to test memory leaks in NSS
+#
+# needs to work on Solaris and Linux platforms, on others just print a message
+# that OS is not supported
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################# memleak_init #############################
+# local shell function to initialize this script
+########################################################################
+memleak_init()
+{
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ if [ ! -r ${CERT_LOG_FILE} ]; then
+ cd ${QADIR}/cert
+ . ./cert.sh
+ fi
+
+ SCRIPTNAME="memleak.sh"
+ if [ -z "${CLEANUP}" ] ; then
+ CLEANUP="${SCRIPTNAME}"
+ fi
+
+ OLD_LIBRARY_PATH=${LD_LIBRARY_PATH}
+ TMP_LIBDIR="${HOSTDIR}/tmp"
+ TMP_STACKS="${HOSTDIR}/stacks"
+ TMP_SORTED="${HOSTDIR}/sorted"
+ TMP_COUNT="${HOSTDIR}/count"
+ DBXOUT="${HOSTDIR}/dbxout"
+ DBXERR="${HOSTDIR}/dbxerr"
+ DBXCMD="${HOSTDIR}/dbxcmd"
+
+ PORT=${PORT:-8443}
+
+ MODE_LIST="NORMAL BYPASS FIPS"
+
+ SERVER_DB="${HOSTDIR}/server_memleak"
+ CLIENT_DB="${HOSTDIR}/client_memleak"
+ cp -r ${HOSTDIR}/server ${SERVER_DB}
+ cp -r ${HOSTDIR}/client ${CLIENT_DB}
+
+ LOGDIR="${HOSTDIR}/memleak_logs"
+ mkdir -p ${LOGDIR}
+
+ FOUNDLEAKS="${LOGDIR}/foundleaks"
+
+ REQUEST_FILE="${QADIR}/memleak/sslreq.dat"
+ IGNORED_STACKS="${QADIR}/memleak/ignored"
+
+ gline=`echo ${OBJDIR} | grep "_64_"`
+ if [ -n "${gline}" ] ; then
+ BIT_NAME="64"
+ else
+ BIT_NAME="32"
+ fi
+
+ case "${OS_NAME}" in
+ "SunOS")
+ DBX=`which dbx`
+ AWK=nawk
+
+ if [ $? -eq 0 ] ; then
+ echo "${SCRIPTNAME}: DBX found: ${DBX}"
+ else
+ echo "${SCRIPTNAME}: DBX not found, skipping memory leak checking."
+ exit 0
+ fi
+
+ PROC_ARCH=`uname -p`
+
+ if [ "${PROC_ARCH}" = "sparc" ] ; then
+ if [ "${BIT_NAME}" = "64" ] ; then
+ FREEBL_DEFAULT="libfreebl_64fpu_3"
+ FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_64int_3"
+ else
+ FREEBL_DEFAULT="libfreebl_32fpu_3"
+ FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_32int64_3"
+ fi
+ else
+ if [ "${BIT_NAME}" = "64" ] ; then
+ echo "${SCRIPTNAME}: OS not supported for memory leak checking."
+ exit 0
+ fi
+
+ FREEBL_DEFAULT="libfreebl_3"
+ FREEBL_LIST="${FREEBL_DEFAULT}"
+ fi
+
+ RUN_COMMAND_DBG="run_command_dbx"
+ PARSE_LOGFILE="parse_logfile_dbx"
+ ;;
+ "Linux")
+ VALGRIND=`which valgrind`
+ AWK=awk
+
+ if [ $? -eq 0 ] ; then
+ echo "${SCRIPTNAME}: Valgrind found: ${VALGRIND}"
+ else
+ echo "${SCRIPTNAME}: Valgrind not found, skipping memory leak checking."
+ exit 0
+ fi
+
+ FREEBL_DEFAULT="libfreebl_3"
+ FREEBL_LIST="${FREEBL_DEFAULT}"
+
+ RUN_COMMAND_DBG="run_command_valgrind"
+ PARSE_LOGFILE="parse_logfile_valgrind"
+ ;;
+ *)
+ echo "${SCRIPTNAME}: OS not supported for memory leak checking."
+ exit 0
+ ;;
+ esac
+
+ if [ "${BUILD_OPT}" = "1" ] ; then
+ OPT="OPT"
+ else
+ OPT="DBG"
+ fi
+
+ NSS_DISABLE_UNLOAD="1"
+ export NSS_DISABLE_UNLOAD
+
+ SELFSERV_ATTR="-D -p ${PORT} -d ${SERVER_DB} -n ${HOSTADDR} -e ${HOSTADDR}-ec -w nss -c :C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz -t 5 -V ssl3:tls1.2"
+ TSTCLNT_ATTR="-p ${PORT} -h ${HOSTADDR} -c j -f -d ${CLIENT_DB} -w nss -o"
+ STRSCLNT_ATTR="-q -p ${PORT} -d ${CLIENT_DB} -w nss -c 1000 -n TestUser ${HOSTADDR}"
+
+ tbytes=0
+ tblocks=0
+ truns=0
+
+ MEMLEAK_DBG=1
+ export MEMLEAK_DBG
+}
+
+########################### memleak_cleanup ############################
+# local shell function to clean up after this script
+########################################################################
+memleak_cleanup()
+{
+ unset MEMLEAK_DBG
+ unset NSS_DISABLE_UNLOAD
+
+ . ${QADIR}/common/cleanup.sh
+}
+
+############################ set_test_mode #############################
+# local shell function to set testing mode for server and for client
+########################################################################
+set_test_mode()
+{
+ if [ "${server_mode}" = "BYPASS" ] ; then
+ echo "${SCRIPTNAME}: BYPASS is ON"
+ SERVER_OPTION="-B -s"
+ CLIENT_OPTION=""
+ elif [ "${client_mode}" = "BYPASS" ] ; then
+ echo "${SCRIPTNAME}: BYPASS is ON"
+ SERVER_OPTION=""
+ CLIENT_OPTION="-B -s"
+ else
+ echo "${SCRIPTNAME}: BYPASS is OFF"
+ SERVER_OPTION=""
+ CLIENT_OPTION=""
+ fi
+
+ if [ "${server_mode}" = "FIPS" ] ; then
+ ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips true -force
+ ${BINDIR}/modutil -dbdir ${SERVER_DB} -list
+ ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force
+ ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list
+
+ echo "${SCRIPTNAME}: FIPS is ON"
+ cipher_list="c d e i j k n v y z"
+ elif [ "${client_mode}" = "FIPS" ] ; then
+
+ ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force
+ ${BINDIR}/modutil -dbdir ${SERVER_DB} -list
+ ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips true -force
+ ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list
+
+ echo "${SCRIPTNAME}: FIPS is ON"
+ cipher_list="c d e i j k n v y z"
+ else
+ ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force
+ ${BINDIR}/modutil -dbdir ${SERVER_DB} -list
+ ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force
+ ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list
+
+ echo "${SCRIPTNAME}: FIPS is OFF"
+ # ciphers l and m removed, see bug 1136095
+ cipher_list=":C001 :C002 :C003 :C004 :C005 :C006 :C007 :C008 :C009 :C00A :C010 :C011 :C012 :C013 :C014 c d e f g i j k n v y z"
+ fi
+}
+
+############################## set_freebl ##############################
+# local shell function to set freebl - sets temporary path for libraries
+########################################################################
+set_freebl()
+{
+ if [ "${freebl}" = "${FREEBL_DEFAULT}" ] ; then
+ LD_LIBRARY_PATH="${OLD_LIBRARY_PATH}"
+ export LD_LIBRARY_PATH
+ else
+ if [ -d "${TMP_LIBDIR}" ] ; then
+ rm -rf ${TMP_LIBDIR}
+ fi
+
+ mkdir ${TMP_LIBDIR}
+ [ $? -ne 0 ] && html_failed "Create temp directory" && return 1
+
+ cp ${DIST}/${OBJDIR}/lib/*.so ${DIST}/${OBJDIR}/lib/*.chk ${TMP_LIBDIR}
+ [ $? -ne 0 ] && html_failed "Copy libraries to temp directory" && return 1
+
+ echo "${SCRIPTNAME}: Using ${freebl} instead of ${FREEBL_DEFAULT}"
+
+ mv ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so.orig
+ [ $? -ne 0 ] && html_failed "Move ${FREEBL_DEFAULT}.so -> ${FREEBL_DEFAULT}.so.orig" && return 1
+
+ cp ${TMP_LIBDIR}/${freebl}.so ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so
+ [ $? -ne 0 ] && html_failed "Copy ${freebl}.so -> ${FREEBL_DEFAULT}.so" && return 1
+
+ mv ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk.orig
+ [ $? -ne 0 ] && html_failed "Move ${FREEBL_DEFAULT}.chk -> ${FREEBL_DEFAULT}.chk.orig" && return 1
+
+ cp ${TMP_LIBDIR}/${freebl}.chk ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk
+ [ $? -ne 0 ] && html_failed "Copy ${freebl}.chk to temp directory" && return 1
+
+ echo "ls -l ${TMP_LIBDIR}"
+ ls -l ${TMP_LIBDIR}
+
+ LD_LIBRARY_PATH="${TMP_LIBDIR}"
+ export LD_LIBRARY_PATH
+ fi
+
+ return 0
+}
+
+############################# clear_freebl #############################
+# local shell function to set default library path and clear temporary
+# directory for libraries created by function set_freebl
+########################################################################
+clear_freebl()
+{
+ LD_LIBRARY_PATH="${OLD_LIBRARY_PATH}"
+ export LD_LIBRARY_PATH
+
+ if [ -d "${TMP_LIBDIR}" ] ; then
+ rm -rf ${TMP_LIBDIR}
+ fi
+}
+
+############################ run_command_dbx ###########################
+# local shell function to run command under dbx tool
+########################################################################
+run_command_dbx()
+{
+ COMMAND=$1
+ shift
+ ATTR=$*
+
+ COMMAND=`which ${COMMAND}`
+
+ echo "dbxenv follow_fork_mode parent" > ${DBXCMD}
+ echo "dbxenv rtc_mel_at_exit verbose" >> ${DBXCMD}
+ echo "dbxenv rtc_biu_at_exit verbose" >> ${DBXCMD}
+ echo "check -memuse -match 16 -frames 16" >> ${DBXCMD}
+ echo "run ${ATTR}" >> ${DBXCMD}
+
+ export NSS_DISABLE_ARENA_FREE_LIST=1
+
+ echo "${SCRIPTNAME}: -------- Running ${COMMAND} under DBX:"
+ echo "${DBX} ${COMMAND}"
+ echo "${SCRIPTNAME}: -------- DBX commands:"
+ cat ${DBXCMD}
+
+ ( ${DBX} ${COMMAND} < ${DBXCMD} > ${DBXOUT} 2> ${DBXERR} )
+ grep -v Reading ${DBXOUT} 1>&2
+ cat ${DBXERR}
+
+ unset NSS_DISABLE_ARENA_FREE_LIST
+
+ grep "exit code is" ${DBXOUT}
+ grep "exit code is 0" ${DBXOUT} > /dev/null
+ return $?
+}
+
+######################### run_command_valgrind #########################
+# local shell function to run command under valgrind tool
+########################################################################
+run_command_valgrind()
+{
+ COMMAND=$1
+ shift
+ ATTR=$*
+
+ export NSS_DISABLE_ARENA_FREE_LIST=1
+
+ echo "${SCRIPTNAME}: -------- Running ${COMMAND} under Valgrind:"
+ echo "${VALGRIND} --tool=memcheck --leak-check=yes --show-reachable=yes --partial-loads-ok=yes --leak-resolution=high --num-callers=50 ${COMMAND} ${ATTR}"
+ echo "Running: ${COMMAND} ${ATTR}" 1>&2
+ ${VALGRIND} --tool=memcheck --leak-check=yes --show-reachable=yes --partial-loads-ok=yes --leak-resolution=high --num-callers=50 ${COMMAND} ${ATTR} 1>&2
+ ret=$?
+ echo "==0=="
+
+ unset NSS_DISABLE_ARENA_FREE_LIST
+
+ return $ret
+}
+
+############################# run_selfserv #############################
+# local shell function to start selfserv
+########################################################################
+run_selfserv()
+{
+ echo "PATH=${PATH}"
+ echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"
+ echo "${SCRIPTNAME}: -------- Running selfserv:"
+ echo "selfserv ${SELFSERV_ATTR}"
+ ${BINDIR}/selfserv ${SELFSERV_ATTR}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "${LOGNAME}: Selfserv"
+ echo "${SCRIPTNAME} ${LOGNAME}: " \
+ "Selfserv produced a returncode of ${ret} - FAILED"
+ fi
+}
+
+########################### run_selfserv_dbg ###########################
+# local shell function to start selfserv under debug tool
+########################################################################
+run_selfserv_dbg()
+{
+ echo "PATH=${PATH}"
+ echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"
+ ${RUN_COMMAND_DBG} ${BINDIR}/selfserv ${SERVER_OPTION} ${SELFSERV_ATTR}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "${LOGNAME}: Selfserv"
+ echo "${SCRIPTNAME} ${LOGNAME}: " \
+ "Selfserv produced a returncode of ${ret} - FAILED"
+ fi
+}
+
+############################# run_strsclnt #############################
+# local shell function to run strsclnt for all ciphers and send stop
+# command to selfserv over tstclnt
+########################################################################
+run_strsclnt()
+{
+ for cipher in ${cipher_list}; do
+ VMIN="ssl3"
+ VMAX="tls1.2"
+ case "${cipher}" in
+ f|g)
+ # TLS 1.1 disallows export cipher suites.
+ VMAX="tls1.0"
+ ;;
+ esac
+ ATTR="${STRSCLNT_ATTR} -C ${cipher} -V ${VMIN}:${VMAX}"
+ echo "${SCRIPTNAME}: -------- Trying cipher ${cipher}:"
+ echo "strsclnt ${ATTR}"
+ ${BINDIR}/strsclnt ${ATTR}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "${LOGNAME}: Strsclnt with cipher ${cipher}"
+ echo "${SCRIPTNAME} ${LOGNAME}: " \
+ "Strsclnt produced a returncode of ${ret} - FAILED"
+ fi
+ done
+
+ ATTR="${TSTCLNT_ATTR} -V ssl3:tls1.2"
+ echo "${SCRIPTNAME}: -------- Stopping server:"
+ echo "tstclnt ${ATTR} < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt ${ATTR} < ${REQUEST_FILE}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "${LOGNAME}: Tstclnt"
+ echo "${SCRIPTNAME} ${LOGNAME}: " \
+ "Tstclnt produced a returncode of ${ret} - FAILED"
+ fi
+
+ sleep 20
+ kill $(jobs -p) 2> /dev/null
+}
+
+########################### run_strsclnt_dbg ###########################
+# local shell function to run strsclnt under debug tool for all ciphers
+# and send stop command to selfserv over tstclnt
+########################################################################
+run_strsclnt_dbg()
+{
+ for cipher in ${cipher_list}; do
+ VMIN="ssl3"
+ VMAX="tls1.2"
+ case "${cipher}" in
+ f|g)
+ # TLS 1.1 disallows export cipher suites.
+ VMAX="tls1.0"
+ ;;
+ esac
+ ATTR="${STRSCLNT_ATTR} -C ${cipher} -V ${VMIN}:${VMAX}"
+ ${RUN_COMMAND_DBG} ${BINDIR}/strsclnt ${CLIENT_OPTION} ${ATTR}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "${LOGNAME}: Strsclnt with cipher ${cipher}"
+ echo "${SCRIPTNAME} ${LOGNAME}: " \
+ "Strsclnt produced a returncode of ${ret} - FAILED"
+ fi
+ done
+
+ ATTR="${TSTCLNT_ATTR} -V ssl3:tls1.2"
+ echo "${SCRIPTNAME}: -------- Stopping server:"
+ echo "tstclnt ${ATTR} < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt ${ATTR} < ${REQUEST_FILE}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "${LOGNAME}: Tstclnt"
+ echo "${SCRIPTNAME} ${LOGNAME}: " \
+ "Tstclnt produced a returncode of ${ret} - FAILED"
+ fi
+
+ kill $(jobs -p) 2> /dev/null
+}
+
+stat_clear()
+{
+ stat_minbytes=9999999
+ stat_maxbytes=0
+ stat_minblocks=9999999
+ stat_maxblocks=0
+ stat_bytes=0
+ stat_blocks=0
+ stat_runs=0
+}
+
+stat_add()
+{
+ read hash lbytes bytes_str lblocks blocks_str in_str lruns runs_str \
+ minbytes minbytes_str maxbytes maxbytes_str minblocks \
+ minblocks_str maxblocks maxblocks_str rest < ${TMP_COUNT}
+ rm ${TMP_COUNT}
+
+ tbytes=`expr ${tbytes} + ${lbytes}`
+ tblocks=`expr ${tblocks} + ${lblocks}`
+ truns=`expr ${truns} + ${lruns}`
+
+ if [ ${stat_minbytes} -gt ${minbytes} ]; then
+ stat_minbytes=${minbytes}
+ fi
+
+ if [ ${stat_maxbytes} -lt ${maxbytes} ]; then
+ stat_maxbytes=${maxbytes}
+ fi
+
+ if [ ${stat_minblocks} -gt ${minblocks} ]; then
+ stat_minblocks=${minblocks}
+ fi
+
+ if [ ${stat_maxblocks} -lt ${maxblocks} ]; then
+ stat_maxblocks=${maxblocks}
+ fi
+
+ stat_bytes=`expr ${stat_bytes} + ${lbytes}`
+ stat_blocks=`expr ${stat_blocks} + ${lblocks}`
+ stat_runs=`expr ${stat_runs} + ${lruns}`
+}
+
+stat_print()
+{
+ if [ ${stat_runs} -gt 0 ]; then
+ stat_avgbytes=`expr "${stat_bytes}" / "${stat_runs}"`
+ stat_avgblocks=`expr "${stat_blocks}" / "${stat_runs}"`
+
+ echo
+ echo "$1 statistics:"
+ echo "Leaked bytes: ${stat_minbytes} min, ${stat_avgbytes} avg, ${stat_maxbytes} max"
+ echo "Leaked blocks: ${stat_minblocks} min, ${stat_avgblocks} avg, ${stat_maxblocks} max"
+ echo "Total runs: ${stat_runs}"
+ echo
+ fi
+}
+
+########################## run_ciphers_server ##########################
+# local shell function to test server part of code (selfserv)
+########################################################################
+run_ciphers_server()
+{
+ html_head "Memory leak checking - server"
+
+ stat_clear
+
+ client_mode="NORMAL"
+ for server_mode in ${MODE_LIST}; do
+ set_test_mode
+
+ for freebl in ${FREEBL_LIST}; do
+ set_freebl || continue
+
+ LOGNAME=server-${BIT_NAME}-${freebl}-${server_mode}
+ LOGFILE=${LOGDIR}/${LOGNAME}.log
+ echo "Running ${LOGNAME}"
+
+ (
+ run_selfserv_dbg 2>> ${LOGFILE} &
+ sleep 5
+ run_strsclnt
+ )
+
+ sleep 20
+ clear_freebl
+
+ log_parse
+ ret=$?
+
+ html_msg ${ret} 0 "${LOGNAME}" "produced a returncode of $ret, expected is 0"
+ done
+ done
+
+ stat_print "Selfserv"
+
+ html "</TABLE><BR>"
+}
+
+########################## run_ciphers_client ##########################
+# local shell function to test client part of code (strsclnt)
+########################################################################
+run_ciphers_client()
+{
+ html_head "Memory leak checking - client"
+
+ stat_clear
+
+ server_mode="NORMAL"
+ for client_mode in ${MODE_LIST}; do
+ set_test_mode
+
+ for freebl in ${FREEBL_LIST}; do
+ set_freebl || continue
+
+ LOGNAME=client-${BIT_NAME}-${freebl}-${client_mode}
+ LOGFILE=${LOGDIR}/${LOGNAME}.log
+ echo "Running ${LOGNAME}"
+
+ (
+ run_selfserv &
+ sleep 5
+ run_strsclnt_dbg 2>> ${LOGFILE}
+ )
+
+ sleep 20
+ clear_freebl
+
+ log_parse
+ ret=$?
+ html_msg ${ret} 0 "${LOGNAME}" "produced a returncode of $ret, expected is 0"
+ done
+ done
+
+ stat_print "Strsclnt"
+
+ html "</TABLE><BR>"
+}
+
+########################## parse_logfile_dbx ###########################
+# local shell function to parse and process logs from dbx
+########################################################################
+parse_logfile_dbx()
+{
+ ${AWK} '
+ BEGIN {
+ in_mel = 0
+ mel_line = 0
+ bytes = 0
+ lbytes = 0
+ minbytes = 9999999
+ maxbytes = 0
+ blocks = 0
+ lblocks = 0
+ minblocks = 9999999
+ maxblocks = 0
+ runs = 0
+ stack_string = ""
+ bin_name = ""
+ }
+ /Memory Leak \(mel\):/ ||
+ /Possible memory leak -- address in block \(aib\):/ ||
+ /Block in use \(biu\):/ {
+ in_mel = 1
+ stack_string = ""
+ next
+ }
+ in_mel == 1 && /^$/ {
+ print bin_name stack_string
+ in_mel = 0
+ mel_line = 0
+ next
+ }
+ in_mel == 1 {
+ mel_line += 1
+ }
+ /Found leaked block of size/ {
+ bytes += $6
+ blocks += 1
+ next
+ }
+ /Found .* leaked blocks/ {
+ bytes += $8
+ blocks += $2
+ next
+ }
+ /Found block of size/ {
+ bytes += $5
+ blocks += 1
+ next
+ }
+ /Found .* blocks totaling/ {
+ bytes += $5
+ blocks += $2
+ next
+ }
+ mel_line > 2 {
+ gsub(/\(\)/, "")
+ new_line = $2
+ stack_string = "/" new_line stack_string
+ next
+ }
+ /^Running: / {
+ bin_name = $2
+ next
+ }
+ /execution completed/ {
+ runs += 1
+ lbytes += bytes
+ minbytes = (minbytes < bytes) ? minbytes : bytes
+ maxbytes = (maxbytes > bytes) ? maxbytes : bytes
+ bytes = 0
+ lblocks += blocks
+ minblocks = (minblocks < blocks) ? minblocks : blocks
+ maxblocks = (maxblocks > blocks) ? maxblocks : blocks
+ blocks = 0
+ next
+ }
+ END {
+ print "# " lbytes " bytes " lblocks " blocks in " runs " runs " \
+ minbytes " minbytes " maxbytes " maxbytes " minblocks " minblocks " \
+ maxblocks " maxblocks " > "/dev/stderr"
+ }' 2> ${TMP_COUNT}
+
+ stat_add
+}
+
+######################## parse_logfile_valgrind ########################
+# local shell function to parse and process logs from valgrind
+########################################################################
+parse_logfile_valgrind()
+{
+ ${AWK} '
+ BEGIN {
+ in_mel = 0
+ in_sum = 0
+ bytes = 0
+ lbytes = 0
+ minbytes = 9999999
+ maxbytes = 0
+ blocks = 0
+ lblocks = 0
+ minblocks = 9999999
+ maxblocks = 0
+ runs = 0
+ stack_string = ""
+ bin_name = ""
+ }
+ !/==[0-9]*==/ {
+ if ( $1 == "Running:" )
+ bin_name = $2
+ bin_nf = split(bin_name, bin_fields, "/")
+ bin_name = bin_fields[bin_nf]
+ next
+ }
+ /blocks are/ {
+ in_mel = 1
+ stack_string = ""
+ next
+ }
+ /LEAK SUMMARY/ {
+ in_sum = 1
+ next
+ }
+ /^==[0-9]*== *$/ {
+ if (in_mel)
+ print bin_name stack_string
+ if (in_sum) {
+ runs += 1
+ lbytes += bytes
+ minbytes = (minbytes < bytes) ? minbytes : bytes
+ maxbytes = (maxbytes > bytes) ? maxbytes : bytes
+ bytes = 0
+ lblocks += blocks
+ minblocks = (minblocks < blocks) ? minblocks : blocks
+ maxblocks = (maxblocks > blocks) ? maxblocks : blocks
+ blocks = 0
+ }
+ in_sum = 0
+ in_mel = 0
+ next
+ }
+ in_mel == 1 {
+ new_line = $4
+ if ( new_line == "(within")
+ new_line = "*"
+ stack_string = "/" new_line stack_string
+ }
+ in_sum == 1 {
+ for (i = 2; i <= NF; i++) {
+ if ($i == "bytes") {
+ str = $(i - 1)
+ gsub(",", "", str)
+ bytes += str
+ }
+ if ($i == "blocks.") {
+ str = $(i - 1)
+ gsub(",", "", str)
+ blocks += str
+ }
+ }
+ }
+ END {
+ print "# " lbytes " bytes " lblocks " blocks in " runs " runs " \
+ minbytes " minbytes " maxbytes " maxbytes " minblocks " minblocks " \
+ maxblocks " maxblocks " > "/dev/stderr"
+ }' 2> ${TMP_COUNT}
+
+ stat_add
+}
+
+############################# check_ignored ############################
+# local shell function to check all stacks if they are not ignored
+########################################################################
+check_ignored()
+{
+ ${AWK} -F/ '
+ BEGIN {
+ ignore = "'${IGNORED_STACKS}'"
+ # read in the ignore file
+ BUGNUM = ""
+ count = 0
+ new = 0
+ while ((getline line < ignore) > 0) {
+ if (line ~ "^#[0-9]+") {
+ BUGNUM = line
+ } else if (line ~ "^#") {
+ continue
+ } else if (line == "") {
+ continue
+ } else {
+ bugnum_array[count] = BUGNUM
+ # Create a regular expression for the ignored stack:
+ # replace * with % so we can later replace them with regular expressions
+ # without messing up everything (the regular expressions contain *)
+ gsub("\\*", "%", line)
+ # replace %% with .*
+ gsub("%%", ".*", line)
+ # replace % with [^/]*
+ gsub("%", "[^/]*", line)
+ # add ^ at the beginning
+ # add $ at the end
+ line_array[count] = "^" line "$"
+ count++
+ }
+ }
+ }
+ {
+ match_found = 0
+ # Look for matching ignored stack
+ for (i = 0; i < count; i++) {
+ if ($0 ~ line_array[i]) {
+ # found a match
+ match_found = 1
+ bug_found = bugnum_array[i]
+ break
+ }
+ }
+ # Process result
+ if (match_found == 1 ) {
+ if (bug_found != "") {
+ print "IGNORED STACK (" bug_found "): " $0
+ } else {
+ print "IGNORED STACK: " $0
+ }
+ } else {
+ print "NEW STACK: " $0
+ new = 1
+ }
+ }
+ END {
+ exit new
+ }'
+ ret=$?
+ return $ret
+}
+
+############################### parse_log ##############################
+# local shell function to parse log file
+########################################################################
+log_parse()
+{
+ ${PARSE_LOGFILE} < ${LOGFILE} > ${TMP_STACKS}
+ echo "${SCRIPTNAME}: Processing log ${LOGNAME}:" > ${TMP_SORTED}
+ cat ${TMP_STACKS} | sort -u | check_ignored >> ${TMP_SORTED}
+ ret=$?
+ echo >> ${TMP_SORTED}
+
+ cat ${TMP_SORTED} | tee -a ${FOUNDLEAKS}
+ rm ${TMP_STACKS} ${TMP_SORTED}
+
+ return ${ret}
+}
+
+############################## cnt_total ###############################
+# local shell function to count total leaked bytes
+########################################################################
+cnt_total()
+{
+ echo ""
+ echo "TinderboxPrint:${OPT} Lk bytes: ${tbytes}"
+ echo "TinderboxPrint:${OPT} Lk blocks: ${tblocks}"
+ echo "TinderboxPrint:${OPT} # of runs: ${truns}"
+ echo ""
+}
+
+############################### run_ocsp ###############################
+# local shell function to run ocsp tests
+########################################################################
+run_ocsp()
+{
+ stat_clear
+
+ cd ${QADIR}/iopr
+ . ./ocsp_iopr.sh
+ ocsp_iopr_run
+
+ stat_print "Ocspclnt"
+}
+
+############################## run_chains ##############################
+# local shell function to run PKIX certificate chains tests
+########################################################################
+run_chains()
+{
+ stat_clear
+
+ LOGNAME="chains"
+ LOGFILE=${LOGDIR}/chains.log
+
+ . ${QADIR}/chains/chains.sh
+
+ stat_print "Chains"
+}
+
+############################## run_chains ##############################
+# local shell function to run memory leak tests
+#
+# NSS_MEMLEAK_TESTS - list of tests to run, if not defined before,
+# then is redefined to default list
+########################################################################
+memleak_run_tests()
+{
+ nss_memleak_tests="ssl_server ssl_client chains ocsp"
+ NSS_MEMLEAK_TESTS="${NSS_MEMLEAK_TESTS:-$nss_memleak_tests}"
+
+ for MEMLEAK_TEST in ${NSS_MEMLEAK_TESTS}
+ do
+ case "${MEMLEAK_TEST}" in
+ "ssl_server")
+ run_ciphers_server
+ ;;
+ "ssl_client")
+ run_ciphers_client
+ ;;
+ "chains")
+ run_chains
+ ;;
+ "ocsp")
+ run_ocsp
+ ;;
+ esac
+ done
+}
+
+################################# main #################################
+
+memleak_init
+memleak_run_tests
+cnt_total
+memleak_cleanup
+
diff --git a/security/nss/tests/memleak/sslreq.dat b/security/nss/tests/memleak/sslreq.dat
new file mode 100644
index 000000000..1db703d1a
--- /dev/null
+++ b/security/nss/tests/memleak/sslreq.dat
@@ -0,0 +1,2 @@
+GET /stop HTTP/1.0
+
diff --git a/security/nss/tests/merge/merge.sh b/security/nss/tests/merge/merge.sh
new file mode 100755
index 000000000..1929b12c8
--- /dev/null
+++ b/security/nss/tests/merge/merge.sh
@@ -0,0 +1,277 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/merge/merge.sh
+#
+# Script to test NSS merge
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## merge_init ##############################
+# local shell function to initialize this script
+########################################################################
+merge_init()
+{
+ SCRIPTNAME=merge.sh # sourced - $0 would point to all.sh
+ HAS_EXPLICIT_DB=0
+ if [ ! -z "${NSS_DEFAULT_DB_TYPE}" ]; then
+ HAS_EXPLICIT_DB=1
+ fi
+
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ${QADIR}/cert
+ . ./cert.sh
+ fi
+
+ if [ ! -d ${HOSTDIR}/SDR ]; then
+ cd ${QADIR}/sdr
+ . ./sdr.sh
+ fi
+ SCRIPTNAME=merge.sh
+
+ html_head "Merge Tests"
+
+ # need the SSL & SMIME directories from cert.sh
+ grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+ Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
+ }
+ grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
+ Exit 8 "Fatal - SSL of cert.sh needs to pass first"
+ }
+
+ #temporary files for SDR tests
+ VALUE1=$HOSTDIR/tests.v1.$$
+ VALUE3=$HOSTDIR/tests.v3.$$
+
+ # local directories used in this test.
+ MERGEDIR=${HOSTDIR}/merge
+ R_MERGEDIR=../merge
+ D_MERGE="merge.$version"
+ # SDR not initialized in common/init
+ P_R_SDR=../SDR
+ D_SDR="SDR.$version"
+ mkdir -p ${MERGEDIR}
+
+ PROFILE=.
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ PROFILE="multiaccess:${D_MERGE}"
+ P_R_SDR="multiaccess:${D_SDR}"
+ fi
+
+ cd ${MERGEDIR}
+
+ # clear out any existing databases, potentially from a previous run.
+ rm -f *.db
+
+ # copy alicedir over as a seed database.
+ cp ${R_ALICEDIR}/* .
+ # copy the smime text samples
+ cp ${QADIR}/smime/*.txt .
+
+ # create a set of conflicting names.
+ CONFLICT1DIR=conflict1
+ CONFLICT2DIR=conflict2
+ mkdir ${CONFLICT1DIR}
+ mkdir ${CONFLICT2DIR}
+ # in the upgrade mode (dbm->sql), make sure our test databases
+ # are dbm databases.
+ if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+ save=${NSS_DEFAULT_DB_TYPE}
+ NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
+ fi
+
+ certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}
+ certutil -N -d ${CONFLICT2DIR} -f ${R_PWFILE}
+ certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser41.cert -d ${CONFLICT1DIR}
+ # modify CONFLICTDIR potentially corrupting the database
+ certutil -A -n "Alice #1" -t C,, -i ${R_CADIR}/TestUser42.cert -d ${CONFLICT1DIR} -f ${R_PWFILE}
+ certutil -M -n "Alice #1" -t ,, -d ${CONFLICT1DIR} -f ${R_PWFILE}
+ certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser43.cert -d ${CONFLICT1DIR}
+ certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser44.cert -d ${CONFLICT2DIR}
+ certutil -A -n "Alice #1" -t ,, -i ${R_CADIR}/TestUser45.cert -d ${CONFLICT2DIR}
+ certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser46.cert -d ${CONFLICT2DIR}
+ if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+ NSS_DEFAULT_DB_TYPE=${save}; export NSS_DEFAULT_DB_TYPE
+ fi
+
+ #
+ # allow all the tests to run in standalone mode.
+ # in standalone mode, TEST_MODE is not set.
+ # if NSS_DEFAULT_DB_TYPE is dbm, then test merge with dbm
+ # if NSS_DEFAULT_DB_TYPE is sql, then test merge with sql
+ # if NSS_DEFAULT_DB_TYPE is not set, then test database upgrade merge
+ # from dbm databases (created above) into a new sql db.
+ if [ -z "${TEST_MODE}" ] && [ ${HAS_EXPLICIT_DB} -eq 0 ]; then
+ echo "*** Using Standalone Upgrade DB mode"
+ NSS_DEFAULT_DB_TYPE=sql; export NSS_DEFAULT_DB_TYPE
+ echo certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+ ${BINDIR}/certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+ TEST_MODE=UPGRADE_DB
+
+ fi
+
+}
+
+#
+# this allows us to run this test for both merge and upgrade-merge cases.
+# merge_cmd takes the potential upgrade-id and the rest of the certutil
+# arguments.
+#
+merge_cmd()
+{
+ MERGE_CMD=--merge
+ if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+ MERGE_CMD="--upgrade-merge --upgrade-token-name OldDB --upgrade-id ${1}"
+ fi
+ shift
+ echo certutil ${MERGE_CMD} $*
+ ${PROFTOOL} ${BINDIR}/certutil ${MERGE_CMD} $*
+}
+
+
+merge_main()
+{
+ # first create a local sdr key and encrypt some data with it
+ # This will cause a colision with the SDR key in ../SDR.
+ echo "$SCRIPTNAME: Creating an SDR key & Encrypt"
+ echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}"
+ ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}
+ html_msg $? 0 "Creating SDR Key"
+
+ # Now merge in Dave
+ # Dave's cert is already in alicedir, but his key isn't. This will make
+ # sure we are updating the keys and CKA_ID's on the certificate properly.
+ MERGE_ID=dave
+ echo "$SCRIPTNAME: Merging in Key for Existing user"
+ merge_cmd dave --source-dir ${P_R_DAVEDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+ html_msg $? 0 "Merging Dave"
+
+ # Merge in server
+ # contains a CRL and new user certs
+ MERGE_ID=server
+ echo "$SCRIPTNAME: Merging in new user "
+ merge_cmd server --source-dir ${P_R_SERVERDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+ html_msg $? 0 "Merging server"
+
+ # Merge in ext_client
+ # contains a new certificate chain and additional trust flags
+ MERGE_ID=ext_client
+ echo "$SCRIPTNAME: Merging in new chain "
+ merge_cmd ext_client --source-dir ${P_R_EXT_CLIENTDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+ html_msg $? 0 "Merging ext_client"
+
+ # Merge conflicting nicknames in conflict1dir
+ # contains several certificates with nicknames that conflict with the target
+ # database
+ MERGE_ID=conflict1
+ echo "$SCRIPTNAME: Merging in conflicting nicknames 1"
+ merge_cmd conflict1 --source-dir ${CONFLICT1DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+
+ html_msg $? 0 "Merging conflicting nicknames 1"
+
+ # Merge conflicting nicknames in conflict2dir
+ # contains several certificates with nicknames that conflict with the target
+ # database
+ MERGE_ID=conflict2
+ echo "$SCRIPTNAME: Merging in conflicting nicknames 1"
+ merge_cmd conflict2 --source-dir ${CONFLICT2DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+ html_msg $? 0 "Merging conflicting nicknames 2"
+
+ # Make sure conflicted names were properly sorted out.
+ echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #4)"
+ certutil -L -n "Alice #4" -d ${PROFILE}
+ html_msg $? 0 "Verify nicknames were deconflicted (Alice #4)"
+
+ # Make sure conflicted names were properly sorted out.
+ echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #100)"
+ certutil -L -n "Alice #100" -d ${PROFILE}
+ html_msg $? 0 "Verify nicknames were deconflicted (Alice #100)"
+
+ # Merge in SDR
+ # contains a secret SDR key
+ MERGE_ID=SDR
+ echo "$SCRIPTNAME: Merging in SDR "
+ merge_cmd sdr --source-dir ${P_R_SDR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+ html_msg $? 0 "Merging SDR"
+
+ # insert a listing of the database into the log for diagonic purposes
+ ${BINDIR}/certutil -L -d ${PROFILE}
+ ${BINDIR}/crlutil -L -d ${PROFILE}
+
+ # Make sure we can decrypt with our original SDR key generated above
+ echo "$SCRIPTNAME: Decrypt - With Original SDR Key"
+ echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}"
+ ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}
+ html_msg $? 0 "Decrypt - Value 3"
+
+ # Make sure we can decrypt with our the SDR key merged in from ../SDR
+ echo "$SCRIPTNAME: Decrypt - With Merged SDR Key"
+ echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}"
+ ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}
+ html_msg $? 0 "Decrypt - Value 1"
+
+ # Make sure we can sign with merge certificate
+ echo "$SCRIPTNAME: Signing with merged key ------------------"
+ echo "cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig"
+ ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig
+ html_msg $? 0 "Create Detached Signature Dave" "."
