diff options
author | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
---|---|---|
committer | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
commit | 5f8de423f190bbb79a62f804151bc24824fa32d8 (patch) | |
tree | 10027f336435511475e392454359edea8e25895d /security/nss/tests | |
parent | 49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff) | |
download | UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip |
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/nss/tests')
349 files changed, 26616 insertions, 0 deletions
diff --git a/security/nss/tests/README.txt b/security/nss/tests/README.txt new file mode 100644 index 000000000..08088b50b --- /dev/null +++ b/security/nss/tests/README.txt @@ -0,0 +1,6 @@ +Hints for running the NSS test suite: + +- all.sh is used to run all tests + +- if your host is not registered with DNS you may use: + HOST=localhost DOMSUF=localdomain ./all.sh diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh new file mode 100755 index 000000000..8305e6766 --- /dev/null +++ b/security/nss/tests/all.sh @@ -0,0 +1,311 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/all.sh +# +# Script to start selected available NSS QA suites on one machine +# this script is called or sourced by NSS QA which runs on all required +# platforms +# +# Needs to work on all Unix and Windows platforms +# +# Currently available NSS QA suites: +# ---------------------------------- +# cipher.sh - tests NSS ciphers +# libpkix.sh - tests PKIX functionality +# cert.sh - exercises certutil and creates certs necessary for +# all other tests +# dbtests.sh - tests related to certificate databases +# tools.sh - tests the majority of the NSS tools +# fips.sh - tests basic functionallity of NSS in FIPS-compliant +# - mode +# sdr.sh - tests NSS SDR +# crmf.sh - CRMF/CMMF testing +# smime.sh - S/MIME testing +# ssl.sh - tests SSL V2 SSL V3 and TLS +# ocsp.sh - OCSP testing +# merge.sh - tests merging old and new shareable databases +# pkits.sh - NIST/PKITS tests +# chains.sh - PKIX cert chains tests +# dbupgrade.sh - upgrade databases to new shareable version (used +# only in upgrade test cycle) +# memleak.sh - memory leak testing (optional) +# ssl_gtests.sh- Gtest based unit tests for ssl +# gtests.sh - Gtest based unit tests for everything else +# bogo.sh - Bogo interop tests (disabled by default) +# https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md +# +# NSS testing is now devided to 4 cycles: +# --------------------------------------- +# standard - run test suites with defaults settings +# pkix - run test suites with PKIX enabled +# upgradedb - upgrade existing certificate databases to shareable +# format (creates them if doesn't exist yet) and run +# test suites with those databases +# sharedb - run test suites with shareable database format +# enabled (databases are created directly to this +# format) +# +# Mandatory environment variables (to be set before testing): +# ----------------------------------------------------------- +# HOST - test machine host name +# DOMSUF - test machine domain name +# +# Optional environment variables to specify build to use: +# ------------------------------------------------------- +# BUILT_OPT - use optimized/debug build +# USE_64 - use 64bit/32bit build +# USE_ASAN - use Address Sanitizer build +# +# Optional environment variables to enable specific NSS features: +# --------------------------------------------------------------- +# NSS_DISABLE_ECC - disable ECC +# +# Optional environment variables to select which cycles/suites to test: +# --------------------------------------------------------------------- +# NSS_CYCLES - list of cycles to run (separated by space +# character) +# - by default all cycles are tested +# +# NSS_TESTS - list of all test suites to run (separated by space +# character, without trailing .sh) +# - this list can be reduced for individual test cycles +# +# NSS_SSL_TESTS - list of ssl tests to run (see ssl.sh) +# NSS_SSL_RUN - list of ssl sub-tests to run (see ssl.sh) +# +# Testing schema: +# --------------- +# all.sh ~ (main) +# | | +# +------------+------------+-----------+ ~ run_cycles +# | | | | | +# standard pkix upgradedb sharedb ~ run_cycle_* +# | | +# +------+------+------+-----> ~ run_tests +# | | | | | +# cert tools fips ssl ... ~ . *.sh +# +# Special strings: +# ---------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +# NOTE: +# ----- +# Unlike the old QA this is based on files sourcing each other +# This is done to save time, since a great portion of time is lost +# in calling and sourcing the same things multiple times over the +# network. Also, this way all scripts have all shell function +# available and a completely common environment +# +######################################################################## + +############################## run_tests ############################### +# run test suites defined in TESTS variable, skip scripts defined in +# TESTS_SKIP variable +######################################################################## +run_tests() +{ + for TEST in ${TESTS} + do + # NOTE: the spaces are important. If you don't include + # the spaces, then turning off ssl_gtests will also turn off ssl + # tests. + echo " ${TESTS_SKIP} " | grep " ${TEST} " > /dev/null + if [ $? -eq 0 ]; then + continue + fi + + SCRIPTNAME=${TEST}.sh + echo "Running tests for ${TEST}" + echo "TIMESTAMP ${TEST} BEGIN: `date`" + (cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1) + echo "TIMESTAMP ${TEST} END: `date`" + done +} + +########################## run_cycle_standard ########################## +# run test suites with defaults settings (no PKIX, no sharedb) +######################################################################## +run_cycle_standard() +{ + TEST_MODE=STANDARD + + TESTS="${ALL_TESTS}" + TESTS_SKIP= + + run_tests +} + +############################ run_cycle_pkix ############################ +# run test suites with PKIX enabled +######################################################################## +run_cycle_pkix() +{ + TEST_MODE=PKIX + + TABLE_ARGS="bgcolor=cyan" + html_head "Testing with PKIX" + html "</TABLE><BR>" + + HOSTDIR="${HOSTDIR}/pkix" + mkdir -p "${HOSTDIR}" + init_directories + + NSS_ENABLE_PKIX_VERIFY="1" + export NSS_ENABLE_PKIX_VERIFY + + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit" + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` + + run_tests +} + +######################### run_cycle_upgrade_db ######################### +# upgrades certificate database to shareable format and run test suites +# with those databases +######################################################################## +run_cycle_upgrade_db() +{ + TEST_MODE=UPGRADE_DB + + TABLE_ARGS="bgcolor=pink" + html_head "Testing with upgraded library" + html "</TABLE><BR>" + + OLDHOSTDIR="${HOSTDIR}" + HOSTDIR="${HOSTDIR}/upgradedb" + mkdir -p "${HOSTDIR}" + init_directories + + if [ -r "${OLDHOSTDIR}/cert.log" ]; then + DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA stapling tools/copydir cert.log cert.done tests.*" + for i in $DIRS + do + cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null + done + fi + + # upgrade certs dbs to shared db + TESTS="dbupgrade" + TESTS_SKIP= + + run_tests + + NSS_DEFAULT_DB_TYPE="sql" + export NSS_DEFAULT_DB_TYPE + + # run the subset of tests with the upgraded database + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher libpkix cert dbtests sdr ocsp pkits chains" + + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` + NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` + + run_tests +} + +########################## run_cycle_shared_db ######################### +# run test suites with certificate databases set to shareable format +######################################################################## +run_cycle_shared_db() +{ + TEST_MODE=SHARED_DB + + TABLE_ARGS="bgcolor=yellow" + html_head "Testing with shared library" + html "</TABLE><BR>" + + HOSTDIR="${HOSTDIR}/sharedb" + mkdir -p "${HOSTDIR}" + init_directories + + NSS_DEFAULT_DB_TYPE="sql" + export NSS_DEFAULT_DB_TYPE + + # run the tests for native sharedb support + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits" + + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` + NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` + + run_tests +} + +############################# run_cycles ############################### +# run test cycles defined in CYCLES variable +######################################################################## +run_cycles() +{ + for CYCLE in ${CYCLES} + do + case "${CYCLE}" in + "standard") + run_cycle_standard + ;; + "pkix") + if [ -z "$NSS_DISABLE_LIBPKIX" ]; then + run_cycle_pkix + fi + ;; + "upgradedb") + run_cycle_upgrade_db + ;; + "sharedb") + run_cycle_shared_db + ;; + esac + . ${ENV_BACKUP} + done +} + +############################## main code ############################### + +cycles="standard pkix upgradedb sharedb" +CYCLES=${NSS_CYCLES:-$cycles} + +tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +TESTS=${NSS_TESTS:-$tests} + +ALL_TESTS=${TESTS} + +nss_ssl_tests="crl fips_normal normal_fips iopr policy" +NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}" + +nss_ssl_run="cov auth stapling stress" +NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}" + +SCRIPTNAME=all.sh +CLEANUP="${SCRIPTNAME}" +cd `dirname $0` + +# all.sh should be the first one to try to source the init +if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd common + . ./init.sh +fi + +# NOTE: +# Lists of enabled tests and other settings are stored to ${ENV_BACKUP} +# file and are are restored after every test cycle. + +ENV_BACKUP=${HOSTDIR}/env.sh +env_backup > ${ENV_BACKUP} + +if [ "${O_CRON}" = "ON" ]; then + run_cycles >> ${LOGFILE} +else + run_cycles | tee -a ${LOGFILE} +fi + +SCRIPTNAME=all.sh + +. ${QADIR}/common/cleanup.sh diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh new file mode 100755 index 000000000..7503d230e --- /dev/null +++ b/security/nss/tests/bogo/bogo.sh @@ -0,0 +1,56 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/bogo/bogo.sh +# +# Script to drive the ssl bogo interop unit tests +# +######################################################################## + +bogo_init() +{ + SCRIPTNAME="bogo.sh" + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then + cd ../common + . ./init.sh + fi + + mkdir -p "${HOSTDIR}/bogo" + cd "${HOSTDIR}/bogo" + BORING=${BORING:=boringssl} + if [ ! -d "$BORING" ]; then + git clone -q https://boringssl.googlesource.com/boringssl "$BORING" + git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3 + fi + + SCRIPTNAME="bogo.sh" + html_head "bogo test" +} + +bogo_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +# Need to add go to the PATH. +export PATH=$PATH:/usr/lib/go-1.6/bin + +cd "$(dirname "$0")" +SOURCE_DIR="$PWD"/../.. +bogo_init +(cd "$BORING"/ssl/test/runner; + GOPATH="$PWD" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \ + -loose-errors -allow-unimplemented \ + -shim-config "${SOURCE_DIR}/gtests/nss_bogo_shim/config.json") \ + 2>bogo.errors | tee bogo.log +html_msg "${PIPESTATUS[0]}" 0 "Bogo" "Run successfully" +grep -i 'FAILED\|Assertion failure' bogo.errors +html_msg $? 1 "Bogo" "No failures" +bogo_cleanup diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh new file mode 100755 index 000000000..9b3455747 --- /dev/null +++ b/security/nss/tests/cert/cert.sh @@ -0,0 +1,2012 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/cert/rcert.sh +# +# Certificate generating and handeling for NSS QA, can be included +# multiple times from all.sh and the individual scripts +# +# needs to work on all Unix and Windows platforms +# +# included from (don't expect this to be up to date) +# -------------------------------------------------- +# all.sh +# ssl.sh +# smime.sh +# tools.sh +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +# FIXME - Netscape - NSS +######################################################################## + +############################## cert_init ############################### +# local shell function to initialize this script +######################################################################## +cert_init() +{ + SCRIPTNAME="cert.sh" + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" ] ; then + cd ../common + . ./init.sh + fi + if [ -z "${IOPR_CERT_SOURCED}" ]; then + . ../iopr/cert_iopr.sh + fi + SCRIPTNAME="cert.sh" + CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` + if [ -z "$NSS_DISABLE_ECC" ] ; then + html_head "Certutil and Crlutil Tests with ECC" + else + html_head "Certutil and Crlutil Tests" + fi + + LIBDIR="${DIST}/${OBJDIR}/lib" + + ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1` + if [ ! "${ROOTCERTSFILE}" ] ; then + html_failed "Looking for root certs module." + cert_log "ERROR: Root certs module not found." + Exit 5 "Fatal - Root certs module not found." + else + html_passed "Looking for root certs module." + fi + + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + ROOTCERTSFILE=`cygpath -m ${ROOTCERTSFILE}` + fi +} + +cert_log() ###################### write the cert_status file +{ + echo "$SCRIPTNAME $*" + echo $* >>${CERT_LOG_FILE} +} + +######################################################################## +# function wraps calls to pk12util, also: writes action and options +# to stdout. +# Params are the same as to pk12util. +# Returns pk12util status +# +pk12u() +{ + echo "${CU_ACTION} --------------------------" + + echo "pk12util $@" + ${BINDIR}/pk12util $@ + RET=$? + + return $RET +} + +################################ certu ################################# +# local shell function to call certutil, also: writes action and options to +# stdout, sets variable RET and writes results to the html file results +######################################################################## +certu() +{ + echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" + EXPECTED=${RETEXPECTED-0} + + if [ -n "${CU_SUBJECT}" ]; then + #the subject of the cert contains blanks, and the shell + #will strip the quotes off the string, if called otherwise... + echo "certutil -s \"${CU_SUBJECT}\" $*" + ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $* + RET=$? + CU_SUBJECT="" + else + echo "certutil $*" + ${PROFTOOL} ${BINDIR}/certutil $* + RET=$? + fi + if [ "$RET" -ne "$EXPECTED" ]; then + CERTFAILED=$RET + html_failed "${CU_ACTION} ($RET=$EXPECTED) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi + + return $RET +} + +################################ crlu ################################# +# local shell function to call crlutil, also: writes action and options to +# stdout, sets variable RET and writes results to the html file results +######################################################################## +crlu() +{ + echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" + + CRLUTIL="crlutil -q" + echo "$CRLUTIL $*" + ${PROFTOOL} ${BINDIR}/$CRLUTIL $* + RET=$? + if [ "$RET" -ne 0 ]; then + CRLFAILED=$RET + html_failed "${CU_ACTION} ($RET) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi + + return $RET +} + +################################ ocspr ################################## +# local shell function to call ocsresp, also: writes action and options to +# stdout, sets variable RET and writes results to the html file results +######################################################################### +ocspr() +{ + echo "$SCRIPTNAME: ${OR_ACTION} --------------------------" + + OCSPRESP="ocspresp" + echo "$OCSPRESP $*" + ${PROFTOOL} ${BINDIR}/$OCSPRESP $* + RET=$? + if [ "$RET" -ne 0 ]; then + OCSPFAILED=$RET + html_failed "${OR_ACTION} ($RET) " + cert_log "ERROR: ${OR_ACTION} failed $RET" + else + html_passed "${OR_ACTION}" + fi + + return $RET +} + +modu() +{ + echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" + + MODUTIL="modutil" + echo "$MODUTIL $*" + # echo is used to press Enter expected by modutil + echo | ${BINDIR}/$MODUTIL $* + RET=$? + if [ "$RET" -ne 0 ]; then + MODFAILED=$RET + html_failed "${CU_ACTION} ($RET) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi + + return $RET +} + +############################# cert_init_cert ########################## +# local shell function to initialize creation of client and server certs +######################################################################## +cert_init_cert() +{ + CERTDIR="$1" + CERTNAME="$2" + CERTSERIAL="$3" + DOMAIN="$4" + + if [ ! -d "${CERTDIR}" ]; then + mkdir -p "${CERTDIR}" + else + echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists" + fi + cd "${CERTDIR}" + CERTDIR="." + + PROFILEDIR=`cd ${CERTDIR}; pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + PROFILEDIR=`cygpath -m ${PROFILEDIR}` + fi + if [ -n "${MULTIACCESS_DBM}" ]; then + PROFILEDIR="multiaccess:${DOMAIN}" + fi + + noise +} + +############################# hw_acc ################################# +# local shell function to add hw accelerator modules to the db +######################################################################## +hw_acc() +{ + HW_ACC_RET=0 + HW_ACC_ERR="" + if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then + echo "creating $CERTNAME s cert with hwaccelerator..." + #case $ACCELERATOR in + #rainbow) + + echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so " + echo " -dbdir ${PROFILEDIR} 2>&1 " + echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \ + -dbdir ${PROFILEDIR} 2>&1 + if [ "$?" -ne 0 ]; then + echo "modutil -add rainbow failed in `pwd`" + HW_ACC_RET=1 + HW_ACC_ERR="modutil -add rainbow" + fi + + echo "modutil -add ncipher " + echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so " + echo " -dbdir ${PROFILEDIR} 2>&1 " + echo | ${BINDIR}/modutil -add ncipher \ + -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \ + -dbdir ${PROFILEDIR} 2>&1 + if [ "$?" -ne 0 ]; then + echo "modutil -add ncipher failed in `pwd`" + HW_ACC_RET=`expr $HW_ACC_RET + 2` + HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher" + fi + if [ "$HW_ACC_RET" -ne 0 ]; then + html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) " + else + html_passed "Adding HW accelerators to certDB for ${CERTNAME}" + fi + + fi + return $HW_ACC_RET +} + +############################# cert_create_cert ######################### +# local shell function to create client certs +# initialize DB, import +# root cert +# add cert to DB +######################################################################## +cert_create_cert() +{ + cert_init_cert "$1" "$2" "$3" "$4" + + CU_ACTION="Initializing ${CERTNAME}'s Cert DB" + certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + hw_acc + + CU_ACTION="Import Root CA for $CERTNAME" + certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${R_CADIR}/TestCA.ca.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import DSA Root CA for $CERTNAME" + certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Import EC Root CA for $CERTNAME" + certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + fi + + cert_add_cert "$5" + return $? +} + +############################# cert_add_cert ############################ +# local shell function to add client certs to an existing CERT DB +# generate request +# sign request +# import Cert +# +######################################################################## +cert_add_cert() +{ + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s Request" + certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's Cert" + certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + cert_log "SUCCESS: $CERTNAME's Cert Created" + +# +# Generate and add DSA cert +# + CU_ACTION="Generate DSA Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s DSA Request" + certu -C -c "TestCA-dsa" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's DSA Cert" + certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's DSA Cert Created" + +# Generate DSA certificate signed with RSA + CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s DSA Request with RSA" +# Avoid conflicting serial numbers with TestCA issuer by keeping +# this set far away. A smaller number risks colliding with the +# extended ssl user certificates. + NEWSERIAL=`expr ${CERTSERIAL} + 20000` + certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's mixed DSA Cert" + certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created" + +# +# Generate and add EC cert +# + if [ -z "$NSS_DISABLE_ECC" ] ; then + CURVE="secp384r1" + CU_ACTION="Generate EC Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s EC Request" + certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's EC Cert" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's EC Cert Created" + +# Generate EC certificate signed with RSA + CU_ACTION="Generate mixed EC Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA" +# Avoid conflicting serial numbers with TestCA issuer by keeping +# this set far away. A smaller number risks colliding with the +# extended ssl user certificates. + NEWSERIAL=`expr ${CERTSERIAL} + 10000` + certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's mixed EC Cert" + certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created" + fi + + return 0 +} + +################################# cert_all_CA ################################ +# local shell function to build the additional Temp. Certificate Authority (CA) +# used for the "real life" ssl test with 2 different CA's in the +# client and in the server's dir +########################################################################## +cert_all_CA() +{ + echo nss > ${PWFILE} + + ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1" + + ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" + ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3" + ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4" + + + + ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" + ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6" + ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7" + + rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert + + # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last + # in the chain + + +# +# Create DSA version of TestCA + ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_dsa_CA $CADIR TestCA-dsa -x "CTu,CTu,CTu" ${D_CA} "1" +# +# Create DSA versions of the intermediate CA certs + ALL_CU_SUBJECT="CN=NSS Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $SERVER_CADIR serverCA-dsa -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" + ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $SERVER_CADIR chain-1-serverCA-dsa "-c serverCA-dsa" "u,u,u" ${D_SERVER_CA} "3" + ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $SERVER_CADIR chain-2-serverCA-dsa "-c chain-1-serverCA-dsa" "u,u,u" ${D_SERVER_CA} "4" + + ALL_CU_SUBJECT="CN=NSS Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $CLIENT_CADIR clientCA-dsa -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" + ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $CLIENT_CADIR chain-1-clientCA-dsa "-c clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "6" + ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_dsa_CA $CLIENT_CADIR chain-2-clientCA-dsa "-c chain-1-clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "7" + + rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert +# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last +# in the chain + + + + + if [ -z "$NSS_DISABLE_ECC" ] ; then +# +# Create EC version of TestCA + CA_CURVE="secp521r1" + ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE} +# +# Create EC versions of the intermediate CA certs + ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE} + + ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE} + + rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert +# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last +# in the chain + + fi +} + +################################# cert_CA ################################ +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +########################################################################## +cert_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + + echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME ==========================" + + if [ ! -d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=`pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + LPROFILE=`cygpath -m ${LPROFILE}` + fi + if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB + CU_ACTION="Creating CA Cert DB" + certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1 + if [ "$RET" -ne 0 ]; then + Exit 5 "Fatal - failed to create CA $NICKNAME " + fi + + CU_ACTION="Loading root cert module to CA Cert DB" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + echo "$SCRIPTNAME: Certificate initialized ----------" + fi + + + ################# Creating CA Cert ###################################### + # + CU_ACTION="Creating CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \ + -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT +5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +CERTSCRIPT + + if [ "$RET" -ne 0 ]; then + echo "return value is $RET" + Exit 6 "Fatal - failed to create CA cert" + fi + + ################# Exporting Root Cert ################################### + # + CU_ACTION="Exporting Root Cert" + certu -L -n $NICKNAME -r -d ${LPROFILE} -o root.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export root cert" + fi + cp root.cert ${NICKNAME}.ca.cert +} + + + + + +################################ cert_dsa_CA ############################# +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +# This is the ECC version of cert_CA. +########################################################################## +cert_dsa_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + + echo "$SCRIPTNAME: Creating an DSA CA Certificate $NICKNAME ==========================" + + if [ ! -d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + ################# Creating an DSA CA Cert ############################### + # + CU_ACTION="Creating DSA CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -k dsa -t $TRUSTARG -v 600 $SIGNER \ + -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ + -m $CERTSERIAL 2>&1 <<CERTSCRIPT +5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +CERTSCRIPT + + if [ "$RET" -ne 0 ]; then + echo "return value is $RET" + Exit 6 "Fatal - failed to create DSA CA cert" + fi + + ################# Exporting DSA Root Cert ############################### + # + CU_ACTION="Exporting DSA Root Cert" + certu -L -n $NICKNAME -r -d ${LPROFILE} -o dsaroot.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export dsa root cert" + fi + cp dsaroot.cert ${NICKNAME}.ca.cert +} + + + + +################################ cert_ec_CA ############################## +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +# This is the ECC version of cert_CA. +########################################################################## +cert_ec_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + CURVE=$7 + + echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME ==========================" + + if [ ! -d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + ################# Creating an EC CA Cert ################################ + # + CU_ACTION="Creating EC CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \ + -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ + -m $CERTSERIAL 2>&1 <<CERTSCRIPT +5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +CERTSCRIPT + + if [ "$RET" -ne 0 ]; then + echo "return value is $RET" + Exit 6 "Fatal - failed to create EC CA cert" + fi + + ################# Exporting EC Root Cert ################################ + # + CU_ACTION="Exporting EC Root Cert" + certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export ec root cert" + fi + cp ecroot.cert ${NICKNAME}.ca.cert +} + +############################## cert_smime_client ############################# +# local shell function to create client Certificates for S/MIME tests +############################################################################## +cert_smime_client() +{ + CERTFAILED=0 + echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============" + + cert_create_cert ${ALICEDIR} "Alice" 30 ${D_ALICE} + cert_create_cert ${BOBDIR} "Bob" 40 ${D_BOB} + + echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------" + cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE} + +## XXX With this new script merging ECC and non-ECC tests, the +## call to cert_create_cert ends up creating two separate certs +## one for Eve and another for Eve-ec but they both end up with +## the same Subject Alt Name Extension, i.e., both the cert for +## Eve@bogus.com and the cert for Eve-ec@bogus.com end up +## listing eve@bogus.net in the Certificate Subject Alt Name extension. +## This can cause a problem later when cmsutil attempts to create +## enveloped data and accidently picks up the ECC cert (NSS currently +## does not support ECC for enveloped data creation). This script +## avoids the problem by ensuring that these conflicting certs are +## never added to the same cert database (see comment marked XXXX). + echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------" + cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com" + + #echo "************* Copying CA files to ${SERVERDIR}" + #cp ${CADIR}/*.db . + #hw_acc + + ######################################################################### + # + #cd ${CERTDIR} + #CU_ACTION="Creating ${CERTNAME}'s Server Cert" + #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" + #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \ + # -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 + + #CU_ACTION="Export Dave's Cert" + #cd ${DAVEDIR} + #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert + + ################# Importing Certificates for S/MIME tests ############### + # + echo "$SCRIPTNAME: Importing Certificates ==============================" + CU_ACTION="Import Bob's cert into Alice's db" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_BOBDIR}/Bob.cert 2>&1 + + CU_ACTION="Import Dave's cert into Alice's DB" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave.cert 2>&1 + + CU_ACTION="Import Dave's cert into Bob's DB" + certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave.cert 2>&1 + + CU_ACTION="Import Eve's cert into Alice's DB" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_EVEDIR}/Eve.cert 2>&1 + + CU_ACTION="Import Eve's cert into Bob's DB" + certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + -i ${R_EVEDIR}/Eve.cert 2>&1 + + if [ -z "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: Importing EC Certificates ==============================" + CU_ACTION="Import Bob's EC cert into Alice's db" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_BOBDIR}/Bob-ec.cert 2>&1 + + CU_ACTION="Import Dave's EC cert into Alice's DB" + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 + + CU_ACTION="Import Dave's EC cert into Bob's DB" + certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 + +## XXXX Do not import Eve's EC cert until we can make sure that +## the email addresses listed in the Subject Alt Name Extension +## inside Eve's ECC and non-ECC certs are different. +# CU_ACTION="Import Eve's EC cert into Alice's DB" +# certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ +# -i ${R_EVEDIR}/Eve-ec.cert 2>&1 + +# CU_ACTION="Import Eve's EC cert into Bob's DB" +# certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ +# -i ${R_EVEDIR}/Eve-ec.cert 2>&1 + fi + + if [ "$CERTFAILED" != 0 ] ; then + cert_log "ERROR: SMIME failed $RET" + else + cert_log "SUCCESS: SMIME passed" + fi +} + +############################## cert_extended_ssl ####################### +# local shell function to create client + server certs for extended SSL test +######################################################################## +cert_extended_ssl() +{ + + ################# Creating Certs for extended SSL test #################### + # + CERTFAILED=0 + echo "$SCRIPTNAME: Creating Certificates, issued by the last ===============" + echo " of