+
+ echo "cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} "
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE}
+ html_msg $? 0 "Verifying Dave's Detached Signature"
+
+ # Make sure that trust objects were properly merged
+ echo "$SCRIPTNAME: verifying merged cert ------------------"
+ echo "certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}"
+ ${PROFTOOL} ${BINDIR}/certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}
+ html_msg $? 0 "Verifying ExtendedSSL User Cert"
+
+ # Make sure that the crl got properly copied in
+ echo "$SCRIPTNAME: verifying merged crl ------------------"
+ echo "crlutil -L -n TestCA -d ${PROFILE}"
+ ${PROFTOOL} ${BINDIR}/crlutil -L -n TestCA -d ${PROFILE}
+ html_msg $? 0 "Verifying TestCA CRL"
+
+}
+
+############################## smime_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+merge_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+merge_init
+merge_main
+echo "TEST_MODE=${TEST_MODE}"
+echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
+merge_cleanup
+
+
diff --git a/security/nss/tests/mksymlinks b/security/nss/tests/mksymlinks
new file mode 100755
index 000000000..aae3386ce
--- /dev/null
+++ b/security/nss/tests/mksymlinks
@@ -0,0 +1,115 @@
+#! /bin/sh
+
+O_OPTIONS=OFF
+. `dirname $0`/header
+
+if [ $O_DEBUG = ON ] ; then
+ Debug "NTDIST $NTDIST"
+ Debug "UXDIST $UXDIST"
+ Debug "TESTSCRIPTDIR $TESTSCRIPTDIR"
+fi
+
+if [ -d "$NSS_VER_DIR" ] ; then
+ cd $NSS_VER_DIR
+else
+ glob_usage "cant cd to $NSS_VER_DIR Exiting"
+fi
+
+if [ -d "$NTDIST" ] ; then
+ cd $NTDIST
+ if [ ! -h WINNT5.0_DBG.OBJ -a ! -d WINNT5.0_DBG.OBJ ] ; then
+ ln -s WINNT4.0_DBG.OBJ WINNT5.0_DBG.OBJ
+ fi
+ if [ ! -h WINNT5.0_DBG.OBJD -a ! -d WINNT5.0_DBG.OBJD ] ; then
+ ln -s WINNT4.0_DBG.OBJD WINNT5.0_DBG.OBJD
+ fi
+ if [ ! -h WINNT5.0_OPT.OBJ -a ! -d WINNT5.0_OPT.OBJ ] ; then
+ ln -s WINNT4.0_OPT.OBJ WINNT5.0_OPT.OBJ
+ fi
+ if [ ! -h WINNT5.1_DBG.OBJ -a ! -d WINNT5.1_DBG.OBJ ] ; then
+ ln -s WINNT4.0_DBG.OBJ WINNT5.1_DBG.OBJ
+ fi
+ if [ ! -h WINNT5.1_DBG.OBJD -a ! -d WINNT5.1_DBG.OBJD ] ; then
+ ln -s WINNT4.0_DBG.OBJD WINNT5.1_DBG.OBJD
+ fi
+ if [ ! -h WINNT5.1_OPT.OBJ -a ! -d WINNT5.1_OPT.OBJ ] ; then
+ ln -s WINNT4.0_OPT.OBJ WINNT5.1_OPT.OBJ
+ fi
+
+ if [ $O_DEBUG = ON ] ; then
+ tell
+ fi
+else
+ if [ $O_DEBUG = ON ] ; then
+ Debug "WARNING!!! cant cd to $NTDIST "
+ fi
+fi
+
+if [ -d "$UXDIST" ]
+then
+ cd $UXDIST
+else
+ glob_usage "Error!!! cant cd to $UXDIST "
+fi
+
+ErrorFlag=0
+
+#if [ ! -h OSF1V5.1_DBG.OBJ -a ! -d OSF1V5.1_DBG.OBJ ] ; then
+ #ln -s OSF1V4.0D_DBG.OBJ OSF1V5.1_DBG.OBJ || ErrorFlag=1
+#fi
+#if [ ! -h OSF1V5.1_OPT.OBJ -a ! -d OSF1V5.1_OPT.OBJ ] ; then
+ #ln -s OSF1V4.0D_OPT.OBJ OSF1V5.1_OPT.OBJ || ErrorFlag=1
+#fi
+#if [ ! -h OSF1V5.0_DBG.OBJ -a ! -d OSF1V5.0_DBG.OBJ ] ; then
+ #ln -s OSF1V4.0D_DBG.OBJ OSF1V5.0_DBG.OBJ || ErrorFlag=1
+#fi
+#if [ ! -h OSF1V5.0_OPT.OBJ -a ! -d OSF1V5.0_OPT.OBJ ] ; then
+ #ln -s OSF1V4.0D_OPT.OBJ OSF1V5.0_OPT.OBJ || ErrorFlag=1
+#fi
+if [ ! -h SunOS5.9_64_DBG.OBJ -a ! -d SunOS5.9_64_DBG.OBJ ] ; then
+ ln -s SunOS5.8_64_DBG.OBJ SunOS5.9_64_DBG.OBJ || ErrorFlag=1
+fi
+if [ ! -h SunOS5.9_64_OPT.OBJ -a ! -d SunOS5.9_64_OPT.OBJ ] ; then
+ ln -s SunOS5.8_64_OPT.OBJ SunOS5.9_64_OPT.OBJ || ErrorFlag=1
+fi
+if [ ! -h SunOS5.9_DBG.OBJ -a ! -d SunOS5.9_DBG.OBJ ] ; then
+ ln -s SunOS5.8_DBG.OBJ SunOS5.9_DBG.OBJ || ErrorFlag=1
+fi
+if [ ! -h SunOS5.9_OPT.OBJ -a ! -d SunOS5.9_OPT.OBJ ] ; then
+ ln -s SunOS5.8_OPT.OBJ SunOS5.9_OPT.OBJ || ErrorFlag=1
+fi
+#sonmi - still leaving the section in there so 3.3 and 3.2 will not break
+#since 5.8 is the masterbuild it should never be executed
+#additionally: only creat link if the slave build is present, but
+#master is not
+#if [ ! -h SunOS5.8_DBG.OBJ -a ! -d SunOS5.8_DBG.OBJ ] ; then
+ #if [ -d SunOS5.6_DBG.OBJ ] ; then
+ #ln -s SunOS5.6_DBG.OBJ SunOS5.8_DBG.OBJ || ErrorFlag=1
+ #fi
+#fi
+#if [ ! -h SunOS5.8_OPT.OBJ -a ! -d SunOS5.8_OPT.OBJ ] ; then
+ #if [ -d SunOS5.6_OPT.OBJ ] ; then
+ #ln -s SunOS5.6_OPT.OBJ SunOS5.8_OPT.OBJ || ErrorFlag=1
+ #fi
+#fi
+#if [ ! -h Linux2.4_x86_glibc_PTH_DBG.OBJ -a ! -d Linux2.4_x86_glibc_PTH_DBG.OBJ]
+#then
+ #ln -s Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.4_x86_glibc_PTH_DBG.OBJ || ErrorFlag=1
+#fi
+#if [ ! -h Linux2.4_x86_glibc_PTH_OPT.OBJ -a ! -d Linux2.4_x86_glibc_PTH_OPT.OBJ]
+#then
+ #ln -s Linux2.2_x86_glibc_PTH_OPT.OBJ Linux2.4_x86_glibc_PTH_OPT.OBJ || ErrorFlag=1
+#fi
+
+if [ ! -h SunOS5.9_i86pc_DBG.OBJ -a ! -d SunOS5.9_i86pc_DBG.OBJ ] ; then
+ ln -s SunOS5.8_i86pc_DBG.OBJ SunOS5.9_i86pc_DBG.OBJ || ErrorFlag=1
+fi
+if [ ! -h SunOS5.9_i86pc_OPT.OBJ -a ! -d SunOS5.9_i86pc_OPT.OBJ ] ; then
+ ln -s SunOS5.8_i86pc_OPT.OBJ SunOS5.9_i86pc_OPT.OBJ || ErrorFlag=1
+fi
+
+if [ $O_DEBUG = ON ] ; then
+ tell
+fi
+
+exit $ErrorFlag #no cleanup here, no tempfiles
diff --git a/security/nss/tests/mpi/mpi.sh b/security/nss/tests/mpi/mpi.sh
new file mode 100644
index 000000000..5cda51615
--- /dev/null
+++ b/security/nss/tests/mpi/mpi.sh
@@ -0,0 +1,40 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+mpi_init()
+{
+ SCRIPTNAME="mpi.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME="mpi.sh"
+ html_head "MPI tests"
+}
+
+mpi_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+mpi_init
+tests=($(mpi_tests list | awk '{print $1}'))
+for test in "${tests[@]}"
+do
+ OUT=$(mpi_tests $test 2>&1)
+ [ ! -z "$OUT" ] && echo "$OUT"
+ OUT=`echo $OUT | grep -i 'error\|Assertion failure'`
+
+ if [ -n "$OUT" ] ; then
+ html_failed "mpi $test test"
+ else
+ html_passed "mpi $test test"
+ fi
+done
+
+mpi_cleanup
diff --git a/security/nss/tests/multinit/multinit.sh b/security/nss/tests/multinit/multinit.sh
new file mode 100755
index 000000000..6ec605f0e
--- /dev/null
+++ b/security/nss/tests/multinit/multinit.sh
@@ -0,0 +1,158 @@
+#! /bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/multinit/multinit.sh
+#
+# Script to test NSS multinit
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## multinit_init ##############################
+# local shell function to initialize this script
+########################################################################
+multinit_init()
+{
+ SCRIPTNAME=multinit.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=multinit.sh
+
+ html_head "MULTI Tests"
+
+ grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+ Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
+ }
+
+ # set up our directories
+ MULTINITDIR=${HOSTDIR}/multinit
+ MULTINITDIR_1=${MULTINITDIR}/dir1
+ MULTINITDIR_2=${MULTINITDIR}/dir2
+ MULTINITDIR_3=${MULTINITDIR}/dir3
+ R_MULINITDIR=../multinit
+ R_MULTINITDIR_1=${R_MULTINITDIR}/dir1
+ R_MULTINITDIR_2=${R_MULTINITDIR}/dir2
+ R_MULTINITDIR_3=${R_MULTINITDIR}/dir3
+ # first create them all
+ mkdir -p ${MULTINITDIR}
+ mkdir -p ${MULTINITDIR_1}
+ mkdir -p ${MULTINITDIR_2}
+ mkdir -p ${MULTINITDIR_3}
+ # now copy them fro alice, bob, and dave
+ cd ${MULTINITDIR}
+ cp ${P_R_ALICEDIR}/* ${MULTINITDIR_1}/
+ cp ${P_R_BOBDIR}/* ${MULTINITDIR_2}/
+ cp ${P_R_DAVEDIR}/* ${MULTINITDIR_3}/
+ # finally delete the RootCerts module to keep the certificate noice in the
+ # summary lines down
+ echo | modutil -delete RootCerts -dbdir ${MULTINITDIR_1}
+ echo | modutil -delete RootCerts -dbdir ${MULTINITDIR_2}
+ echo | modutil -delete RootCerts -dbdir ${MULTINITDIR_3}
+ MULTINIT_TESTS=${QADIR}/multinit/multinit.txt
+}
+
+
+############################## multinit_main ##############################
+# local shell function to test basic signed and enveloped messages
+# from 1 --> 2"
+########################################################################
+multinit_main()
+{
+ html_head "Multi init interface testing"
+ exec < ${MULTINIT_TESTS}
+ while read order commands shutdown_type dirs readonly testname
+ do
+ if [ "$order" != "#" ]; then
+ read tag expected_result
+
+ # handle the case where we expect different results based on
+ # the database type.
+ if [ "$tag" != "all" ]; then
+ read tag2 expected_result2
+ if [ "$NSS_DEFAULT_DB_TYPE" == "$tag2" ]; then
+ expected_result=$expected_result2
+ fi
+ fi
+
+ # convert shutdown type to option flags
+ shutdown_command="";
+ if [ "$shutdown_type" == "old" ]; then
+ shutdown_command="--oldStype"
+ fi
+
+ # convert read only to option flags
+ ro_command="";
+ case $readonly in
+ all) ro_command="--main_readonly --lib1_readonly --lib2_readonly";;
+ libs) ro_command="--lib1_readonly --lib2_readonly";;
+ main) ro_command="--main_readonly";;
+ lib1) ro_command="--lib1_readonly";;
+ lib2) ro_command="--lib2_readonly";;
+ none) ;;
+ *) ;;
+ esac
+
+ # convert commands to option flags
+ main_command=`echo $commands | sed -e 's;,.*$;;'`
+ lib1_command=`echo $commands | sed -e 's;,.*,;+&+;' -e 's;^.*+,;;' -e 's;,+.*$;;'`
+ lib2_command=`echo $commands | sed -e 's;^.*,;;'`
+
+ # convert db's to option flags
+ main_db=`echo $dirs | sed -e 's;,.*$;;'`
+ lib1_db=`echo $dirs | sed -e 's;,.*,;+&+;' -e 's;^.*+,;;' -e 's;,+.*$;;'`
+ lib2_db=`echo $dirs | sed -e 's;^.*,;;'`
+
+ # show us the command we are executing
+ echo ${PROFILETOOL} ${BINDIR}/multinit --order $order --main_command $main_command --lib1_command $lib1_command --lib2_command $lib2_command $shutdown_command --main_db $main_db --lib1_db $lib1_db --lib2_db $lib2_db $ro_command --main_token_name "Main" --lib1_token_name "Lib1" --lib2_token_name "Lib2" --verbose --summary
+
+ # execute the command an collect the result. Most of the user
+ # visible output goes to stderr, so it's not captured by the pipe
+ actual_result=`${PROFILETOOL} ${BINDIR}/multinit --order $order --main_command $main_command --lib1_command $lib1_command --lib2_command $lib2_command $shutdown_command --main_db $main_db --lib1_db $lib1_db --lib2_db $lib2_db $ro_command --main_token_name "Main" --lib1_token_name "Lib1" --lib2_token_name "Lib2" --verbose --summary | grep "^result=" | sed -e 's;^result=;;'`
+
+ # show what we got and what we expected for diagnostic purposes
+ echo "actual = |$actual_result|"
+ echo "expected = |$expected_result|"
+ test "$actual_result" == "$expected_result"
+ html_msg $? 0 "$testname"
+ fi
+ done
+}
+
+############################## multinit_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+multinit_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+multinit_init
+multinit_main
+multinit_cleanup
diff --git a/security/nss/tests/multinit/multinit.txt b/security/nss/tests/multinit/multinit.txt
new file mode 100644
index 000000000..d5296dc0e
--- /dev/null
+++ b/security/nss/tests/multinit/multinit.txt
@@ -0,0 +1,79 @@
+#
+# This file defines the tests for multiple initialization of NSS in
+# different libraries.
+#
+# Test description lines control the parameters for the multinit test program.
+#
+# Init order: Upper case/digits indicate an init call, lower case indicate
+# a shutdown call.
+# M,m-Main 1,i-lib1, 2,z-lib2
+# Main calls the traditional NSS init calls (simulating the main application)
+# lib1 and lib2 call NSS_InitContext().
+#
+# All functions call NSS_ShutdownContext unless 'main shutdown type' is set to
+# 'old', in which case main will call the traditional NSS_Shutdown().
+#
+# Commands: comma separated list of commands to execute. These simulate
+# executing commands from either a library or main. In each cycle, multinit
+# will do one initialize or shutdown, then execute all the commands
+# for any of the libraries or main that is currently initialized. The same
+# command is executed in each cycle that it's library is initialized.
+#
+# Commands are given in order or 'main','lib1','lib2'. Valid commands are:
+# none - don't execute any commands for this library (or main).
+# list_certs - list all the visible certs in the system.
+# list_slots - list all the slots in the system.
+# key_slot - list the current default key slot.
+#
+# Main Shutdown Type - which kind of shutdown does main call. See Init order.
+#
+# Directories - which directory should each init open. Listed in order of:
+# (main init directory),(lib1 init directory),(lib2 init directory).
+#
+# RO - Which databases to open up read only, valid values are:
+# all - main, lib1, and lib2
+# none - open all directories R/W
+# libs - lib1 & lib2
+# main, lib1, lib2 - their respective directories only.
+#
+# Test description lines are followed by their expected summary output.
+# output lines are of the form:
+#
+# tag expected output.
+#
+# where tag is one of
+# all - applies to all database types
+# sql - expected output for sql databases
+# dbm - expected output for dbm databases
+#
+# if you do not specify all, you must have one line each for sql and dbm
+#
+# main
+# init main,lib1,lib2 shutdown main,lib1,lib2 Test Case name
+# order commands type directories RO
+# ------ ------------------------ --- ----------- ----- --------------
+ 1M2zmi list_slots,list_certs,none new dir1,dir2,dir3 all Progressive init
+all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCCMS<NSS Generic Crypto Services>ttS<Main>ttS<Lib1>ttC<Alice>uuuC<Bob>pupupuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCZS<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCNC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCI
+ 1M2zmi list_certs,none,none old dir1,dir2,dir3 all Progressive init - oldStyle
+all 1MC<Alice>uuuC<Bob>pupupuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2C<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCZC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCNIE0xffffe09a
+ 12Mizm none,list_certs,none new dir1,dir2,dir3 all Sequenced init
+all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2C<Bob>uuuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCMC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCIZN
+ 12Mizm none,list_certs,none old dir1,dir2,dir3 all Sequenced init - old Style
+all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2C<Bob>uuuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCMC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCIZN
+ 1Mi2mz none,list_certs,list_slots new dir1,dir2,dir3 all Overlap shutdown
+all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCCMC<Alice>uuuC<Bob>pupupuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCCI2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttNS<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttZ
+ 1Mi2mz none,key_slot,none new dir1,dir2,dir3 all Keyslot test
+all 1S<Lib1>ttMS<Main>ttI2NZ
+ M12miz none,key_slot,none new dir1,dir2,dir3 all Main init first
+all M1S<Main>tt2S<Main>ttNS<Main>ttIZ
+ M12miz key_slot,none,none old dir1,dir2,dir3 all Main init first - old Style
+all MS<Main>tt1S<Main>tt2S<Main>ttNIE0xffffe09aZE0xffffe09a
+ M12miz list_slots,none,none new dir1,dir1,dir2 all Loading the same directory twice
+all MS<NSS Generic Crypto Services>ttS<Main>tt1S<NSS Generic Crypto Services>ttS<Main>tt2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttNIZ
+ M12miz list_slots,none,none new dir1,dir1,dir2 libs Loading the same directory twice - r/w then ro
+all MS<NSS Generic Crypto Services>ttS<Main>tf1S<NSS Generic Crypto Services>ttS<Main>tf2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>tfNIZ
+ M12miz list_slots,none,none new dir1,dir1,dir2 main Loading the same directory twice - ro then r/w
+sql MS<NSS Generic Crypto Services>ttS<Main>tt1S<NSS Generic Crypto Services>ttS<Lib1>tfS<Main>tt2S<NSS Generic Crypto Services>ttS<Lib2>tfS<Lib1>tfS<Main>ttNIZ
+dbm MS<NSS Generic Crypto Services>ttS<Main>tt1S<NSS Generic Crypto Services>ttS<Main>tt2S<NSS Generic Crypto Services>ttS<Lib2>tfS<Main>ttNIZ
+ M12miM1zim key_slot,none,none old dir1,dir2,dir3 all Properly detect shutdown of a closed handle
+all MS<Main>tt1S<Main>tt2S<Main>ttNIE0xffffe09aMS<Main>tt1S<Main>ttZE0xffffe09aS<Main>ttIS<Main>ttN
diff --git a/security/nss/tests/nssdir b/security/nss/tests/nssdir
new file mode 100755
index 000000000..884c299f5
--- /dev/null
+++ b/security/nss/tests/nssdir
@@ -0,0 +1,28 @@
+if ( "$2" == "" ) then
+ setenv BUILDDATE `date +%m%d`
+else
+ setenv BUILDDATE $2
+endif
+
+if ( "$1" == "" ) then
+ setenv NSSVER tip
+else
+ setenv NSSVER $1
+endif
+
+if ( ! ${?QAYEAR} ) then
+ setenv QAYEAR `date +%Y`
+else if ( "$QAYEAR" == "" ) then
+ setenv QAYEAR `date +%Y`
+
+endif
+
+setenv NSS_VER_DIR /share/builds/mccrel3/nss/nss$NSSVER
+setenv NTDIST ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/blowfish_NT4.0_Win95/mozilla/dist
+setenv UXDIST ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/dist
+setenv TESTSCRIPTDIR ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/security/nss/tests
+setenv RESULTDIR ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/tests_results/security
+
+cd ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8
+pwd
+ls
diff --git a/security/nss/tests/nsspath b/security/nss/tests/nsspath
new file mode 100755
index 000000000..5d5ececc6
--- /dev/null
+++ b/security/nss/tests/nsspath
@@ -0,0 +1,12 @@
+#! /bin/tcsh
+
+set PWD=`pwd`
+source /u/sonmi/bin/nssdir $*
+set OBJDIR=`(cd mozilla/security/nss/tests/common; gmake objdir_name)`
+setenv PATH `perl /u/sonmi/bin/path_uniq -s "${PATH}:${UXDIST}/${OBJDIR}/bin"`
+if ( `uname -n` == "iws-perf" ) then
+ setenv LD_LIBRARY_PATH "${UXDIST}/${OBJDIR}/lib:/opt/nfast/toolkits/pkcs11"
+else
+ setenv LD_LIBRARY_PATH "${UXDIST}/${OBJDIR}/lib"
+endif
+cd $PWD
diff --git a/security/nss/tests/nssqa b/security/nss/tests/nssqa
new file mode 100755
index 000000000..441128155
--- /dev/null
+++ b/security/nss/tests/nssqa
@@ -0,0 +1,286 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/nssqa - /u/svbld/bin/init/nss/nssqa
+#
+# this script is supposed to automatically run QA for NSS on all required
+# Unix and Windows (NT and 2000) platforms
+#
+# parameters
+# ----------
+# nssversion (supported: 30b, 31, tip)
+# builddate (default - today)
+#
+# options
+# -------
+# -y answer all questions with y - use at your own risk...ignores warnings
+# -s silent (only usefull with -y)
+# -h, -? - you guessed right - displays this text
+# -d debug
+# -f <filename> - write the (error)output to filename
+# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.nssqa
+#
+# 12/1/00
+# took out the (unused) local directory for releasebuild QA on NT
+# cleaned up 32 - 64 bit issues
+# took hardcoded machinenames out
+########################################################################
+
+O_OPTIONS=ON # accept options (see above for listing)
+WIN_WAIT_FOREVER=ON # first we wait forever for a TESTDIR to appear, than
+ # we wait forever for the build to finish...
+
+TBX_EXIT=50 # in case we are running on a tinderbox build, any
+ # early exit needs to return an error
+. `dirname $0`/header # utilities, shellfunctions etc, global to NSS QA
+
+if [ -z "$O_TBX" -o "$O_TBX" != "ON" ] ; then
+ is_running ${TMP}/nssqa
+ # checks if the file exists, if yes Exits, if not
+ # creates to implement a primitive locking mechanism
+fi
+
+KILL_SELFSERV=OFF # cleanup will also kill the leftover selfserv processes
+
+################################ check_distdir #########################
+# local shell function to check if the DIST directory exists, if not there
+# is no use to continue the test
+########################################################################
+check_distdir()
+{
+ set_objdir
+
+ if [ ! -d "$LOCALDIST_BIN" ]
+ then
+ Debug "Dist $DIST"
+ Warning "$LOCALDIST_BIN (the dist binaries dir) does not exist"
+ return 1
+ fi
+
+ if [ ! -d "$LOCALDIST" -a ! -h "$LOCALDIST" ]
+ then
+ Debug "Dist $DIST"
+ Warning "$LOCALDIST (the dist directory) does not exist"
+ return 1
+ fi
+
+ Debug "LOCALDIST_BIN $LOCALDIST_BIN"
+ Debug "Dist $DIST"
+ return 0
+}
+
+################################ run_all ###############################
+# local shell function to start the all.sh after asking user and redirect
+# the output apropriately
+########################################################################
+run_all()
+{
+ check_distdir || return 1
+ #kill_by_name selfserv
+ ask "Testing $OBJDIR continue with all.sh" "y" "n" || Exit
+
+ Debug "running all.sh in `pwd`"
+ if [ $O_SILENT = ON ]
+ then
+ if [ $O_DEBUG = ON -a $O_FILE = ON ]
+ then
+ all.sh >>$FILENAME 2>>$FILENAME
+ else
+ all.sh >/dev/null 2>/dev/null
+ fi
+ else
+ all.sh
+ fi
+ Debug "Done with all.sh "
+ line
+}
+
+all_sh()
+{
+ echo
+}
+
+
+########################### wait_for_build #############################
+# local shell function to wait until the build is finished
+########################################################################
+wait_for_build()
+{
+ if [ $O_WIN = "ON" ]
+ then
+ WaitForever ${OSDIR}/SVbuild.InProgress.1 0
+ #Wait for the build to finish Windows a lot longer
+ OS_TARGET=WINNT;export OS_TARGET;Debug "OS_TARGET set to $OS_TARGET"
+ QA_OS_NAME=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name | \
+ sed -e "s/WINNT4.0.*/Windows-NT-4.0/" -e "s/WINNT5.0.*/Windows-2000/"`
+ Echo "WINDOWS-OS-LINE: $QA_OS_NAME"
+ else
+ Wait ${OSDIR}/SVbuild.InProgress.1 0
+ #Wait for the build to finish... Unix a few hours
+ qa_stat_get_sysinfo
+ Echo "UNIX-OS-LINE: $QA_OS"
+ fi
+ find_nt_masterbuild
+}
+
+
+########################### map_os #############################
+# local shell function: From the operatingsystem figure out the name of
+# the build ; needed to detemine if the build finished, passed and for
+# the directory names
+########################################################################
+map_os32()
+{
+ case `uname -s` in
+ SunOS)
+ S_REL=`uname -r | sed -e "s/^[^\.]*\.//g"`
+ if [ `uname -p` = "i386" ] ; then
+ MAPPED_OS=Solaris8_x86
+ elif [ "$S_REL" -lt 8 ] ; then
+ MAPPED_OS=Solaris2.6
+ else
+ MAPPED_OS=Solaris8_forte6
+ fi
+ ;;
+ OSF1)
+ MAPPED_OS=OSF1V4.0
+ ;;
+ Darwin)
+ MAPPED_OS=Darwin6.5
+ ;;
+ AIX)
+ MAPPED_OS=AIX4.3
+ ;;
+ Linux)
+ RH_MR=`cat /etc/redhat-release | sed \
+ -e "s/Red Hat Linux release //" -e "s/ .*//g" \
+ -e "s/\..*//g"`
+
+ if [ "$RH_MR" = "6" ] ; then
+ MAPPED_OS=Linux2.2
+ else
+ MAPPED_OS=Linux2.4
+ LD_ASSUME_KERNEL="2.2.5"
+ export LD_ASSUME_KERNEL
+ fi
+ ;;
+ HP-UX)
+ MAPPED_OS=HPUX11.00
+ ;;
+ *)
+ if [ "$os_name" = "Windows" ]
+ then
+ MAPPED_OS=NT4.0
+ else
+ Exit "Sorry, operating system `uname -s` is not supported yet"
+ fi
+ ;;
+ esac
+ set_osdir
+ Debug "Mapped OS to $MAPPED_OS"
+}
+
+############################# nssqa_main ###############################
+# local shell function main controlling function of the nss qa
+########################################################################
+nssqa_main()
+{
+ Debug "In function nssqa_main"
+
+ if [ $O_WIN = "OFF" -a "$O_TBX" = "OFF" -a $O_LOCAL = "OFF" ] ; then
+ if [ ! -h ${NTDIST}/WINNT5.0_DBG.OBJ -o \
+ ! -h ${UXDIST}/SunOS5.8_OPT.OBJ -o \
+ ! -h ${UXDIST}/OSF1V5.0_DBG.OBJ ] ; then
+ # determine if all needed symbolic links are present, in case
+ # we build on one platform and QA on another
+ # create the symbolic links
+ #mksymlinks $* ||
+ `dirname $0`/mksymlinks $NSSVER $BUILDDATE ||
+ Warning "Can't make the neccessary symbolic links"
+ fi
+ fi
+
+ if [ -d $TESTSCRIPTDIR ] #the directory mozilla/security/nss/tests,
+ then # where all.sh lives
+ cd $TESTSCRIPTDIR
+ else
+ Exit "cant cd to $TESTSCRIPTDIR Exiting"
+ fi
+
+ Debug "Testing from `pwd`"
+ line
+ Debug "HOST: $HOST, DOMSUF: $DOMSUF"
+
+ if [ "$O_TBX" = "OFF" ] ; then
+ map_os32 # From the operatingsystem figure out the name of the build
+ Debug Testing build for $MAPPED_OS in $OSDIR
+ wait_for_build
+ fi
+ run_all
+ BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT"
+ run_all
+
+ # now for the 64 bit build!
+ map_os64 # From the operatingsystem figure out the name of the build
+ if [ -n "$IS_64" ] ; then #Wait for the 64 bit build to finish...
+ Debug "This is a $IS_64 platform"
+ USE_64=1;export USE_64;Debug "Use_64 set to $USE_64"
+ unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT"
+
+ run_all
+ BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT"
+ run_all
+ elif [ "$O_WIN" = "ON" ] ; then
+ OS_TARGET=WIN95;export OS_TARGET
+ Debug "OS_TARGET set to $OS_TARGET"
+ #Echo "WINDOWS-OS-LINE: $os_name $os_full $OS_TARGET"
+ unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT"
+ #if [ "$TEST_LEVEL" = "0" ] ; then
+ #QA_OS_NAME=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name | \
+ #sed -e "s/WINNT4.0.*/Windows-NT-4.0/" -e \
+ #"s/WINNT5.0.*/Windows-2000/"`
+ #Echo "WINDOWS-OS-LINE: $QA_OS_NAME $OS_TARGET"
+ #fi
+ run_all
+ BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT"
+ run_all
+ else
+ Debug "This is a 32 bit platform"
+ fi
+}
+
+TEST_LEVEL=0
+
+while [ $TEST_LEVEL -lt 2 ] ; do
+ export TEST_LEVEL
+ unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT"
+ unset USE_64;export USE_64;Debug "USE_64 $USE_64"
+ bc $TEST_LEVEL
+ Debug "About to start nssqa_main"
+ if [ $O_FILE = ON -a "$O_WIN" != "ON" ] ; then
+ nssqa_main 2>>$FILENAME
+ else
+ nssqa_main
+ fi
+ if [ "$O_TBX" = "ON" ] ; then # do not do backward compatibility
+ TEST_LEVEL=3 # testing on tinderbox
+ else
+ TEST_LEVEL=`expr $TEST_LEVEL + 1 `
+ fi
+done
+
+if [ "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then
+#FIXME - maybe it should be copied back to the networkdrive later (-ln)
+ if [ -n "${TMPFILES}" ] ; then #caused problems on tinderbox machines
+ Debug "rm -f ${TMPFILES}"
+ rm -f $TMPFILES 2>/dev/null
+ fi
+ Debug "running qa_stat"
+ . `dirname $0`/qa_stat
+fi
+
+
+qa_stat_get_sysinfo
+
+Exit "nssqa completed. Done `uname -n` $QA_OS_STRING"
diff --git a/security/nss/tests/ocsp/ocsp.sh b/security/nss/tests/ocsp/ocsp.sh
new file mode 100644
index 000000000..246e6e3d4
--- /dev/null
+++ b/security/nss/tests/ocsp/ocsp.sh
@@ -0,0 +1,54 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/ocsp/ocsp.sh
+#
+# Script to test NSS OCSP
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_init ################################
+# local shell function to initialize this script
+########################################################################
+ocsp_init()
+{
+ SCRIPTNAME=ocsp.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ -z "${IOPR_OCSP_SOURCED}" ]; then
+ . ../iopr/ocsp_iopr.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=ocsp.sh
+ echo "$SCRIPTNAME: OCSP tests ==============================="
+
+ REQF=${QADIR}/ssl/sslreq.dat
+
+ cd ${CLIENTDIR}
+}
+
+################## main #################################################
+ocsp_init
+ocsp_iopr_run
diff --git a/security/nss/tests/path_uniq b/security/nss/tests/path_uniq
new file mode 100755
index 000000000..f29f60a00
--- /dev/null
+++ b/security/nss/tests/path_uniq
@@ -0,0 +1,107 @@
+#! /bin/perl
+
+########################################################################
+#
+# /u/sonmi/bin/path_uniq
+#
+# this script makes components of a PATH like string unique cand prints
+# it to stdout
+#
+# parameters
+# ----------
+# PATH
+#
+# options
+# -------
+# -d delimiter - default :
+# -s shortens the path
+#
+# usefull enhancements: in the usage part, try to guess what was meant as
+# a path and echo it to stdout to not break for PATHs with blanks
+#
+########################################################################
+
+sub usage {
+ print STDERR "usage $0 [-s] [-d <delimiter>] PATH\n";
+ print STDERR " this script makes components of the PATH unique, if you\n";
+ print STDERR " pass in a searchpath A:B:C:A:B:E it will print A:B:C:E to\n";
+ print STDERR " the stdout\n\n";
+ print STDERR " -s will mercylessly cut components from the path, \n";
+ print STDERR " use at your own risk\n\n";
+ print STDERR " the parameters you gave were: \n";
+ for ( $i = 0; $i <= $#ARGV; $i++ ) {
+ print STDERR " $ARGV[$i]\n";
+ }
+ exit ;
+}
+
+
+$i = 0;
+$j = 0;
+$delimiter = ":";
+$searchpath = "";
+@pathcomponents;
+$found=0;
+$newpath="";
+$shorten=0;
+
+for ( $i=0; $i <= $#ARGV; $i++) {
+ if ( $ARGV[$i] eq '-d' ) {
+ $delimiter = $ARGV[++$i];
+ } elsif ( $ARGV[$i] eq '-s' ) {
+ $shorten=1;
+ } else {
+ $searchpath = $ARGV[$i];
+ }
+}
+if ( $searchpath eq "" ) {
+ usage;
+}
+#print STDERR "delimiter $delimiter\n";
+#print STDERR "shorten $shorten\n";
+#print STDERR "searchpath $searchpath\n";
+
+@pathcomponents=split($delimiter, $searchpath);
+
+for ( $i = 0; $i <= $#pathcomponents; $i++ ) {
+ $found=0;
+ if ( $shorten == 1 ) {
+ if ( "\/tools\/ns-arch\/sparc_sun_solaris2\.4\/lib\/sparcworks\/SUNWspro/bin" eq $pathcomponents[$i] ||
+ "\/h\/tortoise\/export\/share\/builds\/tools\/sparc_sun_solaris2\.5\.1\/perl5\.004\/bin" eq $pathcomponents[$i] ||
+ "\/usr\/dist\/local\/exe" eq $pathcomponents[$i] ||
+ "\/opt\/SUNWspro\/bin" eq $pathcomponents[$i] ||
+ "\/opt\/SUNWwabi\/bin" eq $pathcomponents[$i] ||
+ "\/u\/svbld\/bin" eq $pathcomponents[$i] ||
+ "\/usr\/demos" eq $pathcomponents[$i] ||
+ "\/usr\/audio\/bin" eq $pathcomponents[$i] ||
+ "\/usr\/openwin\/demo" eq $pathcomponents[$i] ||
+ "\/tools\/contrib\/bin" eq $pathcomponents[$i] ||
+ "\/usr\/etc\/" eq $pathcomponents[$i] ||
+ "\/usr\/demos\/bin" eq $pathcomponents[$i] ) {
+
+
+ #print "dumped: $pathcomponents[$i]\n";
+ next;
+ }
+ #print "keep: $pathcomponents[$i]\n";
+ }
+ for ( $j = 0; $j < $i; $j++ ) {
+ if ( $pathcomponents[$j] eq $pathcomponents[$i] ) {
+ #print "$i and $j match - $pathcomponents[$i] - $pathcomponents[$j]\n";
+ $found=1;
+ last;
+ }
+ }
+ if ( $found == 0 ) {
+ #print "$pathcomponents[$i]:";
+ if ($i == 0) {
+ $newpath = $pathcomponents[$i];
+ } else {
+ $newpath=join($delimiter, $newpath,$pathcomponents[$i]);
+ }
+ }
+}
+print "$newpath\n";
+exit;
+
+
diff --git a/security/nss/tests/perf/perf.sh b/security/nss/tests/perf/perf.sh
new file mode 100755
index 000000000..b398a0e57
--- /dev/null
+++ b/security/nss/tests/perf/perf.sh
@@ -0,0 +1,61 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/perf/perf.sh
+#
+# script run from the nightly NSS QA to measure nss performance
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## perf_init ##############################
+# local shell function to initialize this script
+########################################################################
+
+perf_init()
+{
+ SCRIPTNAME="perf.sh"
+ if [ -z "${INIT_SOURCED}" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME="perf.sh"
+ PERFDIR=${HOSTDIR}/perf
+ mkdir -p ${PERFDIR}
+}
+
+perf_init
+cd ${PERFDIR}
+RSAPERF_OUT=`${BINDIR}/rsaperf -i 300 -s -n none`
+RSAPERF_OUT=`echo $RSAPERF_OUT | sed \
+ -e "s/^/RSAPERF: $OBJDIR /" \
+ -e 's/microseconds/us/' \
+ -e 's/milliseconds/ms/' \
+ -e 's/seconds/s/' \
+ -e 's/ minutes, and /_min_/'`
+
+echo "$RSAPERF_OUT"
+
+
+
+#FIXME
+#export RSAPERF_OUT
+#
+#perl -e '
+
+#@rsaperf=split(/ /, $ENV{RSAPERF_OUT});
+
+#echo "${RSAPERF_OUT}" | read IT_NUM T1 T2 TOT_TIM TOT_TIM_U \
+ #T3 T4 T5 AVRG_TIM AVRG_TIM_U
+
+#300 iterations in 8.881 seconds one operation every 29606 microseconds
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db b/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db
new file mode 100644
index 000000000..02f36ae28
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db
Binary files differ
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db b/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db
new file mode 100644
index 000000000..1c015a4a2
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db
Binary files differ
diff --git a/security/nss/tests/pkits/pkits.sh b/security/nss/tests/pkits/pkits.sh
new file mode 100755
index 000000000..ecf007736
--- /dev/null
+++ b/security/nss/tests/pkits/pkits.sh
@@ -0,0 +1,1988 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/pkits/pkits.sh
+#
+# Script to test the NIST PKITS tests
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+# vfychain
+#
+# special NOTES
+# ---------------
+# NIST PKITS data needs to be downloaded from
+# http://csrc.nist.gov/pki/testing/x509paths.html
+# Environment variable PKITS_DATA needs to be set to the directory
+# where this data is downloaded, or test data needs to be copied under
+# the mozilla source tree in mozilla/PKITS_DATA
+########################################################################
+
+############################## pkits_init ##############################
+# local shell function to initialize this script
+########################################################################
+pkits_init()
+{
+ SCRIPTNAME=pkits.sh
+
+ if [ -z "${CLEANUP}" ] ; then
+ CLEANUP="${SCRIPTNAME}"
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ if [ -z "${PKITS_DATA}" ]; then
+ echo "${SCRIPTNAME}: PKITS data directory not defined, skipping."
+ exit 0
+ fi
+
+ if [ ! -d "${PKITS_DATA}" ]; then
+ echo "${SCRIPTNAME}: PKITS data directory ${PKITS_DATA} doesn't exist, skipping."
+ exit 0
+ fi
+
+ PKITSDIR=${HOSTDIR}/pkits
+
+ COPYDIR=${PKITSDIR}/copydir
+
+ mkdir -p ${PKITSDIR}
+ mkdir -p ${COPYDIR}
+ mkdir -p ${PKITSDIR}/html
+
+ certs=${PKITS_DATA}/certs
+ crls=${PKITS_DATA}/crls
+
+ cd ${PKITSDIR}
+
+ PKITSdb=${PKITSDIR}/PKITSdb
+ PKITSbkp=${PKITSDIR}/PKITSbkp
+
+ PKITS_LOG=${PKITSDIR}/pkits.log #getting its own logfile
+ pkits_log "Start of logfile $PKITS_LOG"
+
+ if [ ! -d "${PKITSdb}" ]; then
+ mkdir -p ${PKITSdb}
+ else
+ pkits_log "$SCRIPTNAME: WARNING - ${PKITSdb} exists"
+ fi
+
+ if [ ! -d "${PKITSbkp}" ]; then
+ mkdir -p ${PKITSbkp}
+ else
+ pkits_log "$SCRIPTNAME: WARNING - ${PKITSbkp} exists"
+ fi
+
+ echo "HOSTDIR" $HOSTDIR
+ echo "PKITSDIR" $PKITSDIR
+ echo "PKITSdb" $PKITSdb
+ echo "PKITSbkp" $PKITSbkp
+ echo "PKITS_DATA" $PKITS_DATA
+ echo "certs" $certs
+ echo "crls" $crls
+
+ echo nss > ${PKITSdb}/pw
+ ${BINDIR}/certutil -N -d ${PKITSdb} -f ${PKITSdb}/pw
+
+ ${BINDIR}/certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \
+ $certs/TrustAnchorRootCertificate.crt -d $PKITSdb
+ if [ -z "$NSS_NO_PKITS_CRLS" ]; then
+ ${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb} -f ${PKITSdb}/pw
+ else
+ html "<H3>NO CRLs are being used.</H3>"
+ pkits_log "NO CRLs are being used."
+ fi
+
+ cp ${PKITSdb}/* ${PKITSbkp}
+
+ KNOWN_BUG=
+}
+
+############################### pkits_log ##############################
+# write to pkits.log file
+########################################################################
+pkits_log()
+{
+ echo "$SCRIPTNAME $*"
+ echo $* >> ${PKITS_LOG}
+}
+
+restore_db()
+{
+ echo "Restore DB"
+ rm ${PKITSdb}/*
+ cp ${PKITSbkp}/* ${PKITSdb}
+}
+
+log_banner()
+{
+ echo ""
+ echo "--------------------------------------------------------------------"
+ echo "Test case ${VFY_ACTION}"
+ echo ""
+}
+
+start_table()
+{
+ html "<TABLE BORDER=1><TR><TH COLSPAN=3>$*</TH></TR>"
+ html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>"
+ echo ""
+ echo "***************************************************************"
+ echo "$*"
+ echo "***************************************************************"
+}
+
+break_table()
+{
+ html "</TABLE><P>"
+ start_table "$@"
+}
+
+################################ pkits #################################
+# local shell function for positive testcases, calls vfychain, writes
+# action and options to stdout, sets variable RET and writes results to
+# the html file results
+########################################################################
+pkits()
+{
+ echo "vfychain -d $PKITSdb -u 4 $*"
+ ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1
+ RET=$?
+ CNT=`grep -c ERROR ${PKITSDIR}/cmdout.txt`
+ RET=`expr ${RET} + ${CNT}`
+ cat ${PKITSDIR}/cmdout.txt
+
+ if [ "$RET" -ne 0 ]; then
+ html_failed "${VFY_ACTION} ($RET) "
+ pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+ else
+ html_passed "${VFY_ACTION}"
+ pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET"
+ fi
+
+ return $RET
+}
+
+################################ pkitsn #################################
+# local shell function for negative testcases, calls vfychain, writes
+# action and options to stdout, sets variable RET and writes results to
+# the html file results
+########################################################################
+pkitsn()
+{
+ echo "vfychain -d $PKITSdb -u 4 $*"
+ ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1
+ RET=$?
+ CNT=`grep -c ERROR ${PKITSDIR}/cmdout.txt`
+ RET=`expr ${RET} + ${CNT}`
+ cat ${PKITSDIR}/cmdout.txt
+
+ if [ "$RET" -eq 0 ]; then
+ html_failed "${VFY_ACTION} ($RET) "
+ pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+ else
+ html_passed "${VFY_ACTION} ($RET) "
+ pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET"
+ fi
+ return $RET
+}
+
+################################ crlImport #############################
+# local shell function to import a CRL, calls crlutil -I -i, writes
+# action and options to stdout
+########################################################################
+crlImport()
+{
+ if [ -z "$NSS_NO_PKITS_CRLS" ]; then
+ echo "crlutil -d $PKITSdb -I -f ${PKITSdb}/pw -i $crls/$*"
+ ${BINDIR}/crlutil -d ${PKITSdb} -I -f ${PKITSdb}/pw -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1
+ RET=$?
+ cat ${PKITSDIR}/cmdout.txt
+
+ if [ "$RET" -ne 0 ]; then
+ html_failed "${VFY_ACTION} ($RET) "
+ pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+ fi
+ fi
+}
+
+################################ crlImportn #############################
+# local shell function to import an incorrect CRL, calls crlutil -I -i,
+# writes action and options to stdout
+########################################################################
+crlImportn()
+{
+ RET=0
+ if [ -z "$NSS_NO_PKITS_CRLS" ]; then
+ echo "crlutil -d $PKITSdb -I -f ${PKITSdb}/pw -i $crls/$*"
+ ${BINDIR}/crlutil -d ${PKITSdb} -I -f ${PKITSdb}/pw -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1
+ RET=$?
+ cat ${PKITSDIR}/cmdout.txt
+
+ if [ "$RET" -eq 0 ]; then
+ html_failed "${VFY_ACTION} ($RET) "
+ pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+ else
+ html_passed "${VFY_ACTION} ($RET) "
+ pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET"
+ fi
+ fi
+ return $RET
+}
+
+################################ certImport #############################
+# local shell function to import a Cert, calls certutil -A, writes
+# action and options to stdout
+########################################################################
+certImport()
+{
+ echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt"
+ ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1
+ RET=$?
+ cat ${PKITSDIR}/cmdout.txt
+
+ if [ "$RET" -ne 0 ]; then
+ html_failed "${VFY_ACTION} ($RET) "
+ pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+ fi
+}
+
+################################ certImportn #############################
+# local shell function to import an incorrect Cert, calls certutil -A,
+# writes action and options to stdout
+########################################################################
+certImportn()
+{
+ RET=0
+ if [ -z "$NSS_NO_PKITS_CRLS" ]; then
+ echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt"
+ ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1
+ RET=$?
+ cat ${PKITSDIR}/cmdout.txt
+
+ if [ "$RET" -eq 0 ]; then
+ html_failed "${VFY_ACTION} ($RET) "
+ pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+ else
+ html_passed "${VFY_ACTION} ($RET) "
+ pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET"
+ fi
+ fi
+}
+
+############################## pkits_tests_bySection ###################
+# running the various PKITS tests
+########################################################################
+pkits_SignatureVerification()
+{
+ start_table "NIST PKITS Section 4.1: Signature Verification"
+
+ VFY_ACTION="Valid Signatures Test1"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidCertificatePathTest1EE.crt $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid CA Signature Test2"; log_banner
+ certImport BadSignedCACert
+ crlImport BadSignedCACRL.crl
+ pkitsn $certs/InvalidCASignatureTest2EE.crt \
+ $certs/BadSignedCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid EE Signature Test3"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/InvalidEESignatureTest3EE.crt $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid DSA Signatures Test4"; log_banner
+ certImport DSACACert
+ crlImport DSACACRL.crl
+ pkits $certs/ValidDSASignaturesTest4EE.crt $certs/DSACACert.crt
+ restore_db
+
+ # NSS doesn't support DSA parameter inheritance anymore (see bug 671097)
+ # VFY_ACTION="Valid DSA Parameter Inheritance Test5"; log_banner
+ # certImport DSACACert
+ # crlImport DSACACRL.crl
+ # certImport DSAParametersInheritedCACert
+ # crlImport DSAParametersInheritedCACRL.crl
+ # pkits $certs/ValidDSAParameterInheritanceTest5EE.crt \
+ # $certs/DSAParametersInheritedCACert.crt \
+ # $certs/DSACACert.crt
+ # restore_db
+
+ VFY_ACTION="Invalid DSA Signature Test6"; log_banner
+ certImport DSACACert
+ crlImport DSACACRL.crl
+ pkitsn $certs/InvalidDSASignatureTest6EE.crt $certs/DSACACert.crt
+ restore_db
+}
+
+pkits_ValidityPeriods()
+{
+ break_table "NIST PKITS Section 4.2: Validity Periods"
+
+ VFY_ACTION="Invalid CA notBefore Date Test1"; log_banner
+ certImport BadnotBeforeDateCACert
+ crlImportn BadnotBeforeDateCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidCAnotBeforeDateTest1EE.crt \
+ $certs/BadnotBeforeDateCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid EE notBefore Date Test2"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/InvalidEEnotBeforeDateTest2EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid pre2000 UTC notBefore Date Test3"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/Validpre2000UTCnotBeforeDateTest3EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid GeneralizedTime notBefore Date Test4"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidGeneralizedTimenotBeforeDateTest4EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid CA notAfter Date Test5"; log_banner
+ certImport BadnotAfterDateCACert
+ crlImportn BadnotAfterDateCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidCAnotAfterDateTest5EE.crt \
+ $certs/BadnotAfterDateCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid EE notAfter Date Test6"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/InvalidEEnotAfterDateTest6EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pre2000 UTC EE notAfter Date Test7"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/Invalidpre2000UTCEEnotAfterDateTest7EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="ValidGeneralizedTime notAfter Date Test8"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidGeneralizedTimenotAfterDateTest8EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+}
+
+pkits_NameChaining()
+{
+ break_table "NIST PKITS Section 4.3: Verifying NameChaining"
+
+ VFY_ACTION="Invalid Name Chaining EE Test1"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/InvalidNameChainingTest1EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Name Chaining Order Test2"; log_banner
+ certImport NameOrderingCACert
+ crlImport NameOrderCACRL.crl
+ pkitsn $certs/InvalidNameChainingOrderTest2EE.crt \
+ $certs/NameOrderingCACert.crt
+ restore_db
+
+### bug 216123 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Name Chaining Whitespace Test3"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidNameChainingWhitespaceTest3EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Name Chaining Whitespace Test4"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidNameChainingWhitespaceTest4EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Name Chaining Capitalization Test5"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidNameChainingCapitalizationTest5EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+fi
+
+ VFY_ACTION="Valid Name Chaining UIDs Test6"; log_banner
+ certImport UIDCACert
+ crlImport UIDCACRL.crl
+ pkits $certs/ValidNameUIDsTest6EE.crt $certs/UIDCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid RFC3280 Mandatory Attribute Types Test7"; log_banner
+ certImport RFC3280MandatoryAttributeTypesCACert
+ crlImport RFC3280MandatoryAttributeTypesCACRL.crl
+ pkits $certs/ValidRFC3280MandatoryAttributeTypesTest7EE.crt \
+ $certs/RFC3280MandatoryAttributeTypesCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid RFC3280 Optional Attribute Types Test8"; log_banner
+ certImport RFC3280OptionalAttributeTypesCACert
+ crlImport RFC3280OptionalAttributeTypesCACRL.crl
+ pkits $certs/ValidRFC3280OptionalAttributeTypesTest8EE.crt \
+ $certs/RFC3280OptionalAttributeTypesCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid UTF8String Encoded Names Test9"; log_banner
+ certImport UTF8StringEncodedNamesCACert
+ crlImport UTF8StringEncodedNamesCACRL.crl
+ pkits $certs/ValidUTF8StringEncodedNamesTest9EE.crt \
+ $certs/UTF8StringEncodedNamesCACert.crt
+ restore_db
+
+### bug 216123 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Rollover from PrintableString to UTF8String Test10"; log_banner
+ certImport RolloverfromPrintableStringtoUTF8StringCACert
+ crlImport RolloverfromPrintableStringtoUTF8StringCACRL.crl
+ pkits $certs/ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt \
+ $certs/RolloverfromPrintableStringtoUTF8StringCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid UTF8String case Insensitive Match Test11"; log_banner
+ certImport UTF8StringCaseInsensitiveMatchCACert
+ crlImport UTF8StringCaseInsensitiveMatchCACRL.crl
+ pkits $certs/ValidUTF8StringCaseInsensitiveMatchTest11EE.crt \
+ $certs/UTF8StringCaseInsensitiveMatchCACert.crt
+ restore_db
+fi
+}
+
+pkits_BasicCertRevocation()
+{
+ break_table "NIST PKITS Section 4.4: Basic Certificate Revocation Tests"
+
+### bug 414556 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Missing CRL Test1"; log_banner
+ pkitsn $certs/InvalidMissingCRLTest1EE.crt \
+ $certs/NoCRLCACert.crt
+fi
+
+ VFY_ACTION="Invalid Revoked CA Test2"; log_banner
+ certImport RevokedsubCACert
+ crlImport RevokedsubCACRL.crl
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/InvalidRevokedCATest2EE.crt \
+ $certs/RevokedsubCACert.crt $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Revoked EE Test3"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkitsn $certs/InvalidRevokedEETest3EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Bad CRL Signature Test4"; log_banner
+ certImport BadCRLSignatureCACert
+ crlImportn BadCRLSignatureCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidBadCRLSignatureTest4EE.crt \
+ $certs/BadCRLSignatureCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid Bad CRL Issuer Name Test5"; log_banner
+ certImport BadCRLIssuerNameCACert
+ crlImportn BadCRLIssuerNameCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidBadCRLIssuerNameTest5EE.crt \
+ $certs/BadCRLIssuerNameCACert.crt
+ fi
+ restore_db
+
+### bug 414556 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Invalid Wrong CRL Test6"; log_banner
+ certImport WrongCRLCACert
+ crlImport WrongCRLCACRL.crl
+ pkitsn $certs/InvalidWrongCRLTest6EE.crt \
+ $certs/WrongCRLCACert.crt
+ restore_db
+fi
+
+ VFY_ACTION="Valid Two CRLs Test7"; log_banner
+ certImport TwoCRLsCACert
+ crlImport TwoCRLsCAGoodCRL.crl
+ crlImportn TwoCRLsCABadCRL.crl
+ pkits $certs/ValidTwoCRLsTest7EE.crt \
+ $certs/TwoCRLsCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Unknown CRL Entry Extension Test8"; log_banner
+ certImport UnknownCRLEntryExtensionCACert
+ crlImportn UnknownCRLEntryExtensionCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidUnknownCRLEntryExtensionTest8EE.crt \
+ $certs/UnknownCRLEntryExtensionCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid Unknown CRL Extension Test9"; log_banner
+ certImport UnknownCRLExtensionCACert
+ crlImportn UnknownCRLExtensionCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidUnknownCRLExtensionTest9EE.crt \
+ $certs/UnknownCRLExtensionCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid Unknown CRL Extension Test10"; log_banner
+ certImport UnknownCRLExtensionCACert
+ crlImportn UnknownCRLExtensionCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidUnknownCRLExtensionTest10EE.crt \
+ $certs/UnknownCRLExtensionCACert.crt
+ fi
+ restore_db
+
+### bug 414563 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Invalid Old CRL nextUpdate Test11"; log_banner
+ certImport OldCRLnextUpdateCACert
+ crlImport OldCRLnextUpdateCACRL.crl
+ pkitsn $certs/InvalidOldCRLnextUpdateTest11EE.crt \
+ $certs/OldCRLnextUpdateCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pre2000 CRL nextUpdate Test12"; log_banner
+ certImport pre2000CRLnextUpdateCACert
+ crlImport pre2000CRLnextUpdateCACRL.crl
+ pkitsn $certs/Invalidpre2000CRLnextUpdateTest12EE.crt \
+ $certs/pre2000CRLnextUpdateCACert.crt
+ restore_db
+fi
+
+ VFY_ACTION="Valid GeneralizedTime CRL nextUpdate Test13"; log_banner
+ certImport GeneralizedTimeCRLnextUpdateCACert
+ crlImport GeneralizedTimeCRLnextUpdateCACRL.crl
+ pkits $certs/ValidGeneralizedTimeCRLnextUpdateTest13EE.crt \
+ $certs/GeneralizedTimeCRLnextUpdateCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Negative Serial Number Test14"; log_banner
+ certImport NegativeSerialNumberCACert
+ crlImport NegativeSerialNumberCACRL.crl
+ pkits $certs/ValidNegativeSerialNumberTest14EE.crt \
+ $certs/NegativeSerialNumberCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Negative Serial Number Test15"; log_banner
+ certImport NegativeSerialNumberCACert
+ crlImport NegativeSerialNumberCACRL.crl
+ pkitsn $certs/InvalidNegativeSerialNumberTest15EE.crt \
+ $certs/NegativeSerialNumberCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Long Serial Number Test16"; log_banner
+ certImport LongSerialNumberCACert
+ crlImport LongSerialNumberCACRL.crl
+ pkits $certs/ValidLongSerialNumberTest16EE.crt \
+ $certs/LongSerialNumberCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Long Serial Number Test17"; log_banner
+ certImport LongSerialNumberCACert
+ crlImport LongSerialNumberCACRL.crl
+ pkits $certs/ValidLongSerialNumberTest17EE.crt \
+ $certs/LongSerialNumberCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Long Serial Number Test18"; log_banner
+ certImport LongSerialNumberCACert
+ crlImport LongSerialNumberCACRL.crl
+ pkitsn $certs/InvalidLongSerialNumberTest18EE.crt \
+ $certs/LongSerialNumberCACert.crt
+ restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Separate Certificate and CRL Keys Test19"; log_banner
+ certImport SeparateCertificateandCRLKeysCertificateSigningCACert
+ certImport SeparateCertificateandCRLKeysCRLSigningCert
+ crlImport SeparateCertificateandCRLKeysCRL.crl
+ pkits $certs/ValidSeparateCertificateandCRLKeysTest19EE.crt \
+ $certs/SeparateCertificateandCRLKeysCRLSigningCert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Separate Certificate and CRL Keys Test20"; log_banner
+ certImport SeparateCertificateandCRLKeysCertificateSigningCACert
+ certImport SeparateCertificateandCRLKeysCRLSigningCert
+ crlImport SeparateCertificateandCRLKeysCRL.crl
+ pkits $certs/InvalidSeparateCertificateandCRLKeysTest20EE.crt \
+ $certs/SeparateCertificateandCRLKeysCRLSigningCert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Separate Certificate and CRL Keys Test21"; log_banner
+ certImport SeparateCertificateandCRLKeysCA2CertificateSigningCACert
+ certImport SeparateCertificateandCRLKeysCA2CRLSigningCert
+ crlImport SeparateCertificateandCRLKeysCA2CRL.crl
+ pkits $certs/InvalidSeparateCertificateandCRLKeysTest21EE.crt \
+ $certs/SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
+ restore_db
+fi
+}
+
+pkits_PathVerificWithSelfIssuedCerts()
+{
+ break_table "NIST PKITS Section 4.5: Self-Issued Certificates"
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Basic Self-Issued Old With New Test1"; log_banner
+ certImport BasicSelfIssuedNewKeyCACert
+ crlImport BasicSelfIssuedNewKeyCACRL.crl
+ pkits $certs/ValidBasicSelfIssuedOldWithNewTest1EE.crt \
+ $certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt \
+ $certs/BasicSelfIssuedNewKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Basic Self-Issued Old With New Test2"; log_banner
+ certImport BasicSelfIssuedNewKeyCACert
+ crlImport BasicSelfIssuedNewKeyCACRL.crl
+ pkitsn $certs/InvalidBasicSelfIssuedOldWithNewTest2EE.crt \
+ $certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt \
+ $certs/BasicSelfIssuedNewKeyCACert.crt
+ restore_db
+fi
+
+### bugs 321755 & 418769 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Basic Self-Issued New With Old Test3"; log_banner
+ certImport BasicSelfIssuedOldKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkits $certs/ValidBasicSelfIssuedNewWithOldTest3EE.crt \
+ $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \
+ $certs/BasicSelfIssuedOldKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Basic Self-Issued New With Old Test4"; log_banner
+ certImport BasicSelfIssuedOldKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkits $certs/ValidBasicSelfIssuedNewWithOldTest4EE.crt \
+ $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \
+ $certs/BasicSelfIssuedOldKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Basic Self-Issued New With Old Test5"; log_banner
+ certImport BasicSelfIssuedOldKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkitsn $certs/InvalidBasicSelfIssuedNewWithOldTest5EE.crt \
+ $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \
+ $certs/BasicSelfIssuedOldKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Basic Self-Issued CRL Signing Key Test6"; log_banner
+ certImport BasicSelfIssuedCRLSigningKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkits $certs/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Basic Self-Issued CRL Signing Key Test7"; log_banner
+ certImport BasicSelfIssuedCRLSigningKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkitsn $certs/InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Basic Self-Issued CRL Signing Key Test8"; log_banner
+ certImport BasicSelfIssuedCRLSigningKeyCACert
+ crlImport BasicSelfIssuedOldKeyCACRL.crl
+ pkitsn $certs/InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \
+ $certs/BasicSelfIssuedCRLSigningKeyCACert.crt
+ restore_db
+fi
+}
+
+pkits_BasicConstraints()
+{
+ break_table "NIST PKITS Section 4.6: Verifying Basic Constraints"
+
+ VFY_ACTION="Invalid Missing basicConstraints Test1"; log_banner
+ certImport MissingbasicConstraintsCACert
+ crlImport MissingbasicConstraintsCACRL.crl
+ pkitsn $certs/InvalidMissingbasicConstraintsTest1EE.crt \
+ $certs/MissingbasicConstraintsCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid cA False Test2"; log_banner
+ certImport basicConstraintsCriticalcAFalseCACert
+ crlImport basicConstraintsCriticalcAFalseCACRL.crl
+ pkitsn $certs/InvalidcAFalseTest2EE.crt \
+ $certs/basicConstraintsCriticalcAFalseCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid cA False Test3"; log_banner
+ certImport basicConstraintsNotCriticalcAFalseCACert
+ crlImport basicConstraintsNotCriticalcAFalseCACRL.crl
+ pkitsn $certs/InvalidcAFalseTest3EE.crt \
+ $certs/basicConstraintsNotCriticalcAFalseCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid basicConstraints Not Critical Test4"; log_banner
+ certImport basicConstraintsNotCriticalCACert
+ crlImport basicConstraintsNotCriticalCACRL.crl
+ pkits $certs/ValidbasicConstraintsNotCriticalTest4EE.crt \
+ $certs/basicConstraintsNotCriticalCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test5"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ certImport pathLenConstraint0subCACert
+ crlImport pathLenConstraint0subCACRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest5EE.crt \
+ $certs/pathLenConstraint0subCACert.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test6"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ certImport pathLenConstraint0subCACert
+ crlImport pathLenConstraint0subCACRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest6EE.crt \
+ $certs/pathLenConstraint0subCACert.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid pathLenConstraint Test7"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ pkits $certs/ValidpathLenConstraintTest7EE.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid pathLenConstraint test8"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ pkits $certs/ValidpathLenConstraintTest8EE.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test9"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA0Cert
+ crlImport pathLenConstraint6subCA0CRL.crl
+ certImport pathLenConstraint6subsubCA00Cert
+ crlImport pathLenConstraint6subsubCA00CRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest9EE.crt \
+ $certs/pathLenConstraint6subsubCA00Cert.crt \
+ $certs/pathLenConstraint6subCA0Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test10"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA0Cert
+ crlImport pathLenConstraint6subCA0CRL.crl
+ certImport pathLenConstraint6subsubCA00Cert
+ crlImport pathLenConstraint6subsubCA00CRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest10EE.crt \
+ $certs/pathLenConstraint6subsubCA00Cert.crt \
+ $certs/pathLenConstraint6subCA0Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint Test11"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA1Cert
+ crlImport pathLenConstraint6subCA1CRL.crl
+ certImport pathLenConstraint6subsubCA11Cert
+ crlImport pathLenConstraint6subsubCA11CRL.crl
+ certImport pathLenConstraint6subsubsubCA11XCert
+ crlImport pathLenConstraint6subsubsubCA11XCRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest11EE.crt \
+ $certs/pathLenConstraint6subsubsubCA11XCert.crt \
+ $certs/pathLenConstraint6subsubCA11Cert.crt \
+ $certs/pathLenConstraint6subCA1Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid pathLenConstraint test12"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA1Cert
+ crlImport pathLenConstraint6subCA1CRL.crl
+ certImport pathLenConstraint6subsubCA11Cert
+ crlImport pathLenConstraint6subsubCA11CRL.crl
+ certImport pathLenConstraint6subsubsubCA11XCert
+ crlImport pathLenConstraint6subsubsubCA11XCRL.crl
+ pkitsn $certs/InvalidpathLenConstraintTest12EE.crt \
+ $certs/pathLenConstraint6subsubsubCA11XCert.crt \
+ $certs/pathLenConstraint6subsubCA11Cert.crt \
+ $certs/pathLenConstraint6subCA1Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid pathLenConstraint Test13"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA4Cert
+ crlImport pathLenConstraint6subCA4CRL.crl
+ certImport pathLenConstraint6subsubCA41Cert
+ crlImport pathLenConstraint6subsubCA41CRL.crl
+ certImport pathLenConstraint6subsubsubCA41XCert
+ crlImport pathLenConstraint6subsubsubCA41XCRL.crl
+ pkits $certs/ValidpathLenConstraintTest13EE.crt \
+ $certs/pathLenConstraint6subsubsubCA41XCert.crt \
+ $certs/pathLenConstraint6subsubCA41Cert.crt \
+ $certs/pathLenConstraint6subCA4Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid pathLenConstraint Test14"; log_banner
+ certImport pathLenConstraint6CACert
+ crlImport pathLenConstraint6CACRL.crl
+ certImport pathLenConstraint6subCA4Cert
+ crlImport pathLenConstraint6subCA4CRL.crl
+ certImport pathLenConstraint6subsubCA41Cert
+ crlImport pathLenConstraint6subsubCA41CRL.crl
+ certImport pathLenConstraint6subsubsubCA41XCert
+ crlImport pathLenConstraint6subsubsubCA41XCRL.crl
+ pkits $certs/ValidpathLenConstraintTest14EE.crt \
+ $certs/pathLenConstraint6subsubsubCA41XCert.crt \
+ $certs/pathLenConstraint6subsubCA41Cert.crt \
+ $certs/pathLenConstraint6subCA4Cert.crt \
+ $certs/pathLenConstraint6CACert.crt
+ restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Self-Issued pathLenConstraint Test15"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ pkits $certs/ValidSelfIssuedpathLenConstraintTest15EE.crt \
+ $certs/pathLenConstraint0SelfIssuedCACert.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+fi
+
+ VFY_ACTION="Invalid Self-Issued pathLenConstraint Test16"; log_banner
+ certImport pathLenConstraint0CACert
+ crlImport pathLenConstraint0CACRL.crl
+ certImport pathLenConstraint0subCA2Cert
+ crlImport pathLenConstraint0subCA2CRL.crl
+ pkitsn $certs/InvalidSelfIssuedpathLenConstraintTest16EE.crt \
+ $certs/pathLenConstraint0subCA2Cert.crt \
+ $certs/pathLenConstraint0SelfIssuedCACert.crt \
+ $certs/pathLenConstraint0CACert.crt
+ restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Self-Issued pathLenConstraint Test17"; log_banner
+ certImport pathLenConstraint1CACert
+ crlImport pathLenConstraint1CACRL.crl
+ certImport pathLenConstraint1subCACert
+ crlImport pathLenConstraint1subCACRL.crl
+ pkits $certs/ValidSelfIssuedpathLenConstraintTest17EE.crt \
+ $certs/pathLenConstraint1SelfIssuedsubCACert.crt \
+ $certs/pathLenConstraint1subCACert.crt \
+ $certs/pathLenConstraint1SelfIssuedCACert.crt \
+ $certs/pathLenConstraint1CACert.crt
+ restore_db
+fi
+}
+
+pkits_KeyUsage()
+{
+ break_table "NIST PKITS Section 4.7: Key Usage"
+
+ VFY_ACTION="Invalid keyUsage Critical keyCertSign False Test1"; log_banner
+ certImport keyUsageCriticalkeyCertSignFalseCACert
+ crlImport keyUsageCriticalkeyCertSignFalseCACRL.crl
+ pkitsn $certs/InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt \
+ $certs/keyUsageCriticalkeyCertSignFalseCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid keyUsage Not Critical keyCertSign False Test2"; log_banner
+ certImport keyUsageNotCriticalkeyCertSignFalseCACert
+ crlImport keyUsageNotCriticalkeyCertSignFalseCACRL.crl
+ pkitsn $certs/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt \
+ $certs/keyUsageNotCriticalkeyCertSignFalseCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid keyUsage Not Critical Test3"; log_banner
+ certImport keyUsageNotCriticalCACert
+ crlImport keyUsageNotCriticalCACRL.crl
+ pkits $certs/ValidkeyUsageNotCriticalTest3EE.crt \
+ $certs/keyUsageNotCriticalCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid keyUsage Critical cRLSign False Test4"; log_banner
+ certImport keyUsageCriticalcRLSignFalseCACert
+ crlImportn keyUsageCriticalcRLSignFalseCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt \
+ $certs/keyUsageCriticalcRLSignFalseCACert.crt
+ fi
+ restore_db
+
+ VFY_ACTION="Invalid keyUsage Not Critical cRLSign False Test5"; log_banner
+ certImport keyUsageNotCriticalcRLSignFalseCACert
+ crlImportn keyUsageNotCriticalcRLSignFalseCACRL.crl
+ if [ $RET -eq 0 ] ; then
+ pkitsn $certs/InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt \
+ $certs/keyUsageNotCriticalcRLSignFalseCACert.crt
+ fi
+ restore_db
+}
+
+pkits_CertificatePolicies()
+{
+ break_table "NIST PKITS Section 4.8: Certificate Policies"
+
+ VFY_ACTION="All Certificates Same Policy Test1"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/ValidCertificatePathTest1EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="All Certificates No Policies Test2"; log_banner
+ certImport NoPoliciesCACert
+ crlImport NoPoliciesCACRL.crl
+ pkits $certs/AllCertificatesNoPoliciesTest2EE.crt \
+ $certs/NoPoliciesCACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test3"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImport PoliciesP2subCACert
+ crlImport PoliciesP2subCACRL.crl
+ pkits $certs/DifferentPoliciesTest3EE.crt \
+ $certs/PoliciesP2subCACert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test4"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImport GoodsubCACert
+ crlImport GoodsubCACRL.crl
+ pkits $certs/DifferentPoliciesTest4EE.crt \
+ $certs/GoodsubCACert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test5"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImport PoliciesP2subCA2Cert
+ crlImport PoliciesP2subCA2CRL.crl
+ pkits $certs/DifferentPoliciesTest5EE.crt \
+ $certs/PoliciesP2subCA2Cert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Overlapping Policies Test6"; log_banner
+ certImport PoliciesP1234CACert
+ crlImport PoliciesP1234CACRL.crl
+ certImport PoliciesP1234subCAP123Cert
+ crlImport PoliciesP1234subCAP123CRL.crl
+ certImport PoliciesP1234subsubCAP123P12Cert
+ crlImport PoliciesP1234subsubCAP123P12CRL.crl
+ pkits $certs/OverlappingPoliciesTest6EE.crt \
+ $certs/PoliciesP1234subsubCAP123P12Cert.crt \
+ $certs/PoliciesP1234subCAP123Cert.crt \
+ $certs/PoliciesP1234CACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test7"; log_banner
+ certImport PoliciesP123CACert
+ crlImport PoliciesP123CACRL.crl
+ certImport PoliciesP123subCAP12Cert
+ crlImport PoliciesP123subCAP12CRL.crl
+ certImport PoliciesP123subsubCAP12P1Cert
+ crlImport PoliciesP123subsubCAP12P1CRL.crl
+ pkits $certs/DifferentPoliciesTest7EE.crt \
+ $certs/PoliciesP123subsubCAP12P1Cert.crt \
+ $certs/PoliciesP123subCAP12Cert.crt \
+ $certs/PoliciesP123CACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test8"; log_banner
+ certImport PoliciesP12CACert
+ crlImport PoliciesP12CACRL.crl
+ certImport PoliciesP12subCAP1Cert
+ crlImport PoliciesP12subCAP1CRL.crl
+ certImport PoliciesP12subsubCAP1P2Cert
+ crlImport PoliciesP12subsubCAP1P2CRL.crl
+ pkits $certs/DifferentPoliciesTest8EE.crt \
+ $certs/PoliciesP123subsubCAP12P1Cert.crt \
+ $certs/PoliciesP12subCAP1Cert.crt \
+ $certs/PoliciesP12CACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test9"; log_banner
+ certImport PoliciesP123CACert
+ crlImport PoliciesP123CACRL.crl
+ certImport PoliciesP123subCAP12Cert
+ crlImport PoliciesP123subCAP12CRL.crl
+ certImport PoliciesP123subsubCAP12P2Cert
+ crlImport PoliciesP123subsubCAP2P2CRL.crl
+ certImport PoliciesP123subsubsubCAP12P2P1Cert
+ crlImport PoliciesP123subsubsubCAP12P2P1CRL.crl
+ pkits $certs/DifferentPoliciesTest9EE.crt \
+ $certs/PoliciesP123subsubsubCAP12P2P1Cert.crt \
+ $certs/PoliciesP123subsubCAP12P1Cert.crt \
+ $certs/PoliciesP12subCAP1Cert.crt \
+ $certs/PoliciesP12CACert.crt
+ restore_db
+
+ VFY_ACTION="All Certificates Same Policies Test10"; log_banner
+ certImport PoliciesP12CACert
+ crlImport PoliciesP12CACRL.crl
+ pkits $certs/AllCertificatesSamePoliciesTest10EE.crt \
+ $certs/NoPoliciesCACert.crt
+ restore_db
+
+ VFY_ACTION="All Certificates AnyPolicy Test11"; log_banner
+ certImport anyPolicyCACert
+ crlImport anyPolicyCACRL.crl
+ pkits $certs/AllCertificatesanyPolicyTest11EE.crt \
+ $certs/anyPolicyCACert.crt
+ restore_db
+
+ VFY_ACTION="Different Policies Test12"; log_banner
+ certImport PoliciesP3CACert
+ crlImport PoliciesP3CACRL.crl
+ pkits $certs/DifferentPoliciesTest12EE.crt \
+ $certs/PoliciesP3CACert.crt
+ restore_db
+
+ VFY_ACTION="All Certificates Same Policies Test13"; log_banner
+ certImport PoliciesP123CACert
+ crlImport PoliciesP123CACRL.crl
+ pkits $certs/AllCertificatesSamePoliciesTest13EE.crt \
+ $certs/PoliciesP123CACert.crt
+ restore_db
+
+ VFY_ACTION="AnyPolicy Test14"; log_banner
+ certImport anyPolicyCACert
+ crlImport anyPolicyCACRL.crl
+ pkits $certs/AnyPolicyTest14EE.crt \
+ $certs/anyPolicyCACert.crt
+ restore_db
+
+ VFY_ACTION="User Notice Qualifier Test15"; log_banner
+ pkits $certs/UserNoticeQualifierTest15EE.crt
+
+ VFY_ACTION="User Notice Qualifier Test16"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/UserNoticeQualifierTest16EE.crt \
+ $certs/GoodCACert.crt
+
+ VFY_ACTION="User Notice Qualifier Test17"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/UserNoticeQualifierTest17EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="User Notice Qualifier Test18"; log_banner
+ certImport PoliciesP12CACert
+ crlImport PoliciesP12CACRL.crl
+ pkits $certs/UserNoticeQualifierTest18EE.crt \
+ $certs/PoliciesP12CACert.crt
+ restore_db
+
+ VFY_ACTION="User Notice Qualifier Test19"; log_banner
+ pkits $certs/UserNoticeQualifierTest19EE.crt
+
+ VFY_ACTION="CPS Pointer Qualifier Test20"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ pkits $certs/CPSPointerQualifierTest20EE.crt \
+ $certs/GoodCACert.crt
+ restore_db
+}
+
+pkits_RequireExplicitPolicy()
+{
+ break_table "NIST PKITS Section 4.9: Require Explicit Policy"
+
+ VFY_ACTION="Valid RequireExplicitPolicy Test1"; log_banner
+ certImportn requireExplicitPolicy10CACert
+ crlImportn requireExplicitPolicy10CACRL.crl
+ certImport requireExplicitPolicy10subCACert
+ crlImport requireExplicitPolicy10subCACRL.crl
+ certImport requireExplicitPolicy10subsubCACert
+ crlImport requireExplicitPolicy10subsubCACRL.crl
+ certImport requireExplicitPolicy10subsubsubCACert
+ crlImport requireExplicitPolicy10subsubsubCACRL.crl
+ pkits $certs/ValidrequireExplicitPolicyTest1EE.crt \
+ $certs/requireExplicitPolicy10subsubsubCACert.crt \
+ $certs/requireExplicitPolicy10subsubCACert.crt \
+ $certs/requireExplicitPolicy10subCACert.crt \
+ $certs/requireExplicitPolicy10CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid RequireExplicitPolicy Test2"; log_banner
+ certImportn requireExplicitPolicy5CACert
+ crlImportn requireExplicitPolicy5CACRL.crl
+ certImport requireExplicitPolicy5subCACert
+ crlImport requireExplicitPolicy5subCACRL.crl
+ certImport requireExplicitPolicy5subsubCACert
+ crlImport requireExplicitPolicy5subsubCACRL.crl
+ certImport requireExplicitPolicy5subsubsubCACert
+ crlImport requireExplicitPolicy5subsubsubCACRL.crl
+ pkits $certs/ValidrequireExplicitPolicyTest2EE.crt \
+ $certs/requireExplicitPolicy5subsubsubCACert.crt \
+ $certs/requireExplicitPolicy5subsubCACert.crt \
+ $certs/requireExplicitPolicy5subCACert.crt \
+ $certs/requireExplicitPolicy5CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid RequireExplicitPolicy Test3"; log_banner
+ certImportn requireExplicitPolicy4CACert
+ crlImportn requireExplicitPolicy4CACRL.crl
+ certImport requireExplicitPolicy4subCACert
+ crlImport requireExplicitPolicy4subCACRL.crl
+ certImport requireExplicitPolicy4subsubCACert
+ crlImport requireExplicitPolicy4subsubCACRL.crl
+ certImport requireExplicitPolicy4subsubsubCACert
+ crlImport requireExplicitPolicy4subsubsubCACRL.crl
+ pkitsn $certs/InvalidrequireExplicitPolicyTest3EE.crt \
+ $certs/requireExplicitPolicy4subsubsubCACert.crt \
+ $certs/requireExplicitPolicy4subsubCACert.crt \
+ $certs/requireExplicitPolicy4subCACert.crt \
+ $certs/requireExplicitPolicy4CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid RequireExplicitPolicy Test4"; log_banner
+ certImportn requireExplicitPolicy0CACert
+ crlImportn requireExplicitPolicy0CACRL.crl
+ certImport requireExplicitPolicy0subCACert
+ crlImport requireExplicitPolicy0subCACRL.crl
+ certImport requireExplicitPolicy0subsubCACert
+ crlImport requireExplicitPolicy0subsubCACRL.crl
+ certImport requireExplicitPolicy0subsubsubCACert
+ crlImport requireExplicitPolicy0subsubsubCACRL.crl
+ pkits $certs/ValidrequireExplicitPolicyTest4EE.crt \
+ $certs/requireExplicitPolicy0subsubsubCACert.crt \
+ $certs/requireExplicitPolicy0subsubCACert.crt \
+ $certs/requireExplicitPolicy0subCACert.crt \
+ $certs/requireExplicitPolicy0CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid RequireExplicitPolicy Test5"; log_banner
+ certImportn requireExplicitPolicy7CACert
+ crlImportn requireExplicitPolicy7CACRL.crl
+ certImportn requireExplicitPolicy7subCARE2Cert
+ crlImportn requireExplicitPolicy7subCARE2CRL.crl
+ certImportn requireExplicitPolicy7subsubCARE2RE4Cert
+ crlImportn requireExplicitPolicy7subsubCARE2RE4CRL.crl
+ certImport requireExplicitPolicy7subsubsubCARE2RE4Cert
+ crlImport requireExplicitPolicy7subsubsubCARE2RE4CRL.crl
+ pkitsn $certs/InvalidrequireExplicitPolicyTest5EE.crt \
+ $certs/requireExplicitPolicy7subsubsubCARE2RE4Cert.crt \
+ $certs/requireExplicitPolicy7subsubCARE2RE4Cert.crt \
+ $certs/requireExplicitPolicy7subCARE2Cert.crt \
+ $certs/requireExplicitPolicy7CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Self-Issued RequireExplicitPolicy Test6"; log_banner
+ certImportn requireExplicitPolicy2CACert
+ crlImportn requireExplicitPolicy2CACRL.crl
+ pkits $certs/ValidSelfIssuedrequireExplicitPolicyTest6EE.crt \
+ $certs/requireExplicitPolicy2SelfIssuedCACert.crt \
+ $certs/requireExplicitPolicy2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued RequireExplicitPolicy Test7"; log_banner
+ certImportn requireExplicitPolicy2CACert
+ crlImportn requireExplicitPolicy2CACRL.crl
+ certImport requireExplicitPolicy2subCACert
+ crlImport requireExplicitPolicy2subCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt \
+ $certs/requireExplicitPolicy2subCACert.crt \
+ $certs/requireExplicitPolicy2SelfIssuedCACert.crt \
+ $certs/requireExplicitPolicy2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued RequireExplicitPolicy Test8"; log_banner
+ certImportn requireExplicitPolicy2CACert
+ crlImportn requireExplicitPolicy2CACRL.crl
+ certImport requireExplicitPolicy2subCACert
+ crlImport requireExplicitPolicy2subCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt \
+ $certs/requireExplicitPolicy2SelfIssuedsubCACert.crt \
+ $certs/requireExplicitPolicy2subCACert.crt \
+ $certs/requireExplicitPolicy2SelfIssuedCACert.crt \
+ $certs/requireExplicitPolicy2CACert.crt
+ restore_db
+}
+
+pkits_PolicyMappings()
+{
+ break_table "NIST PKITS Section 4.10: Policy Mappings"
+
+ VFY_ACTION="Valid Policy Mapping Test1"; log_banner
+ certImportn Mapping1to2CACert
+ crlImportn Mapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest1EE.crt \
+ $certs/Mapping1to2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Policy Mapping Test2"; log_banner
+ certImportn Mapping1to2CACert
+ crlImportn Mapping1to2CACRL.crl
+ pkitsn $certs/InvalidPolicyMappingTest2EE.crt \
+ $certs/Mapping1to2CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test3"; log_banner
+ certImportn P12Mapping1to3CACert
+ crlImportn P12Mapping1to3CACRL.crl
+ certImportn P12Mapping1to3subCACert
+ crlImportn P12Mapping1to3subCACRL.crl
+ certImportn P12Mapping1to3subsubCACert
+ crlImportn P12Mapping1to3subsubCACRL.crl
+ pkits $certs/ValidPolicyMappingTest3EE.crt \
+ $certs/P12Mapping1to3subsubCACert.crt \
+ $certs/P12Mapping1to3subCACert.crt \
+ $certs/P12Mapping1to3CA.crt
+ restore_db
+
+ VFY_ACTION="Invalid Policy Mapping Test4"; log_banner
+ certImportn P12Mapping1to3CACert
+ crlImportn P12Mapping1to3CACRL.crl
+ certImportn P12Mapping1to3subCACert
+ crlImportn P12Mapping1to3subCACRL.crl
+ certImportn P12Mapping1to3subsubCACert
+ crlImportn P12Mapping1to3subsubCACRL.crl
+ pkitsn $certs/InvalidPolicyMappingTest4EE.crt \
+ $certs/P12Mapping1to3subsubCACert.crt \
+ $certs/P12Mapping1to3subCACert.crt \
+ $certs/P12Mapping1to3CA.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test5"; log_banner
+ certImportn P1Mapping1to234CACert
+ crlImportn P1Mapping1to234CACRL.crl
+ certImportn P1Mapping1to234subCACert
+ crlImportn P1Mapping1to234subCACRL.crl
+ pkits $certs/ValidPolicyMappingTest5EE.crt \
+ $certs/P1Mapping1to234subCACert.crt \
+ $certs/P1Mapping1to234CA.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test6"; log_banner
+ certImportn P1Mapping1to234CACert
+ crlImportn P1Mapping1to234CACRL.crl
+ certImportn P1Mapping1to234subCACert
+ crlImportn P1Mapping1to234subCACRL.crl
+ pkits $certs/ValidPolicyMappingTest6EE.crt \
+ $certs/P1Mapping1to234subCACert.crt \
+ $certs/P1Mapping1to234CA.crt
+ restore_db
+
+ VFY_ACTION="Invalid Mapping from anyPolicy Test7"; log_banner
+ certImportn MappingFromanyPolicyCACert