a chain of CA's which are not in the same database============" + + echo "Server Cert" + cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER} + + CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" + certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + + CU_ACTION="Generate Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" + certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)" + certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1 + +# +# Repeat the above for DSA certs +# + CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA-dsa" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 + + CU_ACTION="Import Client DSA Root CA -t T,, for $CERTNAME (ext.)" + certu -A -n "clientCA-dsa" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CLIENT_CADIR}/clientCA-dsa.ca.cert" 2>&1 +# +# done with DSA certs +# +# Repeat again for mixed DSA certs +# + CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA" -m 202 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 + +# CU_ACTION="Import Client mixed DSA Root CA -t T,, for $CERTNAME (ext.)" +# certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \ +# 2>&1 + + if [ -z "$NSS_DISABLE_ECC" ] ; then +# +# Repeat the above for EC certs +# + EC_CURVE="secp256r1" + CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + + CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)" + certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1 +# +# done with EC certs +# +# Repeat again for mixed EC certs +# + EC_CURVE="secp256r1" + CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 + +# CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)" +# certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \ +# 2>&1 + fi + + echo "Importing all the server's own CA chain into the servers DB" + for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; + do + N=`basename $CA | sed -e "s/.ca.cert//"` + if [ $N = "serverCA" -o $N = "serverCA-ec" -o $N = "serverCA-dsa" ] ; then + T="-t C,C,C" + else + T="-t u,u,u" + fi + CU_ACTION="Import $N CA $T for $CERTNAME (ext.) " + certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CA}" 2>&1 + done +#============ + echo "Client Cert" + cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT} + + CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" + certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + + CU_ACTION="Generate Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \ + -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" + certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)" + certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1 + +# +# Repeat the above for DSA certs +# + CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA-dsa" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 + + CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" + certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 +# +# done with DSA certs +# +# +# Repeat the above for mixed DSA certs +# + CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA" -m 302 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 + +# CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" +# certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 +# +# done with mixed DSA certs +# + + if [ -z "$NSS_DISABLE_ECC" ] ; then +# +# Repeat the above for EC certs +# + CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + + CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" + certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 +# +# done with EC certs +# +# +# Repeat the above for mixed EC certs +# + CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 + +# CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" +# certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 +# +# done with mixed EC certs +# + fi + + echo "Importing all the client's own CA chain into the servers DB" + for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; + do + N=`basename $CA | sed -e "s/.ca.cert//"` + if [ $N = "clientCA" -o $N = "clientCA-ec" -o $N = "clientCA-dsa" ] ; then + T="-t T,C,C" + else + T="-t u,u,u" + fi + CU_ACTION="Import $N CA $T for $CERTNAME (ext.)" + certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CA}" 2>&1 + done + if [ "$CERTFAILED" != 0 ] ; then + cert_log "ERROR: EXT failed $RET" + else + cert_log "SUCCESS: EXT passed" + fi +} + +############################## cert_ssl ################################ +# local shell function to create client + server certs for SSL test +######################################################################## +cert_ssl() +{ + ################# Creating Certs for SSL test ########################### + # + CERTFAILED=0 + echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" + cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT} + + echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" + echo " ${HOSTADDR} ------------------------------------" + cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER} + echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" + echo " ${HOSTADDR}-sni --------------------------------" + CERTSERIAL=101 + CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}" + cert_add_cert + CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC" + certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" + + CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC" + certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC" + certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" + fi +# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER} +# echo "************* Copying CA files to ${SERVERDIR}" +# cp ${CADIR}/*.db . +# hw_acc +# CU_ACTION="Creating ${CERTNAME}'s Server Cert" +# CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" +# certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \ +# -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 + + if [ "$CERTFAILED" != 0 ] ; then + cert_log "ERROR: SSL failed $RET" + else + cert_log "SUCCESS: SSL passed" + fi + + echo "$SCRIPTNAME: Creating database for OCSP stapling tests ===============" + echo "cp -r ${SERVERDIR} ${STAPLINGDIR}" + cp -r ${R_SERVERDIR} ${R_STAPLINGDIR} + pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR} + pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR} +} + +############################## cert_stresscerts ################################ +# local shell function to create client certs for SSL stresstest +######################################################################## +cert_stresscerts() +{ + + ############### Creating Certs for SSL stress test ####################### + # + CERTDIR="$CLIENTDIR" + cd "${CERTDIR}" + + PROFILEDIR=`cd ${CERTDIR}; pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + PROFILEDIR=`cygpath -m ${PROFILEDIR}` + fi + if [ -n "${MULTIACCESS_DBM}" ]; then + PROFILEDIR="multiaccess:${D_CLIENT}" + fi + CERTFAILED=0 + echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" + + CONTINUE=$GLOB_MAX_CERT + CERTSERIAL=10 + + while [ $CONTINUE -ge $GLOB_MIN_CERT ] + do + CERTNAME="TestUser$CONTINUE" +# cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL + cert_add_cert + CERTSERIAL=`expr $CERTSERIAL + 1 ` + CONTINUE=`expr $CONTINUE - 1 ` + done + if [ "$CERTFAILED" != 0 ] ; then + cert_log "ERROR: StressCert failed $RET" + else + cert_log "SUCCESS: StressCert passed" + fi +} + +############################## cert_fips ##################################### +# local shell function to create certificates for FIPS tests +############################################################################## +cert_fips() +{ + CERTFAILED=0 + echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates ==============" + cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}" + + CU_ACTION="Initializing ${CERTNAME}'s Cert DB" + certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 + + CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + + echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------" + CU_ACTION="Enable FIPS mode on database for ${CERTNAME}" + echo "modutil -dbdir ${PROFILEDIR} -fips true " + ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT +y +MODSCRIPT + RET=$? + if [ "$RET" -ne 0 ]; then + html_failed "${CU_ACTION} ($RET) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi + + CU_ACTION="Generate Certificate for ${CERTNAME}" + CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" + certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 + if [ "$RET" -eq 0 ]; then + cert_log "SUCCESS: FIPS passed" + fi +} + +############################## cert_eccurves ########################### +# local shell function to create server certs for all EC curves +######################################################################## +cert_eccurves() +{ + ################# Creating Certs for EC curves test ######################## + # + if [ -z "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: Creating Server CA Issued Certificate for " + echo " EC Curves Test Certificates ------------------------------------" + + cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES} + + CU_ACTION="Initializing EC Curve's Cert DB" + certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Loading root cert module to EC Curve's Cert DB" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 + + CU_ACTION="Import EC Root CA for $CERTNAME" + certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 + + CURVE_LIST="nistp256 nistp384 nistp521" + CERTSERIAL=2000 + + for CURVE in ${CURVE_LIST} + do + CERTFAILED=0 + CERTNAME="Curve-${CURVE}" + CERTSERIAL=`expr $CERTSERIAL + 1 ` + CU_ACTION="Generate EC Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + if [ $RET -eq 0 ] ; then + CU_ACTION="Sign ${CERTNAME}'s EC Request" + certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 + fi + + if [ $RET -eq 0 ] ; then + CU_ACTION="Import $CERTNAME's EC Cert" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + fi + done + + fi # $NSS_DISABLE_ECC +} + +########################### cert_extensions_test ############################# +# local shell function to test cert extensions generation +############################################################################## +cert_extensions_test() +{ + COUNT=`expr ${COUNT} + 1` + CERTNAME=TestExt${COUNT} + CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + + echo + echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ + -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ + -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE} + echo "certutil options:" + cat ${TARG_FILE} + ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ + -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ + -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE} + RET=$? + if [ "${RET}" -ne 0 ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate" + cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed" + return 1 + fi + + echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME} + EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}` + RET=$? + echo "${EXTLIST}" + if [ "${RET}" -ne 0 ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - List Certificate" + cert_log "ERROR: ${TESTNAME} - List Certificate failed" + return 1 + fi + + for FL in `echo ${FILTERLIST} | tr \| ' '`; do + FL="`echo ${FL} | tr _ ' '`" + EXPSTAT=0 + if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then + EXPSTAT=1 + FL=`echo ${FL} | tr -d '!'` + fi + echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1 + RET=$? + if [ "${RET}" -ne "${EXPSTAT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}" + cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed" + return 1 + fi + done + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +############################## cert_extensions ############################### +# local shell function to run cert extensions tests +############################################################################## +cert_extensions() +{ + CERTNAME=TestExt + cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS} + TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args + + COUNT=0 + while read ARG OPT FILTERLIST; do + if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then + continue + fi + if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then + TESTNAME="${FILTERLIST}" + continue + fi + if [ X"${ARG}" = "X=" ]; then + cert_extensions_test + rm -f ${TARG_FILE} + else + echo ${ARG} >> ${TARG_FILE} + fi + done < ${QADIR}/cert/certext.txt +} + +cert_make_with_param() +{ + DIRPASS="$1" + CERTNAME="$2" + MAKE="$3" + SUBJ="$4" + EXTRA="$5" + EXPECT="$6" + TESTNAME="$7" + + echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} + ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} + + RET=$? + if [ "${RET}" -ne "${EXPECT}" ]; then + # if we expected failure to create, then delete unexpected certificate + if [ "${EXPECT}" -ne 0 ]; then + ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} + fi + + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}" + cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed" + return 1 + fi + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +cert_list_and_count_dns() +{ + DIRPASS="$1" + CERTNAME="$2" + EXPECT="$3" + EXPECTCOUNT="$4" + TESTNAME="$5" + + echo certutil ${DIRPASS} -L ${CERTNAME} + ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} + + RET=$? + if [ "${RET}" -ne "${EXPECT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - list and count" + cert_log "ERROR: ${TESTNAME} - list and count failed" + return 1 + fi + + LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS` + if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - list and count" + cert_log "ERROR: ${TESTNAME} - list and count failed" + return 1 + fi + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +cert_dump_ext_to_file() +{ + DIRPASS="$1" + CERTNAME="$2" + OID="$3" + OUTFILE="$4" + EXPECT="$5" + TESTNAME="$6" + + echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} + echo "writing output to ${OUTFILE}" + ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE} + + RET=$? + if [ "${RET}" -ne "${EXPECT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - dump to file" + cert_log "ERROR: ${TESTNAME} - dump to file failed" + return 1 + fi + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +cert_delete() +{ + DIRPASS="$1" + CERTNAME="$2" + EXPECT="$3" + TESTNAME="$4" + + echo certutil ${DIRPASS} -D ${CERTNAME} + ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} + + RET=$? + if [ "${RET}" -ne "${EXPECT}" ]; then + CERTFAILED=1 + html_failed "${TESTNAME} (${COUNT}) - delete cert" + cert_log "ERROR: ${TESTNAME} - delete cert failed" + return 1 + fi + + html_passed "${TESTNAME} (${COUNT})" + return 0 +} + +cert_inc_count() +{ + COUNT=`expr ${COUNT} + 1` +} + +############################## cert_crl_ssl ############################ +# test adding subject-alt-name, dumping, and adding generic extension +######################################################################## +cert_san_and_generic_extensions() +{ + EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der + + DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}" + CERTNAME="-n WithSAN" + MAKE="-S -t ,, -x -z ${R_NOISE_FILE}" + SUBJ="CN=example.com" + + TESTNAME="san-and-generic-extensions" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extSAN example.com" 255 \ + "create cert with invalid SAN parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extSAN example.com,dns:www.example.com" 255 \ + "create cert with invalid SAN parameter" + + TN="create cert with valid SAN parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extSAN dns:example.com,dns:www.example.com" 0 \ + "${TN}" + + cert_inc_count + cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \ + "${TN}" + + cert_inc_count + cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \ + "dump extension 2.5.29.17 to file ${EXTDUMP}" + + cert_inc_count + cert_delete "${DIR}" "${CERTNAME}" 0 \ + "${TN}" + + cert_inc_count + cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ + "expect failure to list cert, because we deleted it" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extGeneric ${EXTDUMP}" 255 \ + "create cert with invalid generic ext parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extGeneric not-critical:${EXTDUMP}" 255 \ + "create cert with invalid generic ext parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \ + "create cert with invalid generic ext parameter" + + TN="create cert with valid generic ext parameter" + + cert_inc_count + cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ + "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \ + "${TN}" + + cert_inc_count + cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \ + "${TN}" + + cert_inc_count + cert_delete "${DIR}" "${CERTNAME}" 0 \ + "${TN}" + + cert_inc_count + cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ + "expect failure to list cert, because we deleted it" +} + +############################## cert_crl_ssl ############################ +# local shell function to generate certs and crls for SSL tests +######################################################################## +cert_crl_ssl() +{ + + ################# Creating Certs ################################### + # + CERTFAILED=0 + CERTSERIAL=${CRL_GRP_1_BEGIN} + + cd $CADIR + + PROFILEDIR=`cd ${CLIENTDIR}; pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + PROFILEDIR=`cygpath -m ${PROFILEDIR}` + fi + CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1` + echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ===" + CU_ACTION="Creating client test certs" + + while [ $CERTSERIAL -le $CRL_GRPS_END ] + do + CERTNAME="TestUser$CERTSERIAL" + cert_add_cert + CERTSERIAL=`expr $CERTSERIAL + 1 ` + done + + #################### CRL Creation ############################## + CRL_GEN_RES=0 + echo "$SCRIPTNAME: Creating CA CRL =====================================" + + CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1` + CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END} + CRL_FILE=${CRL_FILE_GRP_1} + + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority" + CRL_GRP_END_=`expr ${CRL_GRP_END} - 1` + crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE +addext reasonCode 0 4 +addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA" +EOF_CRLINI +# This extension should be added to the list, but currently nss has bug +#addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1 + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or + + + CU_ACTION="Generating CRL (DSA) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-dsa authority" + +# Until Bug 292285 is resolved, do not encode x400 Addresses. After +# the bug is resolved, reintroduce "x400Address:x400Address" within +# addext issuerAltNames ... + crlu -q -d $CADIR -G -n "TestCA-dsa" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE +addext reasonCode 0 4 +addext issuerAltNames 0 "rfc822Name:ca-dsaemail@ca.com|dnsName:ca-dsa.com|directoryName:CN=NSS Test CA (DSA),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-dsa.com|ipAddress:192.168.0.1|registerID=reg CA (DSA)" +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or-dsa + + + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority" + +# Until Bug 292285 is resolved, do not encode x400 Addresses. After +# the bug is resolved, reintroduce "x400Address:x400Address" within +# addext issuerAltNames ... + crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE +addext reasonCode 0 4 +addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)" +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or-ec + fi + + echo test > file + ############################# Modification ################################## + + echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` + CU_ACTION="Modify CRL by adding one more cert" + crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \ + -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_END} $CRL_GRP_DATE +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or1 + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or" + + + CU_ACTION="Modify CRL (DSA) by adding one more cert" + crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1-dsa \ + -i ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_END} $CRL_GRP_DATE +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or1-dsa + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa" + + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Modify CRL (ECC) by adding one more cert" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_END} $CRL_GRP_DATE +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or1-ec + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec" + fi + + ########### Removing one cert ${UNREVOKED_CERT_GRP_1} ####################### + echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ===============" + CU_ACTION="Modify CRL by removing one cert" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \ + -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI +update=$CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_1} +EOF_CRLINI + chmod 600 ${CRL_FILE_GRP_1} + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1" + + + CU_ACTION="Modify CRL (DSA) by removing one cert" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \ + -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI +update=$CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_1} +EOF_CRLINI + chmod 600 ${CRL_FILE_GRP_1} + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-dsa" + + + + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Modify CRL (ECC) by removing one cert" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \ + -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI +update=$CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_1} +EOF_CRLINI + chmod 600 ${CRL_FILE_GRP_1}-ec + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec" + fi + + ########### Creating second CRL which includes groups 1 and 2 ############## + CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1` + CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END} + + echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ===============" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` + CU_ACTION="Creating CRL for groups 1 and 2" + crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2} \ + -i ${CRL_FILE_GRP_1} <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +addext invalidityDate 0 $CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_2} +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_2} + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Creating CRL (ECC) for groups 1 and 2" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \ + -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +addext invalidityDate 0 $CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_2} +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_2}-ec + fi + + ########### Creating second CRL which includes groups 1, 2 and 3 ############## + CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1` + CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END} + + + + echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3 ===============" + sleep 2 + CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` + CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` + CU_ACTION="Creating CRL for groups 1, 2 and 3" + crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3} \ + -i ${CRL_FILE_GRP_2} <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +rmcert ${UNREVOKED_CERT_GRP_3} +addext crlNumber 0 2 +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_3} + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \ + -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +rmcert ${UNREVOKED_CERT_GRP_3} +addext crlNumber 0 2 +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_3}-ec + fi + + ############ Importing Server CA Issued CRL for certs of first group ####### + + echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}" + CU_ACTION="Importing CRL for groups 1" + crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}" + crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}" + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + if [ -z "$NSS_DISABLE_ECC" ] ; then + CU_ACTION="Importing CRL (ECC) for groups 1" + crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}" + crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \ + -d "${R_SERVERDIR}" + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + fi + + if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then + cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES" + else + cert_log "SUCCESS: SSL CRL prep passed" + fi +} + +################# +# Verify the we can successfully change the password on the database +# +cert_test_password() +{ + CERTFAILED=0 + echo "$SCRIPTNAME: Create A Password Test Cert ==============" + cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}" + + echo "$SCRIPTNAME: Create A Password Test Ca --------" + ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1" + + # now change the password + CU_ACTION="Changing password on ${CERTNAME}'s Cert DB" + certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1 + + # finally make sure we can use the old key with the new password + CU_ACTION="Generate Certificate for ${CERTNAME} with new password" + CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1 + if [ "$RET" -eq 0 ]; then + cert_log "SUCCESS: PASSWORD passed" + fi + CU_ACTION="Verify Certificate for ${CERTNAME} with new password" + certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 +} + +############################### +# test if we can distrust a certificate. +# +# we create 3 new certs: +# 1 leaf signed by the trusted root. +# 1 intermediate signed by the trusted root. +# 1 leaf signed by the intermediate. +# +# we mark the first leaf and the intermediate as explicitly untrusted. +# we then try to verify the two leaf certs for our possible usages. +# All verification should fail. +# +cert_test_distrust() +{ + echo "$SCRIPTNAME: Creating Distrusted Certificate" + cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST} + CU_ACTION="Mark CERT as unstrusted" + certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1 + echo "$SCRIPTNAME: Creating Distrusted Intermediate" + CERTNAME="DistrustedCA" + ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1 + CU_ACTION="Import Distrusted Intermediate" + certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1 + + # now create the last leaf signed by our distrusted CA + # since it's not signed by TestCA it requires more steps. + CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA" + CERTNAME="LeafChainedToDistrustedCA" + CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" + cp ${CERTDIR}/req ${CADIR} + certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert -t u,u,u" + certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}.cert" 2>&1 + + RETEXPECTED=255 + CU_ACTION="Verify ${CERTNAME} Cert for SSL Server" + certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for SSL Client" + certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Email signer" + certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Email recipient" + certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder" + certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Object Signer" + certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + + CERTNAME="Distrusted" + CU_ACTION="Verify ${CERTNAME} Cert for SSL Server" + certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for SSL Client" + certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Email signer" + certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Email recipient" + certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder" + certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Verify ${CERTNAME} Cert for Object Signer" + certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + RETEXPECTED=0 +} + +cert_test_ocspresp() +{ + echo "$SCRIPTNAME: OCSP response creation selftest" + OR_ACTION="perform selftest" + RETEXPECTED=0 + ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1 +} + +############################## cert_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +cert_cleanup() +{ + cert_log "$SCRIPTNAME: finished $SCRIPTNAME" + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +cert_init +cert_all_CA +cert_extended_ssl +cert_ssl +cert_smime_client +if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then + cert_fips +fi +cert_eccurves +cert_extensions +cert_san_and_generic_extensions +cert_test_password +cert_test_distrust +cert_test_ocspresp + +if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then + cert_crl_ssl +else + echo "$SCRIPTNAME: Skipping CRL Tests" +fi + +if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then + cert_stresscerts +fi + +cert_iopr_setup + +cert_cleanup diff --git a/security/nss/tests/cert/certext.txt b/security/nss/tests/cert/certext.txt new file mode 100644 index 000000000..4bcda814f --- /dev/null +++ b/security/nss/tests/cert/certext.txt @@ -0,0 +1,130 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# File syntax: +# '#' comments. +# If the line starts from '!'('! TEST_N Test Name String'), +# then 'Test Name String' will be the name of a test(starting +# from second space till the rest of the line). +# All uncommented lines are hard codded answers to certutil +# extension questions. +# Line '= N string1|string2|string3': '=' is a stop sign +# of certutil inputs and start of the test. 'N' is the number +# of extension that will be tested. 'string1|string2|string3' +# are grep patterns for test result verification. '_' in stringN +# will be replaced to a space. +# ################################################################ +! TEST_1 Certificate Key Usage Extension +0 +1 +2 +3 +4 +5 +6 +10 +n += 1 Certificate_Key_Usage|Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing +# ################################################################ +! TEST_2 Certificate Key Usage Extension +0 +1 +2 +3 +4 +5 +6 +10 +y += 1 Certificate_Key_Usage|Digital_Signature|Critical:_True +# ################################################################ +! TEST_3 Certificate Basic Constraints Extension +y +-1 +n += 2 Name:_Certificate_Basic_Constraints|Data:_Is_a_CA_with_no_maximum +# ################################################################ +! TEST_4 Certificate Basic Constraints Extension +n +-1 +y += 2 Name:_Certificate_Basic_Constraints|Data:_Is_not_a_CA|Critical:_True +# ################################################################ +! TEST_5 Certificate Authority Key Identifier Extension +y +12341235123 + + +y += 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Key_ID:|12341235123 +# ################################################################ +! TEST_6 Certificate Authority Key Identifier Extension +y + +3 +test.com + +214123 +y += 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Issuer:|DNS_name:_"test.com"|Serial_Number:|214123 +# ################################################################ +! TEST_7 CRL Distribution Points Extension +1 +2 +rfc822@name.tld +3 +test.com +8 +1.2.3.4 +9 +OID.0.2.213 +10 +0 +10 +n +n += 4 Name:_CRL_Distribution_Points|rfc822@name.tld +# ################################################################# +! TEST_8 CRL Distribution Points Extension +2 +SN=asdfsdf +4 +3 +test.com +10 +n +n += 4 Name:_CRL_Distribution_Points|asdfsdf|Reasons:|DNS_name:_"test.com" +# ################################################################ +! TEST_9 Certificate Type Extension +0 +1 +2 +10 +n += 5 Name:_Certificate_Type|Data:_<SSL_Client,SSL_Server,S/MIME> +# ################################################################ +! TEST_10 Extended Key Usage Extension +0 +1 +2 +3 +4 +5 +6 +10 +y += 6 Name:_Extended_Key_Usage|Critical:_True|TLS_Web_Server_Authentication_Certificate|TLS_Web_Client_Authentication_Certificate|Code_Signing_Certificate|E-Mail_Protection_Certificate|Time_Stamping_Certifcate|OCSP_Responder_Certificate|Strong_Crypto_Export_Approved +# ################################################################ +! TEST_11 Certificate Key Usage Extension + +1 +2 +3 +4 +5 +6 +10 +n += 1 Certificate_Key_Usage|!Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh new file mode 100755 index 000000000..4c3fa57a0 --- /dev/null +++ b/security/nss/tests/chains/chains.sh @@ -0,0 +1,1308 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/cert/chains.sh +# +# Script to test certificate chains validity. +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## + +########################### is_httpserv_alive ########################## +# local shell function to exit with a fatal error if selfserver is not +# running +######################################################################## +is_httpserv_alive() +{ + if [ ! -f "${HTTPPID}" ]; then + echo "$SCRIPTNAME: Error - httpserv PID file ${HTTPPID} doesn't exist" + sleep 5 + if [ ! -f "${HTTPPID}" ]; then + Exit 9 "Fatal - httpserv pid file ${HTTPPID} does not exist" + fi + fi + + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_HTTPPID} + else + PID=`cat ${HTTPPID}` + fi + + echo "kill -0 ${PID} >/dev/null 2>/dev/null" + kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable" + + echo "httpserv with PID ${PID} found at `date`" +} + +########################### wait_for_httpserv ########################## +# local shell function to wait until httpserver is running and initialized +######################################################################## +wait_for_httpserv() +{ + echo "trying to connect to httpserv at `date`" + echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v" + ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v + if [ $? -ne 0 ]; then + sleep 5 + echo "retrying to connect to httpserv at `date`" + echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v" + ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v + if [ $? -ne 0 ]; then + html_failed "Waiting for Server" + fi + fi + is_httpserv_alive +} + +########################### kill_httpserv ############################## +# local shell function to kill the httpserver after the tests are done +######################################################################## +kill_httpserv() +{ + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_HTTPPID} + else + PID=`cat ${HTTPPID}` + fi + + echo "trying to kill httpserv with PID ${PID} at `date`" + + if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then + echo "${KILL} ${PID}" + ${KILL} ${PID} + else + echo "${KILL} -USR1 ${PID}" + ${KILL} -USR1 ${PID} + fi + wait ${PID} + + # On Linux httpserv needs up to 30 seconds to fully die and free + # the port. Wait until the port is free. (Bug 129701) + if [ "${OS_ARCH}" = "Linux" ]; then + echo "httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;" + until ${BINDIR}/httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null; do + echo "RETRY: httpserv -b -p ${NSS_AIA_PORT} 2>/dev/null;" + sleep 1 + done + fi + + echo "httpserv with PID ${PID} killed at `date`" + + rm ${HTTPPID} + html_detect_core "kill_httpserv core detection step" +} + +########################### start_httpserv ############################# +# local shell function to start the httpserver with the parameters required +# for this test and log information (parameters, start time) +# also: wait until the server is up and running +######################################################################## +start_httpserv() +{ + HTTP_METHOD=$1 + + if [ -n "$testname" ] ; then + echo "$SCRIPTNAME: $testname ----" + fi + echo "httpserv starting at `date`" + ODDIR="${HOSTDIR}/chains/OCSPD" + echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\" + echo " -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\" + echo " -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\" + echo " -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\" + echo " -i ${HTTPPID} $verbose &" + ${PROFTOOL} ${BINDIR}/httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \ + -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \ + -A OCSPCA2 -C ${ODDIR}/OCSPCA2.crl -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \ + -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \ + -i ${HTTPPID} $verbose & + RET=$? + + # The PID $! returned by the MKS or Cygwin shell is not the PID of + # the real background process, but rather the PID of a helper + # process (sh.exe). MKS's kill command has a bug: invoking kill + # on the helper process does not terminate the real background + # process. Our workaround has been to have httpserv save its PID + # in the ${HTTPPID} file and "kill" that PID instead. But this + # doesn't work under Cygwin; its kill command doesn't recognize + # the PID of the real background process, but it does work on the + # PID of the helper process. So we save the value of $! in the + # SHELL_HTTPPID variable, and use it instead of the ${HTTPPID} + # file under Cygwin. (In fact, this should work in any shell + # other than the MKS shell.) + SHELL_HTTPPID=$! + wait_for_httpserv + + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_HTTPPID} + else + PID=`cat ${HTTPPID}` + fi + + echo "httpserv with PID ${PID} started at `date`" +} + +############################# chains_init ############################## +# local shell function to initialize this script +######################################################################## +chains_init() +{ + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" ] ; then + cd ../common + . ./init.sh + fi + + SCRIPTNAME="chains.sh" + + CHAINS_DIR="${HOSTDIR}/chains" + mkdir -p ${CHAINS_DIR} + cd ${CHAINS_DIR} + + CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios" + + CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//") + CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000) + + PK7_NONCE=${CERT_SN_CNT} + SCEN_CNT=${CERT_SN_CNT} + + AIA_FILES="${HOSTDIR}/aiafiles" + + CU_DATA=${HOSTDIR}/cu_data + CRL_DATA=${HOSTDIR}/crl_data + + DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10) + NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT} + DEFAULT_UNUSED_PORT=$(expr ${PORT:-8631} + 11) + NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT} + NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"} + NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp} + NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp} + NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"} + + html_head "Certificate Chains Tests" +} + +chains_run_httpserv() +{ + HTTP_METHOD=$1 + + if [ -n "${NSS_AIA_PATH}" ]; then + HTTPPID=${NSS_AIA_PATH}/http_pid.$$ + mkdir -p "${NSS_AIA_PATH}" + SAVEPWD=`pwd` + cd "${NSS_AIA_PATH}" + # Start_httpserv sets environment variables, which are required for + # correct cleanup. (Running it in a subshell doesn't work, the + # value of $SHELL_HTTPPID wouldn't arrive in this scope.) + start_httpserv ${HTTP_METHOD} + cd "${SAVEPWD}" + fi +} + +chains_stop_httpserv() +{ + if [ -n "${NSS_AIA_PATH}" ]; then + kill_httpserv + fi +} + +############################ chains_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +chains_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +############################ print_cu_data ############################# +# local shell function to print certutil input data +######################################################################## +print_cu_data() +{ + echo "=== Certutil input data ===" + cat ${CU_DATA} + echo "===" +} + +set_cert_sn() +{ + if [ -z "${SERIAL}" ]; then + CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1) + CERT_SN=${CERT_SN_CNT} + else + echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null + if [ $? -eq 0 ]; then + CERT_SN=$(echo ${SERIAL} | cut -b 2-) + CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN}) + else + CERT_SN=${SERIAL} + fi + fi +} + +############################# create_db ################################ +# local shell function to create certificate database +######################################################################## +create_db() +{ + DB=$1 + + [ -d "${DB}" ] && rm -rf ${DB} + mkdir -p ${DB} + + echo "${DB}passwd" > ${DB}/dbpasswd + + TESTNAME="Creating DB ${DB}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -N -d ${DB} -f ${DB}/dbpasswd" + ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +########################### create_root_ca ############################# +# local shell function to generate self-signed root certificate +######################################################################## +create_root_ca() +{ + ENTITY=$1 + ENTITY_DB=${ENTITY}DB + + set_cert_sn + date >> ${NOISE_FILE} 2>&1 + + CTYPE_OPT= + if [ -n "${CTYPE}" ]; then + CTYPE_OPT="-k ${CTYPE}" + fi + + echo "5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +" > ${CU_DATA} + + TESTNAME="Creating Root CA ${ENTITY}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}" + print_cu_data + ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" + + TESTNAME="Exporting Root CA ${ENTITY}.der" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der" + ${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +########################### create_cert_req ############################ +# local shell function to generate certificate sign request +######################################################################## +create_cert_req() +{ + ENTITY=$1 + TYPE=$2 + + ENTITY_DB=${ENTITY}DB + + REQ=${ENTITY}Req.der + + date >> ${NOISE_FILE} 2>&1 + + CTYPE_OPT= + if [ -n "${CTYPE}" ]; then + CTYPE_OPT="-k ${CTYPE}" + fi + + CA_FLAG= + EXT_DATA= + OPTIONS= + + if [ "${TYPE}" != "EE" ]; then + CA_FLAG="-2" + EXT_DATA="y +-1 +y +" + fi + + process_crldp + + echo "${EXT_DATA}" > ${CU_DATA} + + TESTNAME="Creating ${TYPE} certifiate request ${REQ}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}" + print_cu_data + ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +############################ create_entity ############################# +# local shell function to create certificate chain entity +######################################################################## +create_entity() +{ + ENTITY=$1 + TYPE=$2 + + if [ -z "${ENTITY}" ]; then + echo "Configuration error: Unnamed entity" + exit 1 + fi + + DB=${ENTITY}DB + ENTITY_DB=${ENTITY}DB + + case "${TYPE}" in + "Root") + create_db "${DB}" + create_root_ca "${ENTITY}" + ;; + "Intermediate" | "Bridge" | "EE") + create_db "${DB}" + create_cert_req "${ENTITY}" "${TYPE}" + ;; + "*") + echo "Configuration error: Unknown type ${TYPE}" + exit 1 + ;; + esac +} + +######################################################################## +# List of global variables related to certificate extensions processing: +# +# Generated by process_extensions and functions called from it: +# OPTIONS - list of command line policy extensions +# DATA - list of inpud data related to policy extensions +# +# Generated by parse_config: +# POLICY - list of certificate policies +# MAPPING - list of policy mappings +# INHIBIT - inhibit flag +# AIA - AIA list +######################################################################## + +############################ process_policy ############################ +# local shell function to process policy extension parameters and +# generate input for certutil +######################################################################## +process_policy() +{ + if [ -n "${POLICY}" ]; then + OPTIONS="${OPTIONS} --extCP" + + NEXT= + for ITEM in ${POLICY}; do + if [ -n "${NEXT}" ]; then + DATA="${DATA}y +" + fi + + NEXT=1 + DATA="${DATA}${ITEM} +1 + +n +" + done + + DATA="${DATA}n +n +" + fi +} + +########################### process_mapping ############################ +# local shell function to process policy mapping parameters and +# generate input for certutil +######################################################################## +process_mapping() +{ + if [ -n "${MAPPING}" ]; then + OPTIONS="${OPTIONS} --extPM" + + NEXT= + for ITEM in ${MAPPING}; do + if [ -n "${NEXT}" ]; then + DATA="${DATA}y +" + fi + + NEXT=1 + IDP=`echo ${ITEM} | cut -d: -f1` + SDP=`echo ${ITEM} | cut -d: -f2` + DATA="${DATA}${IDP} +${SDP} +" + done + + DATA="${DATA}n +n +" + fi +} + +########################### process_inhibit############################# +# local shell function to process inhibit extension and generate input +# for certutil +######################################################################## +process_inhibit() +{ + if [ -n "${INHIBIT}" ]; then + OPTIONS="${OPTIONS} --extIA" + + DATA="${DATA}${INHIBIT} +n +" + fi +} + +############################# process_aia ############################## +# local shell function to process AIA extension parameters and +# generate input for certutil +######################################################################## +process_aia() +{ + if [ -n "${AIA}" ]; then + OPTIONS="${OPTIONS} --extAIA" + + DATA="${DATA}1 +" + + for ITEM in ${AIA}; do + PK7_NONCE=`expr $PK7_NONCE + 1` + + echo ${ITEM} | grep ":" > /dev/null + if [ $? -eq 0 ]; then + CERT_NICK=`echo ${ITEM} | cut -d: -f1` + CERT_ISSUER=`echo ${ITEM} | cut -d: -f2` + CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der" + CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der" + else + CERT_LOCAL="${ITEM}.p7" + CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7" + fi + + DATA="${DATA}7 +${NSS_AIA_HTTP}/${CERT_PUBLIC} +" + + if [ -n "${NSS_AIA_PATH}" ]; then + cp ${CERT_LOCAL} ${NSS_AIA_PATH}/${CERT_PUBLIC} 2> /dev/null + chmod a+r ${NSS_AIA_PATH}/${CERT_PUBLIC} + echo ${NSS_AIA_PATH}/${CERT_PUBLIC} >> ${AIA_FILES} + fi + done + + DATA="${DATA}0 +n +n" + fi +} + +process_ocsp() +{ + if [ -n "${OCSP}" ]; then + OPTIONS="${OPTIONS} --extAIA" + + if [ "${OCSP}" = "offline" ]; then + MY_OCSP_URL=${NSS_OCSP_UNUSED} + else + MY_OCSP_URL=${NSS_AIA_OCSP} + fi + + DATA="${DATA}2 +7 +${MY_OCSP_URL} +0 +n +n +" + fi +} + +process_crldp() +{ + if [ -n "${CRLDP}" ]; then + OPTIONS="${OPTIONS} -4" + + EXT_DATA="${EXT_DATA}1 +" + + for ITEM in ${CRLDP}; do + CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl" + + EXT_DATA="${EXT_DATA}7 +${NSS_AIA_HTTP}/${CRL_PUBLIC} +" + done + + EXT_DATA="${EXT_DATA}-1 +-1 +-1 +n +n +" + fi +} + +process_ku_ns_eku() +{ + if [ -n "${EXT_KU}" ]; then + OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}" + fi + if [ -n "${EXT_NS}" ]; then + EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1) + EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2) + + OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}" + DATA="${DATA}${EXT_NS_CODE} +-1 +n +" + fi + if [ -n "${EXT_EKU}" ]; then + OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}" + fi +} + +copy_crl() + +{ + if [ -z "${NSS_AIA_PATH}" ]; then + return; + fi + + CRL_LOCAL="${COPYCRL}.crl" + CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl" + + cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null + chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC} + echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES} +} + +########################## process_extension ########################### +# local shell function to process entity extension parameters and +# generate input for certutil +######################################################################## +process_extensions() +{ + OPTIONS= + DATA= + + process_policy + process_mapping + process_inhibit + process_aia + process_ocsp + process_ku_ns_eku +} + +############################## sign_cert ############################### +# local shell function to sign certificate sign reuqest +######################################################################## +sign_cert() +{ + ENTITY=$1 + ISSUER=$2 + TYPE=$3 + + [ -z "${ISSUER}" ] && return + + ENTITY_DB=${ENTITY}DB + ISSUER_DB=${ISSUER}DB + REQ=${ENTITY}Req.der + CERT=${ENTITY}${ISSUER}.der + + set_cert_sn + + EMAIL_OPT= + if [ "${TYPE}" = "Bridge" ]; then + EMAIL_OPT="-7 ${ENTITY}@${ISSUER}" + + [ -n "${EMAILS}" ] && EMAILS="${EMAILS}," + EMAILS="${EMAILS}${ENTITY}@${ISSUER}" + fi + + process_extensions + + echo "${DATA}" > ${CU_DATA} + + TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}" + print_cu_data + ${BINDIR}/certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" + + TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}" + ${BINDIR}/certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +############################# create_pkcs7############################## +# local shell function to package bridge certificates into pkcs7 +# package +######################################################################## +create_pkcs7() +{ + ENTITY=$1 + ENTITY_DB=${ENTITY}DB + + TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7" + ${BINDIR}/cmsutil -O -r "${EMAILS}" -d ${ENTITY_DB} > ${ENTITY}.p7 + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +############################# import_key ############################### +# local shell function to import private key + cert into database +######################################################################## +import_key() +{ + KEY_NAME=$1.p12 + DB=$2 + + KEY_FILE=../OCSPD/${KEY_NAME} + + TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss" + ${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +export_key() +{ + KEY_NAME=$1.p12 + DB=$2 + + TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss" + ${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +############################# import_cert ############################## +# local shell function to import certificate into database +######################################################################## +import_cert() +{ + IMPORT=$1 + DB=$2 + + CERT_NICK=`echo ${IMPORT} | cut -d: -f1` + CERT_ISSUER=`echo ${IMPORT} | cut -d: -f2` + CERT_TRUST=`echo ${IMPORT} | cut -d: -f3` + + if [ "${CERT_ISSUER}" = "x" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.cert + CERT_FILE="${QADIR}/libpkix/certs/${CERT}" + elif [ "${CERT_ISSUER}" = "d" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.der + CERT_FILE="../OCSPD/${CERT}" + else + CERT=${CERT_NICK}${CERT_ISSUER}.der + CERT_FILE=${CERT} + fi + + IS_ASCII=`grep -c -- "-----BEGIN CERTIFICATE-----" ${CERT_FILE}` + + ASCII_OPT= + if [ "${IS_ASCII}" -gt 0 ]; then + ASCII_OPT="-a" + fi + + TESTNAME="Importing certificate ${CERT} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}" + ${BINDIR}/certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t "${CERT_TRUST}" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +import_crl() +{ + IMPORT=$1 + DB=$2 + + CRL_NICK=`echo ${IMPORT} | cut -d: -f1` + CRL_FILE=${CRL_NICK}.crl + + if [ ! -f "${CRL_FILE}" ]; then + return + fi + + TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}" + ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +create_crl() +{ + ISSUER=$1 + ISSUER_DB=${ISSUER}DB + + CRL=${ISSUER}.crl + + DATE=$(date -u '+%Y%m%d%H%M%SZ') + DATE_LAST="${DATE}" + + UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ') + + echo "update=${DATE}" > ${CRL_DATA} + echo "nextupdate=${UPDATE}" >> ${CRL_DATA} + + TESTNAME="Create CRL for ${ISSUER_DB}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}" + echo "=== Crlutil input data ===" + cat ${CRL_DATA} + echo "===" + ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +revoke_cert() +{ + ISSUER=$1 + ISSUER_DB=${ISSUER}DB + + CRL=${ISSUER}.crl + + set_cert_sn + + DATE=$(date -u '+%Y%m%d%H%M%SZ') + while [ "${DATE}" = "${DATE_LAST}" ]; do + sleep 1 + DATE=$(date -u '+%Y%m%d%H%M%SZ') + done + DATE_LAST="${DATE}" + + echo "update=${DATE}" > ${CRL_DATA} + echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA} + + TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}" + echo "=== Crlutil input data ===" + cat ${CRL_DATA} + echo "===" + ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +######################################################################## +# List of global variables related to certificate verification: +# +# Generated by parse_config: +# DB - DB used for testing +# FETCH - fetch flag (used with AIA extension) +# POLICY - list of policies +# TRUST - trust anchor +# TRUST_AND_DB - Examine both trust anchors and the cert db for trust +# VERIFY - list of certificates to use as vfychain parameters +# EXP_RESULT - expected result +# REV_OPTS - revocation options +######################################################################## + +############################# verify_cert ############################## +# local shell function to verify certificate validity +######################################################################## +verify_cert() +{ + ENGINE=$1 + + DB_OPT= + FETCH_OPT= + POLICY_OPT= + TRUST_OPT= + VFY_CERTS= + VFY_LIST= + TRUST_AND_DB_OPT= + + if [ -n "${DB}" ]; then + DB_OPT="-d ${DB}" + fi + + if [ -n "${FETCH}" ]; then + FETCH_OPT="-f" + if [ -z "${NSS_AIA_HTTP}" ]; then + echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined" + return + fi + fi + + if [ -n "${TRUST_AND_DB}" ]; then + TRUST_AND_DB_OPT="-T" + fi + + for ITEM in ${POLICY}; do + POLICY_OPT="${POLICY_OPT} -o ${ITEM}" + done + + for ITEM in ${TRUST}; do + echo ${ITEM} | grep ":" > /dev/null + if [ $? -eq 0 ]; then + CERT_NICK=`echo ${ITEM} | cut -d: -f1` + CERT_ISSUER=`echo ${ITEM} | cut -d: -f2` + CERT=${CERT_NICK}${CERT_ISSUER}.der + + TRUST_OPT="${TRUST_OPT} -t ${CERT}" + else + TRUST_OPT="${TRUST_OPT} -t ${ITEM}" + fi + done + + for ITEM in ${VERIFY}; do + CERT_NICK=`echo ${ITEM} | cut -d: -f1` + CERT_ISSUER=`echo ${ITEM} | cut -d: -f2` + + if [ "${CERT_ISSUER}" = "x" ]; then + CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert" + VFY_CERTS="${VFY_CERTS} ${CERT}" + VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert" + elif [ "${CERT_ISSUER}" = "d" ]; then + CERT="../OCSPD/${CERT_NICK}.der" + VFY_CERTS="${VFY_CERTS} ${CERT}" + VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert" + else + CERT=${CERT_NICK}${CERT_ISSUER}.der + VFY_CERTS="${VFY_CERTS} ${CERT}" + VFY_LIST="${VFY_LIST} ${CERT}" + fi + done + + VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}" + VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" + + TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "vfychain ${VFY_OPTS_ALL}" + + if [ -z "${MEMLEAK_DBG}" ]; then + VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1) + RESULT=$? + echo "${VFY_OUT}" + else + VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE}) + RESULT=$? + echo "${VFY_OUT}" + fi + + echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null + E5990=$? + echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null + E8030=$? + + if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then + echo "Result of this test is not valid due to network time out." + html_unknown "${SCENARIO}${TESTNAME}" + return + fi + + echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}" + + if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then + html_passed "${SCENARIO}${TESTNAME}" + elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then + html_passed "${SCENARIO}${TESTNAME}" + else + html_failed "${SCENARIO}${TESTNAME}" + fi +} + +check_ocsp() +{ + OCSP_CERT=$1 + + CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1` + CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2` + + if [ "${CERT_ISSUER}" = "x" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.cert + CERT_FILE="${QADIR}/libpkix/certs/${CERT}" + elif [ "${CERT_ISSUER}" = "d" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.der + CERT_FILE="../OCSPD/${CERT}" + else + CERT=${CERT_NICK}${CERT_ISSUER}.der + CERT_FILE=${CERT} + fi + + # sample line: + # URI: "http://ocsp.server:2601" + OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//") + OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/") + + echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20" + tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20 + return $? +} + +############################ parse_result ############################## +# local shell function to process expected result value +# this function was created for case that expected result depends on +# some conditions - in our case type of cert DB +# +# default results are pass and fail +# this function added parsable values in format: +# type1:value1 type2:value2 .... typex:valuex +# +# allowed types are dbm, sql, all (all means all other cases) +# allowed values are pass and fail +# +# if this format is not used, EXP_RESULT will stay unchanged (this also +# covers pass and fail states) +######################################################################## +parse_result() +{ + for RES in ${EXP_RESULT} + do + RESTYPE=$(echo ${RES} | cut -d: -f1) + RESSTAT=$(echo ${RES} | cut -d: -f2) + + if [ "${RESTYPE}" = "${NSS_DEFAULT_DB_TYPE}" -o "${RESTYPE}" = "all" ]; then + EXP_RESULT=${RESSTAT} + break + fi + done +} + +############################ parse_config ############################## +# local shell function to parse and process file containing certificate +# chain configuration and list of tests +######################################################################## +parse_config() +{ + SCENARIO= + LOGNAME= + + while read KEY VALUE + do + case "${KEY}" in + "entity") + ENTITY="${VALUE}" + TYPE= + ISSUER= + CTYPE= + POLICY= + MAPPING= + INHIBIT= + AIA= + CRLDP= + OCSP= + DB= + EMAILS= + EXT_KU= + EXT_NS= + EXT_EKU= + SERIAL= + EXPORT_KEY= + ;; + "type") + TYPE="${VALUE}" + ;; + "issuer") + if [ -n "${ISSUER}" ]; then + if [ -z "${DB}" ]; then + create_entity "${ENTITY}" "${TYPE}" + fi + sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" + fi + + ISSUER="${VALUE}" + POLICY= + MAPPING= + INHIBIT= + AIA= + EXT_KU= + EXT_NS= + EXT_EKU= + ;; + "ctype") + CTYPE="${VALUE}" + ;; + "policy") + POLICY="${POLICY} ${VALUE}" + ;; + "mapping") + MAPPING="${MAPPING} ${VALUE}" + ;; + "inhibit") + INHIBIT="${VALUE}" + ;; + "aia") + AIA="${AIA} ${VALUE}" + ;; + "crldp") + CRLDP="${CRLDP} ${VALUE}" + ;; + "ocsp") + OCSP="${VALUE}" + ;; + "db") + DB="${VALUE}DB" + create_db "${DB}" + ;; + "import") + IMPORT="${VALUE}" + import_cert "${IMPORT}" "${DB}" + import_crl "${IMPORT}" "${DB}" + ;; + "import_key") + IMPORT="${VALUE}" + import_key "${IMPORT}" "${DB}" + ;; + "crl") + ISSUER="${VALUE}" + create_crl "${ISSUER}" + ;; + "revoke") + REVOKE="${VALUE}" + ;; + "serial") + SERIAL="${VALUE}" + ;; + "export_key") + EXPORT_KEY=1 + ;; + "copycrl") + COPYCRL="${VALUE}" + copy_crl "${COPYCRL}" + ;; + "verify") + VERIFY="${VALUE}" + TRUST= + TRUST_AND_DB= + POLICY= + FETCH= + EXP_RESULT= + REV_OPTS= + USAGE_OPT= + ;; + "cert") + VERIFY="${VERIFY} ${VALUE}" + ;; + "testdb") + if [ -n "${VALUE}" ]; then + DB="${VALUE}DB" + else + DB= + fi + ;; + "trust") + TRUST="${TRUST} ${VALUE}" + ;; + "trust_and_db") + TRUST_AND_DB=1 + ;; + "fetch") + FETCH=1 + ;; + "result") + EXP_RESULT="${VALUE}" + parse_result + ;; + "rev_type") + REV_OPTS="${REV_OPTS} -g ${VALUE}" + ;; + "rev_flags") + REV_OPTS="${REV_OPTS} -h ${VALUE}" + ;; + "rev_mtype") + REV_OPTS="${REV_OPTS} -m ${VALUE}" + ;; + "rev_mflags") + REV_OPTS="${REV_OPTS} -s ${VALUE}" + ;; + "scenario") + SCENARIO="${VALUE}: " + + CHAINS_DIR="${HOSTDIR}/chains/${VALUE}" + mkdir -p ${CHAINS_DIR} + cd ${CHAINS_DIR} + + if [ -n "${MEMLEAK_DBG}" ]; then + LOGNAME="libpkix-${VALUE}" + LOGFILE="${LOGDIR}/${LOGNAME}" + fi + + SCEN_CNT=$(expr ${SCEN_CNT} + 1) + ;; + "sleep") + sleep ${VALUE} + ;; + "break") + break + ;; + "check_ocsp") + TESTNAME="Test that OCSP server is reachable" + check_ocsp ${VALUE} + if [ $? -ne 0 ]; then + html_failed "$TESTNAME" + break; + else + html_passed "$TESTNAME" + fi + ;; + "ku") + EXT_KU="${VALUE}" + ;; + "ns") + EXT_NS="${VALUE}" + ;; + "eku") + EXT_EKU="${VALUE}" + ;; + "usage") + USAGE_OPT="-u ${VALUE}" + ;; + "") + if [ -n "${ENTITY}" ]; then + if [ -z "${DB}" ]; then + create_entity "${ENTITY}" "${TYPE}" + fi + sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" + if [ "${TYPE}" = "Bridge" ]; then + create_pkcs7 "${ENTITY}" + fi + if [ -n "${EXPORT_KEY}" ]; then + export_key "${ENTITY}" "${DB}" + fi + ENTITY= + fi + + if [ -n "${VERIFY}" ] && \ + [ -z "$NSS_DISABLE_LIBPKIX" ]; then + verify_cert "-pp" + if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ] && \ + [ -z "$NSS_DISABLE_LIBPKIX" ]; then + verify_cert "" + verify_cert "-p" + fi + VERIFY= + fi + + if [ -n "${REVOKE}" ]; then + revoke_cert "${REVOKE}" "${DB}" + REVOKE= + fi + ;; + *) + if [ `echo ${KEY} | cut -b 1` != "#" ]; then + echo "Configuration error: Unknown keyword ${KEY}" + exit 1 + fi + ;; + esac + done + + if [ -n "${MEMLEAK_DBG}" ]; then + log_parse + html_msg $? 0 "${SCENARIO}Memory leak checking" + fi +} + +process_scenario() +{ + SCENARIO_FILE=$1 + + > ${AIA_FILES} + + parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}" + + while read AIA_FILE + do + rm ${AIA_FILE} 2> /dev/null + done < ${AIA_FILES} + rm ${AIA_FILES} +} + +# process ocspd.cfg separately +chains_ocspd() +{ + process_scenario "ocspd.cfg" +} + +# process ocsp.cfg separately +chains_method() +{ + process_scenario "method.cfg" +} + +############################# chains_main ############################## +# local shell function to process all testing scenarios +######################################################################## +chains_main() +{ + while read LINE + do + [ `echo ${LINE} | cut -b 1` != "#" ] || continue + + [ ${LINE} != 'ocspd.cfg' ] || continue + [ ${LINE} != 'method.cfg' ] || continue + + process_scenario ${LINE} + done < "${CHAINS_SCENARIOS}" +} + +################################ main ################################## + +chains_init +VERIFY_CLASSIC_ENGINE_TOO= +chains_ocspd +VERIFY_CLASSIC_ENGINE_TOO=1 +chains_run_httpserv get +chains_method +chains_stop_httpserv +chains_run_httpserv post +chains_method +chains_stop_httpserv +VERIFY_CLASSIC_ENGINE_TOO= +chains_run_httpserv random +chains_main +chains_stop_httpserv +chains_run_httpserv get-unknown +chains_main +chains_stop_httpserv +chains_cleanup diff --git a/security/nss/tests/chains/ocspd-config/ocspd-certs.sh b/security/nss/tests/chains/ocspd-config/ocspd-certs.sh new file mode 100755 index 000000000..2f7d45898 --- /dev/null +++ b/security/nss/tests/chains/ocspd-config/ocspd-certs.sh @@ -0,0 +1,116 @@ +#!