+ crlImportn MappingFromanyPolicyCACRL.crl
+ pkitsn $certs/InvalidMappingFromanyPolicyTest7EE.crt \
+ $certs/MappingFromanyPolicyCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Mapping to anyPolicy Test8"; log_banner
+ certImportn MappingToanyPolicyCACert
+ crlImportn MappingToanyPolicyCACRL.crl
+ pkitsn $certs/InvalidMappingToanyPolicyTest8EE.crt \
+ $certs/MappingToanyPolicyCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test9"; log_banner
+ certImport PanyPolicyMapping1to2CACert
+ crlImport PanyPolicyMapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest9EE.crt \
+ $certs/PanyPolicyMapping1to2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Policy Mapping Test10"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImportn GoodsubCAPanyPolicyMapping1to2CACert
+ crlImportn GoodsubCAPanyPolicyMapping1to2CACRL.crl
+ pkitsn $certs/InvalidPolicyMappingTest10EE.crt \
+ $certs/GoodsubCAPanyPolicyMapping1to2CACert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test11"; log_banner
+ certImport GoodCACert
+ crlImport GoodCACRL.crl
+ certImportn GoodsubCAPanyPolicyMapping1to2CACert
+ crlImportn GoodsubCAPanyPolicyMapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest11EE.crt \
+ $certs/GoodsubCAPanyPolicyMapping1to2CACert.crt \
+ $certs/GoodCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test12"; log_banner
+ certImportn P12Mapping1to3CACert
+ crlImportn P12Mapping1to3CACRL.crl
+ pkits $certs/ValidPolicyMappingTest12EE.crt \
+ $certs/P12Mapping1to3CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test13"; log_banner
+ certImportn P1anyPolicyMapping1to2CACert
+ crlImportn P1anyPolicyMapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest13EE.crt \
+ $certs/P1anyPolicyMapping1to2CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Policy Mapping Test14"; log_banner
+ certImportn P1anyPolicyMapping1to2CACert
+ crlImportn P1anyPolicyMapping1to2CACRL.crl
+ pkits $certs/ValidPolicyMappingTest14EE.crt \
+ $certs/P1anyPolicyMapping1to2CACert.crt
+ restore_db
+}
+
+
+pkits_InhibitPolicyMapping()
+{
+ break_table "NIST PKITS Section 4.11: Inhibit Policy Mapping"
+
+ VFY_ACTION="Invalid inhibitPolicyMapping Test1"; log_banner
+ certImportn inhibitPolicyMapping0CACert
+ crlImportn inhibitPolicyMapping0CACRL.crl
+ certImportn inhibitPolicyMapping0subCACert
+ crlImportn inhibitPolicyMapping0subCACRL.crl
+ pkitsn $certs/InvalidinhibitPolicyMappingTest1EE.crt \
+ $certs/inhibitPolicyMapping0CACert.crt \
+ $certs/inhibitPolicyMapping0subCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid inhibitPolicyMapping Test2"; log_banner
+ certImportn inhibitPolicyMapping1P12CACert
+ crlImportn inhibitPolicyMapping1P12CACRL.crl
+ certImportn inhibitPolicyMapping1P12subCACert
+ crlImportn inhibitPolicyMapping1P12subCACRL.crl
+ pkits $certs/ValidinhibitPolicyMappingTest2EE.crt \
+ $certs/inhibitPolicyMapping1P12CACert.crt \
+ $certs/inhibitPolicyMapping1P12subCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid inhibitPolicyMapping Test3"; log_banner
+ certImportn inhibitPolicyMapping1P12CACert
+ crlImportn inhibitPolicyMapping1P12CACRL.crl
+ certImportn inhibitPolicyMapping1P12subCACert
+ crlImportn inhibitPolicyMapping1P12subCACRL.crl
+ certImportn inhibitPolicyMapping1P12subsubCACert
+ crlImportn inhibitPolicyMapping1P12subsubCACRL.crl
+ pkitsn $certs/InvalidinhibitPolicyMappingTest3EE.crt \
+ $certs/inhibitPolicyMapping1P12subsubCACert.crt \
+ $certs/inhibitPolicyMapping1P12subCACert.crt \
+ $certs/inhibitPolicyMapping1P12CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid inhibitPolicyMapping Test4"; log_banner
+ certImportn inhibitPolicyMapping1P12CACert
+ crlImportn inhibitPolicyMapping1P12CACRL.crl
+ certImportn inhibitPolicyMapping1P12subCACert
+ crlImportn inhibitPolicyMapping1P12subCACRL.crl
+ certImportn inhibitPolicyMapping1P12subsubCACert
+ crlImportn inhibitPolicyMapping1P12subsubCACRL.crl
+ pkits $certs/ValidinhibitPolicyMappingTest4EE.crt \
+ $certs/inhibitPolicyMapping1P12CACert.crt \
+ $certs/inhibitPolicyMapping1P12subCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid inhibitPolicyMapping Test5"; log_banner
+ certImportn inhibitPolicyMapping5CACert
+ crlImportn inhibitPolicyMapping5CACRL.crl
+ certImportn inhibitPolicyMapping5subCACert
+ crlImportn inhibitPolicyMapping5subCACRL.crl
+ certImport inhibitPolicyMapping5subsubCACert
+ crlImport inhibitPolicyMapping5subsubCACRL.crl
+ pkitsn $certs/InvalidinhibitPolicyMappingTest5EE.crt \
+ $certs/inhibitPolicyMapping5subsubCACert.crt \
+ $certs/inhibitPolicyMapping5subCACert.crt \
+ $certs/inhibitPolicyMapping5CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid inhibitPolicyMapping Test6"; log_banner
+ certImportn inhibitPolicyMapping1P12CACert
+ crlImportn inhibitPolicyMapping1P12CACRL.crl
+ certImportn inhibitPolicyMapping1P12subCAIPM5Cert
+ crlImportn inhibitPolicyMapping1P12subCAIPM5CRL.crl
+ certImport inhibitPolicyMapping1P12subsubCAIPM5Cert
+ crlImportn inhibitPolicyMapping1P12subsubCAIPM5CRL.crl
+ pkitsn $certs/InvalidinhibitPolicyMappingTest6EE.crt \
+ $certs/inhibitPolicyMapping1P12subsubCAIPM5Cert.crt \
+ $certs/inhibitPolicyMapping1P12subCAIPM5Cert.crt \
+ $certs/inhibitPolicyMapping1P12CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Self-Issued inhibitPolicyMapping Test7"; log_banner
+ certImportn inhibitPolicyMapping1P1CACert
+ crlImportn inhibitPolicyMapping1P1CACRL.crl
+ certImportn inhibitPolicyMapping1P1subCACert
+ crlImportn inhibitPolicyMapping1P1subCACRL.crl
+ pkits $certs/ValidSelfIssuedinhibitPolicyMappingTest7EE.crt \
+ $certs/inhibitPolicyMapping1P1subCACert.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+ $certs/inhibitPolicyMapping1P1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test8"; log_banner
+ certImportn inhibitPolicyMapping1P1CACert
+ crlImportn inhibitPolicyMapping1P1CACRL.crl
+ certImportn inhibitPolicyMapping1P1subCACert
+ crlImportn inhibitPolicyMapping1P1subCACRL.crl
+ certImport inhibitPolicyMapping1P1subsubCACert
+ crlImportn inhibitPolicyMapping1P1subsubCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt \
+ $certs/inhibitPolicyMapping1P1subsubCACert.crt \
+ $certs/inhibitPolicyMapping1P1subCACert.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+ $certs/inhibitPolicyMapping1P1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test9"; log_banner
+ certImportn inhibitPolicyMapping1P1CACert
+ crlImportn inhibitPolicyMapping1P1CACRL.crl
+ certImportn inhibitPolicyMapping1P1subCACert
+ crlImportn inhibitPolicyMapping1P1subCACRL.crl
+ certImportn inhibitPolicyMapping1P1subsubCACert
+ crlImportn inhibitPolicyMapping1P1subsubCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt \
+ $certs/inhibitPolicyMapping1P1subsubCACert.crt \
+ $certs/inhibitPolicyMapping1P1subCACert.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+ $certs/inhibitPolicyMapping1P1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test10"; log_banner
+ certImportn inhibitPolicyMapping1P1CACert
+ crlImportn inhibitPolicyMapping1P1CACRL.crl
+ certImportn inhibitPolicyMapping1P1subCACert
+ crlImportn inhibitPolicyMapping1P1subCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt \
+ $certs/inhibitPolicyMapping1P1subCACert.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+ $certs/inhibitPolicyMapping1P1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test11"; log_banner
+ certImportn inhibitPolicyMapping1P1CACert
+ crlImportn inhibitPolicyMapping1P1CACRL.crl
+ certImportn inhibitPolicyMapping1P1subCACert
+ crlImportn inhibitPolicyMapping1P1subCACRL.crl
+ pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt \
+ $certs/inhibitPolicyMapping1P1subCACert.crt \
+ $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+ $certs/inhibitPolicyMapping1P1CACert.crt
+ restore_db
+}
+
+
+pkits_InhibitAnyPolicy()
+{
+ break_table "NIST PKITS Section 4.12: Inhibit Any Policy"
+
+ VFY_ACTION="Invalid inhibitAnyPolicy Test1"; log_banner
+ certImportn inhibitAnyPolicy0CACert
+ crlImportn inhibitAnyPolicy0CACRL.crl
+ pkitsn $certs/InvalidinhibitAnyPolicyTest1EE.crt \
+ $certs/inhibitAnyPolicy0CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid inhibitAnyPolicy Test2"; log_banner
+ certImportn inhibitAnyPolicy0CACert
+ crlImportn inhibitAnyPolicy0CACRL.crl
+ pkits $certs/ValidinhibitAnyPolicyTest2EE.crt \
+ $certs/inhibitAnyPolicy0CACert.crt
+ restore_db
+
+ VFY_ACTION="inhibitAnyPolicy Test3"; log_banner
+ certImportn inhibitAnyPolicy1CACert
+ crlImportn inhibitAnyPolicy1CACRL.crl
+ certImport inhibitAnyPolicy1subCA1Cert
+ crlImport inhibitAnyPolicy1subCA1CRL.crl
+ pkits $certs/inhibitAnyPolicyTest3EE.crt \
+ $certs/inhibitAnyPolicy1CACert.crt \
+ $certs/inhibitAnyPolicy1subCA1Cert.crt
+ restore_db
+
+ VFY_ACTION="Invalid inhibitAnyPolicy Test4"; log_banner
+ certImportn inhibitAnyPolicy1CACert
+ crlImportn inhibitAnyPolicy1CACRL.crl
+ certImport inhibitAnyPolicy1subCA1Cert
+ crlImport inhibitAnyPolicy1subCA1CRL.crl
+ pkitsn $certs/InvalidinhibitAnyPolicyTest4EE.crt \
+ $certs/inhibitAnyPolicy1CACert.crt \
+ $certs/inhibitAnyPolicy1subCA1Cert.crt
+ restore_db
+
+ VFY_ACTION="Invalid inhibitAnyPolicy Test5"; log_banner
+ certImportn inhibitAnyPolicy5CACert
+ crlImportn inhibitAnyPolicy5CACRL.crl
+ certImportn inhibitAnyPolicy5subCACert
+ crlImportn inhibitAnyPolicy5subCACRL.crl
+ certImport inhibitAnyPolicy5subsubCACert
+ crlImport inhibitAnyPolicy5subsubCACRL.crl
+ pkitsn $certs/InvalidinhibitAnyPolicyTest5EE.crt \
+ $certs/inhibitAnyPolicy5CACert.crt \
+ $certs/inhibitAnyPolicy5subCACert.crt \
+ $certs/inhibitAnyPolicy5subsubCACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid inhibitAnyPolicy Test6"; log_banner
+ certImportn inhibitAnyPolicy1CACert
+ crlImportn inhibitAnyPolicy1CACRL.crl
+ certImportn inhibitAnyPolicy1subCAIAP5Cert
+ crlImportn inhibitAnyPolicy1subCAIAP5CRL.crl
+ pkitsn $certs/InvalidinhibitAnyPolicyTest5EE.crt \
+ $certs/inhibitAnyPolicy1CACert.crt \
+ $certs/inhibitAnyPolicy5subCACert.crt \
+ $certs/inhibitAnyPolicy5subsubCACert.crt
+ restore_db
+
+ VFY_ACTION="Valid Self-Issued inhibitAnyPolicy Test7"; log_banner
+ certImportn inhibitAnyPolicy1CACert
+ crlImportn inhibitAnyPolicy1CACRL.crl
+ certImport inhibitAnyPolicy1subCA2Cert
+ crlImport inhibitAnyPolicy1subCA2CRL.crl
+ pkits $certs/ValidSelfIssuedinhibitAnyPolicyTest7EE.crt \
+ $certs/inhibitAnyPolicy1CACert.crt \
+ $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \
+ $certs/inhibitAnyPolicy1subCA2Cert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitAnyPolicy Test8"; log_banner
+ certImportn inhibitAnyPolicy1CACert
+ crlImportn inhibitAnyPolicy1CACRL.crl
+ certImport inhibitAnyPolicy1subCA2Cert
+ crlImport inhibitAnyPolicy1subCA2CRL.crl
+ certImport inhibitAnyPolicy1subsubCA2Cert
+ crlImport inhibitAnyPolicy1subsubCA2CRL.crl
+ pkitsn $certs/InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt \
+ $certs/inhibitAnyPolicy1CACert.crt \
+ $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \
+ $certs/inhibitAnyPolicy1subCA2Cert.crt \
+ $certs/inhibitAnyPolicy1subsubCA2Cert.crt
+ restore_db
+
+ VFY_ACTION="Valid Self-Issued inhibitAnyPolicy Test9"; log_banner
+ certImportn inhibitAnyPolicy1CACert
+ crlImportn inhibitAnyPolicy1CACRL.crl
+ certImport inhibitAnyPolicy1subCA2Cert
+ crlImport inhibitAnyPolicy1subCA2CRL.crl
+ pkits $certs/ValidSelfIssuedinhibitAnyPolicyTest9EE.crt \
+ $certs/inhibitAnyPolicy1CACert.crt \
+ $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \
+ $certs/inhibitAnyPolicy1subCA2Cert.crt \
+ $certs/inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
+ restore_db
+
+ VFY_ACTION="Invalid Self-Issued inhibitAnyPolicy Test10"; log_banner
+ certImportn inhibitAnyPolicy1CACert
+ crlImportn inhibitAnyPolicy1CACRL.crl
+ certImport inhibitAnyPolicy1subCA2Cert
+ crlImport inhibitAnyPolicy1subCA2CRL.crl
+ pkitsn $certs/InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt \
+ $certs/inhibitAnyPolicy1CACert.crt \
+ $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \
+ $certs/inhibitAnyPolicy1subCA2Cert.crt
+ restore_db
+}
+
+
+pkits_NameConstraints()
+{
+ break_table "NIST PKITS Section 4.13: Name Constraints"
+
+ VFY_ACTION="Valid DN nameConstraints Test1"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ pkits $certs/ValidDNnameConstraintsTest1EE.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test2"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest2EE.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test3"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest3EE.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid DN nameConstraints Test4"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ pkits $certs/ValidDNnameConstraintsTest4EE.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid DN nameConstraints Test5"; log_banner
+ certImport nameConstraintsDN2CACert
+ crlImport nameConstraintsDN2CACRL.crl
+ pkits $certs/ValidDNnameConstraintsTest5EE.crt \
+ $certs/nameConstraintsDN2CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid DN nameConstraints Test6"; log_banner
+ certImport nameConstraintsDN3CACert
+ crlImport nameConstraintsDN3CACRL.crl
+ pkits $certs/ValidDNnameConstraintsTest6EE.crt \
+ $certs/nameConstraintsDN3CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test7"; log_banner
+ certImport nameConstraintsDN3CACert
+ crlImport nameConstraintsDN3CACRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest7EE.crt \
+ $certs/nameConstraintsDN3CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test8"; log_banner
+ certImport nameConstraintsDN4CACert
+ crlImport nameConstraintsDN4CACRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest8EE.crt \
+ $certs/nameConstraintsDN4CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test9"; log_banner
+ certImport nameConstraintsDN4CACert
+ crlImport nameConstraintsDN4CACRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest9EE.crt \
+ $certs/nameConstraintsDN4CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test10"; log_banner
+ certImport nameConstraintsDN5CACert
+ crlImport nameConstraintsDN5CACRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest10EE.crt \
+ $certs/nameConstraintsDN5CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid DN nameConstraints Test11"; log_banner
+ certImport nameConstraintsDN5CACert
+ crlImport nameConstraintsDN5CACRL.crl
+ pkits $certs/ValidDNnameConstraintsTest11EE.crt \
+ $certs/nameConstraintsDN5CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test12"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ certImport nameConstraintsDN1subCA1Cert
+ crlImport nameConstraintsDN1subCA1CRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest12EE.crt \
+ $certs/nameConstraintsDN1subCA1Cert.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test13"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ certImport nameConstraintsDN1subCA2Cert
+ crlImport nameConstraintsDN1subCA2CRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest13EE.crt \
+ $certs/nameConstraintsDN1subCA2Cert.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid DN nameConstraints Test14"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ certImport nameConstraintsDN1subCA2Cert
+ crlImport nameConstraintsDN1subCA2CRL.crl
+ pkits $certs/ValidDNnameConstraintsTest14EE.crt \
+ $certs/nameConstraintsDN1subCA2Cert.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test15"; log_banner
+ certImport nameConstraintsDN3CACert
+ crlImport nameConstraintsDN3CACRL.crl
+ certImport nameConstraintsDN3subCA1Cert
+ crlImport nameConstraintsDN3subCA1CRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest15EE.crt \
+ $certs/nameConstraintsDN3subCA1Cert.crt \
+ $certs/nameConstraintsDN3CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test16"; log_banner
+ certImport nameConstraintsDN3CACert
+ crlImport nameConstraintsDN3CACRL.crl
+ certImport nameConstraintsDN3subCA1Cert
+ crlImport nameConstraintsDN3subCA1CRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest16EE.crt \
+ $certs/nameConstraintsDN3subCA1Cert.crt \
+ $certs/nameConstraintsDN3CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN nameConstraints Test17"; log_banner
+ certImport nameConstraintsDN3CACert
+ crlImport nameConstraintsDN3CACRL.crl
+ certImport nameConstraintsDN3subCA2Cert
+ crlImport nameConstraintsDN3subCA2CRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest17EE.crt \
+ $certs/nameConstraintsDN3subCA2Cert.crt \
+ $certs/nameConstraintsDN3CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid DN nameConstraints Test18"; log_banner
+ certImport nameConstraintsDN3CACert
+ crlImport nameConstraintsDN3CACRL.crl
+ certImport nameConstraintsDN3subCA2Cert
+ crlImport nameConstraintsDN3subCA2CRL.crl
+ pkits $certs/ValidDNnameConstraintsTest18EE.crt \
+ $certs/nameConstraintsDN3subCA2Cert.crt \
+ $certs/nameConstraintsDN3CACert.crt
+ restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+ VFY_ACTION="Valid Self-Issued DN nameConstraints Test19"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ pkits $certs/ValidDNnameConstraintsTest19EE.crt \
+ $certs/nameConstraintsDN1SelfIssuedCACert.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+fi
+
+ VFY_ACTION="Invalid Self-Issued DN nameConstraints Test20"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ pkitsn $certs/InvalidDNnameConstraintsTest20EE.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid RFC822 nameConstraints Test21"; log_banner
+ certImport nameConstraintsRFC822CA1Cert
+ crlImport nameConstraintsRFC822CA1CRL.crl
+ pkits $certs/ValidRFC822nameConstraintsTest21EE.crt \
+ $certs/nameConstraintsRFC822CA1Cert.crt
+ restore_db
+
+ VFY_ACTION="Invalid RFC822 nameConstraints Test22"; log_banner
+ certImport nameConstraintsRFC822CA1Cert
+ crlImport nameConstraintsRFC822CA1CRL.crl
+ pkitsn $certs/InvalidRFC822nameConstraintsTest22EE.crt \
+ $certs/nameConstraintsRFC822CA1Cert.crt
+ restore_db
+
+ VFY_ACTION="Valid RFC822 nameConstraints Test23"; log_banner
+ certImport nameConstraintsRFC822CA2Cert
+ crlImport nameConstraintsRFC822CA2CRL.crl
+ pkits $certs/ValidRFC822nameConstraintsTest23EE.crt \
+ $certs/nameConstraintsRFC822CA2Cert.crt
+ restore_db
+
+ VFY_ACTION="Invalid RFC822 nameConstraints Test24"; log_banner
+ certImport nameConstraintsRFC822CA2Cert
+ crlImport nameConstraintsRFC822CA2CRL.crl
+ pkitsn $certs/InvalidRFC822nameConstraintsTest24EE.crt \
+ $certs/nameConstraintsRFC822CA2Cert.crt
+ restore_db
+
+ VFY_ACTION="Valid RFC822 nameConstraints Test25"; log_banner
+ certImport nameConstraintsRFC822CA3Cert
+ crlImport nameConstraintsRFC822CA3CRL.crl
+ pkits $certs/ValidRFC822nameConstraintsTest25EE.crt \
+ $certs/nameConstraintsRFC822CA3Cert.crt
+ restore_db
+
+ VFY_ACTION="Invalid RFC822 nameConstraints Test26"; log_banner
+ certImport nameConstraintsRFC822CA3Cert
+ crlImport nameConstraintsRFC822CA3CRL.crl
+ pkitsn $certs/InvalidRFC822nameConstraintsTest26EE.crt \
+ $certs/nameConstraintsRFC822CA3Cert.crt
+ restore_db
+
+ VFY_ACTION="Valid DN and RFC822 nameConstraints Test27"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ certImport nameConstraintsDN1subCA3Cert
+ crlImport nameConstraintsDN1subCA3CRL.crl
+ pkits $certs/ValidDNandRFC822nameConstraintsTest27EE.crt \
+ $certs/nameConstraintsDN1subCA3Cert.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN and RFC822 nameConstraints Test28"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ certImport nameConstraintsDN1subCA3Cert
+ crlImport nameConstraintsDN1subCA3CRL.crl
+ pkitsn $certs/InvalidDNandRFC822nameConstraintsTest28EE.crt \
+ $certs/nameConstraintsDN1subCA3Cert.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DN and RFC822 nameConstraints Test29"; log_banner
+ certImport nameConstraintsDN1CACert
+ crlImport nameConstraintsDN1CACRL.crl
+ certImport nameConstraintsDN1subCA3Cert
+ crlImport nameConstraintsDN1subCA3CRL.crl
+ pkitsn $certs/InvalidDNandRFC822nameConstraintsTest29EE.crt \
+ $certs/nameConstraintsDN1subCA3Cert.crt \
+ $certs/nameConstraintsDN1CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid DNS nameConstraints Test30"; log_banner
+ certImport nameConstraintsDNS1CACert
+ crlImport nameConstraintsDNS1CACRL.crl
+ pkits $certs/ValidDNSnameConstraintsTest30EE.crt \
+ $certs/nameConstraintsDNS1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DNS nameConstraints Test31"; log_banner
+ certImport nameConstraintsDNS1CACert
+ crlImport nameConstraintsDNS1CACRL.crl
+ pkitsn $certs/InvalidDNSnameConstraintsTest31EE.crt \
+ $certs/nameConstraintsDNS1CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid DNS nameConstraints Test32"; log_banner
+ certImport nameConstraintsDNS2CACert
+ crlImport nameConstraintsDNS2CACRL.crl
+ pkits $certs/ValidDNSnameConstraintsTest32EE.crt \
+ $certs/nameConstraintsDNS2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DNS nameConstraints Test33"; log_banner
+ certImport nameConstraintsDNS2CACert
+ crlImport nameConstraintsDNS2CACRL.crl
+ pkitsn $certs/InvalidDNSnameConstraintsTest33EE.crt \
+ $certs/nameConstraintsDNS2CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid URI nameConstraints Test34"; log_banner
+ certImport nameConstraintsURI1CACert
+ crlImport nameConstraintsURI1CACRL.crl
+ pkits $certs/ValidURInameConstraintsTest34EE.crt \
+ $certs/nameConstraintsURI1CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid URI nameConstraints Test35"; log_banner
+ certImport nameConstraintsURI1CACert
+ crlImport nameConstraintsURI1CACRL.crl
+ pkitsn $certs/InvalidURInameConstraintsTest35EE.crt \
+ $certs/nameConstraintsURI1CACert.crt
+ restore_db
+
+ VFY_ACTION="Valid URI nameConstraints Test36"; log_banner
+ certImport nameConstraintsURI2CACert
+ crlImport nameConstraintsURI2CACRL.crl
+ pkits $certs/ValidURInameConstraintsTest36EE.crt \
+ $certs/nameConstraintsURI2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid URI nameConstraints Test37"; log_banner
+ certImport nameConstraintsURI2CACert
+ crlImport nameConstraintsURI2CACRL.crl
+ pkitsn $certs/InvalidURInameConstraintsTest37EE.crt \
+ $certs/nameConstraintsURI2CACert.crt
+ restore_db
+
+ VFY_ACTION="Invalid DNS nameConstraints Test38"; log_banner
+ certImport nameConstraintsDNS1CACert
+ crlImport nameConstraintsDNS1CACRL.crl
+ pkitsn $certs/InvalidDNSnameConstraintsTest38EE.crt \
+ $certs/nameConstraintsDNS1CACert.crt
+ restore_db
+}
+
+pkits_PvtCertExtensions()
+{
+ break_table "NIST PKITS Section 4.16: Private Certificate Extensions"
+
+ VFY_ACTION="Valid Unknown Not Critical Certificate Extension Test1"; log_banner
+ pkits $certs/ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+
+ VFY_ACTION="Invalid Unknown Critical Certificate Extension Test2"; log_banner
+ pkitsn $certs/InvalidUnknownCriticalCertificateExtensionTest2EE.crt
+}
+
+############################## pkits_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+pkits_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+
+################################## main ################################
+pkits_init
+pkits_SignatureVerification | tee -a $PKITS_LOG
+pkits_ValidityPeriods | tee -a $PKITS_LOG
+pkits_NameChaining | tee -a $PKITS_LOG
+pkits_BasicCertRevocation | tee -a $PKITS_LOG
+pkits_PathVerificWithSelfIssuedCerts | tee -a $PKITS_LOG
+pkits_BasicConstraints | tee -a $PKITS_LOG
+pkits_KeyUsage | tee -a $PKITS_LOG
+if [ -n "$NSS_PKITS_POLICIES" ]; then
+ pkits_CertificatePolicies | tee -a $PKITS_LOG
+ pkits_RequireExplicitPolicy | tee -a $PKITS_LOG
+ pkits_PolicyMappings | tee -a $PKITS_LOG
+ pkits_InhibitPolicyMapping | tee -a $PKITS_LOG
+ pkits_InhibitAnyPolicy | tee -a $PKITS_LOG
+fi
+pkits_NameConstraints | tee -a $PKITS_LOG
+pkits_PvtCertExtensions | tee -a $PKITS_LOG
+pkits_cleanup
+
diff --git a/security/nss/tests/platformlist b/security/nss/tests/platformlist
new file mode 100644
index 000000000..19bf821e9
--- /dev/null
+++ b/security/nss/tests/platformlist
@@ -0,0 +1,11 @@
+Darwin6.5
+HP-UX_B.11.00_32_bit
+HP-UX_B.11.00_64
+RH_Linux_7.2_(Enigma)
+RH_Linux_7.3_(Valhalla)
+RH_Linux_Advanced_Server_2.1AS_(Pensacola)
+SunOS_5.8_32_bit
+SunOS_5.8_64_bit
+Windows-2000
+Windows-XP
+
diff --git a/security/nss/tests/platformlist.tbx b/security/nss/tests/platformlist.tbx
new file mode 100644
index 000000000..435284cff
--- /dev/null
+++ b/security/nss/tests/platformlist.tbx
@@ -0,0 +1,14 @@
+AIX_3_32_bit AIX4.3_DBG.OBJ AIX4.3_OPT.OBJ
+AIX_3_64_bit AIX4.3_DBG.OBJ AIX4.3_OPT.OBJ AIX4.3_64_DBG.OBJ AIX4.3_64_OPT.OBJ
+HP-UX_B.11.00_32_bit HP-UXB.11.00_DBG.OBJ HP-UXB.11.00_OPT.OBJ
+HP-UX_B.11.00_64_bit HP-UXB.11.00_DBG.OBJ HP-UXB.11.00_OPT.OBJ
+OSF1_V4.0 OSF1V4.0D_DBG.OBJ OSF1V4.0D_OPT.OBJ
+OSF1_V5.0 OSF1V5.0_DBG.OBJ OSF1V5.0_OPT.OBJ
+RH_Linux_6.2_(Zoot) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ
+RH_Linux_6.1_(Cartman) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ
+RH_Linux_6.0_(Hedwig) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ
+SunOS_5.6 SunOS5.6_DBG.OBJ SunOS5.6_OPT.OBJ
+SunOS_5.8_32_bit
+SunOS_5.8_64_bit
+Windows-2000 WINNT5.0_DBG.OBJ WINNT5.0_OPT.OBJ WIN954.0_DBG.OBJ WIN954.0_OPT.OBJ
+Windows-NT-4.0 WIN954.0_DBG.OBJ WIN954.0_OPT.OBJ WINNT4.0_DBG.OBJ WINNT4.0_OPT.OBJ
diff --git a/security/nss/tests/qa_stage b/security/nss/tests/qa_stage
new file mode 100755
index 000000000..f0960c845
--- /dev/null
+++ b/security/nss/tests/qa_stage
@@ -0,0 +1,336 @@
+#! /bin/sh
+########################################################################
+#
+# /u/sonmi/bin/qa_stage - /u/svbld/bin/init/nss/qa_stage
+#
+# this script is supposed to convert the tinderbox and daily QA files
+# for use on mozilla.org
+#
+# parameters
+# ----------
+# nssversion (supported: 30b, 31, tip)
+# builddate (default - today)
+#
+########################################################################
+
+if [ -z "$BUILDNUMBER" ]
+then
+ BUILDNUMBER=1
+fi
+if [ `uname` = "Linux" ] ; then
+ PATH=".:/u/sonmi/bin:/u/sonmi/bin/linux:/usr/bsd:/usr/ucb/:/bin:/usr/bin:/usr/ccs/bin:/usr/sbin:/usr/bin/X11:/usr/etc:/etc:/usr/demos:/usr/demos/bin:/usr/local/bin:/usr/local/X11/bin:/tools/ns/bin"
+ export PATH
+fi
+
+Echo()
+{
+ if [ "$O_SILENT" = "OFF" ] ; then
+ echo $*
+ fi
+}
+
+################################### qa_stage_init ##########################
+#
+########################################################################
+qa_stage_init()
+{
+ umask 000
+
+ eval_opts $*
+
+ if [ -z "${QAYEAR}" ] ; then
+ QAYEAR=`date +%Y`
+ elif [ "$QAYEAR" = "" ] ; then
+ QAYEAR=`date +%Y`
+ fi
+
+ Echo "Init..."
+ DAYBUILD=${QAYEAR}${BUILDDATE}.${BUILDNUMBER}
+ NSS_D0=/share/builds/mccrel3/nss
+ NSS_VER_DIR=${NSS_D0}/nss${NSSVER}
+ NTDIST=${NSS_VER_DIR}/builds/${DAYBUILD}/blowfish_NT4.0_Win95/mozilla/dist
+ UXDIST=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/dist
+ TESTSCRIPTDIR=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/security/nss/tests
+ RESULTDIR=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/tests_results/security
+ TBX_RESULTDIR=${NSS_D0}/nsstip/tinderbox/tests_results/security
+
+ MOZ_D0=/pub/security/nss
+ MOZ_RESULTDIR=${MOZ_D0}/daily_qa/${DAYBUILD}
+ MOZ_TBX_RESULTDIR=${MOZ_D0}/tinderbox
+
+ export BUILDDATE NSSVER QAYEAR NTDIST UXDIST TESTSCRIPTDIR RESULTDIR
+
+
+ IPLANET_TBX_URL="http://cindercone.red.iplanet.com${TBX_RESULTDIR}"
+ IPLANET_DQA_URL="http://cindercone.red.iplanet.com${RESULTDIR}"
+
+ MOZ_TBX_URL="ftp://ftp.mozilla.org${MOZ_TBX_RESULTDIR}"
+ MOZ_DQA_URL="ftp://ftp.mozilla.org${MOZ_RESULTDIR}"
+
+ export IPLANET_TBX_URL IPLANET_DQA_URL MOZ_TBX_URL MOZ_DQA_URL
+ STAGE_1=/u/sonmi/tmp/ftp_stage
+
+ if [ ! -d $STAGE_1 ] ; then
+ Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit"
+ exit 1
+ fi
+ cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit)
+ rm all.tar* 2>/dev/null
+ TBX_STAGE=$STAGE_1/tinderbox
+ DQA_STAGE=$STAGE_1/daily_qa/${DAYBUILD}
+ Echo "Staging area tbx: $TBX_STAGE"
+ Echo "Staging area daily QA (DQA): $DQA_STAGE"
+ Echo "Resultdir (sourcedir) for daily QA (RESULTDIR): $RESULTDIR"
+}
+
+################################### qa_stage_dqa ##########################
+#
+########################################################################
+qa_stage_dqa()
+{
+ Echo "DQA:..."
+ Echo "Resultdir (sourcedir) for daily QA (RESULTDIR): $RESULTDIR"
+#set -x
+ if [ ! -d $RESULTDIR ] ; then
+ Echo "Resultdir $RESULTDIR does not exist, can't push daily QA"
+ return
+ fi
+ cd $RESULTDIR || return
+ #for w in `find . -name "result*html"`
+ for w in `find . -name "result.html"`
+ do
+ if [ ! -d $DQA_STAGE/`dirname $w` ] ; then
+ mkdir -p $DQA_STAGE/`dirname $w`
+ fi
+ rm $DQA_STAGE/$w 2>/dev/null
+ cat $w | reformat_qa >$DQA_STAGE/$w
+ done
+ for w in `find . -name "output.log" -o -name "results.html"`
+ do
+#echo $w
+ if [ ! -d $DQA_STAGE/`dirname $w` ] ; then
+ mkdir -p $DQA_STAGE/`dirname $w`
+ fi
+ cp $w $DQA_STAGE/$w
+ done
+}
+
+
+################################### qa_stage_tbx ##########################
+#
+########################################################################
+qa_stage_tbx()
+{
+ Echo "tbx: "
+ if [ ! -d $TBX_RESULTDIR ] ; then
+ Echo "TBX_RESULTDIR $TBX_RESULTDIR does not exist"
+ return
+ fi
+ cd $TBX_RESULTDIR || return
+ Echo "find from $TBX_FIND_FROM"
+ for w in `find $TBX_FIND_FROM -name "result.html"`
+ do
+ if [ ! -d "$TBX_STAGE/`dirname $w`" ] ; then
+ mkdir -p $TBX_STAGE/`dirname $w`
+ fi
+ rm $TBX_STAGE/$w 2>/dev/null
+ cat $w | reformat_qa >$TBX_STAGE/$w
+ done
+ for w in `find $TBX_FIND_FROM -name "output.log" -o -name "results.html"`
+ do
+ if [ ! -d $TBX_STAGE/`dirname $w` ] ; then
+ mkdir -p $TBX_STAGE/`dirname $w`
+ fi
+ cp $w $TBX_STAGE/$w
+ done
+}
+
+match_tbxdirs()
+{
+ YY=`date +%Y`
+ DD=`date +%d`
+ MM=`date +%m`
+ HH=`date +%H`
+
+ TBX_FIND_FROM="*-$YY$MM$DD-$HH.*"
+ i=$1
+ while [ $i -gt 0 ] ; do
+ i=`expr $i - 1`
+ HH=`expr $HH - 1`
+ if [ $HH -lt 0 ] ; then
+ HH=23
+ DD=`expr $DD - 1`
+ if [ $DD -eq 0 ] ; then
+ MM=`expr $MM - 1`
+ case $MM in
+ 0)
+ YY=`expr $YY - 1`
+ MM=12
+ DD=31
+ ;;
+ [13578]|10|12)
+ DD=31
+ ;;
+ 2)
+ DD=28
+ ;;
+ [469]|11)
+ DD=30
+ ;;
+ esac
+ fi
+ fi
+ case $MM in
+ [123456789])
+ MM=0$MM
+ ;;
+ esac
+ case $DD in
+ [123456789])
+ DD=0$DD
+ ;;
+ esac
+ case $HH in
+ [0123456789])
+ HH=0$HH
+ ;;
+ esac
+ TBX_FIND_FROM="$TBX_FIND_FROM *-$YY$MM$DD-$HH.*"
+ done
+}
+
+################################### eval_opts ##########################
+# global shell function, evapuates options and parameters, sets flags
+# variables and defaults
+########################################################################
+eval_opts()
+{
+ DO_TBX=OFF
+ DO_DQA=OFF
+ DO_CLEAN=OFF
+ O_SILENT=OFF
+ O_INCREMENTAL=OFF
+ O_MAIL=OFF
+ BUILDDATE=`date +%m%d`
+ NSSVER=tip
+
+ TBX_FIND_FROM="."
+
+ while [ -n "$1" ]
+ do
+ case $1 in
+ -d)
+ DO_DQA=ON
+ ;;
+ -m)
+ O_MAIL=ON
+ shift
+ MAILINGLIST=$1
+ if [ -z "$MAILINGLIST" ]
+ then
+ echo "Error: -m requires a mailinglist to follow, for example sonmi@iplanet.com"
+ exit
+ fi
+ ;;
+ -ti)
+ DO_TBX=ON
+ match_tbxdirs 2
+ O_INCREMENTAL=ON
+ ;;
+ -t)
+ DO_TBX=ON
+ ;;
+ -c)
+ DO_CLEAN=ON
+ ;;
+ -s)
+ O_SILENT=ON
+ ;;
+
+ tip|3[0-9]*)
+ NSSVER=$1
+ ;;
+ [01][0-9][0-3][0-9])
+ BUILDDATE=$1
+ ;;
+ esac
+ shift
+ done
+}
+
+qa_stage_init $*
+
+if [ "$DO_CLEAN" = "ON" ] ; then
+ Echo "Cleaning old stuff"
+ if [ ! -d $STAGE_1 ] ; then
+ Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit"
+ exit 1
+ fi
+ cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit)
+ if [ -n "$TBX_STAGE" -a -d "$TBX_STAGE" ] ; then
+ rm -rf $TBX_STAGE/*
+ else
+ Echo "nothing here to clean..."
+ fi
+fi
+if [ "$DO_DQA" = "ON" ] ; then
+ qa_stage_dqa
+ if [ "$O_MAIL" = "ON" -a -f "$DQA_STAGE/result.html" ] ; then
+ cat $DQA_STAGE/result.html | /usr/sbin/sendmail $MAILINGLIST
+ fi
+fi
+if [ "$DO_TBX" = "ON" ] ; then
+ qa_stage_tbx
+fi
+if [ ! -d $STAGE_1 ] ; then
+ Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit"
+ exit 1
+fi
+cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit)
+Echo "tar..."
+if [ "$O_SILENT" = "ON" ] ; then
+ TARPARAM=cf
+else
+ TARPARAM=cvf
+fi
+
+
+if [ "$DO_DQA" = "ON" -a "$DO_TBX" = "ON" ] ; then
+ Echo "tar $TARPARAM all.tar daily_qa tinderbox"
+ tar $TARPARAM all.tar daily_qa tinderbox
+elif [ "$DO_DQA" = "ON" ] ; then
+ Echo "tar $TARPARAM all.tar daily_qa"
+ tar $TARPARAM all.tar daily_qa
+else
+ Echo "tar $TARPARAM all.tar tinderbox"
+ tar $TARPARAM all.tar tinderbox
+fi
+gzip all.tar
+# ssh-agent > /u/sonmi/.ssh/ssh-agent.info
+# setenv like it says in that file
+# ssh-add
+
+SSH_AUTH_SOCK=`grep SSH_AUTH_SOCK /u/sonmi/.ssh/ssh-agent.info | sed -e 's/setenv SSH_AUTH_SOCK //' -e 's/;//'`
+SSH_AGENT_PID=`grep SSH_AGENT_PID /u/sonmi/.ssh/ssh-agent.info | sed -e 's/setenv SSH_AGENT_PID //' -e 's/;//'`
+export SSH_AUTH_SOCK SSH_AGENT_PID
+if [ "$O_SILENT" = "OFF" ] ; then
+ set -x
+ scp all.tar.gz sonmi@stage.mozilla.org:/home/ftp/pub/security/nss
+ ssh -l sonmi stage.mozilla.org '/home/sonmi/bin/nssqa_stage '
+else
+ scp all.tar.gz sonmi@stage.mozilla.org:/home/ftp/pub/security/nss >/dev/null 2>/dev/null
+ ssh -l sonmi stage.mozilla.org '/home/sonmi/bin/nssqa_stage ' >/dev/null 2>/dev/null
+fi
+
+#" rlogin huey "
+#" sftp sonmi@stage.mozilla.org"
+#" cd /home/ftp/pub/security/nss"
+#" lcd tmp/ftp_stage"
+#" put all.tar.gz"
+#" quit "
+#" ssh -l sonmi stage.mozilla.org"
+#" cd /home/ftp/pub/security/nss"
+#" gunzip all.tar.gz"
+#" tar xvf all.tar"
+#" rm all.tar"
+
diff --git a/security/nss/tests/qa_stat b/security/nss/tests/qa_stat
new file mode 100755
index 000000000..ddf8dd8d2
--- /dev/null
+++ b/security/nss/tests/qa_stat
@@ -0,0 +1,938 @@
+#! /bin/sh
+########################################################################
+#
+# /u/sonmi/bin/qa_stat - /u/svbld/bin/init/nss/qa_stat
+#
+# this script is supposed to automatically run QA for NSS on all required
+# Unix platforms
+#
+# parameters
+# ----------
+# nssversion (supported: 30b, 31, tip)
+# builddate (default - today)
+#
+# options
+# -------
+# -y answer all questions with y - use at your own risk...ignores warnings
+# -s silent (only usefull with -y)
+# -h, -? - you guessed right - displays this text
+# -d debug
+# -f <filename> - write the (error)output to filename
+# -m <mailinglist> - send filename to mailinglist (csl) only useful
+# with -f
+# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.qa_stat
+#
+########################################################################
+
+O_OPTIONS=ON
+
+TBX_EXIT=49 # in case we are running on a tinderbox build, any
+ # early exit needs to return an error
+if [ -z "$O_TBX" -o "$O_TBX" = "OFF" ] ; then
+ if [ -z "$O_LOCAL" -o "$O_LOCAL" = "OFF" ] ; then
+ . `dirname $0`/header
+ fi
+fi
+Debug "Sourced header O_TBX=$O_TBX O_LOCAL=$O_LOCAL"
+TBX_EXIT=48
+EARLY_EXIT=TRUE
+
+URL="cindercone.red.iplanet.com"
+
+DOCDIR=/u/sonmi/doc
+
+HTML_ERRORCOLOR=\"#FF0000\"
+HTML_ERRORMSG=Failed
+
+HTML_MISSINGCOLOR=\"#FFFFCC\"
+HTML_MISSINGMSG=Missing
+
+HTML_INCOMPLETECOLOR=$HTML_MISSINGCOLOR
+HTML_INCOMPLETEMSG=Incomplete
+
+HTML_PASSEDCOLOR=\"#66FF99\"
+HTML_PASSEDMSG=Passed
+
+# this file is used to deal with hanging rsh - a new shell is started
+# for each rsh, and a function is called after it is finished - they
+# communicate with this file
+
+RSH_FILE=$TMP/rsh.$$
+echo >$RSH_FILE
+TMPFILES="$TMPFILES $WARNINGLIST $RSH_FILE "
+RSH_WAIT_TIME=80 #maximum time allowed for the 2 rsh to finish...
+#TOTAL_TESTS=106
+TOTAL_TESTS=252 #tip
+#TOTAL_TESTS=244 #3.4
+#TOTAL_TESTS=123 #3.3.2
+BCT_TOTAL_TESTS=122 #3.2.2
+#TOTAL_TESTS=133 #tip
+
+Debug "NTDIST $NTDIST"
+Debug "UXDIST $UXDIST"
+Debug "TESTSCRIPTDIR $TESTSCRIPTDIR"
+Debug "RESULTDIR $RESULTDIR"
+
+############################### watch_rsh ##############################
+# local shell function, deals with a hanging rsh (kills it...)
+# this function is started as a backgroundprocess before the rsh is started,
+# and writes info to the RSH_FILE, after the rsh is finished it writes finish
+# info to the same file (this time called as a function, forground).
+# the backgroundprocess stays around for RSH_WAIT_TIME, if then the finish
+# information is not there attempts to kill the rsh
+#
+# watch_rsh start qa_computername &
+# watch_rsh stop qa_computername
+#
+########################################################################
+watch_rsh()
+{
+ case $1 in
+ start)
+ echo "$2 started" >>$RSH_FILE
+ sleep $RSH_WAIT_TIME
+ O_ALWAYS_YES=ON # may modify global flags because this is a
+ # forked off bg process - kill_by_name otherwise
+ # will ask the user if it really should be killed
+ grep "$2 finished" $RSH_FILE >/dev/null || kill_by_name "rsh $2"
+ exit
+ ;;
+ stop)
+ echo "$2 finished" >>$RSH_FILE
+ ;;
+ esac
+}
+
+############################### find_qa_systems ########################
+# local shell function, tries to determine the QA operating system
+# works remotely, and for Windows machines
+########################################################################
+find_qa_systems()
+{
+for QA_SYS in `ls $RESULTDIR | grep '\.1$' | sed -e "s/\..*//" | sort -u`
+do
+ NO_RSH="FALSE"
+ QA_OS=""
+ QA_RHVER=""
+ IS_64=""
+ IS_WIN=""
+
+ grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa >/dev/null && NO_RSH=TRUE
+
+ if [ "$NO_RSH" = "TRUE" ]
+ then
+
+ QA_OS=`grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \
+ -e "s/.*-OS-LINE: /${QA_SYS}/"`
+ QA_OS_STRING=`echo $QA_OS | sed -e "s/^[_ ]//" -e "s/ /_/g"`
+ echo $QA_OS_STRING >>$PLATFORMLIST
+ if [ "$O_SILENT" != ON ] ; then
+ echo $QA_OS
+ fi
+
+ #grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \
+ #-e "s/.*-OS-LINE: /${QA_SYS}_/" >>$PLATFORMLIST
+ #if [ "$O_SILENT" != ON ] ; then
+ #grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \
+ #-e "s/.*-OS-LINE:/${QA_SYS}/"
+ #fi
+ else
+ REM_SYSNAME=$QA_SYS
+ watch_rsh start $REM_SYSNAME &
+ qa_stat_get_sysinfo $QA_SYS
+ watch_rsh stop $REM_SYSNAME
+ echo $QA_OS_STRING >>$PLATFORMLIST
+ # use later for missing list
+ fi
+done
+
+}
+
+################################### qa_stat_init ##########################
+# local shell function, sets the name of the resultfile to:
+# <filename> if option -f <filename>
+# $RESULTDIR/result if write permission
+# (mozilla/tests_results/security/result)
+# $HOME/resultNSS${NSSVER}-${BUILDDATE} if no write permission in $RESULTDIR
+########################################################################
+qa_stat_init()
+{
+ if [ $O_FILE = ON -a $O_CRON = OFF ] # if -f was specified write there
+ then
+ RFILE=$FILENAME
+ else
+ RFILE=${RESULTDIR}/result.$$
+ if [ ! -w $RESULTDIR ]
+ then
+ RFILE=$HOME/resultNSS${NSSVER}-${BUILDDATE}.$$
+ Debug "Using alternate resultfile $RFILE"
+ #elif [ $O_CRON = ON ]
+ #then
+ ##find ${RESULTDIR} -exec chmod a+rw {} \; #FIXME - umask
+ ##doesn't seem to work - this is a tmp workaround
+ fi
+
+ if [ ! -x $RESULTDIR -o ! -r $RESULTDIR -o ! -w $RESULTDIR ]
+ then
+ glob_usage "$RESULTDIR does not have the right permissions `ls -l $RESULTDIR`"
+ fi
+ if [ -d $RESULTDIR ]
+ then
+ cd $RESULTDIR
+ else
+ glob_usage "$RESULTDIR does not exist"
+ fi
+ fi
+
+ ERRORLIST=${RFILE}.E
+ PLATFORMLIST=${RFILE}.P
+ PERFLIST=${RFILE}.PE
+ TMP_HTML_FILE=${RFILE}.html
+ HTML_FILE=${RESULTDIR}/result.html
+ WARNINGLIST=${RFILE}.W
+ BCMISSINGLIST=${RFILE}.BCM
+ BCERRORLIST=${RFILE}.BCE
+ TMPFILE=${RFILE}.T
+ ML_FILE=${RFILE}.ML
+
+ TMPFILES="$TMPFILES $TMPFILE"
+ TMPFILES="$TMPFILES $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \
+ $BCMISSINGLIST $BCERRORLIST $ML_FILE" #FIXME uncomment
+
+ FILENAME=$RFILE #we might want to mail it...later switch to html file
+ O_FILE="ON"
+
+ rm $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \
+ $BCMISSINGLIST $BCERRORLIST $TMP_HTML_FILE 2>/dev/null
+ touch $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \
+ $BCMISSINGLIST $BCERRORLIST $TMP_HTML_FILE 2>/dev/null
+
+ if [ $O_WIN = "ON" -a "$O_TBX" = "ON" ] ; then
+ HTML_PATH="http://${URL}${UX_D0}/nss${NSSVER}/tinderbox/tests_results/security/`basename $RESULTDIR`"
+ else
+ HTML_PATH="http://${URL}${RESULTDIR}"
+ fi
+ HREF_TMP_HTML_FILE="${HTML_PATH}/`basename $HTML_FILE`"
+
+ write_qa_header_html >$TMP_HTML_FILE
+}
+
+################################# html_footer #########################
+# local shell function, writes end of the html body
+#######################################################################
+write_qa_header_html()
+{
+echo 'Subject: QA Report ' $NSSVER $BUILDDATE '
+From: sonmi@iplanet.com
+Reply-To: sonmi@iplanet.com
+Content-Type: text/html; charset=us-ascii
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+ <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; U; SunOS 5.8 sun4u) [N
+etscape]">
+</head>
+<body>
+<br>
+&nbsp;
+<br>&nbsp;
+<h2>
+<a href="http://tinderbox.mozilla.org/showbuilds.cgi?tree=NSS">Tinderbox</a
+><br>
+<a href="http://cindercone.red.iplanet.com/share/builds/mccrel3/nss/nsstip/tinderbox/tests_results/security/">Tinderbox QA&nbsp;result</a><br>
+<a href="ftp://ftp.mozilla.org/pub/security/nss/daily_qa">Mozilla Daily NSS QA&nbsp;result</a></h2>
+&nbsp;
+
+&nbsp;
+<br>&nbsp;
+<center>
+<h1>
+<a NAME="Top"></a><b><font size=+2>QA&nbsp;Results</font></b></h1></center>
+
+
+<table BORDER WIDTH="100%" NOSAVE >
+<tr>
+<td>&nbsp;<b><font size=+1>Build-OS and version</font></b></td>
+<td><b><font size=+1>QA-OS</font></b></td>
+<td><b><font size=+1>Systemname</font></b></td>
+<td><b><font size=+1>P/F</font></b></td>
+<td><b><font size=+1>result</font></b></td>
+<td><b><font size=+1>output</font></b></td>
+<td><b><font size=+1>errors</font></b></td>
+<td><b><font size=+1>QA time / #</font></b></td>
+</tr>
+'
+}
+
+################################# html_footer #########################
+# local shell function, writes end of the html body
+#######################################################################
+html_footer()
+{
+ echo '</body>'
+ echo '</html>'
+}
+
+################################# setQAsysvars #########################
+# local shell function, sets system specific variables
+########################################################################
+setQAsysvars()
+{
+ if [ "$MACHINE" != "0" ]
+ then
+ MACHINE=`echo $MACHINE | sed -e 's/^bct.//g'`
+ TESTDATE=`ls -ld $MACHINE | awk '{ print $6, $7, $8 }'`
+ TESTNUMBER=`echo $MACHINE | sed -e 's/.*\.//'`
+ SYSNAME=`echo $MACHINE | sed -e 's/\..*//'`
+ Debug "SYSNAME= $SYSNAME"
+
+ if [ "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then
+ QA_SYS_OS=$QA_OS
+ else
+ QA_SYS_OS=`grep $SYSNAME $PLATFORMLIST |
+ sed -e 's/ //' | \
+ sort | uniq | sed -e "s/$SYSNAME//" \
+ -e "s/^_//" | sort | uniq`
+ fi
+ Debug "QA_SYS_OS= $QA_SYS_OS"
+ fi
+ BUILD_SYS=`echo $BUILDPLATFORM | sed -e 's/\.OBJ//' -e 's/_DBG/ Debug/' \
+ -e 's/_OPT/ Optimized/' -e 's/_64/ 64bit/' -e 's/_glibc_PTH//' \
+ -e 's/_/ /'`
+ Debug "BUILD_SYS=$BUILD_SYS"
+ if [ -f "${RESULTDIR}/${MACHINE}/results.html" ] ; then
+ RESULT="${HTML_PATH}/${MACHINE}/results.html"
+ else
+ RESULT="0"
+ fi
+ if [ -f "${RESULTDIR}/bct/${MACHINE}/results.html" ] ; then
+ BCB_RESULT="${HTML_PATH}/bct/${MACHINE}/results.html"
+ else
+ BCB_RESULT="0"
+ fi
+
+ if [ -f "${RESULTDIR}/${MACHINE}/output.log" ] ; then
+ LOG="${HTML_PATH}/${MACHINE}/output.log"
+ else
+ LOG="0"
+ fi
+ if [ -f "${RESULTDIR}/bct/${MACHINE}/output.log" ] ; then
+ BCB_LOG="${HTML_PATH}/bct/${MACHINE}/output.log"
+ else
+ BCB_LOG="0"
+ fi
+}
+
+################################# html_line() #########################
+# local shell function, writes a line in the html table
+########################################################################
+html_line()
+{
+ echo '<tr NOSAVE>'
+ echo '<td NOSAVE>'$BUILD_SYS'</td>'
+ echo ''
+ if [ "$QA_SYS_OS" != "0" ] ; then
+ echo '<td NOSAVE>'$QA_SYS_OS'</td>'
+ else
+ echo '<td></td>'
+ fi
+ echo ''
+ if [ "$SYSNAME" != "0" ] ; then
+ echo '<td>'$SYSNAME'</td>'
+ else
+ echo '<td></td>'
+ fi
+ #echo '<td>'$SYSNAME $TESTNUMBER $TESTDATE'</td>'
+ echo ''
+ # hopefully we never run more different tests on a tinderbox build...
+ # on win some shells can not handle exit codes greater then 52 (64???)
+ # so for very early exits the codes are set 50-45, for failures later
+ # in the process the higher the number, the more failures
+ if [ "$O_TBX" = "ON" -a "$TBX_EXIT" -gt 45 ] ; then
+ TBX_EXIT=0
+ fi
+ if [ "$1" = "failed" ]
+ then
+ TBX_EXIT=`expr $TBX_EXIT + 1`
+ echo '<td BGCOLOR='$HTML_ERRORCOLOR' NOSAVE><b>'$HTML_ERRORMSG'</b></td>'
+ elif [ "$1" = "passed" ]
+ then
+ echo '<td BGCOLOR='$HTML_PASSEDCOLOR' NOSAVE>'$HTML_PASSEDMSG'</td>'
+ elif [ "$1" = "incomplete" ]
+ then
+ TBX_EXIT=`expr $TBX_EXIT + 1`
+ echo '<td BGCOLOR='$HTML_INCOMPLETECOLOR' NOSAVE>'$HTML_INCOMPLETEMSG'</td>'
+ else
+ TBX_EXIT=`expr $TBX_EXIT + 1`
+ echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+ fi
+ if [ "$CURRENT_TABLE" != "BC" ] ; then
+ if [ "$RESULT" = "0" ] ; then
+ echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+ else
+ echo '<td>&nbsp;<a href="'$RESULT'">result</a>&nbsp;</td>'
+ fi
+ if [ "$LOG" = "0" ] ; then
+ echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+ else
+ echo '<td>&nbsp;<a href="'$LOG'">log</a>&nbsp;</td>'
+ fi
+ if [ "$1" = "failed" ] ; then
+ echo '<td>&nbsp;<a href="'${HREF_TMP_HTML_FILE}'#errorlist">error</a>&nbsp;</td>'
+ else
+ echo '<td></td>'
+ fi
+ else
+ #<td><b><font size=+1>errors</font></b></td>
+ #<td><b><font size=+1>P/F</font></b></td>
+ #<td><b><font size=+1>P/F</font></b></td>
+
+ #echo '<td><b><font size=+1>All Current</font></b></td>'
+ #echo '<td><b><font size=+1>old dlls</font></b></td>'
+ #echo '<td><b><font size=+1>old executables</font></b></td>'
+ #if [ "$RESULT" != "0" -a "$LOG" != "0" ] ; then
+ #echo '<td><a href="'$RESULT'">result</a>, <a href="'$LOG'">log</td>'
+ #elif [ "$RESULT" = "0" -a "$LOG" != "0" ] ; then
+ #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$LOG'">log</a></td>'
+ #elif [ "$RESULT" != "0" -a "$LOG" = "0" ] ; then
+ #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$RESULT'">result</a></td>'
+ #else
+ #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+ #fi
+ #if [ "$BCB_RESULT" != "0" -a "$BCB_LOG" != "0" ] ; then
+ #echo '<td><a href="'$BCB_RESULT'">result</a>, <a href="'$BCB_LOG'"> log</td>'
+ #elif [ "$BCB_RESULT" = "0" -a "$BCB_LOG" != "0" ] ; then
+ #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$BCB_LOG'">log</a></td>'
+ #elif [ "$BCB_RESULT" != "0" -a "$BCB_LOG" = "0" ] ; then
+ #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$BCB_RESULT'">result</a></td>'
+ #else
+ #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+ #fi
+ if [ "$BCB_RESULT" = "0" ] ; then
+ echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+ else
+ echo '<td>&nbsp;<a href="'$BCB_RESULT'">result</a>&nbsp;</td>'
+ fi
+ if [ "$BCB_LOG" = "0" ] ; then
+ echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+ else
+ echo '<td>&nbsp;<a href="'$BCB_LOG'">log</a>&nbsp;</td>'
+ fi
+ fi
+ echo '<td>'$TESTDATE $TESTNUMBER'</td>'
+ echo '</tr>'
+}
+
+################################# qa_errorlist #########################
+# local shell function, finds problems in the previously run QA
+# linux:the gnu grep, on Linux can output 10 lines above and 3 lines below
+# the errormessage
+########################################################################
+qa_errorlist()
+{
+ grep "bgcolor=red" ${MACHINES_TO_CHECK}*/results.html |
+ sed -e 's/.results.html:<TR><TD>/ /' -e 's/<[^>]*>/ /g'
+ grep 'cache hits; .* cache misses, .* cache not reusable' \
+ ${MACHINES_TO_CHECK}*/output.log |
+ grep strsclnt |
+ grep -v '0 cache hits; 0 cache misses, 0 cache not reusable' |
+ grep -v ' cache hits; 1 cache misses, 0 cache not reusable'
+ for logfile in ${MACHINES_TO_CHECK}*/output.log; do
+ grep -vi "write to SSL socket" $logfile |
+ grep -vi "HDX PR_Read returned error" |
+ grep -vi "no error" |
+ grep -vi "12285" |
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP error
+ #grep -vi "5938" | needed for -v option
+ #grep -vi "HDX PR_Read hit EOF" |
+ grep -vi "write to SSL socket" $logfile |
+ grep -vi "peer cannot verify" |
+ grep -vi "error" |
+ grep -vi "fatal" |
+ grep -vi "TCP Connection aborted" |
+ grep -vi "TCP connection reset" |
+ grep $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i failed
+ done
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "segmentation violation" \
+ ${MACHINES_TO_CHECK}*/output.log
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "memory fault" \
+ ${MACHINES_TO_CHECK}*/output.log
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "bus error" \
+ ${MACHINES_TO_CHECK}*/output.log
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "core dumped" \
+ ${MACHINES_TO_CHECK}*/output.log
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP fatal \
+ ${MACHINES_TO_CHECK}*/output.log
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i\
+ "PKCS12 decode not verified" ${MACHINES_TO_CHECK}*/output.log
+
+ if [ -n "${MACHINES_TO_CHECK}" ] ; then
+ find ${MACHINES_TO_CHECK}* -name core -print 2>/dev/null |
+ grep -v bct
+ else
+ find . -name core -print 2>/dev/null |
+ grep -v bct
+ fi
+}
+
+tbx_missing_platforms ()
+{
+ QA_MISSING="QA report missing"
+ MACHINE="0"
+
+ if [ "$QA_OS_STRING" = "WINNT4.0" ] ; then
+ QA_OS_STRING="Windows-NT-4.0"
+ fi
+ for BUILDPLATFORM in `grep $QA_OS_STRING $TESTSCRIPTDIR/platformlist.tbx`
+ do
+ if [ "$BUILDPLATFORM" != "$QA_OS_STRING" ] ; then
+ Debug "BUILDPLATFORM = $BUILDPLATFORM QA_OS_STRING = $QA_OS_STRING"
+ grep $BUILDPLATFORM ${MACHINES_TO_CHECK}*/results.html \
+ >/dev/null || {
+ setQAsysvars
+ html_line missing >>$TMP_HTML_FILE
+ }
+ fi
+ done
+}
+
+############################ platform _list ###########################
+# local shell function, generate pass/fail information for each Platform
+########################################################################
+platformlist()
+{
+ grep Platform ${MACHINES_TO_CHECK}*/results.html |
+ sed -e 's/.results.html:<H4>Platform: /---/' \
+ -e 's/<BR>//' >$TMPFILE
+ # this is done a little complicated to avoid starting a subshell in
+ # a while read that gets the input from a pipeline, and variables set
+ #in or underneath this function get unset after done...
+ for MB in `cat $TMPFILE` ; do
+ MACHINE=`echo $MB | sed -e "s/---.*//"`
+ BUILDPLATFORM=`echo $MB | sed -e "s/.*---//"`
+ grep "${MACHINE}[^0-9]" $ERRORLIST >/dev/null
+ ret=$?
+ setQAsysvars
+ if [ $ret -eq 0 ]
+ then
+ echo "Failed $MACHINE $BUILDPLATFORM" >>$RFILE
+ html_line failed >>$TMP_HTML_FILE
+ else
+ echo "Passed $MACHINE $BUILDPLATFORM" >>$RFILE
+ html_line passed >>$TMP_HTML_FILE
+ fi
+ done
+}
+
+############################ missing_platforms ###########################
+# local shell function, finds out if we ran on all required platforms
+########################################################################
+missing_platforms()
+{
+ QA_MISSING="QA report missing"
+ MACHINE="0"
+ SYSNAME="0"
+ QA_SYS_OS="0"
+
+ for BUILDPLATFORM in `cat $TESTSCRIPTDIR/platformlist`
+ do
+ grep $BUILDPLATFORM $PLATFORMLIST > /dev/null || {
+ setQAsysvars
+ html_line missing >>$TMP_HTML_FILE
+ }
+ done
+}
+
+############################ incomplete_results ###########################
+# local shell function, finds out if all qa runs were complete
+########################################################################
+incomplete_results ()
+{
+
+ for w in `ls ${MACHINES_TO_CHECK}*/results.html`
+ do
+ grep bgcolor=red $w || {
+ PASSED_LINES=""
+ PASSED_LINES=`grep bgcolor=lightGreen $w | wc -l`
+ if [ -n "$PASSED_LINES" -a "$PASSED_LINES" -lt "$TOTAL_TESTS" ] ; then
+ BUILDPLATFORM=`grep Platform $w | sed -e 's/<H4>Platform:/ /' -e 's/<BR>//'`
+ MACHINE=`echo $w | sed -e "s/.results.html//"`
+ #MACHINE=`echo $w | sed -e "s/\.[0-9]*.results.html//"`
+ setQAsysvars
+ html_line incomplete >>$TMP_HTML_FILE
+ elif [ "$PASSED_LINES" -gt "$TOTAL_TESTS" ] ; then
+ echo "WARNING - more tests than expected on $w ($PASSED_LINES)" >>$WARNINGLIST
+ fi
+ }
+ done
+}
+
+qa_stat_table()
+{
+ echo '&nbsp;'
+ echo '<br>&nbsp;'
+ echo '<center>'
+ echo '<h1>'
+ echo '<a NAME="'$1'"></a>'$1'</h1></center>'
+ echo '&nbsp;'
+ echo '<table BORDER WIDTH="100%" NOSAVE >'
+ echo '<tr NOSAVE>'
+}
+
+############################### psaperf ########################
+# local shell function, copies results of the daily performance test
+# into a table in the QA report
+########################################################################
+rsaperf()
+{
+ grep RSAPERF */output.log | grep -v "_DBG" > $PERFLIST
+
+ qa_stat_table "Performance list"
+
+ echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+ echo '<td><b><font size=+1>Systemname</font></b></td>'
+ echo '<td><b><font size=+1># of iterations</font></b></td>'
+ echo '<td><b><font size=+1>average for one op</font></b></td>'
+ echo '<td><b><font size=+1>Total</font></b></td>'
+ echo '<td><b><font size=+1>QA time / #</font></b></td>'
+ echo '</tr>'
+ cat $PERFLIST |
+ while read MACHINE BUILDPLATFORM no_iter t1 t2 total total_unit t3 \
+ t4 t5 average average_unit
+ do
+ #caution subshell, variables local to this loop
+ BUILD_SYS=`echo $BUILDPLATFORM | sed -e 's/\.OBJ//' \
+ -e 's/_DBG/ Debug/' \
+ -e 's/_OPT/ Optimized/' -e 's/_64/ 64bit/' -e 's/_glibc_PTH//' \
+ -e 's/_/ /'`
+ TESTNUMBER=`echo $MACHINE | sed -e 's/[^\.]*\.//' -e 's/\/.*//'`
+ MACHINE=`echo $MACHINE | sed -e 's/\..*//'`
+ TESTDATE=`ls -ld ${MACHINE}.${TESTNUMBER} | awk '{ print $6, $7, $8 }'`
+ echo '<tr>'
+ echo '<td>'$BUILD_SYS'</td>'
+ echo ''
+ echo '<td>'$MACHINE'</td>'
+ echo ''
+ echo '<td>'$no_iter'</td>'
+ echo ''
+ echo '<td>'$average' '$average_unit'</td>'
+ echo ''
+ echo '<td>'$total' '$total_unit'</td>'
+ echo ''
+ echo '<td>'$TESTDATE $TESTNUMBER'</td>'
+ echo ''
+ echo '</tr>'
+ done
+ echo '</table>'
+}
+
+############################### qa_stat_cleanup ########################
+# local shell function, finishes html file, sets variables for global Exit
+########################################################################
+qa_stat_cleanup()
+{
+
+ html_footer >>$TMP_HTML_FILE
+
+ O_DEBUG=OFF
+
+ EARLY_EXIT=FALSE
+ cp $TMP_HTML_FILE $HTML_FILE
+ FILENAME=$HTML_FILE #we might want to mail it...
+ Exit
+}
+
+
+############################### bc_test ########################
+# local shell function, evaluates the results of the backward u
+# compatibility tests
+########################################################################
+bc_header()
+{
+CURRENT_TABLE="BC" #so html_line can determine which fields to write
+
+ qa_stat_table "Backward Compatibility Test"
+ echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+ echo '<td><b><font size=+1>QA-OS</font></b></td>'
+ echo '<td><b><font size=+1>Systemname</font></b></td>'
+ echo '<td><b><font size=+1>P/F</font></b></td>'
+ #echo '<td><b><font size=+1>All Current</font></b></td>'
+ #echo '<td><b><font size=+1>backward comp. test</font></b></td>'
+ echo '<td><b><font size=+1>result</font></b></td>'
+ echo '<td><b><font size=+1>output</font></b></td>'
+ echo '<td><b><font size=+1>QA time / #</font></b></td>'
+ echo '</tr>'
+
+}
+
+old_bc_test()
+{
+CURRENT_TABLE="BC" #so html_line can determine which fields to write
+
+ qa_stat_table "Backward Compatibility Test"
+ echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+ echo '<td><b><font size=+1>QA-OS</font></b></td>'
+ echo '<td><b><font size=+1>Systemname</font></b></td>'
+ echo '<td><b><font size=+1>P/F</font></b></td>'
+ #echo '<td><b><font size=+1>All Current</font></b></td>'
+ #echo '<td><b><font size=+1>backward comp. test</font></b></td>'
+ echo '<td><b><font size=+1>result</font></b></td>'
+ echo '<td><b><font size=+1>output</font></b></td>'
+ echo '<td><b><font size=+1>QA time / #</font></b></td>'
+ echo '</tr>'
+
+ for w in `ls */results.html`
+ do
+ TMP_RESULT="`dirname $w`/results.tmp"
+ TMP_BC_RESULT="`dirname bct/$w`/results.tmp"
+ rm $TMP_RESULT $TMP_BC_RESULT 2>/dev/null
+ cat $w | sed -e 's/<[^>]*>//g' -e 's/ /_/g' \
+ -e 's/signtool_-[vw]/signtool_-vw/' |
+ grep '_[PF]a[si][sl]ed' >$TMP_RESULT
+ cat bct/$w | sed -e 's/<[^>]*>//g' -e 's/ /_/g' \
+ -e 's/signtool_-[vw]/signtool_-vw/' |
+ grep '_[PF]a[si][sl]ed' >$TMP_BC_RESULT
+ diff $TMP_RESULT $TMP_BC_RESULT 2>>$BCMISSINGLIST |
+ grep -v "Create_objsign_cert_.signtool_-G.*Passed" |
+ grep -v "porting_Alice.s_email_cert" |
+ grep -v "^[0-9,cad]*$" | grep -v "^---$" | grep -v "^---.$" |
+ grep -v "Can.t_run_pk12util_tests_for_NSS_3.2" >/dev/null && (
+ echo "$w differs" >> $BCMISSINGLIST
+ echo "========================================="
+ echo "diff $w bct/$w"
+ echo "========================================="
+ diff $TMP_RESULT $TMP_BC_RESULT 2>&1 |
+ grep -v "Create_objsign_cert_.signtool_-G.*Passed" |
+ grep -v "porting_Alice.s_email_cert" |
+ grep -v "Can.t_run_pk12util_tests_for_NSS_3.2"
+ ) 2>&1 >>$BCERRORLIST
+
+ #diff -b $w bct/$w 2>>$BCMISSINGLIST |
+ #grep -v "Create objsign cert .signtool -G.*Passed" |
+ #grep -v "Listing signed files in jar .signtool -v.*Passed" |
+ #grep -v "Listing signed files in jar .signtool -w.*Passed" |
+ #grep -v "backward compatibility" |
+ #grep -v "Can.t run pk12util tests for NSS 3.2" |
+ #grep -v "porting Alice.s email cert " |
+ #grep -v "^---$" | grep -v "^[<> ] $" |
+ #grep -v "^---.$" | grep -v "^[<> ] .$" |
+ #grep -v '< </BODY></HTML>' |
+ #grep -v "^[0-9,cad]*$" 2>>$BCMISSINGLIST >/dev/null && (
+ #echo "$w differs" >> $BCMISSINGLIST
+ #echo "========================================="
+ #echo "diff $w bct/$w"
+ #echo "========================================="
+ #diff -b $w bct/$w 2>&1 |
+ #grep -v "Listing signed files in jar .signtool -v.*Passed" |
+ #grep -v "Listing signed files in jar .signtool -w.*Passed" |
+ #grep -v "backward compatibility" |
+ #grep -v "Can.t run pk12util tests for NSS 3.2" |
+ #grep -v "porting Alice.s email cert " |
+ #grep -v "^---$" | grep -v "^[<> ] $" |
+ #grep -v "^---.$" | grep -v "^[<> ] .$" |
+ #grep -v '< </BODY></HTML>' |
+ #grep -v "^[0-9,cad]*$" \
+ #) 2>&1 >>$BCERRORLIST
+ rm $TMP_RESULT $TMP_BC_RESULT 2>/dev/null
+ done
+ rm $ERRORLIST
+ cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \
+ -e "s/.results.html.*/\/results.html/" |
+ sort -u > $ERRORLIST
+
+ platformlist
+ echo '</table>' >>$TMP_HTML_FILE
+
+ head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/"
+}
+
+bc_test()
+{
+CURRENT_TABLE="BC" #so html_line can determine which fields to write
+
+ qa_stat_table "Backward Compatibility Test"
+ echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+ echo '<td><b><font size=+1>QA-OS</font></b></td>'
+ echo '<td><b><font size=+1>Systemname</font></b></td>'
+ echo '<td><b><font size=+1>P/F</font></b></td>'
+ #echo '<td><b><font size=+1>All Current</font></b></td>'
+ #echo '<td><b><font size=+1>backward comp. test</font></b></td>'
+ echo '<td><b><font size=+1>result</font></b></td>'
+ echo '<td><b><font size=+1>output</font></b></td>'
+ echo '<td><b><font size=+1>QA time / #</font></b></td>'
+ echo '</tr>'
+
+set -x
+ for w in `ls */results.html`
+ do
+ BCT_DIR=`dirname "bct/$w"`
+ BCT_RESULT="bct/$w"
+ BCT_LOG="$BCT_DIR/output.log"
+ grep "bgcolor=red" $BCT_RESULT |
+ sed -e 's/.results.html:<TR><TD>/ /' -e 's/<[^>]*>/ /g'
+ grep 'cache hits; .* cache misses, .* cache not reusable' \
+ $BCT_LOG |
+ grep -v selfserv |
+ grep -v '0 cache hits; 1 cache misses, 0 cache not reusable' |
+ grep -v '0 cache hits; 0 cache misses, 0 cache not reusable' |
+ grep -v ' cache hits; 1 cache misses, 0 cache not reusable'
+ grep -vi "write to SSL socket" $BCT_LOG |
+ grep -vi "HDX PR_Read returned error" |
+ grep -vi "no error" |
+ grep -vi "12285" |
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP error
+ grep -vi "write to SSL socket" $BCT_LOG |
+ grep -vi "peer cannot verify" |
+ grep -vi "TCP Connection aborted" |
+ grep -vi "error" |
+ grep -vi "fatal" |
+ grep -vi "TCP connection reset" |
+ grep $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i failed $BCT_LOG
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "segmentation violation" $BCT_LOG
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "memory fault" $BCT_LOG
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "bus error" $BCT_LOG
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "core dumped" $BCT_LOG
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP fatal $BCT_LOG
+ grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i "PKCS12 decode not verified" $BCT_LOG
+ find ${BTC_DIR} -name core -print
+
+ done 2>&1 >>$BCERRORLIST
+ rm $ERRORLIST
+ cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \
+ -e "s/.results.html.*/\/results.html/" |
+ sort -u > $ERRORLIST
+
+ platformlist
+ echo '</table>' >>$TMP_HTML_FILE
+
+ head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/"
+}
+
+
+############################### bc_test ########################
+# local shell function, evaluates the results of the backward u
+# compatibility tests
+# move the whole function to old to tests a new solution
+########################################################################
+bc_test_old()
+{
+CURRENT_TABLE="BC" #so html_line can determine which fields to write
+
+ qa_stat_table "Backward Compatibility Test"
+ echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+ echo '<td><b><font size=+1>QA-OS</font></b></td>'
+ echo '<td><b><font size=+1>Systemname</font></b></td>'
+ echo '<td><b><font size=+1>P/F</font></b></td>'
+ #echo '<td><b><font size=+1>All Current</font></b></td>'
+ #echo '<td><b><font size=+1>backward comp. test</font></b></td>'
+ echo '<td><b><font size=+1>result</font></b></td>'
+ echo '<td><b><font size=+1>output</font></b></td>'
+ echo '<td><b><font size=+1>QA time / #</font></b></td>'
+ echo '</tr>'
+
+ for w in `ls */results.html`
+ do
+ diff -b $w bct/$w 2>>$BCMISSINGLIST |
+ grep -v "Create objsign cert .signtool -G.*Passed" |
+ grep -v "Listing signed files in jar .signtool -v.*Passed" |
+ grep -v "Listing signed files in jar .signtool -w.*Passed" |
+ grep -v "backward compatibility" |
+ grep -v "Can.t run pk12util tests for NSS 3.2" |
+ grep -v "porting Alice.s email cert " |
+ grep -v "^---$" | grep -v "^[<> ] $" |
+ grep -v "^---.$" | grep -v "^[<> ] .$" |
+ grep -v '< </BODY></HTML>' |
+ grep -v "^[0-9,cad]*$" 2>>$BCMISSINGLIST >/dev/null && (
+ echo "$w differs" >> $BCMISSINGLIST
+ echo "========================================="
+ echo "diff $w bct/$w"
+ echo "========================================="
+ diff -b $w bct/$w 2>&1 |
+ grep -v "Listing signed files in jar .signtool -v.*Passed" |
+ grep -v "Listing signed files in jar .signtool -w.*Passed" |
+ grep -v "backward compatibility" |
+ grep -v "Can.t run pk12util tests for NSS 3.2" |
+ grep -v "porting Alice.s email cert " |
+ grep -v "^---$" | grep -v "^[<> ] $" |
+ grep -v "^---.$" | grep -v "^[<> ] .$" |
+ grep -v '< </BODY></HTML>' |
+ grep -v "^[0-9,cad]*$" \
+ ) 2>&1 >>$BCERRORLIST
+ done
+ rm $ERRORLIST
+ cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \
+ -e "s/.results.html.*/\/results.html/" |
+ sort -u > $ERRORLIST
+
+ platformlist
+ echo '</table>' >>$TMP_HTML_FILE
+
+ head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/"
+
+}
+
+############################### tbx_main ########################
+# local shell function, tinderbox variation of the qa status script
+########################################################################
+tbx_main()
+{
+ TBX_EXIT=47
+ qa_stat_get_sysinfo # find out the OS we are running and all required tests
+ # on this OS
+
+ MACHINES_TO_CHECK=$HOST #`uname -n` only search the local tests for errors
+ qa_errorlist > $ERRORLIST #
+ platformlist
+ #tbx_missing_platforms #temp. taken out until we find a better way to
+ #determine if all necessary QA ran - right now we run different
+ #tinderboxes on one machine
+ incomplete_results
+ echo '</table>' >>$TMP_HTML_FILE
+ echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE
+ cat $ERRORLIST | sed -e "s/^/<br>/" >>$TMP_HTML_FILE
+
+}
+
+############################### qa_stat_main ########################
+# local shell function, main flow of the qa status script
+########################################################################
+qa_stat_main()
+{
+ find_qa_systems 2>/dev/null
+ MACHINES_TO_CHECK="" # check all founf qa runs
+ qa_errorlist > $ERRORLIST
+ platformlist
+ missing_platforms
+ incomplete_results
+ echo '</table>' >>$TMP_HTML_FILE
+ echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE
+ cat $ERRORLIST | sed -e "s/^/<br>/" >>$TMP_HTML_FILE
+ cat $WARNINGLIST 2>/dev/null | sed -e "s/^/<br>/" >>$TMP_HTML_FILE 2>/dev/null
+ rsaperf >>$TMP_HTML_FILE
+ bc_header >>$TMP_HTML_FILE
+ MACHINES_TO_CHECK="bct/"
+ TOTAL_TESTS=$BCT_TOTAL_TESTS
+ BEFORE_CONTEXT_GREP="" #WORKAROUND - errors in one outputlog within the first
+ AFTER_CONTEXT_GREP="" # or last lines will show up in the next/previos file
+ qa_errorlist > $ERRORLIST
+ platformlist
+ missing_platforms
+ incomplete_results
+ echo '</table>' >>$TMP_HTML_FILE
+ echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE
+ cat $ERRORLIST | sed -e "s/^/<br>/" >>$TMP_HTML_FILE
+ cat $WARNINGLIST 2>/dev/null | sed -e "s/^/<br>/" >>$TMP_HTML_FILE 2>/dev/null
+ #bc_test >>$TMP_HTML_FILE
+}
+
+CURRENT_TABLE="Standard"
+qa_stat_init
+
+if [ "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then
+ tbx_main
+else
+ qa_stat_main
+fi
+
+qa_stat_cleanup
diff --git a/security/nss/tests/qaclean b/security/nss/tests/qaclean
new file mode 100755
index 000000000..14c71f390
--- /dev/null
+++ b/security/nss/tests/qaclean
@@ -0,0 +1,144 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/qaclean
+#
+# is supposed to clean up after a "hanging" QA
+#
+# 1) see if there is a lockfile
+# if yes:
+# 1a) kill the process of the lockfile and if possible it's children
+# 1b) rm the lockfile
+# 2) kill selfservers
+# 3) clean up old tmp files
+#
+########################################################################
+
+if [ -z "$TMP" ]
+then
+ if [ -z "$TEMP" ]
+ then
+ TMP="/tmp"
+ else
+ TMP=$TEMP
+ fi
+fi
+if [ ! -w "$TMP" ]
+then
+ echo "Can't write to tmp directory $TMP - exiting"
+ echo "Can't write to tmp directory $TMP - exiting" >&2
+ exit 1
+fi
+
+########################### Ps #########################################
+# platform specific ps
+########################################################################
+Ps()
+{
+ if [ `uname -s` = "SunOS" ]
+ then
+ /usr/5bin/ps -e
+ else
+ ps -e
+ fi
+}
+
+Kill()
+{
+ if [ "$1" = "$$" ]
+ then
+ return
+ fi
+ echo "Killing PID $1"
+ kill $1
+ sleep 1
+ kill -9 $1 2>/dev/null
+}
+
+########################### kill_by_name ################################
+# like killall, only without permissionproblems, kills the process whose
+# name is given as parameter
+########################################################################
+kill_by_name()
+{
+ echo "Killing all $1"
+
+ for PID in `Ps | grep "$1" | grep -v grep | \
+ sed -e "s/^[ ]*//g" -e "s/[ ].*//"`
+ do
+ Kill $PID
+ done
+}
+
+kill_the_rest()
+{
+i=0
+while [ $i -lt $1 ]
+do
+ kill_by_name nssqa
+ kill_by_name selfserv
+ kill_by_name strsclnt
+ kill_by_name all.sh
+ kill_by_name sdr.sh
+ kill_by_name ssl.sh
+ kill_by_name smime.sh
+ i=`expr $i + 1`
+done
+}
+
+nt_warning()
+{
+os_name=`uname -s`
+case $os_name in
+ CYGWIN*|WIN*|Win*)
+ echo
+ echo
+ echo
+ echo "Another Windows problem... If you have not already done so"
+ echo "after this script completes, please reboot, and log in as"
+ echo "user svbld again"
+ echo
+ echo
+ echo
+ ;;
+esac
+}
+
+nt_warning
+case $1 in
+ -all)
+ for w in tommy booboo kentuckyderby galileo shame axilla columbus \
+ smarch charm hp64 biggayal orville kwyjibo hbombaix raven \
+ jordan hornet phaedrus louie box dbldog huey washer dryer \
+ shabadoo trex bummer compaqtor jellyfish sjsu
+ do
+ echo $w
+ ping $w && rsh $w '/u/sonmi/bin/qaclean'
+ done
+
+ ;;
+ ?*)
+ rsh $1 '/u/sonmi/bin/qaclean'
+ exit
+ ;;
+esac
+
+uname -a
+echo
+
+if [ -f ${TMP}/nssqa.* ]
+then
+ echo "nssqa seems to be running ${TMP}/nssqa.*"
+ #cat ${TMP}/nssqa.*
+ NSSQA_PID=`ls ${TMP}/nssqa.* | sed -e 's/[^.]*\.//'`
+ Kill $NSSQA_PID
+ rm ${TMP}/nssqa.*
+fi
+
+kill_the_rest 3
+ls -l ${TMP}/nsstmp.*
+rm ${TMP}/nsstmp.* 2>/dev/null
+rm ${TMP}/certutilout.* 2>/dev/null
+rm ${TMP}/Pk12*
+nt_warning
diff --git a/security/nss/tests/remote/Makefile b/security/nss/tests/remote/Makefile
new file mode 100644
index 000000000..6c6e5bd55
--- /dev/null
+++ b/security/nss/tests/remote/Makefile
@@ -0,0 +1,153 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+TESTPACKAGE="nss-$(OS_TARGET)$(CPU_TAG).tgz"
+RTSH=$(DIST)/../../runtests.sh
+PCFG=$(DIST)/platform.cfg
+
+
+#Hint: In order to test the Makefiles without running the tests, use:
+# make NSS_CYCLES="standard" NSS_TESTS="dummy"
+
+ifeq ($(OS_TARGET),Android)
+TEST_SHELL?=$$HOME/bin/sh
+ANDROID_PORT?="2222"
+#Define the subset of tests that is known to work on Android
+NSS_CYCLES?="standard pkix upgradedb sharedb"
+NSS_TESTS?="cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits chains"
+NSS_SSL_TESTS?="crl normal_normal iopr"
+NSS_SSL_RUN?="cov auth stress"
+else
+TEST_SHELL?="/bin/sh"
+endif
+
+# Create a package for test execution on a separate system.
+package_for_testing:
+ echo "export OBJDIR=$(OBJDIR_NAME)" > $(PCFG)
+ echo "export OS_ARCH=$(OS_ARCH)" >> $(PCFG)
+ echo "export OS_TARGET=$(OS_TARGET)" >> $(PCFG)
+ echo "export DLL_PREFIX=$(DLL_PREFIX)" >> $(PCFG)
+ echo "export DLL_SUFFIX=$(DLL_SUFFIX)" >> $(PCFG)
+ echo 'echo "set HOST and DOMSUF if your system is not registered in DNS"' > $(RTSH)
+ cat $(PCFG) >> $(RTSH)
+ echo 'export NSS_TESTS=$(NSS_TESTS)' >> $(RTSH)
+ echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(RTSH)
+ echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)' >> $(RTSH)
+ echo 'export NSS_CYCLES=$(NSS_CYCLES)' >> $(RTSH)
+ echo 'export USE_64=$(USE_64)' >> $(RTSH)
+ echo 'export BUILD_OPT=$(BUILD_OPT)' >> $(RTSH)
+ echo 'export PKITS_DATA=$(PKITS_DATA)' >> $(RTSH)
+ echo 'export NSS_DISABLE_ECC=$(NSS_DISABLE_ECC)' >> $(RTSH)
+ echo 'export NSPR_LOG_MODULES=$(NSPR_LOG_MODULES)' >> $(RTSH)
+ifeq ($(OS_TARGET),Android)
+ # Android doesn't support FIPS tests, because
+ # dladdr does not return a full path for implicitly loaded libraries
+ echo "export NSS_TEST_DISABLE_FIPS=1" >> $(DIST)/platform.cfg
+endif
+ifeq ($(CROSS_COMPILE),1)
+# execute signing on test system
+ echo 'export DIST=$${HOME}/nsstest/dist/' >> $(RTSH)
+ echo 'export NSPR_LIB_DIR=$${DIST}/$${OBJDIR}/lib/' >> $(RTSH)
+ echo 'echo "signing"' >> $(RTSH)
+# work around a bug in Android ash that has a corrupted work directory after login
+ echo 'cd $${HOME}/nsstest' >> $(RTSH)
+ echo 'cd nss/cmd/shlibsign' >> $(RTSH)
+ echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}freebl3.$${DLL_SUFFIX}' >> $(RTSH)
+ echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}softokn3.$${DLL_SUFFIX}' >> $(RTSH)
+ echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}nssdbm3.$${DLL_SUFFIX}' >> $(RTSH)
+ifneq ($(OS_TARGET),Android)
+# Android's ash doesn't support "export -n" yet
+ echo 'export -n DIST' >> $(RTSH)
+ echo 'export -n NSPR_LIB_DIR' >> $(RTSH)
+endif
+ echo 'cd ../../../' >> $(RTSH)
+endif
+ echo 'rm -rf tests_results' >> $(RTSH)
+ echo 'echo "running tests"' >> $(RTSH)
+ echo 'cd nss/tests' >> $(RTSH)
+ # We require progress indication on stdout while running the tests (to avoid timeouts).