/bin/bash + +DATA_DIR=$1 +OCSP_DIR=$2 +CERT_DIR=$3 + +TEST_PWD="nssnss" +CONF_TEMPLATE="ocspd.conf.template" + +convert_cert() +{ + CERT_NAME=$1 + CERT_SIGNER=$2 + + openssl x509 -in ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der -inform DER -out ${DATA_DIR}/${CERT_NAME}.pem -outform PEM +} + +convert_crl() +{ + CRL_NAME=$1 + + openssl crl -in ${DATA_DIR}/${CRL_NAME}.crl -inform DER -out ${DATA_DIR}/${CRL_NAME}crl.pem -outform PEM +} + +convert_key() +{ + KEY_NAME=$1 + + pk12util -o ${DATA_DIR}/${KEY_NAME}.p12 -n ${KEY_NAME} -d ${DATA_DIR}/${KEY_NAME}DB -k ${DATA_DIR}/${KEY_NAME}DB/dbpasswd -W ${TEST_PWD} + openssl pkcs12 -in ${DATA_DIR}/${KEY_NAME}.p12 -out ${DATA_DIR}/${KEY_NAME}.key.tmp -passin pass:${TEST_PWD} -passout pass:${TEST_PWD} + + STATUS=0 + cat ${DATA_DIR}/${KEY_NAME}.key.tmp | while read LINE; do + echo "${LINE}" | grep "BEGIN ENCRYPTED PRIVATE KEY" > /dev/null && STATUS=1 + [ ${STATUS} -eq 1 ] && echo "${LINE}" + echo "${LINE}" | grep "END ENCRYPTED PRIVATE KEY" > /dev/null && break + done > ${DATA_DIR}/${KEY_NAME}.key + + rm ${DATA_DIR}/${KEY_NAME}.key.tmp +} + +create_conf() +{ + CONF_FILE=$1 + CA=$2 + OCSP=$3 + PORT=$4 + + cat ${CONF_TEMPLATE} | \ + sed "s:@DIR@:${OCSP_DIR}:" | \ + sed "s:@CA_CERT@:${DATA_DIR}/${CA}.pem:" | \ + sed "s:@CA_CRL@:${DATA_DIR}/${CA}crl.pem:" | \ + sed "s:@CA_KEY@:${DATA_DIR}/${CA}.key:" | \ + sed "s:@OCSP_PID@:${OCSP}.pid:" | \ + sed "s:@PORT@:${PORT}:" \ + > ${CONF_FILE} +} + +copy_cert() +{ + CERT_NAME=$1 + CERT_SIGNER=$2 + + cp ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der ${CERT_DIR}/${CERT_NAME}.cert +} + + +copy_key() +{ + KEY_NAME=$1 + + cp ${DATA_DIR}/${KEY_NAME}.p12 ${CERT_DIR}/${KEY_NAME}.p12 +} + +convert_cert OCSPRoot +convert_crl OCSPRoot +convert_key OCSPRoot + +convert_cert OCSPCA1 OCSPRoot +convert_crl OCSPCA1 +convert_key OCSPCA1 + +convert_cert OCSPCA2 OCSPRoot +convert_crl OCSPCA2 +convert_key OCSPCA2 + +convert_cert OCSPCA3 OCSPRoot +convert_crl OCSPCA3 +convert_key OCSPCA3 + +create_conf ocspd0.conf OCSPRoot ocspd0 2600 +create_conf ocspd1.conf OCSPCA1 ocspd1 2601 +create_conf ocspd2.conf OCSPCA2 ocspd2 2602 +create_conf ocspd3.conf OCSPCA3 ocspd3 2603 + +copy_cert OCSPRoot +copy_cert OCSPCA1 OCSPRoot +copy_cert OCSPCA2 OCSPRoot +copy_cert OCSPCA3 OCSPRoot +copy_cert OCSPEE11 OCSPCA1 +copy_cert OCSPEE12 OCSPCA1 +copy_cert OCSPEE13 OCSPCA1 +copy_cert OCSPEE14 OCSPCA1 +copy_cert OCSPEE15 OCSPCA1 +copy_cert OCSPEE21 OCSPCA2 +copy_cert OCSPEE22 OCSPCA2 +copy_cert OCSPEE23 OCSPCA2 +copy_cert OCSPEE31 OCSPCA3 +copy_cert OCSPEE32 OCSPCA3 +copy_cert OCSPEE33 OCSPCA3 + +copy_key OCSPRoot +copy_key OCSPCA1 +copy_key OCSPCA2 +copy_key OCSPCA3 + diff --git a/security/nss/tests/chains/ocspd-config/ocspd.conf.template b/security/nss/tests/chains/ocspd-config/ocspd.conf.template new file mode 100644 index 000000000..456c74a16 --- /dev/null +++ b/security/nss/tests/chains/ocspd-config/ocspd.conf.template @@ -0,0 +1,46 @@ +[ ocspd ] + +default_ocspd = OCSPD_default + +[ OCSPD_default ] + +dir = @DIR@ +db = $dir/index.txt +md = sha1 + +ca_certificate = $dir/@CA_CERT@ +ocspd_certificate = $dir/@CA_CERT@ +ocspd_key = $dir/@CA_KEY@ +pidfile = $dir/@OCSP_PID@ + +user = nobody +group = nobody + +bind = * +port = @PORT@ + +max_req_size = 8192 +threads_num = 150 +max_timeout_secs = 5 +crl_auto_reload = 3600 +crl_check_validity = 600 +crl_reload_expired = yes +response = ocsp_response +dbms = dbms_file + +[ ocsp_response ] + +dir = @DIR@ +next_update_days = 0 +next_update_mins = 5 + +[ dbms_file ] + +0.ca = @first_ca + +[ first_ca ] + +crl_url = file:///@DIR@/@CA_CRL@ +ca_url = file:///@DIR@/@CA_CERT@ +server_cert = file:///@DIR@/@CA_CERT@ + diff --git a/security/nss/tests/chains/ocspd-config/readme b/security/nss/tests/chains/ocspd-config/readme new file mode 100644 index 000000000..5069af6fe --- /dev/null +++ b/security/nss/tests/chains/ocspd-config/readme @@ -0,0 +1,3 @@ +OBSOLETE + +tests have been changed to use a local ocsp server (using httpserv) diff --git a/security/nss/tests/chains/scenarios/aia.cfg b/security/nss/tests/chains/scenarios/aia.cfg new file mode 100644 index 000000000..df3b1ef02 --- /dev/null +++ b/security/nss/tests/chains/scenarios/aia.cfg @@ -0,0 +1,35 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario AIA + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + +entity CA2 + type Intermediate + issuer CA1 + aia CA1:Root + +entity User + type EE + issuer CA2 + +testdb User + +verify User:CA2 + cert CA2:CA1 + trust Root: + result fail + +verify User:CA2 + cert CA2:CA1 + trust Root: + fetch + result pass + diff --git a/security/nss/tests/chains/scenarios/anypolicy.cfg b/security/nss/tests/chains/scenarios/anypolicy.cfg new file mode 100644 index 000000000..fd647ad23 --- /dev/null +++ b/security/nss/tests/chains/scenarios/anypolicy.cfg @@ -0,0 +1,77 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario AnyPolicy + +entity RootCA + type Root + +entity CA1 + type Intermediate + issuer RootCA + policy any + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.0 + inhibit 0 + +entity CA3 + type Intermediate + issuer CA1 + policy OID.1.0 + +entity User1 + type EE + issuer CA2 + policy OID.1.0 + +entity User2 + type EE + issuer CA2 + policy any + +entity User3 + type EE + issuer CA3 + policy any + +db All + +import RootCA:: +import CA1:RootCA: +import CA2:CA1: +import CA3:CA1: + +verify User1:CA2 + trust RootCA + policy OID.1.0 + result pass + +verify User1:CA2 + trust RootCA + policy OID.2.0 + result fail + +verify User2:CA2 + trust RootCA + policy OID.1.0 + result fail + +verify User2:CA2 + trust RootCA + policy OID.2.0 + result fail + +verify User3:CA3 + trust RootCA + policy OID.1.0 + result pass + +verify User3:CA3 + trust RootCA + policy OID.2.0 + result fail + diff --git a/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg new file mode 100644 index 000000000..9dd84a797 --- /dev/null +++ b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg @@ -0,0 +1,399 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario AnyPolicyWithLevel + +entity RootCA + type Root + +entity CA1 + type Intermediate + issuer RootCA + policy any + inhibit 1 + +entity CA12 + type Intermediate + issuer CA1 + policy any + +entity CA13 + type Intermediate + issuer CA12 + policy OID.1.0 + +entity EE1 + type EE + issuer CA13 + policy OID.1.0 + +entity CA22 + type Intermediate + issuer CA1 + policy any + +entity CA23 + type Intermediate + issuer CA22 + policy any + +entity EE2 + type EE + issuer CA23 + policy OID.1.0 + +entity CA32 + type Intermediate + issuer CA1 + policy any + inhibit 1 + +entity CA33 + type Intermediate + issuer CA32 + policy any + +entity EE3 + type EE + issuer CA33 + policy OID.1.0 + +entity CA42 + type Intermediate + issuer CA1 + policy any + policy OID.1.0 + +entity CA43 + type Intermediate + issuer CA42 + policy any + policy OID.1.0 + +entity EE4 + type EE + issuer CA43 + policy OID.1.0 + +entity CA52 + type Intermediate + issuer CA1 + policy any + policy OID.1.0 + +entity CA53 + type Intermediate + issuer CA52 + policy any + +entity EE5 + type EE + issuer CA53 + policy OID.1.0 + +entity CA61 + type Intermediate + issuer RootCA + policy any + inhibit 5 + +entity CA62 + type Intermediate + issuer CA61 + policy any + +entity EE62 + type EE + issuer CA62 + policy OID.1.0 + +entity CA63 + type Intermediate + issuer CA62 + policy any + +entity EE63 + type EE + issuer CA63 + policy OID.1.0 + +entity CA64 + type Intermediate + issuer CA63 + policy any + +entity EE64 + type EE + issuer CA64 + policy OID.1.0 + +entity CA65 + type Intermediate + issuer CA64 + policy any + +entity EE65 + type EE + issuer CA65 + policy OID.1.0 + +entity CA66 + type Intermediate + issuer CA65 + policy any + +entity EE66 + type EE + issuer CA66 + policy OID.1.0 + +entity CA67 + type Intermediate + issuer CA66 + policy any + +entity EE67 + type EE + issuer CA67 + policy OID.1.0 + +db All + +verify EE1:CA13 + cert RootCA: + cert CA1:RootCA + cert CA12:CA1 + cert CA13:CA12 + trust RootCA: + policy OID.1.0 + result pass + +verify EE1:CA13 + cert RootCA: + cert CA1:RootCA + cert CA12:CA1 + cert CA13:CA12 + trust RootCA: + policy OID.2.0 + result fail + +verify EE1:CA13 + cert RootCA: + cert CA1:RootCA + cert CA12:CA1 + cert CA13:CA12 + trust RootCA: + policy OID.2.5.29.32.0 + result pass + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + policy OID.1.0 + result fail + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + policy OID.2.0 + result fail + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + policy OID.2.5.29.32.0 + result fail + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + result pass + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + policy OID.1.0 + result fail + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + policy OID.2.0 + result fail + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + policy OID.2.5.29.32.0 + result fail + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + result pass + +verify EE4:CA43 + cert RootCA: + cert CA1:RootCA + cert CA42:CA1 + cert CA43:CA42 + trust RootCA: + policy OID.1.0 + result pass + +verify EE4:CA43 + cert RootCA: + cert CA1:RootCA + cert CA42:CA1 + cert CA43:CA42 + trust RootCA: + policy OID.2.0 + result fail + +verify EE4:CA43 + cert RootCA: + cert CA1:RootCA + cert CA42:CA1 + cert CA43:CA42 + trust RootCA: + policy OID.2.5.29.32.0 + result pass + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + policy OID.1.0 + result fail + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + policy OID.2.0 + result fail + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + policy OID.2.5.29.32.0 + result fail + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + result pass + +verify EE62:CA62 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE63:CA63 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE64:CA64 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE65:CA65 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE66:CA66 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE67:CA67 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result fail + diff --git a/security/nss/tests/chains/scenarios/bridge.cfg b/security/nss/tests/chains/scenarios/bridge.cfg new file mode 100644 index 000000000..14dba6adc --- /dev/null +++ b/security/nss/tests/chains/scenarios/bridge.cfg @@ -0,0 +1,106 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario Bridge + +entity Army + type Root + +entity Navy + type Root + +entity Bridge + type Bridge + issuer Army + issuer Navy + +entity User + type EE + issuer Bridge + +db All + +import Army:: +import Navy:: + +verify User:Bridge + cert Bridge:Navy + trust Navy + result pass + +verify User:Bridge + cert Bridge:Army + trust Army + result pass + +verify User:Bridge + cert Bridge:Navy + trust Army + result fail + +import Bridge:Army: +import Bridge:Navy: + +verify User:Bridge + trust Army + result pass + +verify User:Bridge + trust Navy + result pass + +db ArmyOnly + +import Army::C,, + +verify User:Bridge + result fail + +verify User:Bridge + cert Bridge:Navy + result fail + +verify User:Bridge + cert Bridge:Navy + cert Navy: + result fail + +verify User:Bridge + cert Bridge:Navy + cert Navy: + trust Navy: + result pass + +verify User:Bridge + cert Bridge:Navy + trust Navy: + result pass + +db NavyOnly + +import Navy::C,, + +verify User:Bridge + result fail + +verify User:Bridge + cert Bridge:Army + result fail + +verify User:Bridge + cert Bridge:Army + cert Army: + result fail + +verify User:Bridge + cert Bridge:Army + cert Army: + trust Army: + result pass + +verify User:Bridge + cert Bridge:Army + trust Army: + result pass + diff --git a/security/nss/tests/chains/scenarios/bridgewithaia.cfg b/security/nss/tests/chains/scenarios/bridgewithaia.cfg new file mode 100644 index 000000000..640edb87a --- /dev/null +++ b/security/nss/tests/chains/scenarios/bridgewithaia.cfg @@ -0,0 +1,54 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario BridgeWithAIA + +entity Army + type Root + +entity Navy + type Root + +entity Bridge + type Bridge + issuer Army + issuer Navy + +entity CA1 + type Intermediate + issuer Bridge + aia Bridge + +entity EE1 + type EE + issuer CA1 + +testdb EE1 + +verify EE1:CA1 + cert CA1:Bridge + trust Army: + result fail + +verify EE1:CA1 + cert CA1:Bridge + trust Army: + fetch +# should pass, bug 435314 +# temporary result - test fails only with dbm cert db + result dbm:fail all:pass + +verify EE1:CA1 + cert CA1:Bridge + trust Navy: + fetch + result pass + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:Army + trust Navy: + fetch + result pass + diff --git a/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg new file mode 100644 index 000000000..914828ea1 --- /dev/null +++ b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg @@ -0,0 +1,89 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario BridgeWithHalfAIA + +entity Army + type Root + +entity Navy + type Root + +entity Bridge + type Bridge + issuer Army + issuer Navy + +entity CA1 + type Intermediate + issuer Bridge + aia Bridge + +entity EE1 + type EE + issuer CA1 + +entity CA2 + type Intermediate + issuer Bridge + aia Bridge:Navy + +entity EE2 + type EE + issuer CA2 + +testdb EE1 + +verify EE1:CA1 + cert CA1:Bridge + trust Army: + result fail + +verify EE1:CA1 + cert CA1:Bridge + trust Army: + fetch +# should pass, bug 435314 +# temporary result - test fails only with dbm cert db + result dbm:fail all:pass + +verify EE1:CA1 + cert CA1:Bridge + trust Navy: + fetch + result pass + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:Army + trust Navy: + fetch + result pass + +verify EE2:CA2 + cert Bridge:Army + trust Army: + fetch + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:Army + trust Army: + fetch + result pass + +verify EE2:CA2 + cert CA2:Bridge + trust Navy: + fetch + result pass + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:Army + trust Navy: + fetch + result pass + diff --git a/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg new file mode 100644 index 000000000..f7554cabc --- /dev/null +++ b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg @@ -0,0 +1,187 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario BridgeWithPolicyExtensionAndMapping + +entity Army + type Root + +entity Navy + type Root + +entity CAArmy + type Intermediate + issuer Army + policy OID.1.0 + policy OID.1.1 + +entity CANavy + type Intermediate + issuer Navy + policy OID.2.0 + policy OID.2.1 + +entity Bridge + type Bridge + issuer CAArmy + policy OID.1.0 + policy OID.1.1 + mapping OID.1.1:OID.2.1 + issuer CANavy + policy OID.2.0 + policy OID.2.1 + mapping OID.2.1:OID.1.1 + +entity CA1 + type Intermediate + issuer Bridge + policy OID.1.1 + policy OID.2.1 + +entity CA2 + type Intermediate + issuer Bridge + policy OID.1.0 + policy OID.2.0 + +entity EE1 + type EE + issuer CA1 + policy OID.2.1 + +entity EE2 + type EE + issuer CA2 + policy OID.2.0 + +testdb + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.1.0 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.1.1 + result pass + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.2.0 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.2.1 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.1.0 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.1.1 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.2.0 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.2.1 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.1.0 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.1.1 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.2.0 + result pass + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.2.1 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.1.0 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.1.1 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.2.0 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.2.1 + result fail + diff --git a/security/nss/tests/chains/scenarios/crldp.cfg b/security/nss/tests/chains/scenarios/crldp.cfg new file mode 100644 index 000000000..a9949ae40 --- /dev/null +++ b/security/nss/tests/chains/scenarios/crldp.cfg @@ -0,0 +1,105 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario CRLDP + +entity Root + type Root + +entity CA0 + type Intermediate + issuer Root + +entity CA1 + type Intermediate + crldp CA0 + issuer CA0 + serial 10 + aia CA0:Root + +entity EE11 + type EE + crldp CA0 + issuer CA1 + +entity CA2 + type Intermediate + crldp CA0 + issuer CA0 + serial 20 + aia CA0:Root + +entity EE21 + type EE + issuer CA2 + +entity EE1 + type EE + crldp CA0 + issuer CA0 + serial 30 + aia CA0:Root + +entity EE2 + type EE + crldp CA0 + issuer CA0 + serial 40 + aia CA0:Root + +crl Root +crl CA0 +crl CA1 +crl CA2 + +revoke CA0 + serial 20 + +revoke CA0 + serial 40 + +copycrl CA0 + +db All + +import Root::CTu,CTu,CTu + +# intermediate CA - OK, EE - OK +verify EE11:CA1 + cert CA1:CA0 + trust Root: + fetch + rev_type chain + rev_flags requireFreshInfo + rev_mtype crl + result pass + +# intermediate CA - revoked, EE - OK +verify EE21:CA2 + cert CA2:CA0 + trust Root: + fetch + rev_type chain + rev_flags requireFreshInfo + rev_mtype crl + result fail + +# direct EE - OK +verify EE1:CA0 + trust Root: + fetch + rev_type leaf + rev_flags requireFreshInfo + rev_mtype crl + result pass + +# direct EE - revoked +verify EE2:CA0 + trust Root: + fetch + rev_type leaf + rev_flags requireFreshInfo + rev_mtype crl + result fail + diff --git a/security/nss/tests/chains/scenarios/dsa.cfg b/security/nss/tests/chains/scenarios/dsa.cfg new file mode 100644 index 000000000..896e455fe --- /dev/null +++ b/security/nss/tests/chains/scenarios/dsa.cfg @@ -0,0 +1,72 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario DSA + +entity Root + type Root + ctype dsa + +entity CA1 + type Intermediate + issuer Root + ctype dsa + +entity EE1 + type EE + issuer CA1 + ctype dsa + +entity CA2 + type Intermediate + issuer Root + ctype dsa + +entity EE2 + type EE + issuer CA2 + ctype rsa + +entity CA3 + type Intermediate + issuer Root + ctype rsa + +entity EE3 + type EE + issuer CA3 + ctype dsa + +entity CA4 + type Intermediate + issuer Root + ctype rsa + +entity EE4 + type EE + issuer