+ set -o pipefail
+ echo '$(TEST_SHELL) ./all.sh | tee ../../logfile 2>&1 |grep ": #"' >> $(RTSH)
+ RETVAL=$?
+ echo 'cd ../../' >> $(RTSH)
+ # dump test summary from end of logfile
+ echo 'echo "=========="; tail -100 logfile' >> $(RTSH)
+ echo 'tar czf tests_results.tgz tests_results' >> $(RTSH)
+ echo 'echo "created tests_results.tgz"' >> $(RTSH)
+ echo 'echo "results are in directory: "`ls -1d tests_results/security/*.1`' >> $(RTSH)
+ echo 'echo exit status: $${RETVAL}' >> $(RTSH)
+ echo 'exit $${RETVAL}' >> $(RTSH)
+ rm -f $(TESTPACKAGE)
+ (cd $(DIST)/../.. ; tar czhf dist/$(TESTPACKAGE) runtests.sh dist/$(OBJDIR_NAME) dist/public nss/tests nss/cmd/bltest/tests nss/cmd/pk11gcmtest/tests nss/cmd/shlibsign; echo "created "`pwd`"/dist/$(TESTPACKAGE)" )
+
+android_run_tests:
+ ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR) 'pwd; cd; pwd; cd nsstest; export PATH=$$HOME/bin:$$PATH ; $(TEST_SHELL) runtests.sh'
+
+android_install:
+ rm -f $(DIST)/android.sftp
+ echo '-mkdir nsstest' > $(DIST)/android.sftp
+ echo '-rm nsstest/$(TESTPACKAGE)' >> $(DIST)/android.sftp
+ echo 'progress' >> $(DIST)/android.sftp
+ echo 'put $(DIST)/../$(TESTPACKAGE) nsstest' >> $(DIST)/android.sftp
+ sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(DIST)/android.sftp $(ANDROID_ADDR)
+ ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR) 'cd nsstest ; $$HOME/bin/rm -rf logfile runtests.sh dist security tests_results tests_results.tgz; $$HOME/bin/tar xzf $(TESTPACKAGE)'
+
+WORKDIR="$(DIST)/../../"
+RESULTSPACKAGE=tests_results.tgz
+android_get_result:
+ rm -f $(WORKDIR)/result.sftp $(WORKDIR)/$(RESULTSPACKAGE)
+ echo "progress" > $(WORKDIR)/result.sftp
+ echo 'get nsstest/$(RESULTSPACKAGE) $(WORKDIR)' >> $(WORKDIR)/result.sftp
+ sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(WORKDIR)/result.sftp $(ANDROID_ADDR)
+ (cd $(WORKDIR); tar xzf $(RESULTSPACKAGE); rm -f result.sftp $(RESULTSPACKAGE) )
+
+# Android testing assumes having built with: OS_TARGET=Android CROSS_COMPILE=1
+# Connectivity tested with Android app: SSHDroid
+# Provide appropriate ANDROID_ADDR variable, e.g.:
+# make test_android ANDROID_ADDR=root@192.168.4.5
+# See also: https://wiki.mozilla.org/NSS:Android
+
+test_android: package_for_testing android_install android_run_tests android_get_result
diff --git a/security/nss/tests/remote/manifest.mn b/security/nss/tests/remote/manifest.mn
new file mode 100644
index 000000000..049f1617c
--- /dev/null
+++ b/security/nss/tests/remote/manifest.mn
@@ -0,0 +1,6 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+DEPTH = ../..
diff --git a/security/nss/tests/run_niscc.sh b/security/nss/tests/run_niscc.sh
new file mode 100755
index 000000000..def3fd07e
--- /dev/null
+++ b/security/nss/tests/run_niscc.sh
@@ -0,0 +1,982 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# PRIOR TO RUNNING THIS SCRIPT
+# you should adjust MAIL_COMMAND and QA_LIST
+#
+# External dependencies:
+# - install the NISCC test files, e.g. at /niscc (readonly OK)
+# - libfaketimeMT because the test certificates have expired
+# - build environment for building NSS
+# - gdb to analyze core files
+# - a command line mail tool (e.g. mailx)
+# - openssl to combine input PEM files into pkcs#12
+# - curl for obtaining version information from the web
+#
+
+################################################################################
+# Print script usage
+################################################################################
+usage()
+{
+ cat << EOF
+Usage: $0 [options]
+
+Test NSS library against NISCC SMIME and TLS testcases.
+
+Options:
+ -h, --help print this help message and exit
+ -v, --verbose enable extra verbose output
+ --niscc-home DIR use NISCC testcases from directory DIR (default /niscc)
+ --host HOST use host HOST (default '127.0.0.1')
+ --threads X set thread number to X (max. 10, default 10)
+ --out DIR set DIR as output directory (default '/out')
+ --mail ADDRESS send mail with test result to ADDRESS
+ --nss DIR set NSS directory to DIR (default '~/niscc-hg/nss')
+ --nss-hack DIR set hacked NSS directory to DIR (default '~/niscc-hg/nss_hack')
+ --log-store store all the logs (only summary by default)
+ --no-build-test don't pull and build tested NSS
+ --no-build-hack don't pull and build hacked NSS
+ --test-system test system installed NSS
+ --date DATE use DATE in log archive name and outgoing email
+ --libfaketime path.so use faketime library with LD_PRELOAD=path.so
+ --smallset test only a very small subset
+
+All options are optional.
+All options (and possibly more) can be also set through environment variables.
+Commandline options have higher priority than environment variables.
+For more information please refer to the source code of this script.
+
+For a successfull run the script NEEDS the core file pattern to be 'core.*',
+e.g. 'core.%t'. You can check the current pattern in
+'/proc/sys/kernel/core_pattern'. Otherwise the test will be unable to detect
+any failures and will pass every time.
+
+It is recommended to use hacked and tested binaries in a location, where their
+absolute path is max. 80 characters. If their path is longer and a core file is
+generated, its properties may be incomplete.
+
+Return value of the script indicates how many failures it experienced.
+
+EOF
+ exit $1
+}
+
+################################################################################
+# Process command-line arguments
+################################################################################
+process_args()
+{
+ HELP="false"
+ args=`getopt -u -l "niscc-home:,host:,threads:,out:,verbose,mail:,nss:,nss-hack:,log-store,no-build-test,no-build-hack,help,test-system,date:,libfaketime:,smallset" -- "hv" $*`
+ [ "$?" != "0" ] && usage 1
+ set -- $args
+ for i; do
+ case "$i" in
+ -v|--verbose)
+ shift
+ VERBOSE="-v"
+ ;;
+ --niscc-home)
+ shift
+ NISCC_HOME="$1"
+ shift
+ ;;
+ --host)
+ shift
+ HOST="$1"
+ shift
+ ;;
+ --threads)
+ shift
+ THREADS="$1"
+ shift
+ ;;
+ --out)
+ shift
+ TEST_OUTPUT="$1"
+ shift
+ ;;
+ --mail)
+ shift
+ USE_MAIL="true"
+ QA_LIST="$1"
+ shift
+ ;;
+ --nss)
+ shift
+ LOCALDIST="$1"
+ shift
+ ;;
+ --nss-hack)
+ shift
+ NSS_HACK="$1"
+ shift
+ ;;
+ --log-store)
+ shift
+ LOG_STORE="true"
+ ;;
+ --no-build-test)
+ shift
+ NO_BUILD_TEST="true"
+ ;;
+ --no-build-hack)
+ shift
+ NO_BUILD_HACK="true"
+ ;;
+ -h|--help)
+ shift
+ HELP="true"
+ ;;
+ --test-system)
+ shift
+ TEST_SYSTEM="true"
+ ;;
+ --date)
+ shift
+ DATE="$1"
+ shift
+ ;;
+ --libfaketime)
+ shift
+ FAKETIMELIB="$1"
+ shift
+ ;;
+ --smallset)
+ shift
+ SMALLSET="true"
+ ;;
+ --)
+ ;;
+ *)
+ ;;
+ esac
+ done
+ [ $HELP = "true" ] && usage 0
+}
+
+################################################################################
+# Create and set needed and useful environment variables
+################################################################################
+create_environment()
+{
+ # Base location of NISCC testcases
+ export NISCC_HOME=${NISCC_HOME:-/niscc}
+
+ # Base location of NSS
+ export HG=${HG:-"$HOME/niscc-hg"}
+
+ # NSS being tested
+ export LOCALDIST=${LOCALDIST:-"${HG}/nss"}
+
+ # Hacked NSS - built with "NISCC_TEST=1"
+ export NSS_HACK=${NSS_HACK:-"${HG}/nss_hack"}
+
+ # Hostname of the testmachine
+ export HOST=${HOST:-127.0.0.1}
+
+ # Whether to store logfiles
+ export LOG_STORE=${LOG_STORE:-"false"}
+
+ # Whether to mail the summary
+ export USE_MAIL=${USE_MAIL:-"false"}
+
+ # How to mail summary
+ export MAIL_COMMAND=${MAIL_COMMAND:-"mailx -S smtp=smtp://your.smtp.server:25 -r your+niscc@email.address"}
+
+ # List of mail addresses where to send summary
+ export QA_LIST=${QA_LIST:-"result@recipient.address"}
+
+ # Whether to use 64b build
+ export USE_64=${USE_64:-1}
+
+ # Directory where to write all the output data (around 650MiB for each run)
+ export TEST_OUTPUT=${TEST_OUTPUT:-"$HOME/out"}
+
+ # How many threads to use in selfserv and strsclnt (max. 10)
+ export THREADS=${THREADS:-10}
+
+ # If true, do not build tthe tested version of NSS
+ export NO_BUILD_TEST=${NO_BUILD_TEST:-"false"}
+
+ # If true, do not build the special NSS version for NISCC
+ export NO_BUILD_HACK=${NO_BUILD_HACK:-"false"}
+
+ # If true, do not rebuild client and server directories
+ export NO_SETUP=${NO_SETUP:-"false"}
+
+ # Location of NISCC SSL/TLS testcases
+ export TEST=${TEST:-"${NISCC_HOME}/NISCC_SSL_testcases"}
+
+ # If true, then be extra verbose
+ export VERBOSE=${VERBOSE:-""}
+
+ # If true, test the system installed NSS
+ export TEST_SYSTEM=${TEST_SYSTEM:-"false"}
+ [ "$TEST_SYSTEM" = "true" ] && export NO_BUILD_TEST="true"
+
+ [ ! -z "$VERBOSE" ] && set -xv
+
+ # Real date for naming of archives (system date must be 2002-11-18 .. 2007-11-18 due to certificate validity
+ DATE=${DATE:-`date`}
+ export DATE=`date -d "$DATE" +%Y%m%d`
+
+ FAKETIMELIB=${FAKETIMELIB:-""}
+ export DATE=`date -d "$DATE" +%Y%m%d`
+
+ # Whether to test only a very small subset
+ export SMALLSET=${SMALLSET:-"false"}
+
+ # Create output dir if it doesn't exist
+ mkdir -p ${TEST_OUTPUT}
+}
+
+################################################################################
+# Do a HG pull of NSS
+################################################################################
+hg_pull()
+{
+ # Tested NSS - by default using HG default tip
+ if [ "$NO_BUILD_TEST" = "false" ]; then
+ echo "cloning NSS sources to be tested from HG"
+ [ ! -d "$LOCALDIST" ] && mkdir -p "$LOCALDIST"
+ cd "$LOCALDIST"
+ [ ! -d "$LOCALDIST/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr
+ cd nspr; hg pull; hg update -C -r default; cd ..
+ [ ! -d "$LOCALDIST/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss
+ cd nss; hg pull; hg update -C -r default; cd ..
+ #find . -exec touch {} \;
+ fi
+
+ # Hacked NSS - by default using some RTM version.
+ # Do not use HEAD for hacked NSS - it needs to be stable and bug-free
+ if [ "$NO_BUILD_HACK" = "false" ]; then
+ echo "cloning NSS sources for a hacked build from HG"
+ [ ! -d "$NSS_HACK" ] && mkdir -p "$NSS_HACK"
+ cd "$NSS_HACK"
+ NSPR_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/nsprpub/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'`
+ NSS_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'`
+ [ ! -d "$NSS_HACK/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr
+ cd nspr; hg pull; hg update -C -r "$NSPR_TAG"; cd ..
+ [ ! -d "$NSS_HACK/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss
+ cd nss; hg pull; hg update -C -r "$NSS_TAG"; cd ..
+ #find . -exec touch {} \;
+ fi
+}
+
+################################################################################
+# Build NSS after setting make variable NISCC_TEST
+################################################################################
+build_NSS()
+{
+ # Tested NSS
+ if [ "$NO_BUILD_TEST" = "false" ]; then
+ echo "building NSS to be tested"
+ cd "$LOCALDIST"
+ unset NISCC_TEST
+ cd nss
+ gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLog
+ gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLog
+ fi
+
+ # Hacked NSS
+ if [ "$NO_BUILD_HACK" = "false" ]; then
+ echo "building hacked NSS"
+ cd "$NSS_HACK"
+ export NISCC_TEST=1
+ cd nss
+ gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLogHack
+ gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLogHack
+ fi
+
+ unset NISCC_TEST
+}
+
+################################################################################
+# Set build dir, bin and lib directories
+################################################################################
+init()
+{
+ # Enable useful core files to be generated in case of crash
+ ulimit -c unlimited
+
+ # Pattern of core files, they should be created in current directory
+ echo "core_pattern $(cat /proc/sys/kernel/core_pattern)" > "$TEST_OUTPUT/nisccLog00"
+
+ # gmake is needed in the path for this suite to run
+ echo "PATH $PATH" >> "$TEST_OUTPUT/nisccLog00"
+
+ # Find out hacked NSS version
+ DISTTYPE=`cd "$NSS_HACK/nss/tests/common"; gmake objdir_name`
+ echo "NSS_HACK DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00"
+ export HACKBIN="$NSS_HACK/dist/$DISTTYPE/bin"
+ export HACKLIB="$NSS_HACK/dist/$DISTTYPE/lib"
+
+ if [ "$TEST_SYSTEM" = "false" ]; then
+ # Find out nss version
+ DISTTYPE=`cd "$LOCALDIST/nss/tests/common"; gmake objdir_name`
+ echo "NSS DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00"
+ export TESTBIN="$LOCALDIST/dist/$DISTTYPE/bin"
+ export TESTLIB="$LOCALDIST/dist/$DISTTYPE/lib"
+ export TESTTOOLS="$TESTBIN"
+ else
+ # Using system installed NSS
+ echo "USING SYSTEM NSS" >> "$TEST_OUTPUT/nisccLog00"
+ export TESTBIN="/usr/bin"
+ if [ `uname -m` = "x86_64" ]; then
+ export TESTLIB="/usr/lib64"
+ export TESTTOOLS="/usr/lib64/nss/unsupported-tools"
+ else
+ export TESTLIB="/usr/lib"
+ export TESTTOOLS="/usr/lib/nss/unsupported-tools"
+ fi
+ fi
+
+ # Verify NISCC_TEST was set in the proper library
+ if strings "$HACKLIB/libssl3.so" | grep NISCC_TEST > /dev/null 2>&1; then
+ echo "$HACKLIB/libssl3.so contains NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00"
+ else
+ echo "$HACKLIB/libssl3.so does NOT contain NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00"
+ fi
+
+ if strings "$TESTLIB/libssl3.so" | grep NISCC_TEST > /dev/null 2>&1; then
+ echo "$TESTLIB/libssl3.so contains NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00"
+ else
+ echo "$TESTLIB/libssl3.so does NOT contain NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00"
+ fi
+}
+
+################################################################################
+# Setup simple client and server directory
+################################################################################
+ssl_setup_dirs_simple()
+{
+ [ "$NO_SETUP" = "true" ] && return
+
+ echo "Setting up working directories for SSL simple tests"
+
+ CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client"
+ SERVER="$TEST_OUTPUT/niscc_ssl/simple_server"
+
+ # Generate .p12 files
+ openssl pkcs12 -export -inkey "$TEST/client_key.pem" -in "$TEST/client_crt.pem" -out "$TEST_OUTPUT/client_crt.p12" -passout pass:testtest1 -name "client_crt"
+ openssl pkcs12 -export -inkey "$TEST/server_key.pem" -in "$TEST/server_crt.pem" -out "$TEST_OUTPUT/server_crt.p12" -passout pass:testtest1 -name "server_crt"
+
+ # Setup simple client directory
+ rm -rf "$CLIENT"
+ mkdir -p "$CLIENT"
+ echo test > "$CLIENT/password-is-test.txt"
+ export LD_LIBRARY_PATH="$TESTLIB"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -N -d "$CLIENT" -f "$CLIENT/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -A -d "$CLIENT" -n rootca -i "$TEST/rootca.crt" -t "C,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/client_crt.p12" -d "$CLIENT" -k "$CLIENT/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -L -d "$CLIENT" >> "$TEST_OUTPUT/nisccLog00" 2>&1
+
+ # File containg message used for terminating the server
+ echo "GET /stop HTTP/1.0" > "$CLIENT/stop.txt"
+ echo "" >> "$CLIENT/stop.txt"
+
+ # Setup simple server directory
+ rm -rf "$SERVER"
+ mkdir -p "$SERVER"
+ echo test > "$SERVER/password-is-test.txt"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -N -d "$SERVER" -f "$SERVER/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -A -d "$SERVER" -n rootca -i "$TEST/rootca.crt" -t "TC,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/server_crt.p12" -d "$SERVER" -k "$SERVER/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -L -d "$SERVER" >> "$TEST_OUTPUT/nisccLog00" 2>&1
+
+ unset LD_LIBRARY_PATH
+}
+
+################################################################################
+# Setup resigned client and server directory
+################################################################################
+ssl_setup_dirs_resigned()
+{
+ [ "$NO_SETUP" = "true" ] && return
+
+ echo "Setting up working directories for SSL resigned tests"
+
+ CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client"
+ SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server"
+
+ # Setup resigned client directory
+ rm -rf "$CLIENT"
+ mkdir -p "$CLIENT"
+ echo test > "$CLIENT/password-is-test.txt"
+ export LD_LIBRARY_PATH="$TESTLIB"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -N -d "$CLIENT" -f "$CLIENT/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -A -d "$CLIENT" -n rootca -i "$TEST/rootca.crt" -t "C,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/client_crt.p12" -d "$CLIENT" -k "$CLIENT/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -L -d "$CLIENT" >> "$TEST_OUTPUT/nisccLog00" 2>&1
+
+ echo "GET /stop HTTP/1.0" > "$CLIENT/stop.txt"
+ echo "" >> "$CLIENT/stop.txt"
+
+ # Setup resigned server directory
+ rm -rf "$SERVER"
+ mkdir -p "$SERVER"
+ echo test > "$SERVER/password-is-test.txt"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -N -d "$SERVER" -f "$SERVER/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -A -d "$SERVER" -n rootca -i "$TEST/rootca.crt" -t "TC,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/server_crt.p12" -d "$SERVER" -k "$SERVER/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -L -d "$SERVER" >> "$TEST_OUTPUT/nisccLog00" 2>&1
+
+ unset LD_LIBRARY_PATH
+}
+
+################################################################################
+# NISCC SMIME tests
+################################################################################
+niscc_smime()
+{
+ cd "$TEST_OUTPUT"
+ DATA="$NISCC_HOME/NISCC_SMIME_testcases"
+
+ [ ! -d niscc_smime ] && mkdir -p niscc_smime
+
+ export SMIME_CERT_DB_DIR=envDB
+ export NSS_STRICT_SHUTDOWN=1
+ export NSS_DISABLE_ARENA_FREE_LIST=1
+ export LD_LIBRARY_PATH="$TESTLIB"
+
+ # Generate .p12 files
+ openssl pkcs12 -export -inkey "$DATA/Client.key" -in "$DATA/Client.crt" -out Client.p12 -passout pass:testtest1 &>/dev/null
+ openssl pkcs12 -export -inkey "$DATA/CA.key" -in "$DATA/CA.crt" -out CA.p12 -passout pass:testtest1 &>/dev/null
+
+ # Generate envDB if needed
+ if [ ! -d "$SMIME_CERT_DB_DIR" ]; then
+ mkdir -p "$SMIME_CERT_DB_DIR"
+ echo testtest1 > password-is-testtest1.txt
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -N -d "./$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt > /dev/null 2>&1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt -i "$DATA/CA.crt" -n CA -t "TC,C,"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt -i "$DATA/Client.crt" -n Client -t "TC,C,"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/pk12util" -i ./CA.p12 -d "$SMIME_CERT_DB_DIR" -k password-is-testtest1.txt -W testtest1
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/pk12util" -i ./Client.p12 -d "$SMIME_CERT_DB_DIR" -k password-is-testtest1.txt -W testtest1
+ fi
+
+ # if p7m-ed-m-files.txt does not exist, then generate it.
+ [ -f "$DATA/p7m-ed-m-files.txt" ] && sed "s|^|$DATA/|" "$DATA/p7m-ed-m-files.txt" > p7m-ed-m-files.txt
+ export P7M_ED_M_FILES=p7m-ed-m-files.txt
+ if [ "$SMALLSET" = "true" ]; then
+ [ ! -f "$P7M_ED_M_FILES" ] && find "$DATA"/p7m-ed-m-0* -type f -print | head -10 >> "$P7M_ED_M_FILES"
+ else
+ [ ! -f "$P7M_ED_M_FILES" ] && find "$DATA"/p7m-ed-m-0* -type f -print >> "$P7M_ED_M_FILES"
+ fi
+
+ # Test "p7m-ed-m*" testcases
+ echo "Testing SMIME enveloped data testcases"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/cmsutil" $VERBOSE -D -d "$SMIME_CERT_DB_DIR" -p testtest1 -b -i "$P7M_ED_M_FILES" > niscc_smime/p7m-ed-m-results.txt 2>&1
+
+ export SMIME_CERT_DB_DIR=sigDB
+ # Generate sigDB if needed
+ if [ ! -d "$SMIME_CERT_DB_DIR" ]; then
+ mkdir -p "$SMIME_CERT_DB_DIR"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -N -d "$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -i "$DATA/CA.crt" -n CA -t "TC,C,"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -i "$DATA/Client.crt" -n Client -t "TC,C,"
+ fi
+
+ # if p7m-sd-dt-files.txt does not exist, then generate it.
+ [ -f "$DATA/p7m-sd-dt-files.txt" ] && sed "s|^|$DATA/|" "$DATA/p7m-sd-dt-files.txt" > p7m-sd-dt-files.txt
+ export P7M_SD_DT_FILES=p7m-sd-dt-files.txt
+ if [ "$SMALLSET" = "true" ]; then
+ [ ! -f "$P7M_SD_DT_FILES" ] && find "$DATA"/p7m-sd-dt-[cm]-* -type f -print | head -10 >> "$P7M_SD_DT_FILES"
+ else
+ [ ! -f "$P7M_SD_DT_FILES" ] && find "$DATA"/p7m-sd-dt-[cm]-* -type f -print >> "$P7M_SD_DT_FILES"
+ fi
+
+ [ ! -f detached.txt ] && touch detached.txt
+
+ # Test "p7m-sd-dt*" testcases
+ echo "Testing SMIME detached signed data testcases"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/cmsutil" $VERBOSE -D -d "$SMIME_CERT_DB_DIR" -c detached.txt -b -i "$P7M_SD_DT_FILES" > niscc_smime/p7m-sd-dt-results.txt 2>&1
+
+ # if p7m-sd-op-files.txt does not exist, then generate it.
+ [ -f "$DATA/p7m-sd-op-files.txt" ] && sed "s|^|$DATA/|" "$DATA/p7m-sd-op-files.txt" > p7m-sd-op-files.txt
+ export P7M_SD_OP_FILES=p7m-sd-op-files.txt
+ if [ "$SMALLSET" = "true" ]; then
+ [ ! -f "$P7M_SD_OP_FILES" ] && find "$DATA"/p7m-sd-op-[cm]-* -type f -print | head -10 >> "$P7M_SD_OP_FILES"
+ else
+ [ ! -f "$P7M_SD_OP_FILES" ] && find "$DATA"/p7m-sd-op-[cm]-* -type f -print >> "$P7M_SD_OP_FILES"
+ fi
+
+ # Test "p7m-sd-op*" testcases
+ echo "Testing SMIME opaque signed data testcases"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTBIN}/cmsutil" $VERBOSE -D -d "$SMIME_CERT_DB_DIR" -b -i "$P7M_SD_OP_FILES" > niscc_smime/p7m-sd-op-results.txt 2>&1
+
+ unset LD_LIBRARY_PATH
+}
+
+################################################################################
+# Set env variables for NISCC SSL tests
+################################################################################
+niscc_ssl_init()
+{
+ export NSS_STRICT_SHUTDOWN=1
+ export NSS_DISABLE_ARENA_FREE_LIST=1
+ cd "$TEST_OUTPUT"
+}
+
+force_crash()
+{
+ echo "int main(int argc, char *argv[]) { int *i; i = (int*)(void*)1; *i = 1; }" > "$TEST_OUTPUT/crashme.c"
+ gcc -g -o "$TEST_OUTPUT/crashme" "$TEST_OUTPUT/crashme.c"
+ "$TEST_OUTPUT/crashme"
+}
+
+################################################################################
+# Do simple client auth tests
+# Use an altered client against the server
+################################################################################
+ssl_simple_client_auth()
+{
+ echo "Testing SSL simple client auth testcases"
+ export CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client"
+ export SERVER="$TEST_OUTPUT/niscc_ssl/simple_server"
+ export PORT=8443
+ export START_AT=1
+ if [ "$SMALLSET" = "true" ]; then
+ export STOP_AT=10
+ else
+ export STOP_AT=106160
+ fi
+ unset NISCC_TEST
+ export LD_LIBRARY_PATH="$TESTLIB"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -rr -t $THREADS -w test > "$TEST_OUTPUT/nisccLog01" 2>&1 &
+
+ export NISCC_TEST="$TEST/simple_client"
+ export LD_LIBRARY_PATH="$HACKLIB"
+
+ for START in `seq $START_AT $THREADS $STOP_AT`; do
+ START_AT=$START \
+ STOP_AT=$(($START+$THREADS)) \
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${HACKBIN}/strsclnt" $VERBOSE -d "$CLIENT" -n client_crt -p $PORT -t $THREADS -c $THREADS -o -N -w test $HOST >> "$TEST_OUTPUT/nisccLog02" 2>&1
+ done
+
+ unset NISCC_TEST
+ echo "starting tstclnt to shutdown simple client selfserv process"
+ for i in `seq 5`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${HACKBIN}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog02" 2>&1
+ done
+
+ unset LD_LIBRARY_PATH
+
+ sleep 1
+}
+
+################################################################################
+# Do simple server auth tests
+# Use an altered server against the client
+################################################################################
+ssl_simple_server_auth()
+{
+ echo "Testing SSL simple server auth testcases"
+ export CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client"
+ export SERVER="$TEST_OUTPUT/niscc_ssl/simple_server"
+ export PORT=8444
+ export START_AT=00000001
+ if [ "$SMALLSET" = "true" ]; then
+ export STOP_AT=00000010
+ else
+ export STOP_AT=00106167
+ fi
+ export LD_LIBRARY_PATH="$HACKLIB"
+ export NISCC_TEST="$TEST/simple_server"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog03" 2>&1 &
+
+ unset NISCC_TEST
+ export LD_LIBRARY_PATH="$TESTLIB"
+ for START in `seq $START_AT $THREADS $STOP_AT`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog04" 2>&1
+ done
+
+ echo "starting tstclnt to shutdown simple server selfserv process"
+ for i in `seq 5`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog04" 2>&1
+ done
+
+ unset LD_LIBRARY_PATH
+
+ sleep 1
+}
+
+################################################################################
+# Do simple rootCA tests
+# Use an altered server against the client
+################################################################################
+ssl_simple_rootca()
+{
+ echo "Testing SSL simple rootCA testcases"
+ export CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client"
+ export SERVER="$TEST_OUTPUT/niscc_ssl/simple_server"
+ export PORT=8445
+ export START_AT=1
+ if [ "$SMALLSET" = "true" ]; then
+ export STOP_AT=10
+ else
+ export STOP_AT=106190
+ fi
+ export LD_LIBRARY_PATH="$HACKLIB"
+ export NISCC_TEST="$TEST/simple_rootca"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog05" 2>&1 &
+
+ unset NISCC_TEST
+ export LD_LIBRARY_PATH="$TESTLIB"
+ for START in `seq $START_AT $THREADS $STOP_AT`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog06" 2>&1
+ done
+
+ echo "starting tstclnt to shutdown simple rootca selfserv process"
+ for i in `seq 5`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog06" 2>&1
+ done
+
+ unset LD_LIBRARY_PATH
+
+ sleep 1
+}
+
+################################################################################
+# Do resigned client auth tests
+# Use an altered client against the server
+################################################################################
+ssl_resigned_client_auth()
+{
+ echo "Testing SSL resigned client auth testcases"
+ export CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client"
+ export SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server"
+ export PORT=8446
+ export START_AT=0
+ if [ "$SMALLSET" = "true" ]; then
+ export STOP_AT=9
+ else
+ export STOP_AT=99981
+ fi
+ unset NISCC_TEST
+ export LD_LIBRARY_PATH="$TESTLIB"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -rr -t $THREADS -w test > "$TEST_OUTPUT/nisccLog07" 2>&1 &
+
+ export NISCC_TEST="$TEST/resigned_client"
+ export LD_LIBRARY_PATH="$HACKLIB"
+
+ for START in `seq $START_AT $THREADS $STOP_AT`; do
+ START_AT=$START \
+ STOP_AT=$(($START+$THREADS)) \
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${HACKBIN}/strsclnt" $VERBOSE -d "$CLIENT" -n client_crt -p $PORT -t $THREADS -c $THREADS -o -N -w test $HOST >> "$TEST_OUTPUT/nisccLog08" 2>&1
+ done
+
+ unset NISCC_TEST
+ echo "starting tstclnt to shutdown resigned client selfserv process"
+ for i in `seq 5`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${HACKBIN}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog08" 2>&1
+ done
+
+ unset LD_LIBRARY_PATH
+
+ sleep 1
+}
+
+################################################################################
+# Do resigned server auth tests
+# Use an altered server against the client
+################################################################################
+ssl_resigned_server_auth()
+{
+ echo "Testing SSL resigned server auth testcases"
+ export CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client"
+ export SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server"
+ export PORT=8447
+ export START_AT=0
+ if [ "$SMALLSET" = "true" ]; then
+ export STOP_AT=9
+ else
+ export STOP_AT=100068
+ fi
+ export LD_LIBRARY_PATH="$HACKLIB"
+ export NISCC_TEST="$TEST/resigned_server"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog09" 2>&1 &
+
+ unset NISCC_TEST
+ export LD_LIBRARY_PATH="$TESTLIB"
+ for START in `seq $START_AT $THREADS $STOP_AT`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog10" 2>&1
+ done
+
+ echo "starting tstclnt to shutdown resigned server selfserv process"
+ for i in `seq 5`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog10" 2>&1
+ done
+
+ unset LD_LIBRARY_PATH
+
+ sleep 1
+}
+
+################################################################################
+# Do resigned rootCA tests
+# Use an altered server against the client
+################################################################################
+ssl_resigned_rootca()
+{
+ echo "Testing SSL resigned rootCA testcases"
+ export CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client"
+ export SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server"
+ export PORT=8448
+ export START_AT=0
+ if [ "$SMALLSET" = "true" ]; then
+ export STOP_AT=9
+ else
+ export STOP_AT=99959
+ fi
+ export LD_LIBRARY_PATH="$HACKLIB"
+ export NISCC_TEST="$TEST/resigned_rootca"
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog11" 2>&1 &
+
+ unset NISCC_TEST
+ export LD_LIBRARY_PATH="$TESTLIB"
+ for START in `seq $START_AT $THREADS $STOP_AT`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog12" 2>&1
+ done
+
+ echo "starting tstclnt to shutdown resigned rootca selfserv process"
+ for i in `seq 5`; do
+ LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \
+ "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog12" 2>&1
+ done
+
+ unset LD_LIBRARY_PATH
+
+ sleep 1
+}
+
+################################################################################
+# Email the test logfile, and if core found, notify of failure
+################################################################################
+mail_testLog()
+{
+ pushd "$TEST_OUTPUT"
+
+ # remove mozilla nss build false positives and core stored in previous runs
+ find . -name "core*" -print | grep -v coreconf | grep -v core_watch | grep -v archive >> crashLog
+ export SIZE=`cat crashLog | wc -l`
+
+ [ "$USE_MAIL" = "false" ] && return
+
+ # mail text
+ MT=mailText
+ rm -f $MT
+
+ if [ "$SIZE" -ne 1 ]; then
+ echo "### FAILED ###" >> $MT
+ echo "### Exactly one crash is expected." >> $MT
+ echo "### Zero means: crash detection is broken, fix the script!" >> $MT
+ echo "### > 1 means: robustness test failure, fix the bug! (check the logs)" >> $MT
+ cat crashLog >> nisccLogSummary
+ SUBJ="FAILED: NISCC TESTS (check file: crashLog)"
+ else
+ echo ":) PASSED :)" >> $MT
+ SUBJ="PASSED: NISCC tests"
+ fi
+
+ echo "Date used during test run: $DATE" >> $MT
+
+ echo "Count of lines in files:" >> $MT
+ wc -l crashLog nisccBuildLog nisccBuildLogHack nisccLog[0-9]* p7m-* |grep -vw total >> $MT
+ NUM=`cat nisccLog0[123456789] nisccLog1[12] | egrep -ic "success/passed"`
+ echo "Number of times the SSL tests reported success/passed (low expected): $NUM" >> $MT
+ NUM=`cat nisccLog0[123456789] nisccLog1[12] | egrep -ic "problem|failed|error"`
+ echo "Number of times the SSL tests reported problem/failed/error (high expected): $NUM" >> $MT
+ NUM=`cat niscc_smime/p7m*results.txt | egrep -ic "success/passed"`
+ echo "Number of times the S/MIME tests reported success/passed (low expected): $NUM" >> $MT
+ NUM=`cat niscc_smime/p7m*results.txt | egrep -ic "problem|failed|error"`
+ echo "Number of times the S/MIME tests reported problem/failed/error (high expected): $NUM" >> $MT
+ echo "==== tail of nisccBuildLog ====" >> $MT
+ tail -20 nisccBuildLog >> $MT
+ echo "===============================" >> $MT
+ echo "==== tail of nisccBuildLogHack ====" >> $MT
+ tail -20 nisccBuildLogHack >> $MT
+ echo "===================================" >> $MT
+
+ #NUM=``
+ #echo "Number of : $NUM" >> $MT
+
+ cat $MT | $MAIL_COMMAND -s "$SUBJ" $QA_LIST
+
+ popd
+}
+
+################################################################################
+# Summarize all logs
+################################################################################
+log_summary()
+{
+ echo "Summarizing all logs"
+ # Move old logs
+ [ -f "$TEST_OUTPUT/nisccLogSummary" ] && mv nisccLogSummary nisccLogSummary.old
+ [ -f "$TEST_OUTPUT/crashLog" ] && mv crashLog crashLog.old
+
+ for a in $TEST_OUTPUT/nisccLog[0-9]*; do
+ echo ================================== "$a"
+ grep -v using "$a" | sort | uniq -c | sort -b -n +0 -1
+ done > $TEST_OUTPUT/nisccLogSummary
+
+ for a in $TEST_OUTPUT/niscc_smime/p7m-*-results.txt; do
+ echo ================================== "$a"
+ grep -v using "$a" | sort | uniq -c | sort -b -n +0 -1
+ done >> $TEST_OUTPUT/nisccLogSummary
+}
+
+################################################################################
+# Process core files
+################################################################################
+core_process()
+{
+ echo "Processing core files"
+ cd "$TEST_OUTPUT"
+
+ for CORE in `cat crashLog`; do
+ FILE=`file "$CORE" | sed "s/.* from '//" | sed "s/'.*//"`
+ BINARY=`strings "$CORE" | grep "^${FILE}" | tail -1`
+ gdb "$BINARY" "$CORE" << EOF_GDB > "$CORE.details"
+where
+quit
+EOF_GDB
+ done
+}
+
+################################################################################
+# Move the old log files to save them, delete extra log files
+################################################################################
+move_files()
+{
+ echo "Moving and deleting log files"
+ cd "$TEST_OUTPUT"
+
+ rm -rf TRASH
+ mkdir TRASH
+
+ if [ "$LOG_STORE" = "true" ]; then
+ BRANCH=`echo $LOCALDIST | sed "s:.*/\(security.*\)/builds/.*:\1:"`
+ if [ "$BRANCH" = "$LOCALDIST" ]; then
+ ARCHIVE="$TEST_OUTPUT/archive"
+ else
+ ARCHIVE="$TEST_OUTPUT/archive/$BRANCH"
+ fi
+
+ # Check for archive directory
+ if [ ! -d "$ARCHIVE" ]; then
+ mkdir -p "$ARCHIVE"
+ fi
+
+ # Determine next log storage point
+ slot=`ls -1 "$ARCHIVE" | grep $DATE | wc -l`
+ slot=`expr $slot + 1`
+ location="$ARCHIVE/$DATE.$slot"
+ mkdir -p "$location"
+
+ # Archive the logs
+ mv nisccBuildLog "$location" 2> /dev/null
+ mv nisccBuildLogHack "$location" 2> /dev/null
+ mv nisccLogSummary "$location"
+ mv nisccLog* "$location"
+ mv niscc_smime/p7m-ed-m-results.txt "$location"
+ mv niscc_smime/p7m-sd-dt-results.txt "$location"
+ mv niscc_smime/p7m-sd-op-results.txt "$location"
+
+ # Archive any core files produced
+ for core in `cat "$TEST_OUTPUT/crashLog"`; do
+ mv "$core" "$location"
+ mv "$core.details" "$location"
+ done
+ mv crashLog "$location"
+ else
+ # Logs not stored => summaries, crashlog and corefiles not moved, other logs deleted
+ mv nisccLog00 nisccLog01 nisccLog02 nisccLog03 nisccLog04 nisccLog05 nisccLog06 nisccLog07 nisccLog08 nisccLog09 nisccLog10 nisccLog11 nisccLog12 TRASH/
+ mv niscc_smime/p7m-ed-m-results.txt niscc_smime/p7m-sd-dt-results.txt niscc_smime/p7m-sd-op-results.txt TRASH/
+ fi
+ mv envDB sigDB niscc_smime niscc_ssl TRASH/
+ mv CA.p12 Client.p12 client_crt.p12 server_crt.p12 TRASH/
+ mv p7m-ed-m-files.txt p7m-sd-dt-files.txt p7m-sd-op-files.txt password-is-testtest1.txt detached.txt TRASH/
+ mv crashme.c crashme TRASH/
+}
+
+################################################################################
+# Main
+################################################################################
+process_args $*
+create_environment
+hg_pull
+build_NSS
+init
+niscc_smime
+niscc_ssl_init
+force_crash
+ssl_setup_dirs_simple
+ ssl_simple_client_auth
+ ssl_simple_server_auth
+ ssl_simple_rootca
+ssl_setup_dirs_resigned
+ ssl_resigned_client_auth
+ ssl_resigned_server_auth
+ ssl_resigned_rootca
+# no idea what these commented-out lines are supposed to be!
+#ssl_setup_dirs_update
+# ssl_update_server_auth der
+# ssl_update_client_auth der
+# ssl_update_server_auth resigned-der
+# ssl_update_client_auth resigned-der
+log_summary
+mail_testLog
+core_process
+move_files
+exit $SIZE
diff --git a/security/nss/tests/sdr/sdr.sh b/security/nss/tests/sdr/sdr.sh
new file mode 100755
index 000000000..f846e9247
--- /dev/null
+++ b/security/nss/tests/sdr/sdr.sh
@@ -0,0 +1,111 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/sdr/sdr.sh
+#
+# Script to start test basic functionallity of NSS sdr
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## sdr_init ################################
+# local shell function to initialize this script
+########################################################################
+sdr_init()
+{
+ SCRIPTNAME=sdr.sh
+ if [ -z "${CLEANUP}" ] ; then
+ CLEANUP="${SCRIPTNAME}"
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME=sdr.sh
+
+ #temporary files
+ VALUE1=$HOSTDIR/tests.v1.$$
+ VALUE2=$HOSTDIR/tests.v2.$$
+ VALUE3=$HOSTDIR/tests.v3.$$
+
+ T1="Test1"
+ T2="The quick brown fox jumped over the lazy dog"
+ T3="1234567"
+
+ SDRDIR=${HOSTDIR}/SDR
+ D_SDR="SDR.$version"
+ if [ ! -d ${SDRDIR} ]; then
+ mkdir -p ${SDRDIR}
+ fi
+
+ PROFILE=.
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ PROFILE="multiaccess:${D_SDR}"
+ fi
+
+ cd ${SDRDIR}
+ html_head "SDR Tests"
+}
+
+############################## sdr_main ################################
+# local shell function to test NSS SDR
+########################################################################
+sdr_main()
+{
+ echo "$SCRIPTNAME: Creating an SDR key/SDR Encrypt - Value 1"
+ echo "sdrtest -d ${PROFILE} -o ${VALUE1} -t \"${T1}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE1} -t "${T1}"
+ html_msg $? 0 "Creating SDR Key/Encrypt - Value 1"
+
+ echo "$SCRIPTNAME: SDR Encrypt - Value 2"
+ echo "sdrtest -d ${PROFILE} -o ${VALUE2} -t \"${T2}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE2} -t "${T2}"
+ html_msg $? 0 "Encrypt - Value 2"
+
+ echo "$SCRIPTNAME: SDR Encrypt - Value 3"
+ echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t \"${T3}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t "${T3}"
+ html_msg $? 0 "Encrypt - Value 3"
+
+ echo "$SCRIPTNAME: SDR Decrypt - Value 1"
+ echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t \"${T1}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t "${T1}"
+ html_msg $? 0 "Decrypt - Value 1"
+
+ echo "$SCRIPTNAME: SDR Decrypt - Value 2"
+ echo "sdrtest -d ${PROFILE} -i ${VALUE2} -t \"${T2}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE2} -t "${T2}"
+ html_msg $? 0 "Decrypt - Value 2"
+
+ echo "$SCRIPTNAME: SDR Decrypt - Value 3"
+ echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t \"${T3}\""
+ ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t "${T3}"
+ html_msg $? 0 "Decrypt - Value 3"
+}
+
+############################## sdr_cleanup #############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+sdr_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+sdr_init
+sdr_main
+sdr_cleanup
diff --git a/security/nss/tests/set_environment b/security/nss/tests/set_environment
new file mode 100644
index 000000000..5a3515cca
--- /dev/null
+++ b/security/nss/tests/set_environment
@@ -0,0 +1,234 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/set_environment
+#
+# sourced from the header if running from cron to get the full environment
+# to run nssqa - also used to unify all nssqa environments
+#
+# This is derived from the .cshrc file for the svbld account.
+#
+########################################################################
+
+if [ -z "$HOME" ]
+then
+ HOME=/u/svbld
+fi
+if [ -z "$QASCRIPT_DIR" ]
+then
+ QASCRIPT_DIR=`dirname $0`
+fi
+
+os_name=`uname -s`
+if [ "$os_name" != "Windows_95" -a \
+ "$os_name" != "Windows_NT" -a \
+ "$os_name" != "WINNT" -a \
+ "$os_name" != "Windows" -a \
+ "$os_name" != "Windows_98" -a \
+ "$os_name" != "CYGWIN_NT-4.0" -a \
+ "$os_name" != "CYGWIN_NT-5.0" -a \
+ "$os_name" != "CYGWIN_95-4.0" -a \
+ "$os_name" != "CYGWIN_98-4.10" ]
+then
+ PATH=.:$HOME/bin:/tools/ns/bin:/bin:/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/dist/local/exe:/usr/bin/X11:/usr/audio/bin:/u/sonmi/bin:$PATH
+ JAVA_HOME="D:/i386/jdk1.2.2"
+ JAVA_HOME14="R:/jdk/1.4.0/WINNT"
+fi
+
+CVSROOT=:pserver:svbld@redcvs.red.iplanet.com:/m/src
+
+os_name=`uname -s`
+os_version=`uname -r`
+#os_p=`uname -p`
+os_full=""
+
+if [ -f /u/svbld/bin/nsarch ]
+then
+ os_full=`/u/svbld/bin/nsarch -f` #FIXME
+fi
+
+MANPATH=/usr/share/man:/usr/openwin/man:/usr/local/man
+
+RMAIL=rmail
+BEFORE_CONTEXT_GREP=""
+AFTER_CONTEXT_GREP=""
+
+export CVSROOT HOME os_name os_version os_full MANPATH
+
+
+if [ "$os_name" = "HP-UX" ]
+then
+ PATH=$PATH:/usr/local/bin:/opt/aCC/bin:/usr/local/bin/audio:/tools/ns/bin:/etc:/usr/contrib/bin:/usr/contrib/bin/X11:/usr/local/hpux/bin:/nfs/iapp1/hphome/bin:/etc:/u/svbld/bin/HP/perl/bin
+ JAVA_HOME="/share/builds/components/cms_jdk/HP-UX/1.2.2.04"
+ JAVA_HOME14=$JAVA_HOME
+# JAVA_HOME="/share/builds/components/cms_jdk/HP-UX/1.3.0.00"
+elif [ "$os_name" = "SunOS" ]
+then
+ NATIVE_FLAG="-native"
+ XAPPLRESDIR=/usr/openwin/lib/app-defaults:/usr/local/lib/X11/app-defaults
+ OPENWINHOME=/usr/openwin
+ LD_LIBRARY_PATH=$OPENWINHOME/lib
+ if [ "$os_full" = "SOLARISx86 2.8" -o "$os_full" = "SOLARISx86 2.9" ]
+ then
+ #PATH=/usr/ucb:/opt/usr/local/bin:$PATH
+ JAVA_HOME="/usr/java1.2"
+ JAVA_HOME14=/share/builds/components/jdk/1.4.0/SunOS_x86
+ PATH=".:/usr/dist/share/forte_dev_i386,v6.2/SUNWspro/bin:/opt/usr/local/perl5/bin:/opt/SUNWspro/bin:/opt/usr/local/bin:/bin:/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/dist/local/exe:/usr/ccs/bin:/usr/ucb/bin:/usr/ucb:/opt/SUNWwabi/bin:/usr/local/bin:/tools/ns/bin:/etc:/tools/contrib/bin"
+ else
+ PATH=/usr/ucb:$PATH
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/SunOS"
+ JAVA_HOME14=/share/builds/components/jdk/1.4.0/SunOS64
+ PATH=/tools/ns/bin:$PATH:/opt/SUNWspro/bin:/usr/bin/X11:/usr/openwin/bin:/usr/openwin/demo
+
+ if [ "$os_version" = "5.8" -o "$os_version" = "5.7" -o \
+ "$os_version" = "5.9" ]
+ then
+ PATH=$PATH:/usr/dist/pkgs/forte_dev,v6.2/SUNWspro/bin:/tools/ns/workshop/bin
+ else
+ PATH=$PATH:/usr/dist/share/devpro,v5.0/5.x-sparc/bin:/tools/ns/workshop/bin
+ fi
+ PATH=$PATH:/usr/ccs/bin:/usr/ucb/bin:/opt/SUNWwabi/bin:/usr/local/bin:/tools/ns/bin:/etc:/tools/contrib/bin
+ fi
+ export XAPPLRESDIR OPENWINHOME LD_LIBRARY_PATH
+
+elif [ "$os_name" = "IRIX" ]
+then
+ PATH=$PATH:/tools/ns/bin:/usr/local/bin:/etc:/usr/bsd
+ MANPATH=/tools/ns/man:/usr/local/man
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/IRIX"
+ JAVA_HOME14=$JAVA_HOME
+elif [ "$os_name" = "IRIX64" ]
+then
+ PATH=$PATH:/tools/ns/bin:/usr/local/bin:/etc:/usr/bsd
+ MANPATH=/tools/ns/man:/usr/local/man
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/IRIX"
+ JAVA_HOME14=$JAVA_HOME
+elif [ "$os_name" = "Linux" ]
+then
+ PATH=/lib:/usr/lib:/bin:/sbin:/usr/bin:/usr/sbin:$PATH
+ RMAIL=sendmail
+ #the gnu grep, on Linux can output 10 lines above and 3 lines below
+ #the errormessage
+ BEFORE_CONTEXT_GREP="--before-context=10"
+ AFTER_CONTEXT_GREP="--after-context=3"
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/Linux"
+ JAVA_HOME14=/share/builds/components/jdk/1.4.0/Linux
+elif [ "$os_name" = "AIX" ]
+then
+ PATH=$PATH:/tools/contrib/bin:/usr/local/bin
+ TERM=vt100
+ export TERM
+ JAVA_HOME="/share/builds/components/cms_jdk/AIX/1.3.0"
+ JAVA_HOME14=$JAVA_HOME
+elif [ "$os_name" = "OSF1" ]
+then
+ PATH=$PATH:/usr/local/bin
+ JAVA_HOME="/share/builds/components/jdk/1.2.2/OSF1"
+ JAVA_HOME14=$JAVA_HOME
+fi
+
+if [ "$os_name" = "IRIX" ]
+then
+ PATH=/tools/ns-arch/soft/perl-5.004_04/run/default/mips_sgi_irix5.3/bin:$PATH
+elif [ "$os_name" = "IRIX64" ]
+then
+ PATH=/tools/ns-arch/soft/perl-5.004_04/run/default/mips_sgi_irix5.3/bin:$PATH
+fi
+
+O_CYGNUS=OFF
+O_MKS=OFF
+O_WIN=OFF
+
+if [ "$os_name" = "CYGWIN_NT-4.0" -o \
+ "$os_name" = "CYGWIN_NT-5.0" -o \
+ "$os_name" = "CYGWIN_95-4.0" -o \
+ "$os_name" = "CYGWIN_98-4.10" ]
+then
+ #FIXME net use, mount the neccessary pnetwork drives and partitiones first
+ #FIXME - take MKS out of the PATH
+ os_full=$os_name
+ os_name="Windows"
+ O_CYGNUS=ON
+ O_WIN=ON
+ PATH="`dirname $0`:.:/cygdrive/c/cygwin/bin:/cygdrive/z/nstools/bin:/cygdrive/z/nstools/perl5:/cygdrive/z/bin:/cygdrive/c/WINNT/System32:/cygdrive/c/WINNT"
+ RM=/cygdrive/c/cygwin/bin/rm.exe #FIXME - in case we cant cporrect
+ #these with the PATH alone
+ PATH=`perl $QASCRIPT_DIR/path_uniq "$PATH"`
+ RSH=/cygdrive/c/winnt/system32/rsh
+elif [ "$os_name" = "Windows_95" -o \
+ "$os_name" = "Windows_NT" -o \
+ "$os_name" = "WINNT" -o \
+ "$os_name" = "Windows" -o \
+ "$os_name" = "Windows_98" ]
+then
+ #FIXME net use, mount the neccessary pnetwork drives and partitiones first
+ PATH=`echo $SHELL | sed -e "s/.[kK][sS][Hh].[Ee][Xx][Ee]//g" \
+ -e "s/.[sS][Hh].[Ee][Xx][Ee]//g"`
+ MOZTOOLS_IN_PATH=NO
+ if [ -n "$MOZ_TOOLS" -a -d "$MOZ_TOOLS" ] ; then
+ MOZ_TOOLS=`ls -d "$MOZ_TOOLS" | sed -e 's/\\\/\//g'`
+ #echo "MOZ_TOOLS reformated to $MOZ_TOOLS"
+ if [ -d "$MOZ_TOOLS" ] ; then #still exist after reformating?
+ MOZTOOLS_IN_PATH=OK
+ fi
+ fi
+ if [ -n "$MOZTOOLS_IN_PATH" -a "$MOZTOOLS_IN_PATH" = "OK" ] ; then
+ #echo "Use MOZTOOLS in PATH"
+ PATH="$MOZ_TOOLS/bin;$MOZ_TOOLS/perl5;$PATH"
+ elif [ -d Z:/nstools/bin ] ; then
+ PATH="Z:/nstools/bin;Z:/nstools/perl5;$PATH"
+ elif [ -d C:/nstools/bin ] ; then
+ PATH="C:/nstools/bin;C:/nstools/perl5;$PATH"
+ elif [ -d D:/nstools/bin ] ; then
+ PATH="D:/nstools/bin;D:/nstools/perl5;$PATH"
+ elif [ -d D:/i386/nstools/bin ] ; then
+ PATH="D:/i386/nstools/bin;D:/i386/nstools/perl5;$PATH"
+ else
+ echo "FATAL: Can't find nstools"
+ exit
+ fi
+
+ if [ "$os_name" = "Windows_NT" -o \
+ "$os_name" = "WINNT" ]
+ then
+ PATH="${PATH};C:/WINNT/System32;C:/WINNT;.;"
+ fi
+ PATH="`dirname $0`;$PATH"
+
+ PATH=`perl $QASCRIPT_DIR/path_uniq -d ';' "$PATH"`
+ echo $PATH
+ os_full=$os_name
+ os_name="Windows"
+ O_MKS=ON
+ O_WIN=ON
+ if [ -z $RSH ] ; then
+ RSH=c:/winnt/system32/rsh
+ fi
+
+else
+ EDITOR=vi
+ EMACSLOADPATH=/u/svbld/emacs
+ PYTHONPATH=.:/tools/ns/lib/python1.4
+ PAGER=less
+ XMCD_LIBDIR=/usr/local/lib/xmcd
+ DISPLAY=:0.0
+ PATH=`perl $QASCRIPT_DIR/path_uniq "$PATH"`
+ RSH=rsh
+fi
+
+BASEPATH=$PATH # in case we we set and reset DIST directories the PATH
+ # needs to change accordingly
+export PATH EDITOR EMACSLOADPATH PYTHONPATH PAGER XMCD_LIBDIR DISPLAY MANPATH os_full os_name BASEPATH RSH O_WIN
+
+umask 022
+
+system=`uname -n` # name of this system.
+
+JAVAC=$JAVA_HOME/bin/javac
+JAVA=$JAVA_HOME/bin/java
+JAVAC14=$JAVA_HOME14/bin/javac
+JAVA14=$JAVA_HOME14/bin/java
+#JAVA=$JAVA_HOME/jre/bin/java
+export JAVAC JAVA JAVA_HOME JAVAC14 JAVA_HOME14 JAVA14
+
diff --git a/security/nss/tests/smime/alice.txt b/security/nss/tests/smime/alice.txt
new file mode 100644
index 000000000..0378db464
--- /dev/null
+++ b/security/nss/tests/smime/alice.txt
@@ -0,0 +1,6 @@
+Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT)
+From: alice@bogus.com
+Subject: message Alice --> Bob
+To: bob@bogus.com
+
+This is a test message from Alice to Bob.
diff --git a/security/nss/tests/smime/bob.txt b/security/nss/tests/smime/bob.txt
new file mode 100644
index 000000000..330b2c94d
--- /dev/null
+++ b/security/nss/tests/smime/bob.txt
@@ -0,0 +1,6 @@
+Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT)
+From: bob@bogus.com
+Subject: message Bob --> Alice
+To: alice@bogus.com
+
+This is a test message from Bob to Alice.
diff --git a/security/nss/tests/smime/smime.sh b/security/nss/tests/smime/smime.sh
new file mode 100755
index 000000000..2360100de
--- /dev/null
+++ b/security/nss/tests/smime/smime.sh
@@ -0,0 +1,259 @@
+#! /bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/smime/smime.sh
+#
+# Script to test NSS smime
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## smime_init ##############################
+# local shell function to initialize this script
+########################################################################
+smime_init()
+{
+ SCRIPTNAME=smime.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=smime.sh
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ html_head "S/MIME Tests with ECC"
+ else
+ html_head "S/MIME Tests"
+ fi
+
+ grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+ Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
+ }
+
+ SMIMEDIR=${HOSTDIR}/smime
+ R_SMIMEDIR=../smime
+ mkdir -p ${SMIMEDIR}
+ cd ${SMIMEDIR}
+ cp ${QADIR}/smime/alice.txt ${SMIMEDIR}
+}
+
+smime_sign()
+{
+ HASH_CMD="-H ${HASH}"
+ SIG=sig.${HASH}
+
+ echo "$SCRIPTNAME: Signing Detached Message {$HASH} ------------------"
+ echo "cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}
+ html_msg $? 0 "Create Detached Signature Alice (${HASH})" "."
+
+ echo "cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
+ html_msg $? 0 "Verifying Alice's Detached Signature (${HASH})" "."
+
+ echo "$SCRIPTNAME: Signing Attached Message (${HASH}) ------------------"
+ echo "cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}
+ html_msg $? 0 "Create Attached Signature Alice (${HASH})" "."
+
+ echo "cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}
+ html_msg $? 0 "Decode Alice's Attached Signature (${HASH})" "."
+
+ echo "diff alice.txt alice.data.${HASH}"
+ diff alice.txt alice.data.${HASH}
+ html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "."
+
+# Test ECDSA signing for all hash algorithms.
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
+ echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
+ html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
+
+ echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
+ html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
+
+ echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
+ echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
+ html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
+
+ echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
+ html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
+
+ echo "diff alice.txt alice-ec.data.${HASH}"
+ diff alice.txt alice-ec.data.${HASH}
+ html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
+ fi
+
+}
+
+
+
+smime_p7()
+{
+ echo "$SCRIPTNAME: p7 util Data Tests ------------------------------"
+ echo "p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice_p7.env"
+ ${PROFTOOL} ${BINDIR}/p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice.env
+ html_msg $? 0 "Creating envelope for user Alice" "."
+
+ echo "p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data"
+ ${PROFTOOL} ${BINDIR}/p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data -p nss
+ html_msg $? 0 "Verifying file delivered to user Alice" "."
+
+ sed -e '3,8p' -n alice_p7.data > alice_p7.data.sed
+
+ echo "diff alice.txt alice_p7.data.sed"
+ diff alice.txt alice_p7.data.sed
+ html_msg $? 0 "Compare Decoded Enveloped Data and Original" "."
+
+ echo "p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e"
+ ${PROFTOOL} ${BINDIR}/p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e
+ html_msg $? 0 "Signing file for user Alice" "."
+
+ echo "p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig"
+ ${PROFTOOL} ${BINDIR}/p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig
+ html_msg $? 0 "Verifying file delivered to user Alice" "."
+}
+
+############################## smime_main ##############################
+# local shell function to test basic signed and enveloped messages
+# from 1 --> 2"
+########################################################################
+smime_main()
+{
+
+ HASH=SHA1
+ smime_sign
+ HASH=SHA256
+ smime_sign
+ HASH=SHA384
+ smime_sign
+ HASH=SHA512
+ smime_sign
+
+ echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------"
+ echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
+ echo " -o alice.env"
+ ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
+ html_msg $? 0 "Create Enveloped Data Alice" "."
+
+ echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1
+ html_msg $? 0 "Decode Enveloped Data Alice" "."
+
+ echo "diff alice.txt alice.data1"
+ diff alice.txt alice.data1
+ html_msg $? 0 "Compare Decoded Enveloped Data and Original" "."
+
+ # multiple recip
+ echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
+ echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
+ echo " -r bob@bogus.com,dave@bogus.com"
+ ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
+ -r bob@bogus.com,dave@bogus.com
+ ret=$?
+ html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "."
+ if [ $ret != 0 ] ; then
+ echo "certutil -L -d ${P_R_ALICEDIR}"
+ ${BINDIR}/certutil -L -d ${P_R_ALICEDIR}
+ echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com"
+ ${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com
+ fi
+
+ echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
+ echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
+ echo " -r eve@bogus.net"
+ ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
+ -r eve@bogus.net
+ ret=$?
+ html_msg $ret 0 "Encrypt to a Multiple Email cert" "."
+
+ echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2
+ html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "."
+
+ echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3
+ html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Dave" "."
+
+ echo "cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4
+ html_msg $? 0 "Decrypt with a Multiple Email cert" "."
+
+ diff alice.txt alice.data2
+ html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Bob" "."
+
+ diff alice.txt alice.data3
+ html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Dave" "."
+
+ diff alice.txt alice.data4
+ html_msg $? 0 "Compare Decoded with Multiple Email cert" "."
+
+ echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------"
+ echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\"
+ echo " -d ${P_R_ALICEDIR} > co.der"
+ ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der
+ html_msg $? 0 "Create Certs-Only Alice" "."
+
+ echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i co.der -d ${P_R_BOBDIR}
+ html_msg $? 0 "Verify Certs-Only by CA" "."
+
+ echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------"
+ echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\"
+ echo " -r \"bob@bogus.com\" > alice.enc"
+ ${PROFTOOL} ${BINDIR}/cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \
+ -r "bob@bogus.com" > alice.enc
+ html_msg $? 0 "Create Encrypted-Data" "."
+
+ echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\"
+ echo " -o alice.data2"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2
+ html_msg $? 0 "Decode Encrypted-Data" "."
+
+ diff alice.txt alice.data2
+ html_msg $? 0 "Compare Decoded and Original Data" "."
+}
+
+############################## smime_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+smime_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+smime_init
+smime_main
+smime_p7
+smime_cleanup
+
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
new file mode 100755
index 000000000..b34c9c097
--- /dev/null
+++ b/security/nss/tests/ssl/ssl.sh
@@ -0,0 +1,1199 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/ssl/ssl.sh
+#
+# Script to test NSS SSL
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_init ################################
+# local shell function to initialize this script
+########################################################################
+ssl_init()
+{
+ SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ -z "${IOPR_SSL_SOURCED}" ]; then
+ . ../iopr/ssl_iopr.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=ssl.sh
+ echo "$SCRIPTNAME: SSL tests ==============================="
+
+ grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
+ html_head "SSL Test failure"
+ Exit 8 "Fatal - cert.sh needs to pass first"
+ }
+
+ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+ grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
+ html_head "SSL Test failure"
+ Exit 8 "Fatal - SSL of cert.sh needs to pass first"
+ }
+ fi
+
+ PORT=${PORT-8443}
+ NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
+ nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
+ NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
+
+ # Test case files
+ SSLCOV=${QADIR}/ssl/sslcov.txt
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+ #temparary files
+ SERVEROUTFILE=${TMP}/tests_server.$$
+ SERVERPID=${TMP}/tests_pid.$$
+
+ R_SERVERPID=../tests_pid.$$
+
+ TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"
+
+ fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
+ #fileout=1
+ #verbose="-v" #FIXME - see where this is usefull
+
+ USER_NICKNAME=TestUser
+ NORM_EXT=""
+
+ EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D"
+ EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027"
+ EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA"
+
+ NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B"
+ NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz"
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ ECC_STRING=" - with ECC"
+ # List of cipher suites to test, including ECC cipher suites.
+ CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
+ else
+ ECC_STRING=""
+ # List of cipher suites to test, excluding ECC cipher suites.
+ CIPHER_SUITES="-c ${NON_EC_SUITES}"
+ fi
+
+ if [ "${OS_ARCH}" != "WINNT" ]; then
+ ulimit -n 1000 # make sure we have enough file descriptors
+ fi
+
+ cd ${CLIENTDIR}
+}
+
+########################### is_selfserv_alive ##########################
+# local shell function to exit with a fatal error if selfserver is not
+# running
+########################################################################
+is_selfserv_alive()
+{
+ if [ ! -f "${SERVERPID}" ]; then
+ echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
+ sleep 5
+ if [ ! -f "${SERVERPID}" ]; then
+ Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
+ fi
+ fi
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+
+ echo "selfserv with PID ${PID} found at `date`"
+}
+
+########################### wait_for_selfserv ##########################
+# local shell function to wait until selfserver is running and initialized
+########################################################################
+wait_for_selfserv()
+{
+ #verbose="-v"
+ echo "trying to connect to selfserv at `date`"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
+ sleep 5
+ echo "retrying to connect to selfserv at `date`"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
+ html_failed "Waiting for Server"
+ fi
+ fi
+ is_selfserv_alive
+}
+
+########################### kill_selfserv ##############################
+# local shell function to kill the selfserver after the tests are done
+########################################################################
+kill_selfserv()
+{
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "trying to kill selfserv with PID ${PID} at `date`"
+
+ if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
+ echo "${KILL} ${PID}"
+ ${KILL} ${PID}
+ else
+ echo "${KILL} -USR1 ${PID}"
+ ${KILL} -USR1 ${PID}
+ fi
+ wait ${PID}
+ if [ ${fileout} -eq 1 ]; then
+ cat ${SERVEROUTFILE}
+ fi
+
+ # On Linux selfserv needs up to 30 seconds to fully die and free
+ # the port. Wait until the port is free. (Bug 129701)
+ if [ "${OS_ARCH}" = "Linux" ]; then
+ echo "selfserv -b -p ${PORT} 2>/dev/null;"
+ until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
+ echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
+ sleep 1
+ done
+ fi
+
+ echo "selfserv with PID ${PID} killed at `date`"
+
+ rm ${SERVERPID}
+ html_detect_core "kill_selfserv core detection step"
+}
+
+########################### start_selfserv #############################
+# local shell function to start the selfserver with the parameters required
+# for this test and log information (parameters, start time)
+# also: wait until the server is up and running
+########################################################################
+start_selfserv()
+{
+ if [ -n "$testname" ] ; then
+ echo "$SCRIPTNAME: $testname ----"
+ fi
+ sparam=`echo $sparam | sed -e 's;_; ;g'`
+ if [ -z "$NSS_DISABLE_ECC" ] && \
+ [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
+ ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
+ else
+ ECC_OPTIONS=""
+ fi
+ echo "selfserv starting at `date`"
+ echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
+ echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
+ echo " -V ssl3:tls1.2 $verbose -H 1 &"
+ if [ ${fileout} -eq 1 ]; then
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
+ > ${SERVEROUTFILE} 2>&1 &
+ RET=$?
+ else
+ ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
+ RET=$?
+ fi
+
+ # The PID $! returned by the MKS or Cygwin shell is not the PID of
+ # the real background process, but rather the PID of a helper
+ # process (sh.exe). MKS's kill command has a bug: invoking kill
+ # on the helper process does not terminate the real background
+ # process. Our workaround has been to have selfserv save its PID
+ # in the ${SERVERPID} file and "kill" that PID instead. But this
+ # doesn't work under Cygwin; its kill command doesn't recognize
+ # the PID of the real background process, but it does work on the
+ # PID of the helper process. So we save the value of $! in the
+ # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
+ # file under Cygwin. (In fact, this should work in any shell
+ # other than the MKS shell.)
+ SHELL_SERVERPID=$!
+ wait_for_selfserv
+
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "selfserv with PID ${PID} started at `date`"
+}
+
+############################## ssl_cov #################################
+# local shell function to perform SSL Cipher Coverage tests
+########################################################################
+ssl_cov()
+{
+ #verbose="-v"
+ html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ testname=""
+ sparam="$CIPHER_SUITES"
+
+ start_selfserv # Launch the server
+
+ VMIN="ssl3"
+ VMAX="tls1.1"
+
+ exec < ${SSLCOV}
+ while read ectype testmax param testname
+ do
+ echo "${testname}" | grep "EXPORT" > /dev/null
+ EXP=$?
+
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
+ fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ html_msg $ret 0 "${testname}" \
+ "produced a returncode of $ret, expected is 0"
+ fi
+ done
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+############################## ssl_auth ################################
+# local shell function to perform SSL Client Authentication tests
+########################################################################
+ssl_auth()
+{
+ #verbose="-v"
+ html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ exec < ${SSLAUTH}
+ while read ectype value sparam cparam testname
+ do
+ [ -z "$ectype" ] && continue
+ echo "${testname}" | grep "don't require client auth" > /dev/null
+ CAUTH=$?
+
+ if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ if [ "$ectype" = "SNI" ]; then
+ cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ fi
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ #workaround for bug #402058
+ [ $ret -ne 0 ] && ret=1
+ [ $value -ne 0 ] && value=1
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+ssl_stapling_sub()
+{
+ #verbose="-v"
+ testname=$1
+ SO=$2
+ value=$3
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
+ fi
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+ SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+ P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+ echo "${testname}"
+
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ # hopefully no workaround for bug #402058 needed here?
+ # (see commands in ssl_auth
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+
+ SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+ P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+ssl_stapling_stress()
+{
+ testname="Stress OCSP stapling, server uses random status"
+ SO="-A TestCA -T random"
+ value=0
+
+ if [ "$NORM_EXT" = "Extended Test" ] ; then
+ # these tests use the ext_client directory for tstclnt,
+ # which doesn't contain the required "TestCA" for server cert
+ # verification, I don't know if it would be OK to add it...
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ return 0
+ fi
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
+ SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}"
+
+ SAVE_P_R_SERVERDIR=${P_R_SERVERDIR}
+ P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/
+
+ echo "${testname}"
+ start_selfserv
+
+ echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\"
+ echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}"
+ echo "strsclnt started at `date`"
+ ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
+ -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
+ ret=$?
+
+ echo "strsclnt completed at `date`"
+ html_msg $ret $value \
+ "${testname}" \
+ "produced a returncode of $ret, expected is $value."
+ kill_selfserv
+
+ SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
+ P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
+}
+
+############################ ssl_stapling ##############################
+# local shell function to perform SSL Cert Status (OCSP Stapling) tests
+########################################################################
+ssl_stapling()
+{
+ html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ # tstclnt Exit code:
+ # 0: have fresh and valid revocation data, status good
+ # 1: cert failed to verify, prior to revocation checking
+ # 2: missing, old or invalid revocation data
+ # 3: have fresh and valid revocation data, status revoked
+
+ # selfserv modes
+ # good, revoked, unkown: Include locally signed response. Requires: -A
+ # failure: Include OCSP failure status, such as "try later" (unsigned)
+ # badsig: use a good status but with an invalid signature
+ # corrupted: stapled cert status is an invalid block of data
+
+ ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0
+ ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3
+ ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2
+ ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2
+ ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2
+ ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2
+ ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2
+
+ ssl_stapling_stress
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_signed_cert_timestamps #################
+# local shell function to perform SSL Signed Certificate Timestamp tests
+#########################################################################
+ssl_signed_cert_timestamps()
+{
+ #verbose="-v"
+ html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ testname="ssl_signed_cert_timestamps"
+ value=0
+
+ if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ return 0
+ fi
+
+ echo "${testname}"
+
+ start_selfserv
+
+ # Since we don't have server-side support, this test only covers advertising the
+ # extension in the client hello.
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+ echo " -U -V tls1.0:tls1.2 < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+ -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ html_msg $ret $value "${testname}" \
+ "produced a returncode of $ret, expected is $value"
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+
+
+############################## ssl_stress ##############################
+# local shell function to perform SSL stress test
+########################################################################
+ssl_stress()
+{
+ html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ exec < ${SSLSTRESS}
+ while read ectype value sparam cparam testname
+ do
+ if [ -z "$ectype" ]; then
+ # silently ignore blank lines
+ continue
+ fi
+
+ echo "${testname}" | grep "client auth" > /dev/null
+ CAUTH=$?
+
+ if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
+ echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
+ elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ if [ "$ectype" = "SNI" ]; then
+ cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
+ fi
+
+ start_selfserv
+
+ if [ "`uname -n`" = "sjsu" ] ; then
+ echo "debugging disapering selfserv... ps -ef | grep selfserv"
+ ps -ef | grep selfserv
+ fi
+
+ echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
+ echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}"
+ echo "strsclnt started at `date`"
+ ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
+ -V ssl3:tls1.2 $verbose ${HOSTADDR}
+ ret=$?
+ echo "strsclnt completed at `date`"
+ html_msg $ret $value \
+ "${testname}" \
+ "produced a returncode of $ret, expected is $value. "
+ if [ "`uname -n`" = "sjsu" ] ; then
+ echo "debugging disapering selfserv... ps -ef | grep selfserv"
+ ps -ef | grep selfserv
+ fi
+ kill_selfserv
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_crl_ssl ###############################
+# local shell function to perform SSL test with/out revoked certs tests
+########################################################################
+ssl_crl_ssl()
+{
+ #verbose="-v"
+ html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+
+ # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
+ # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
+ CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
+ CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
+ UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
+
+ exec < ${SSLAUTH}
+ while read ectype value sparam cparam testname
+ do
+ [ "$ectype" = "" ] && continue
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "$ectype" = "SNI" ]; then
+ continue
+ elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
+ servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+ pwd=`echo $cparam | grep nss`
+ user=`echo $cparam | grep TestUser`
+ _cparam=$cparam
+ case $servarg in
+ 1) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=254
+ fi
+ ;;
+ 2) rev_modvalue=254 ;;
+ 3) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ 4) rev_modvalue=1 ;;
+ esac
+ TEMP_NUM=0
+ while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
+ do
+ CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
+ TEMP_NUM=`expr $TEMP_NUM + 1`
+ USER_NICKNAME="TestUser${CURR_SER_NUM}"
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+ start_selfserv
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ testAddMsg="not revoked"
+ modvalue=$value
+ fi
+
+ html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ kill_selfserv
+ done
+ fi
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################## ssl_cov #################################
+# local shell function to perform SSL Policy tests
+########################################################################
+ssl_policy()
+{
+ #verbose="-v"
+ html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+ testname=""
+ sparam="$CIPHER_SUITES"
+
+ if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
+ return;
+ fi
+
+ echo "Saving pkcs11.txt"
+ cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
+
+ start_selfserv # Launch the server
+
+ VMIN="ssl3"
+ VMAX="tls1.2"
+
+ exec < ${SSLPOLICY}
+ while read value ectype testmax param policy testname
+ do
+ VMIN="ssl3"
+
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "`echo $value | cut -b 1`" != "#" ] ; then
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ VMAX="ssl3"
+ if [ "$testmax" = "TLS10" ]; then
+ VMAX="tls1.0"
+ fi
+ if [ "$testmax" = "TLS11" ]; then
+ VMAX="tls1.1"
+ fi
+ if [ "$testmax" = "TLS12" ]; then
+ VMAX="tls1.2"
+ fi
+
+ # load the policy
+ policy=`echo ${policy} | sed -e 's;_; ;g'`
+
+ cat > ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+++EOF++
+ echo "config=${policy}" >> ${P_R_CLIENTDIR}/pkcs11.txt
+ echo "" >> ${P_R_CLIENTDIR}/pkcs11.txt
+ echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> ${P_R_CLIENTDIR}/pkcs11.txt >> ${P_R_CLIENTDIR}/pkcs11.txt
+ cat >> ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++
+name=RootCerts
+NSS=trustOrder=100
+++EOF++
+
+ echo "******************************Testing with: "
+ cat ${P_R_CLIENTDIR}/pkcs11.txt
+ echo "******************************"
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+ echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+ -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+ #workaround for bug #402058
+ [ $ret -ne 0 ] && ret=1
+ [ ${value} -ne 0 ] && value=1
+
+ html_msg $ret ${value} "${testname}" \
+ "produced a returncode of $ret, expected is ${value}"
+ fi
+ done
+ cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt
+
+ kill_selfserv
+ html "</TABLE><BR>"
+}
+############################# is_revoked ###############################
+# local shell function to check if certificate is revoked
+########################################################################
+is_revoked() {
+ certNum=$1
+ currLoadedGrp=$2
+
+ found=0
+ ownerGrp=1
+ while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
+ do
+ currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
+ currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
+ currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
+ if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
+ found=1
+ else
+ ownerGrp=`expr $ownerGrp + 1`
+ fi
+ done
+ if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
+ return 1
+ fi
+ if [ $found -eq 0 ]; then
+ return 1
+ fi
+ unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
+ if [ $certNum -eq $unrevokedGrpCert ]; then
+ return 1
+ fi
+ return 0
+}
+
+########################### load_group_crl #############################
+# local shell function to load CRL
+########################################################################
+load_group_crl() {
+ #verbose="-v"
+ group=$1
+ ectype=$2
+
+ OUTFILE_TMP=${TMP}/$HOST.tmp.$$
+ grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
+ grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
+ grpEnd=`expr $grpBegin + $grpRange - 1`
+
+ if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
+ ret=1
+ return 1;
+ fi
+
+ # Add -ec suffix for ECC
+ if [ "$ectype" = "ECC" ] ; then
+ ecsuffix="-ec"
+ eccomment="ECC "
+ else
+ ecsuffix=""
+ eccomment=""
+ fi
+
+ if [ "$RELOAD_CRL" != "" ]; then
+ if [ $group -eq 1 ]; then
+ echo "==================== Resetting to group 1 crl ==================="
+ kill_selfserv
+ start_selfserv
+ is_selfserv_alive
+ fi
+ echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
+
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
+ echo "Request:"
+ echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
+ echo ""
+ echo "RELOAD time $i"
+
+ REQF=${R_CLIENTDIR}.crlreq
+ cat > ${REQF} <<_EOF_REQUEST_
+GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
+
+_EOF_REQUEST_
+
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \
+ -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
+ >${OUTFILE_TMP} 2>&1 < ${REQF}
+
+ cat ${OUTFILE_TMP}
+ grep "CRL ReCache Error" ${OUTFILE_TMP}
+ if [ $? -eq 0 ]; then
+ ret=1
+ return 1
+ fi
+ else
+ echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
+
+ kill_selfserv
+ CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
+ crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
+ -p ../tests.pw.928
+ ret=$?
+ if [ "$ret" -eq 0 ]; then
+ html_passed "${CU_ACTION}"
+ return 1
+ fi
+ start_selfserv
+ fi
+ is_selfserv_alive
+ ret=$?
+ echo "================= CRL Reloaded ============="
+}
+
+
+########################### ssl_crl_cache ##############################
+# local shell function to perform SSL test for crl cache functionality
+# with/out revoked certs
+########################################################################
+ssl_crl_cache()
+{
+ #verbose="-v"
+ html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ SERV_ARG=-r_-r
+ rm -f ${SSLAUTH_TMP}
+ echo ${SSLAUTH_TMP}
+
+ grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
+ echo $?
+ while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
+ do
+ sparam=$SERV_ARG
+ start_selfserv
+ exec < ${SSLAUTH_TMP}
+ while read ectype value sparam cparam testname
+ do
+ [ "$ectype" = "" ] && continue
+ if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ elif [ "$ectype" = "SNI" ]; then
+ continue
+ else
+ servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+ pwd=`echo $cparam | grep nss`
+ user=`echo $cparam | grep TestUser`
+ _cparam=$cparam
+ case $servarg in
+ 1) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=254
+ fi
+ ;;
+ 2) rev_modvalue=254 ;;
+
+ 3) if [ -z "$pwd" -o -z "$user" ]; then
+ rev_modvalue=0
+ else
+ rev_modvalue=1
+ fi
+ ;;
+ 4) rev_modvalue=1 ;;
+ esac
+ TEMP_NUM=0
+ LOADED_GRP=1
+ while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
+ do
+ while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
+ do
+ CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
+ TEMP_NUM=`expr $TEMP_NUM + 1`
+ USER_NICKNAME="TestUser${CURR_SER_NUM}"
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+
+ echo "Server Args: $SERV_ARG"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+ echo " ${cparam} < ${REQUEST_FILE}"
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+ -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+ >${TMP}/$HOST.tmp.$$ 2>&1
+ ret=$?
+ cat ${TMP}/$HOST.tmp.$$
+ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+ is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
+ isRevoked=$?
+ if [ $isRevoked -eq 0 ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ modvalue=$value
+ testAddMsg="not revoked"
+ fi
+
+ is_selfserv_alive
+ ss_status=$?
+ if [ "$ss_status" -ne 0 ]; then
+ html_msg $ret $modvalue \
+ "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue. " \
+ "selfserv is not alive!"
+ else
+ html_msg $ret $modvalue \
+ "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ fi
+ done
+ LOADED_GRP=`expr $LOADED_GRP + 1`
+ TEMP_NUM=0
+ if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
+ load_group_crl $LOADED_GRP $ectype
+ html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
+ "produced a returncode of $ret, expected is 0"
+ fi
+ done
+ # Restart selfserv to roll back to two initial group 1 crls
+ # TestCA CRL and TestCA-ec CRL
+ kill_selfserv
+ start_selfserv
+ fi
+ done
+ kill_selfserv
+ SERV_ARG="${SERV_ARG}_-r"
+ rm -f ${SSLAUTH_TMP}
+ grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
+ done
+ TEMPFILES=${SSLAUTH_TMP}
+ html "</TABLE><BR>"
+}
+
+
+############################## ssl_cleanup #############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+ssl_cleanup()
+{
+ rm $SERVERPID 2>/dev/null
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+############################## ssl_run #################################
+# local shell function to run coverage, authentication and stress tests
+########################################################################
+ssl_run()
+{
+ for SSL_RUN in ${NSS_SSL_RUN}
+ do
+ case "${SSL_RUN}" in
+ "stapling")
+ if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then
+ ssl_stapling
+ fi
+ ;;
+ "signed_cert_timestamps")
+ ssl_signed_cert_timestamps
+ ;;
+ "cov")
+ ssl_cov
+ ;;
+ "auth")
+ ssl_auth
+ ;;
+ "stress")
+ ssl_stress
+ ;;
+ esac
+ done
+}
+
+############################ ssl_run_all ###############################
+# local shell function to run both standard and extended ssl tests
+########################################################################
+ssl_run_all()
+{
+ ORIG_SERVERDIR=$SERVERDIR
+ ORIG_CLIENTDIR=$CLIENTDIR
+ ORIG_R_SERVERDIR=$R_SERVERDIR
+ ORIG_R_CLIENTDIR=$R_CLIENTDIR
+ ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
+ ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
+
+ USER_NICKNAME=TestUser
+ NORM_EXT=""
+ cd ${CLIENTDIR}
+
+ ssl_run
+
+ SERVERDIR=$EXT_SERVERDIR
+ CLIENTDIR=$EXT_CLIENTDIR
+ R_SERVERDIR=$R_EXT_SERVERDIR
+ R_CLIENTDIR=$R_EXT_CLIENTDIR
+ P_R_SERVERDIR=$P_R_EXT_SERVERDIR
+ P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
+
+ USER_NICKNAME=ExtendedSSLUser
+ NORM_EXT="Extended Test"
+ cd ${CLIENTDIR}
+
+ ssl_run
+
+ # the next round of ssl tests will only run if these vars are reset
+ SERVERDIR=$ORIG_SERVERDIR
+ CLIENTDIR=$ORIG_CLIENTDIR
+ R_SERVERDIR=$ORIG_R_SERVERDIR
+ R_CLIENTDIR=$ORIG_R_CLIENTDIR
+ P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
+ P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
+
+ USER_NICKNAME=TestUser
+ NORM_EXT=
+ cd ${QADIR}/ssl
+}
+
+############################ ssl_set_fips ##############################
+# local shell function to set FIPS mode on/off
+########################################################################
+ssl_set_fips()
+{
+ CLTSRV=$1
+ ONOFF=$2
+
+ if [ ${CLTSRV} = "server" ]; then
+ DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
+ else
+ DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}"
+ fi
+
+ if [ "${ONOFF}" = "on" ]; then
+ FIPSMODE=true
+ RET_EXP=0
+ else
+ FIPSMODE=false
+ RET_EXP=1
+ fi
+
+ html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
+
+ for DBDIR in ${DBDIRS}
+ do
+ EXT_OPT=
+ echo ${DBDIR} | grep ext > /dev/null
+ if [ $? -eq 0 ]; then
+ EXT_OPT="extended "
+ fi
+
+ echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
+
+ echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
+ ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
+ RET=$?
+ html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
+ "produced a returncode of ${RET}, expected is 0"
+
+ echo "modutil -dbdir ${DBDIR} -list"
+ DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
+ RET=$?
+ html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
+ "produced a returncode of ${RET}, expected is 0"
+
+ echo "${DBLIST}" | grep "FIPS PKCS #11"
+ RET=$?
+ html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
+ "produced a returncode of ${RET}, expected is ${RET_EXP}"
+ done
+
+ html "</TABLE><BR>"
+}
+
+############################ ssl_set_fips ##############################
+# local shell function to run all tests set in NSS_SSL_TESTS variable
+########################################################################
+ssl_run_tests()
+{
+ for SSL_TEST in ${NSS_SSL_TESTS}
+ do
+ case "${SSL_TEST}" in
+ "policy")
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+ ssl_policy
+ fi
+ ;;
+ "crl")
+ ssl_crl_ssl
+ ssl_crl_cache
+ ;;
+ "iopr")
+ ssl_iopr_run
+ ;;
+ *)
+ SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
+ CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
+
+ case "${SERVER_MODE}" in
+ "normal")
+ SERVER_OPTIONS=
+ ;;
+ "fips")
+ SERVER_OPTIONS=
+ ssl_set_fips server on
+ ;;
+ *)
+ echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
+ continue
+ ;;
+ esac
+
+ case "${CLIENT_MODE}" in
+ "normal")
+ CLIENT_OPTIONS=
+ ;;
+ "fips")
+ SERVER_OPTIONS=
+ ssl_set_fips client on
+ ;;
+ *)
+ echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
+ continue
+ ;;
+ esac
+
+ ssl_run_all
+
+ if [ "${SERVER_MODE}" = "fips" ]; then
+ ssl_set_fips server off
+ fi
+
+ if [ "${CLIENT_MODE}" = "fips" ]; then
+ ssl_set_fips client off
+ fi
+ ;;
+ esac
+ done
+}
+
+################################# main #################################
+
+ssl_init
+ssl_run_tests
+ssl_cleanup
+
diff --git a/security/nss/tests/ssl/ssl_dist_stress.sh b/security/nss/tests/ssl/ssl_dist_stress.sh
new file mode 100755
index 000000000..a67dfcbac
--- /dev/null
+++ b/security/nss/tests/ssl/ssl_dist_stress.sh
@@ -0,0 +1,313 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/ssl/ssl_dist_stress.sh
+#
+# Script to test NSS SSL - distributed stresstest - this script needs to
+# source the regular ssl.sh (for shellfunctions, certs and variables
+# initialisation)
+# create certs
+# start server
+# start itself via rsh on different systems to connect back to the server
+#
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_ds_init #############################
+# local shell function to initialize this script
+########################################################################
+ssl_ds_init()
+{
+ if [ -z "$GLOB_MIN_CERT" ] ; then
+ GLOB_MIN_CERT=0
+ fi
+ if [ -z "$GLOB_MAX_CERT" ] ; then
+ GLOB_MAX_CERT=200
+ fi
+ IP_PARAM=""
+ CD_QADIR_SSL=""
+
+
+ if [ -n "$1" ] ; then
+ ssl_ds_eval_opts $*
+ fi
+ SCRIPTNAME=ssl_dist_stress.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ ssl_init # let some other script do the hard work (initialize, generate certs, ...
+
+ SCRIPTNAME=ssl_dist_stress.sh
+ echo "$SCRIPTNAME: SSL distributed stress tests ==============================="
+
+}
+
+######################### ssl_ds_usage #################################
+# local shell function to explain the usage
+########################################################################
+ssl_ds_usage()
+{
+ echo "Usage: `basename $1`"
+ echo " -host hostname "
+ echo " ...host who runs the server, for distributed stress test"
+ echo " -stress "
+ echo " ...runs the server sider of the distributed stress test"
+ echo " -dir unixdirectory "
+ echo " ...lets the server side of the distributed stress test"
+ echo " know where to find the scritp to start on the remote side"
+ echo " -certnum start-end"
+ echo " ... provides the range of certs for distributed stress test"
+ echo " for example -certnum 10-20 will connect 10 times"
+ echo " no blanks in the range string (not 10 - 20)"
+ echo " valid range ${GLOB_MIN_CERT}-${GLOB_MAX_CERT}"
+ echo " -? ...prints this text"
+ exit 1 #does not need to be Exit, very early in script
+}
+
+######################### ssl_ds_eval_opts #############################
+# local shell function to deal with options and parameters
+########################################################################
+ssl_ds_eval_opts()
+{
+ #use $0 not $SCRIPTNAM<E, too early, SCRIPTNAME not yet set
+
+ while [ -n "$1" ]
+ do
+ case $1 in
+ -host)
+ BUILD_OPT=1
+ export BUILD_OPT
+ DO_REM_ST="TRUE"
+ shift
+ SERVERHOST=$1
+ HOST=$1
+ if [ -z $SERVERHOST ] ; then
+ echo "$0 `uname -n`: -host requires hostname"
+ ssl_ds_usage
+ fi
+ echo "$0 `uname -n`: host $HOST ($1)"
+ ;;
+ -certn*)
+ shift
+ rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*-[0-9][0-9]*/OK/'`
+ MIN_CERT=`echo $1 | sed -e 's/-[0-9][0-9]*//' -e 's/^00*//'`
+ MAX_CERT=`echo $1 | sed -e 's/[0-9][0-9]*-//' -e 's/^00*//'`
+ if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o \
+ -z "$MIN_CERT" -o -z "$MAX_CERT" -o \
+ "$MIN_CERT" -gt "$MAX_CERT" -o \
+ "$MIN_CERT" -lt "$GLOB_MIN_CERT" -o \
+ "$MAX_CERT" -gt "$GLOB_MAX_CERT" ] ; then
+ echo "$0 `uname -n`: -certn range not valid"
+ ssl_ds_usage
+ fi
+ echo "$0 `uname -n`: will use certs from $MIN_CERT to $MAX_CERT"
+ ;;
+ -server|-stress|-dist*st*)
+ BUILD_OPT=1
+ export BUILD_OPT
+ DO_DIST_ST="TRUE"
+ ;;
+ -dir|-unixdir|-uxdir|-qadir)
+ shift
+ UX_DIR=$1
+ #FIXME - we need a default unixdir
+ if [ -z "$UX_DIR" ] ; then # -o ! -d "$UX_DIR" ] ; then can't do, Win doesn't know...
+ echo "$0 `uname -n`: -dir requires directoryname "
+ ssl_ds_usage
+ fi
+ CD_QADIR_SSL="cd $UX_DIR"
+ ;;
+ -ip*)
+ shift
+ IP_ADDRESS=$1
+ if [ -z "$IP_ADDRESS" ] ; then
+ echo "$0 `uname -n`: -ip requires ip-address "
+ ssl_ds_usage
+ fi
+ USE_IP=TRUE
+ IP_PARAM="-ip $IP_ADDRESS"
+ ;;
+ -h|-help|"-?"|*)
+ ssl_ds_usage
+ ;;
+ esac
+ shift
+ done
+}
+
+############################## ssl_ds_rem_stress #######################
+# local shell function to perform the client part of the SSL stress test
+########################################################################
+
+ssl_ds_rem_stress()
+{
+ testname="SSL remote part of Stress test (`uname -n`)"
+ echo "$SCRIPTNAME `uname -n`: $testname"
+
+ #cp -r "${CLIENTDIR}" /tmp/ssl_ds.$$ #FIXME
+ #cd /tmp/ssl_ds.$$
+ #verbose="-v"
+
+ cd ${CLIENTDIR}
+
+ CONTINUE=$MAX_CERT
+ while [ $CONTINUE -ge $MIN_CERT ]
+ do
+ echo "strsclnt -D -p ${PORT} -d ${P_R_CLIENTDIR} -w nss -c 1 $verbose "
+ echo " -n TestUser$CONTINUE ${HOSTADDR} #`uname -n`"
+ ${BINDIR}/strsclnt -D -p ${PORT} -d . -w nss -c 1 $verbose \
+ -n "TestUser$CONTINUE" ${HOSTADDR} &
+ #${HOSTADDR} &
+ CONTINUE=`expr $CONTINUE - 1 `
+ #sleep 4 #give process time to start up
+ done
+
+ html_msg 0 0 "${testname}" #FIXME
+}
+
+######################### ssl_ds_dist_stress ###########################
+# local shell function to perform the server part of the new, distributed
+# SSL stress test
+########################################################################
+
+ssl_ds_dist_stress()
+{
+ max_clientlist="
+ box-200
+ washer-200
+ dryer-200
+ hornet-50
+ shabadoo-50
+ y2sun2-10
+ galileo-10
+ shame-10
+ axilla-10
+ columbus-10
+ smarch-10
+ nugget-10
+ charm-10
+ hp64-10
+ biggayal-10
+ orville-10
+ kwyjibo-10
+ hbombaix-10
+ raven-10
+ jordan-10
+ phaedrus-10
+ louie-10
+ trex-10
+ compaqtor-10"
+
+ #clientlist=" huey-2 dewey-2 hornet-2 shabadoo-2" #FIXME ADJUST
+ clientlist=" box-200 washer-200 huey-200 dewey-200 hornet-200 shabadoo-200 louie-200"
+ #clientlist=" box-2 huey-2 "
+ #clientlist="washer-200 huey-200 dewey-200 hornet-200 "
+
+ html_head "SSL Distributed Stress Test"
+
+ testname="SSL distributed Stress test"
+
+ echo cd "${CLIENTDIR}"
+ cd "${CLIENTDIR}"
+ if [ -z "CD_QADIR_SSL" ] ; then
+ CD_QADIR_SSL="cd $QADIR/ssl"
+ else
+ cp -r $HOSTDIR $HOSTDIR/../../../../../booboo_Solaris8/mozilla/tests_results/security
+ fi
+
+ #sparam=" -t 128 -D -r "
+ sparam=" -t 16 -D -r -r -y "
+ start_selfserv
+
+ for c in $clientlist
+ do
+ client=`echo $c | sed -e "s/-.*//"`
+ number=`echo $c | sed -e "s/.*-//"`
+ CLIENT_OK="TRUE"
+ echo $client
+ ping $client >/dev/null || CLIENT_OK="FALSE"
+ if [ "$CLIENT_OK" = "FALSE" ] ; then
+ echo "$SCRIPTNAME `uname -n`: $client can't be reached - skipping"
+ else
+ get_certrange $number
+ echo "$SCRIPTNAME `uname -n`: $RSH $client -l svbld \\ "
+ echo " \" $CD_QADIR_SSL ;ssl_dist_stress.sh \\"
+ echo " -host $HOST -certnum $CERTRANGE $IP_PARAM \" "
+ $RSH $client -l svbld \
+ " $CD_QADIR_SSL;ssl_dist_stress.sh -host $HOST -certnum $CERTRANGE $IP_PARAM " &
+ fi
+ done
+
+ echo cd "${CLIENTDIR}"
+ cd "${CLIENTDIR}"
+
+ sleep 500 # give the clients time to finish #FIXME ADJUST
+
+ echo "GET /stop HTTP/1.0\n\n" > stdin.txt #check to make sure it has /r/n
+ echo "tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 "
+ echo " -w nss -f < stdin.txt"
+ ${BINDIR}/tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 \
+ -w nss -f < stdin.txt
+
+ html_msg 0 0 "${testname}"
+ html "</TABLE><BR>"
+}
+
+############################ get_certrange #############################
+# local shell function to find the range of certs that the next remote
+# client is supposed to use (only for server side of the dist stress test
+########################################################################
+get_certrange()
+{
+ rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*/OK/'`
+ if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o $1 = "OK" ] ; then
+ range=10
+ echo "$SCRIPTNAME `uname -n`: $1 is not a valid number of certs "
+ echo " defaulting to 10 for $client"
+ else
+ range=$1
+ if [ $range -gt $GLOB_MAX_CERT ] ; then
+ range=$GLOB_MAX_CERT
+ fi
+ fi
+ if [ -z "$FROM_CERT" ] ; then # start new on top of the cert stack
+ FROM_CERT=$GLOB_MAX_CERT
+ elif [ `expr $FROM_CERT - $range + 1 ` -lt 0 ] ; then
+ FROM_CERT=$GLOB_MAX_CERT # dont let it fall below 0 on the TO_CERT
+
+ fi
+ TO_CERT=`expr $FROM_CERT - $range + 1 `
+ if [ $TO_CERT -lt 0 ] ; then # it's not that I'm bad in math, I just
+ TO_CERT=0 # don't trust expr...
+ fi
+ CERTRANGE="${TO_CERT}-${FROM_CERT}"
+ FROM_CERT=`expr ${TO_CERT} - 1 ` #start the next client one below
+}
+
+
+################## main #################################################
+
+DO_DIST_ST="TRUE"
+. ./ssl.sh
+ssl_ds_init $*
+if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
+ ssl_ds_rem_stress
+ exit 0 #no cleanup on purpose
+elif [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
+ ssl_ds_dist_stress
+fi
+ssl_cleanup
diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt
new file mode 100644
index 000000000..82d1ddea4
--- /dev/null
+++ b/security/nss/tests/ssl/sslauth.txt
@@ -0,0 +1,76 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the tests for client auth.
+#
+# expected
+# Enable return server client Test Case name
+# ECC value params params
+# ------- ------ ------ ------ ---------------
+ noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
+ noECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
+ noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth (client auth)
+ noECC 254 -r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth (client does not provide auth)
+ noECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth (bad password)
+ noECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser_ TLS Require client auth (client auth)
+ noECC 0 -r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
+ noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
+ noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
+ noECC 254 -r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
+ noECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
+ noECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Require client auth on 2nd hs (client auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth)
+ noECC 0 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
+ noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
+#
+# Use EC cert for client authentication
+#
+ ECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)
+ ECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth)
+ ECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
+ ECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth)
+ ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password)
+ ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth)
+ ECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
+ ECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
+ ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
+ ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
+#
+# SNI Tests
+#
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt
new file mode 100644
index 000000000..1eb7f47de
--- /dev/null
+++ b/security/nss/tests/ssl/sslcov.txt
@@ -0,0 +1,143 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables test coverage of the various SSL ciphers
+#
+# Enable Enable Cipher Test Name
+# EC TLS
+#
+ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5
+ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA
+ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5
+ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA
+ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA
+ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
+ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
+ noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
+ noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384
+# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5
+ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA
+ noECC TLS10 i TLS_RSA_WITH_NULL_MD5
+ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA
+ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS10 z TLS_RSA_WITH_NULL_SHA
+# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+#
+ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5
+ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA
+ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5
+ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA
+ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA
+#
+ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5
+ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA
+ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5
+ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA
+ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
+ noECC TLS12 :0016 TLS12_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ noECC TLS12 :0032 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA
+ noECC TLS12 :0033 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA
+ noECC TLS12 :0038 TLS12_DHE_DSS_WITH_AES_256_CBC_SHA
+ noECC TLS12 :0039 TLS12_DHE_RSA_WITH_AES_256_CBC_SHA
+ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
+ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :0040 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :0067 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA256
+ noECC TLS12 :006A TLS12_DHE_DSS_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :006B TLS12_DHE_RSA_WITH_AES_256_CBC_SHA256
+ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
+ noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
+ noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
+ noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+#
+# ECC ciphers (TLS)
+#
+ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
+ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA
+ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA
+ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA
+ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA
+ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#
+ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA
+ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA
+ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA
+ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA
+ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA
+ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA
+ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA
+ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA
+ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#
+ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA
+ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA
+ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA
+ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA
+ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA
+ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA
+ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA
+ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA
+ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ ECC TLS12 :C024 TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ ECC TLS12 :C028 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
diff --git a/security/nss/tests/ssl/sslpolicy.txt b/security/nss/tests/ssl/sslpolicy.txt
new file mode 100644
index 000000000..82c15d2af
--- /dev/null
+++ b/security/nss/tests/ssl/sslpolicy.txt
@@ -0,0 +1,174 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file enables policy testing
+#
+# The policy string is set to the config= line in the pkcs11.txt
+# it currently has 2 keywords:
+#
+# disallow= turn off the use of this algorithm by policy.
+# allow= allow this algorithm to by used if selected by policy.
+#
+# The syntax is disallow=algorithm{/uses}:algorithm{/uses}
+# where {} signifies an optional element
+#
+# valid algorithms are:
+# ECC curves:
+# PRIME192V1
+# PRIME192V2
+# PRIME192V3
+# PRIME239V1
+# PRIME239V2
+# PRIME239V3
+# PRIME256V1
+# SECP112R1
+# SECP112R2
+# SECP128R1
+# SECP128R2
+# SECP160K1
+# SECP160R1
+# SECP160R2
+# SECP192K1
+# SECP192R1
+# SECP224K1
+# SECP256K1
+# SECP256R1
+# SECP384R1
+# SECP521R1
+# C2PNB163V1
+# C2PNB163V2
+# C2PNB163V3
+# C2PNB176V1
+# C2TNB191V1
+# C2TNB191V2
+# C2TNB191V3
+# C2ONB191V4
+# C2ONB191V5
+# C2PNB208W1
+# C2TNB239V1
+# C2TNB239V2
+# C2TNB239V3
+# C2ONB239V4
+# C2ONB239V5
+# C2PNB272W1
+# C2PNB304W1
+# C2TNB359V1
+# C2PNB368W1
+# C2TNB431R1
+# SECT113R1
+# SECT131R1
+# SECT131R1
+# SECT131R2
+# SECT163K1
+# SECT163R1
+# SECT163R2
+# SECT193R1
+# SECT193R2
+# SECT233K1
+# SECT233R1
+# SECT239K1
+# SECT283K1
+# SECT283R1
+# SECT409K1
+# SECT409R1
+# SECT571K1
+# SECT571R1
+# Hashes:
+# MD2
+# MD4
+# MD5
+# SHA1
+# SHA224
+# SHA256
+# SHA384
+# SHA512
+# MACs:
+# HMAC-SHA1
+# HMAC-SHA224
+# HMAC-SHA256
+# HMAC-SHA384
+# HMAC-SHA512
+# HMAC-MD5
+# Ciphers:
+# AES128-CBC
+# AES192-CBC
+# AES256-CBC
+# AES128-GCM
+# AES192-GCM
+# AES256-GCM
+# CAMELLIA128-CBC
+# CAMELLIA192-CBC
+# CAMELLIA256-CBC
+# SEED-CBC
+# DES-EDE3-CBC
+# DES-40-CBC
+# DES-CBC
+# NULL-CIPHER
+# RC2
+# RC4
+# IDEA
+# Key exchange
+# RSA
+# RSA-EXPORT
+# DHE-RSA
+# DHE-DSS
+# DH-RSA
+# DH-DSS
+# ECDHE-ECDSA
+# ECDHE-RSA
+# ECDH-ECDSA
+# ECDH-RSA
+# SSL Versions
+# SSL2.0
+# SSL3.0
+# TLS1.0
+# TLS1.1
+# TLS1.2
+# DTLS1.1
+# DTLS1.2
+# Include all of the above:
+# ALL
+#-----------------------------------------------
+# Uses are:
+# ssl
+# ssl-key-exchange
+# key-exchange (includes ssl-key-exchange)
+# cert-signature
+# signature (includes cert-signature)
+# all (includes all of the above)
+#-----------------------------------------------
+# In addition there are the following options:
+# min-rsa
+# min-dh
+# min-dsa
+# they have the following syntax:
+# allow=min-rsa=512:min-dh=1024
+#
+# Exp Enable Enable Cipher Config Policy Test Name
+# Ret EC TLS
+# turn on single cipher
+ 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
+ 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
+ 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
+ 1 noECC SSL3 d disallow=all Disallow All Explicitly.
+# turn off signature only
+ 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly.
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
+# turn off single cipher
+ 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
+# turn off H-Mac
+ 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
+ 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
+# turn off key exchange
+ 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
+# turn off version
+ 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly.
diff --git a/security/nss/tests/ssl/sslreq.dat b/security/nss/tests/ssl/sslreq.dat
new file mode 100644
index 000000000..2f7ad7736
--- /dev/null
+++ b/security/nss/tests/ssl/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/ssl/sslreq.txt b/security/nss/tests/ssl/sslreq.txt
new file mode 100644
index 000000000..c1da607c0
--- /dev/null
+++ b/security/nss/tests/ssl/sslreq.txt
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
new file mode 100644
index 000000000..e9defc502
--- /dev/null
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -0,0 +1,87 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This file defines the stress tests for SSL/TLS.
+#
+# expected
+# Enable return server client Test Case name
+# ECC value params params
+# ------- ------ ------ ------ ---------------
+ noECC 0 _ -c_1000_-C_c_-V_ssl3:ssl3 Stress SSL3 RC4 128 with MD5
+ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
+ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
+ noECC 0 -u -V_ssl3:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
+ noECC 0 -z -V_ssl3:tls1.2_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
+ noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
+ noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
+ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
+
+#
+# add client auth versions here...
+#
+ noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
+ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
+ noECC 0 -r_-r_-u -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
+ noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
+ noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
+ noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
+ noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
+ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
+ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
+
+#
+# ############################ ECC ciphers ############################
+#
+ ECC 0 -c_:C009 -V_ssl3:tls1.2_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C023 -V_ssl3:tls1.2_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse)
+ ECC 0 -c_:C02B -V_ssl3:tls1.2_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse)
+ ECC 0 -c_:C004 -V_ssl3:tls1.2_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C00E -V_ssl3:tls1.2_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C013 -V_ssl3:tls1.2_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA
+ ECC 0 -c_:C027 -V_ssl3:tls1.2_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256
+ ECC 0 -c_:C02F -V_ssl3:tls1.2_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM
+ ECC 0 -c_:C004_-u -V_ssl3:tls1.2_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket)
+ ECC 0 -c_:C009_-u -V_ssl3:tls1.2_-c_100_-C_:C009_-u Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (session ticket)
+#
+# add client auth versions here...
+#
+ ECC 0 -r_-r_-c_:C009 -V_ssl3:tls1.2_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth)
+ ECC 0 -r_-r_-c_:C004 -V_ssl3:tls1.2_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C00E -V_ssl3:tls1.2_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
+ ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
+ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)
+
+#
+# ############################ DHE ciphers ############################
+#
+ noECC 0 -c_:0016 -V_ssl3:tls1.2_-c_100_-C_:0016_-N Stress TLS DHE_RSA_WITH_3DES_EDE_CBC_SHA (no reuse)
+ noECC 0 -c_:0033 -V_ssl3:tls1.2_-c_1000_-C_:0033 Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA
+
+
+ noECC 0 -c_:0039 -V_ssl3:tls1.2_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse)
+ noECC 0 -c_:0040 -V_ssl3:tls1.2_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse)
+
+# noECC 0 -c_:0038_-u -V_ssl3:tls1.2_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket)
+# use the above session ticket test, once session tickets with DHE_DSS are working
+ noECC 0 -c_:0038 -V_ssl3:tls1.2_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse)
+
+# noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256
+# use the above reuse test, once the session cache with DHE_DSS is working
+ noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse
+
+ noECC 0 -c_:006B -V_ssl3:tls1.2_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse)
+ noECC 0 -c_:009E -V_ssl3:tls1.2_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse)
+ noECC 0 -c_:009F -V_ssl3:tls1.2_-c_100_-C_:009F_-N Stress TLS DHE_RSA_WITH_AES_256_GCM_SHA384 (no reuse)
+#
+# add client auth versions here...
+#
+ noECC 0 -r_-r_-c_:0032 -V_ssl3:tls1.2_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth)
+ noECC 0 -r_-r_-c_:0067 -V_ssl3:tls1.2_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth)
+
+# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth)
+# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth)
+# use the above session ticket test, once session tickets with DHE_DSS are working
+ noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth)
+ noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (no reuse, client auth)
diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh
new file mode 100755
index 000000000..9768c5ed9
--- /dev/null
+++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh
@@ -0,0 +1,159 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/ssl_gtests/ssl_gtests.sh
+#
+# Script to drive the ssl gtest unit tests
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+#
+########################################################################
+
+# Generate input to certutil
+certscript() {
+ while [ $# -gt 0 ]; do
+ case $1 in
+ sign) echo 0 ;;
+ kex) echo 2 ;;
+ ca) echo 5;echo 6 ;;
+ esac; shift
+ done;
+ echo 9
+ echo n
+ echo ${ca:-n}
+ echo
+ echo n
+}
+
+# $1: name
+# $2: type
+# $3+: usages: sign or kex
+make_cert() {
+ name=$1
+ type=$2
+ case $type in
+ dsa) type_args='-g 1024' ;;
+ rsa) type_args='-g 1024' ;;
+ rsa2048) type_args='-g 2048';type=rsa ;;
+ rsapss) type_args='-g 1024 --pss';type=rsa ;;
+ p256) type_args='-q nistp256';type=ec ;;
+ p384) type_args='-q secp384r1';type=ec ;;
+ p521) type_args='-q secp521r1';type=ec ;;
+ rsa_ca) type_args='-g 1024';trust='CT,CT,CT';ca=y;type=rsa ;;
+ rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;;
+ ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;;
+ esac
+ shift 2
+ counter=$(($counter + 1))
+ certscript $@ | ${BINDIR}/certutil -S \
+ -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
+ -n $name -s "CN=$name" -t ${trust:-,,} ${sign:--x} -m $counter \
+ -w -2 -v 120 -k $type $type_args -Z SHA256 -1 -2
+ html_msg $? 0 "create certificate: $@"
+}
+
+ssl_gtest_certs() {
+ mkdir -p "${SSLGTESTDIR}"
+ cd "${SSLGTESTDIR}"
+
+ PROFILEDIR=`pwd`
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ PROFILEDIR=`cygpath -m "${PROFILEDIR}"`
+ fi
+
+ ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
+ html_msg $? 0 "create ssl_gtest database"
+
+ counter=0
+ make_cert client rsa sign
+ make_cert rsa rsa sign kex
+ make_cert rsa2048 rsa2048 sign kex
+ make_cert rsa_sign rsa sign
+ make_cert rsa_pss rsapss sign
+ make_cert rsa_decrypt rsa kex
+ make_cert ecdsa256 p256 sign
+ make_cert ecdsa384 p384 sign
+ make_cert ecdsa521 p521 sign
+ make_cert ecdh_ecdsa p256 kex
+ make_cert rsa_ca rsa_ca ca
+ make_cert rsa_chain rsa_chain sign
+ make_cert ecdh_rsa ecdh_rsa kex
+ make_cert dsa dsa sign
+}
+
+############################## ssl_gtest_init ##########################
+# local shell function to initialize this script
+########################################################################
+ssl_gtest_init()
+{
+ SCRIPTNAME=ssl_gtest.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ SCRIPTNAME=ssl_gtest.sh
+ html_head SSL Gtests
+
+ if [ ! -d "${SSLGTESTDIR}" ]; then
+ ssl_gtest_certs
+ fi
+
+ cd "${SSLGTESTDIR}"
+}
+
+########################## ssl_gtest_start #########################
+# Local function to actually start the test
+####################################################################
+ssl_gtest_start()
+{
+ if [ ! -f ${BINDIR}/ssl_gtest ]; then
+ html_unknown "Skipping ssl_gtest (not built)"
+ return
+ fi
+
+ SSLGTESTREPORT="${SSLGTESTDIR}/report.xml"
+ PARSED_REPORT="${SSLGTESTDIR}/report.parsed"
+ echo "executing ssl_gtest"
+ ${BINDIR}/ssl_gtest -d "${SSLGTESTDIR}" --gtest_output=xml:"${SSLGTESTREPORT}" \
+ --gtest_filter="${GTESTFILTER-*}"
+ html_msg $? 0 "ssl_gtest run successfully"
+ echo "executing sed to parse the xml report"
+ sed -f ${COMMON}/parsegtestreport.sed "${SSLGTESTREPORT}" > "${PARSED_REPORT}"
+ echo "processing the parsed report"
+ cat "${PARSED_REPORT}" | while read result name; do
+ if [ "$result" = "notrun" ]; then
+ echo "$name" SKIPPED
+ elif [ "$result" = "run" ]; then
+ html_passed_ignore_core "$name"
+ else
+ html_failed_ignore_core "$name"
+ fi
+ done
+}
+
+ssl_gtest_cleanup()
+{
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+cd "$(dirname "$0")"
+ssl_gtest_init
+ssl_gtest_start
+ssl_gtest_cleanup
diff --git a/security/nss/tests/tools/sign.html b/security/nss/tests/tools/sign.html
new file mode 100644
index 000000000..1ec9f7b79
--- /dev/null
+++ b/security/nss/tests/tools/sign.html
@@ -0,0 +1,8 @@
+<html>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<body>
+Sign this javascriptless page.
+</body>
+</html>
diff --git a/security/nss/tests/tools/signjs.html b/security/nss/tests/tools/signjs.html
new file mode 100644
index 000000000..ba22925bd
--- /dev/null
+++ b/security/nss/tests/tools/signjs.html
@@ -0,0 +1,11 @@
+<html>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<body>
+<script language="JavaScript">
+document.write("<h3>Sign this javascript</h3>");
+</script>
+Here's some plain content.
+</body>
+</html>
diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh
new file mode 100644
index 000000000..26abf3e4e
--- /dev/null
+++ b/security/nss/tests/tools/tools.sh
@@ -0,0 +1,498 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/tools/tools.sh
+#
+# Script to test basic functionality of NSS tools
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+# pk12util
+# signtool
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+
+ export pkcs12v2pbeWithSha1And128BitRc4=\
+"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC4"
+
+ export pkcs12v2pbeWithSha1And40BitRc4=\
+"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC4"
+
+ export pkcs12v2pbeWithSha1AndTripleDESCBC=\
+"PKCS #12 V2 PBE With SHA-1 and Triple DES-CBC"
+
+ export pkcs12v2pbeWithSha1And128BitRc2Cbc=\
+"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC2 CBC"
+
+ export pkcs12v2pbeWithSha1And40BitRc2Cbc=\
+"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC2 CBC"
+
+ export pkcs12v2pbeWithMd2AndDESCBC=\
+"PKCS #5 Password Based Encryption with MD2 and DES-CBC"
+
+ export pkcs12v2pbeWithMd5AndDESCBC=\
+"PKCS #5 Password Based Encryption with MD5 and DES-CBC"
+
+ export pkcs12v2pbeWithSha1AndDESCBC=\
+"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
+
+ export pkcs5pbeWithMD2AndDEScbc=\
+"PKCS #5 Password Based Encryption with MD2 and DES-CBC"
+
+ export pkcs5pbeWithMD5AndDEScbc=\
+"PKCS #5 Password Based Encryption with MD5 and DES-CBC"
+
+ export pkcs5pbeWithSha1AndDEScbc=\
+"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
+
+############################## tools_init ##############################
+# local shell function to initialize this script
+########################################################################
+tools_init()
+{
+ SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
+ cd ../cert
+ . ./cert.sh
+ fi
+ SCRIPTNAME=tools.sh
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ html_head "Tools Tests with ECC"
+ else
+ html_head "Tools Tests"
+ fi
+
+ grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+ Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
+ }
+
+ TOOLSDIR=${HOSTDIR}/tools
+ COPYDIR=${TOOLSDIR}/copydir
+ SIGNDIR=${TOOLSDIR}/signdir
+
+ R_TOOLSDIR=../tools
+ R_COPYDIR=../tools/copydir
+ R_SIGNDIR=../tools/signdir
+ P_R_COPYDIR=${R_COPYDIR}
+ P_R_SIGNDIR=${R_SIGNDIR}
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ P_R_COPYDIR="multiaccess:Tools.$version"
+ P_R_SIGNDIR="multiaccess:Tools.sign.$version"
+ fi
+
+ mkdir -p ${TOOLSDIR}
+ mkdir -p ${COPYDIR}
+ mkdir -p ${SIGNDIR}
+ cp ${ALICEDIR}/* ${SIGNDIR}/
+ mkdir -p ${TOOLSDIR}/html
+ cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
+
+ cd ${TOOLSDIR}
+}
+
+########################## list_p12_file ###############################
+# List the key and cert in the specified p12 file
+########################################################################
+list_p12_file()
+{
+ echo "$SCRIPTNAME: Listing Alice's pk12 file"
+ echo "pk12util -l ${1} -w ${R_PWFILE}"
+
+ ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing ${1} (pk12util -l)"
+ check_tmpfile
+}
+
+########################################################################
+# Import the key and cert from the specified p12 file
+########################################################################
+import_p12_file()
+{
+ echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file"
+ echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+
+ ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing ${1} (pk12util -i)"
+ check_tmpfile
+}
+
+########################################################################
+# Export the key and cert to a p12 file using default ciphers
+########################################################################
+export_with_default_ciphers()
+{
+ echo "$SCRIPTNAME: Exporting Alice's key & cert with [default:default] (pk12util -o)"
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alices's key & cert with [default:default] (pk12util -o)"
+ check_tmpfile
+ return $ret
+}
+
+########################################################################
+# Exports key/cert to a p12 file, the key encryption cipher is specified
+# and the cert encryption cipher is blank for default.
+########################################################################
+export_with_key_cipher()
+{
+ # $1 key encryption cipher
+ echo "$SCRIPTNAME: Exporting with [${1}:default]"
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1}"
+ ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} -c "${1}" 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting with [${1}:default] (pk12util -o)"
+ check_tmpfile
+ return $ret
+}
+
+########################################################################
+# Exports key/cert to a p12 file, the key encryption cipher is left
+# empty for default and the cert encryption cipher is specified.
+########################################################################
+export_with_cert_cipher()
+{
+ # $1 certificate encryption cipher
+ echo "$SCRIPTNAME: Exporting with [default:${1}]"
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -C ${1}"
+ ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} -C "${1}" 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting with [default:${1}] (pk12util -o)"
+ check_tmpfile
+ return $ret
+}
+
+########################################################################
+# Exports key/cert to a p12 file, both the key encryption cipher and
+# the cert encryption cipher are specified.
+########################################################################
+export_with_both_key_and_cert_cipher()
+{
+ # $1 key encryption cipher or ""
+ # $2 certificate encryption cipher or ""
+
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1} -C ${2}"
+ ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} \
+ -c "${1}" -C "${2}" 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting with [${1}:${2}] (pk12util -o)"
+ check_tmpfile
+ return $ret
+}
+
+########################################################################
+# Exports key and cert to a p12 file, both the key encryption cipher
+# and the cert encryption cipher are specified. The key and cert are
+# imported and the p12 file is listed
+########################################################################
+export_list_import()
+{
+ # $1 key encryption cipher
+ # $2 certificate encryption cipher
+
+ if [ "${1}" != "DEFAULT" -a "${2}" != "DEFAULT" ]; then
+ export_with_both_key_and_cert_cipher "${1}" "${2}"
+ elif [ "${1}" != "DEFAULT" -a "${2}" = "DEFAULT" ]; then
+ export_with_key_cipher "${1}"
+ elif [ "${1}" = "DEFAULT" -a "${2}" != "DEFAULT" ]; then
+ export_with_cert_cipher "${2}"
+ else
+ export_with_default_ciphers
+ fi
+
+ list_p12_file Alice.p12
+ import_p12_file Alice.p12
+}
+
+########################################################################
+# Export using the pkcs5pbe ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs5pbe_ciphers()
+{
+ # specify each on key and cert cipher
+ for key_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \
+ "${pkcs5pbeWithMD5AndDEScbc}" \
+ "${pkcs5pbeWithSha1AndDEScbc}"\
+ "DEFAULT"; do
+ for cert_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \
+ "${pkcs5pbeWithMD5AndDEScbc}" \
+ "${pkcs5pbeWithSha1AndDEScbc}" \
+ "DEFAULT"\
+ "null"; do
+ export_list_import "${key_cipher}" "${cert_cipher}"
+ done
+ done
+}
+
+########################################################################
+# Export using the pkcs5v2 ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs5v2_ciphers()
+{
+ # These should pass
+ for key_cipher in\
+ RC2-CBC \
+ DES-EDE3-CBC \
+ AES-128-CBC \
+ AES-192-CBC \
+ AES-256-CBC \
+ CAMELLIA-128-CBC \
+ CAMELLIA-192-CBC \
+ CAMELLIA-256-CBC; do
+
+#---------------------------------------------------------------
+# Bug 452464 - pk12util -o fails when -C option specifies AES or
+# Camellia ciphers
+# FIXME Restore these to the list
+# AES-128-CBC, \
+# AES-192-CBC, \
+# AES-256-CBC, \
+# CAMELLIA-128-CBC, \
+# CAMELLIA-192-CBC, \
+# CAMELLIA-256-CBC, \
+# when 452464 is fixed
+#---------------------------------------------------------------
+ for cert_cipher in \
+ RC2-CBC \
+ DES-EDE3-CBC \
+ null; do
+ export_list_import ${key_cipher} ${cert_cipher}
+ done
+ done
+}
+
+########################################################################
+# Export using the pkcs12v2pbe ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs12v2pbe_ciphers()
+{
+#---------------------------------------------------------------
+# Bug 452471 - pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers
+# FIXME - Restore these to the list
+# "${pkcs12v2pbeWithSha1And128BitRc4}" \
+# "${pkcs12v2pbeWithSha1And40BitRc4}" \
+# "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \
+# "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \
+# "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \
+# "${pkcs12v2pbeWithMd2AndDESCBC}" \
+# "${pkcs12v2pbeWithMd5AndDESCBC}" \
+# "${pkcs12v2pbeWithSha1AndDESCBC}" \
+# "DEFAULT"; do
+# when 452471 is fixed
+#---------------------------------------------------------------
+# for key_cipher in \
+ key_cipher="DEFAULT"
+ for cert_cipher in "${pkcs12v2pbeWithSha1And128BitRc4}" \
+ "${pkcs12v2pbeWithSha1And40BitRc4}" \
+ "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \
+ "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \
+ "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \
+ "${pkcs12v2pbeWithMd2AndDESCBC}" \
+ "${pkcs12v2pbeWithMd5AndDESCBC}" \
+ "${pkcs12v2pbeWithSha1AndDESCBC}" \
+ "DEFAULT"\
+ "null"; do
+ export_list_import "${key_cipher}" "${key_cipher}"
+ done
+ #done
+}
+
+#########################################################################
+# Export with no encryption on key should fail but on cert should pass
+#########################################################################
+tools_p12_export_with_null_ciphers()
+{
+ # use null as the key encryption algorithm default for the cert one
+ # should fail
+
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -c null"
+ ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} \
+ -c null 2>&1
+ ret=$?
+ html_msg $ret 30 "Exporting with [null:default] (pk12util -o)"
+ check_tmpfile
+
+ # use default as the key encryption algorithm null for the cert one
+ # should pass
+
+ echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+ echo " -k ${R_PWFILE} -w ${R_PWFILE} -C null"
+ ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+ -k ${R_PWFILE} -w ${R_PWFILE} \
+ -C null 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting with [default:null] (pk12util -o)"
+ check_tmpfile
+
+}
+
+#########################################################################
+# Exports using the default key and certificate encryption ciphers.
+# Imports from and lists the contents of the p12 file.
+# Repeats the test with ECC if enabled.
+########################################################################
+tools_p12_export_list_import_with_default_ciphers()
+{
+ echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
+
+ export_list_import "DEFAULT" "DEFAULT"
+
+ if [ -z "$NSS_DISABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
+ echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+ echo " -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+ -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
+ echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+ echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+ check_tmpfile
+ fi
+}
+
+############################## tools_p12 ###############################
+# local shell function to test basic functionality of pk12util
+########################################################################
+tools_p12()
+{
+ tools_p12_export_list_import_with_default_ciphers
+ tools_p12_export_list_import_all_pkcs5v2_ciphers
+ tools_p12_export_list_import_all_pkcs5pbe_ciphers
+ tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
+ tools_p12_export_with_null_ciphers
+}
+
+############################## tools_sign ##############################
+# local shell function pk12util uses a hardcoded tmp file, if this exists
+# and is owned by another user we don't get reasonable errormessages
+########################################################################
+check_tmpfile()
+{
+ if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then
+ echo "Error: pk12util temp file exists. Please remove this file and"
+ echo " rerun the test (/tmp/Pk12uTemp) "
+ fi
+}
+
+############################## tools_sign ##############################
+# local shell function to test basic functionality of signtool
+########################################################################
+tools_sign()
+{
+ echo "$SCRIPTNAME: Create objsign cert -------------------------------"
+ echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\""
+ ${BINDIR}/signtool -G "objsigner" -d ${P_R_SIGNDIR} -p "nss" 2>&1 <<SIGNSCRIPT
+y
+TEST
+MOZ
+NSS
+NY
+US
+liz
+liz@moz.org
+SIGNSCRIPT
+ html_msg $? 0 "Create objsign cert (signtool -G)"
+
+ echo "$SCRIPTNAME: Signing a jar of files ----------------------------"
+ echo "signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
+ echo " ${R_TOOLSDIR}/html"
+ ${BINDIR}/signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
+ ${R_TOOLSDIR}/html
+ html_msg $? 0 "Signing a jar of files (signtool -Z)"
+
+ echo "$SCRIPTNAME: Listing signed files in jar ----------------------"
+ echo "signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner"
+ ${BINDIR}/signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner
+ html_msg $? 0 "Listing signed files in jar (signtool -v)"
+
+ echo "$SCRIPTNAME: Show who signed jar ------------------------------"
+ echo "signtool -w nojs.jar -d ${P_R_SIGNDIR}"
+ ${BINDIR}/signtool -w nojs.jar -d ${P_R_SIGNDIR}
+ html_msg $? 0 "Show who signed jar (signtool -w)"
+
+ echo "$SCRIPTNAME: Signing a xpi of files ----------------------------"
+ echo "signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\"
+ echo " ${R_TOOLSDIR}/html"
+ ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p "nss" -k objsigner \
+ ${R_TOOLSDIR}/html
+ html_msg $? 0 "Signing a xpi of files (signtool -Z -X)"
+
+ echo "$SCRIPTNAME: Listing signed files in xpi ----------------------"
+ echo "signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner"
+ ${BINDIR}/signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner
+ html_msg $? 0 "Listing signed files in xpi (signtool -v)"
+
+ echo "$SCRIPTNAME: Show who signed xpi ------------------------------"
+ echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}"
+ ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR}
+ html_msg $? 0 "Show who signed xpi (signtool -w)"
+
+}
+
+############################## tools_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+tools_cleanup()
+{
+ html "</TABLE><BR>"
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+################## main #################################################
+
+tools_init
+tools_p12
+tools_sign
+tools_cleanup
+
+