CA4 + ctype rsa + +db All + +verify EE1:CA1 + cert CA1:Root + trust Root: + result pass + +verify EE2:CA2 + cert CA2:Root + trust Root: + result pass + +verify EE3:CA3 + cert CA3:Root + trust Root: + result pass + +verify EE4:CA4 + cert CA4:Root + trust Root: + result pass + diff --git a/security/nss/tests/chains/scenarios/explicitPolicy.cfg b/security/nss/tests/chains/scenarios/explicitPolicy.cfg new file mode 100644 index 000000000..20f79c45b --- /dev/null +++ b/security/nss/tests/chains/scenarios/explicitPolicy.cfg @@ -0,0 +1,78 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario explicitPolicy + +entity Root + type Root + +entity nonEVCA + type Intermediate + issuer Root + +entity EVCA + type Intermediate + issuer Root + policy OID.1.0 + +entity otherEVCA + type Intermediate + issuer Root + policy OID.2.0 + +entity validEV + type EE + issuer EVCA + policy OID.1.0 + +entity invalidEV + type EE + issuer nonEVCA + policy OID.1.0 + +entity wrongEVOID + type EE + issuer otherEVCA + policy OID.1.0 + +db All + +verify validEV:EVCA + cert EVCA:Root + cert Root: + trust Root: + policy OID.1.0 + result pass + +verify invalidEV:nonEVCA + cert nonEVCA:Root + cert Root: + trust Root: + policy OID.1.0 + result fail + +verify wrongEVOID:otherEVCA + cert otherEVCA:Root + cert Root: + trust Root: + policy OID.1.0 + result fail + +import Root::C,C,C + +verify validEV:EVCA + cert EVCA:Root + policy OID.1.0 + result pass + +verify invalidEV:nonEVCA + cert nonEVCA:Root + policy OID.1.0 + result fail + +verify wrongEVOID:otherEVCA + cert otherEVCA:Root + policy OID.1.0 + result fail + diff --git a/security/nss/tests/chains/scenarios/extension.cfg b/security/nss/tests/chains/scenarios/extension.cfg new file mode 100644 index 000000000..fd1c3a0da --- /dev/null +++ b/security/nss/tests/chains/scenarios/extension.cfg @@ -0,0 +1,102 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario Extension + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + policy OID.1.0 + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.0 + +entity User + type EE + issuer CA2 + policy OID.1.0 + +db All + +verify User:CA2 + cert CA2:CA1 + cert CA1:Root + cert Root: + trust Root: + policy OID.1.0 + result pass + +verify User:CA2 + cert CA2:CA1 + cert CA1:Root + cert Root: + trust Root: + policy OID.2.0 + result fail + +verify User:CA2 + cert CA2:CA1 + cert CA1:Root + trust CA1:Root + policy OID.1.0 + result pass + +verify User:CA2 + cert CA2:CA1 + cert CA1:Root + trust CA1:Root + policy OID.2.0 + result fail + +verify User:CA2 + cert CA2:CA1 + trust CA2:CA1 + policy OID.1.0 + result pass + +verify User:CA2 + cert CA2:CA1 + trust CA2:CA1 + policy OID.2.0 + result fail + +import Root:: +import CA1:Root: +import CA2:CA1: + +verify User:CA2 + trust Root + policy OID.1.0 + result pass + +verify User:CA2 + trust Root + policy OID.2.0 + result fail + +verify User:CA2 + trust CA1 + policy OID.1.0 + result pass + +verify User:CA2 + trust CA1 + policy OID.2.0 + result fail + +verify User:CA2 + trust CA2 + policy OID.1.0 + result pass + +verify User:CA2 + trust CA2 + policy OID.2.0 + result fail + diff --git a/security/nss/tests/chains/scenarios/extension2.cfg b/security/nss/tests/chains/scenarios/extension2.cfg new file mode 100644 index 000000000..9a6a7cd2d --- /dev/null +++ b/security/nss/tests/chains/scenarios/extension2.cfg @@ -0,0 +1,140 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario Extension2 + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + policy OID.1.0 + policy OID.2.0 + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.0 + policy OID.2.0 + +entity User1 + type EE + issuer CA2 + policy OID.1.0 + +entity User2 + type EE + issuer CA2 + policy OID.1.0 + policy OID.2.0 + +db All + +verify User1:CA2 + cert CA2:CA1 + cert CA1:Root + cert Root: + trust Root: + policy OID.1.0 + result pass + +verify User1:CA2 + cert CA2:CA1 + cert CA1:Root + cert Root: + trust Root: + policy OID.2.0 + result fail + +verify User1:CA2 + cert CA2:CA1 + cert CA1:Root + trust CA1:Root + policy OID.1.0 + result pass + +verify User1:CA2 + cert CA2:CA1 + cert CA1:Root + trust CA1:Root + policy OID.2.0 + result fail + +verify User1:CA2 + cert CA2:CA1 + trust CA2:CA1 + policy OID.1.0 + result pass + +verify User1:CA2 + cert CA2:CA1 + trust CA2:CA1 + policy OID.2.0 + result fail + +import Root:: +import CA1:Root: +import CA2:CA1: + +verify User1:CA2 + trust Root + policy OID.1.0 + result pass + +verify User1:CA2 + trust Root + policy OID.2.0 + result fail + +verify User1:CA2 + trust CA1 + policy OID.1.0 + result pass + +verify User1:CA2 + trust CA1 + policy OID.2.0 + result fail + +verify User1:CA2 + trust CA2 + policy OID.1.0 + result pass + +verify User1:CA2 + trust CA2 + policy OID.2.0 + result fail + +verify User2:CA2 + trust Root + policy OID.1.0 + result pass + +verify User2:CA2 + trust Root + policy OID.2.0 + result pass + +verify User2:CA2 + trust CA1 + policy OID.1.0 + result pass + +verify User2:CA2 + trust CA1 + policy OID.2.0 + result pass + +verify User2:CA2 + trust CA2 + policy OID.1.0 + result pass + +verify User2:CA2 + trust CA2 + policy OID.2.0 + result pass + diff --git a/security/nss/tests/chains/scenarios/mapping.cfg b/security/nss/tests/chains/scenarios/mapping.cfg new file mode 100644 index 000000000..d4e4a296d --- /dev/null +++ b/security/nss/tests/chains/scenarios/mapping.cfg @@ -0,0 +1,63 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario Mapping + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + policy OID.1.0 + mapping OID.1.0:OID.1.1 + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.1 + +entity User + type EE + issuer CA2 + policy OID.1.1 + +db All + +import Root:: +import CA1:Root: +import CA2:CA1: + +verify User:CA2 + trust Root + policy OID.1.0 +# should fail, bug 430859 + result pass + +verify User:CA2 + trust Root + policy OID.1.1 +# should pass, bug 430859 + result fail + +verify User:CA2 + trust CA1 + policy OID.1.0 + result fail + +verify User:CA2 + trust CA1 + policy OID.1.1 + result pass + +verify User:CA2 + trust CA2 + policy OID.1.0 + result fail + +verify User:CA2 + trust CA2 + policy OID.1.1 + result pass + diff --git a/security/nss/tests/chains/scenarios/mapping2.cfg b/security/nss/tests/chains/scenarios/mapping2.cfg new file mode 100644 index 000000000..cae1daf07 --- /dev/null +++ b/security/nss/tests/chains/scenarios/mapping2.cfg @@ -0,0 +1,71 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario Mapping2 + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + policy OID.1.0 + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.0 + mapping OID.1.0:OID.1.1 + +entity CA3 + type Intermediate + issuer CA2 + policy OID.1.1 + +entity User + type EE + issuer CA3 + policy OID.1.1 + +db All + +import Root:: +import CA1:Root: +import CA2:CA1: +import CA3:CA2: + +verify User:CA3 + trust Root + policy OID.1.0 +# should fail, bug 430859 + result pass + +verify User:CA3 + trust Root + policy OID.1.1 +# should pass, bug 430859 + result fail + +verify User:CA3 + trust CA1 + policy OID.1.0 +# should fail, bug 430859 + result pass + +verify User:CA3 + trust CA1 + policy OID.1.1 +# should pass, bug 430859 + result fail + +verify User:CA3 + trust CA2 + policy OID.1.0 + result fail + +verify User:CA3 + trust CA2 + policy OID.1.1 + result pass + diff --git a/security/nss/tests/chains/scenarios/megabridge_3_2.cfg b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg new file mode 100644 index 000000000..f1d4545fc --- /dev/null +++ b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg @@ -0,0 +1,130 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario MegaBridge_3_2 + +entity Root1 + type Root + +entity Root2 + type Root + +entity Root3 + type Root + +entity Root4 + type Root + +entity Root5 + type Root + +entity Root6 + type Root + +entity Root7 + type Root + +entity Root8 + type Root + +entity Root9 + type Root + +entity Bridge11 + type Bridge + issuer Root1 + issuer Root2 + issuer Root3 + +entity Bridge12 + type Bridge + issuer Root4 + issuer Root5 + issuer Root6 + +entity Bridge13 + type Bridge + issuer Root7 + issuer Root8 + issuer Root9 + +entity Bridge21 + type Bridge + issuer Bridge11 + issuer Bridge12 + issuer Bridge13 + +entity CA1 + type Intermediate + issuer Bridge21 + +entity EE1 + type EE + issuer CA1 + +testdb EE1 + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge11 + cert Bridge11:Root1 + trust Root1: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge11 + cert Bridge11:Root2 + trust Root2: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge11 + cert Bridge11:Root3 + trust Root3: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge12 + cert Bridge12:Root4 + trust Root4: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge12 + cert Bridge12:Root5 + trust Root5: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge12 + cert Bridge12:Root6 + trust Root6: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge13 + cert Bridge13:Root7 + trust Root7: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge13 + cert Bridge13:Root8 + trust Root8: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge13 + cert Bridge13:Root9 + trust Root9: + result pass + diff --git a/security/nss/tests/chains/scenarios/method.cfg b/security/nss/tests/chains/scenarios/method.cfg new file mode 100644 index 000000000..4223c39cc --- /dev/null +++ b/security/nss/tests/chains/scenarios/method.cfg @@ -0,0 +1,25 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario Method + +check_ocsp OCSPEE11OCSPCA1:d + +testdb ../OCSPD/Client + +#EE - OK, CA - OK +verify OCSPEE11OCSPCA1:d + cert OCSPCA1OCSPRoot:d + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result pass + +#EE - revoked, CA - OK +verify OCSPEE12OCSPCA1:d + cert OCSPCA1OCSPRoot:d + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result fail diff --git a/security/nss/tests/chains/scenarios/nameconstraints.cfg b/security/nss/tests/chains/scenarios/nameconstraints.cfg new file mode 100644 index 000000000..6eda441ce --- /dev/null +++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg @@ -0,0 +1,161 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario TrustAnchors + +db trustanchors + +import NameConstraints.ca:x:CT,C,C +# Name Constrained CA: Name constrained to permited DNSName ".example" +import NameConstraints.ncca:x:CT,C,C +import NameConstraints.dcisscopy:x:CT,C,C + +# Intermediate 1: Name constrained to permited DNSName ".example" + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid" +# altDNS: test.invalid +# Fail: CN not in name constraints, altDNS not in name constraints +verify NameConstraints.server1:x + cert NameConstraints.intermediate:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN +# Fail: CN not in name constraints +verify NameConstraints.server2:x + cert NameConstraints.intermediate:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example" +# altDNS: test.example +verify NameConstraints.server3:x + cert NameConstraints.intermediate:x + result pass + +# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints) + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid" +# altDNS: test.invalid +# Fail: CN not in name constraints, altDNS not in name constraints +verify NameConstraints.server4:x + cert NameConstraints.intermediate2:x + cert NameConstraints.intermediate:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN +# Fail: CN not in name constraints +verify NameConstraints.server5:x + cert NameConstraints.intermediate2:x + cert NameConstraints.intermediate:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example" +# altDNS: test.example +verify NameConstraints.server6:x + cert NameConstraints.intermediate2:x + cert NameConstraints.intermediate:x + result pass + +# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3" +# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo" +# and a permitted DNSName of "foo.example" + +# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2" +# No name constraints present +# Signed by Intermediate 3 (inherits name constraints) + +# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN +verify NameConstraints.server7:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result pass + +# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN +verify NameConstraints.server8:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result pass + +# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN +# Fail: ST is missing in the DirectoryName, thus not matching name constraints +verify NameConstraints.server9:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result fail + +# Subject: "C=US, ST=CA, O=Foo, CN=bar.example" +# Fail: CN not in name constraints +verify NameConstraints.server10:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result fail + +# Subject: "C=US, ST=CA, O=Foo, CN=site.example" +# altDNS:foo.example +# Pass: Ignores CN constraint name violation because SAN is present +verify NameConstraints.server11:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result pass + +# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed" +# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped' +verify NameConstraints.server12:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result fail + +# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2" +# No name constraints present +# Signed by Intermediate 3. +# Intermediate 5's subject is not in Intermediate 3's permitted +# names, so all certs issued by it are invalid. + +# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example" +# Fail: Org matches Intermediate 5's name constraints, but does not match +# Intermediate 3' name constraints +verify NameConstraints.server13:x + cert NameConstraints.intermediate5:x + cert NameConstraints.intermediate3:x + result fail + +# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example" +# Fail: Matches Intermediate 5's name constraints, but fails because +# Intermediate 5 does not match Intermediate 3's name constraints +verify NameConstraints.server14:x + cert NameConstraints.intermediate5:x + cert NameConstraints.intermediate3:x + result fail + +# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6" +# No name constraints present +# Signed by Named Constrained CA (inherits root name constraints) + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid" +# altDNS: testfoo.invalid +# Fail: CN not in name constraints, altDNS not in name constraints +verify NameConstraints.server15:x + cert NameConstraints.intermediate6:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN +# Fail: CN not in name constraints +verify NameConstraints.server16:x + cert NameConstraints.intermediate6:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example" +# altDNS: test4.example +verify NameConstraints.server17:x + cert NameConstraints.intermediate6:x + result pass + +# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com" +verify NameConstraints.dcissblocked:x + result fail + +# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr" +verify NameConstraints.dcissallowed:x + result pass + + diff --git a/security/nss/tests/chains/scenarios/ocsp.cfg b/security/nss/tests/chains/scenarios/ocsp.cfg new file mode 100644 index 000000000..cdfff89fe --- /dev/null +++ b/security/nss/tests/chains/scenarios/ocsp.cfg @@ -0,0 +1,177 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario OCSP + +check_ocsp OCSPEE11OCSPCA1:d + +db OCSPRoot +import OCSPRoot:d:CT,C,C + +db OCSPCA1 +import_key OCSPCA1 + +crl OCSPCA1 + +revoke OCSPCA1 + serial 3 + +revoke OCSPCA1 + serial 4 + +testdb OCSPRoot + +#EE - OK, CA - OK +verify OCSPEE11OCSPCA1:d + cert OCSPCA1OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result pass + +#EE - revoked, CA - OK +verify OCSPEE12OCSPCA1:d + cert OCSPCA1OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - unknown +verify OCSPEE15OCSPCA1:d + cert OCSPCA1OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + result pass + +#EE - unknown, requireFreshInfo +verify OCSPEE15OCSPCA1:d + cert OCSPCA1OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - OK, CA - revoked, leaf, no fresh info +verify OCSPEE21OCSPCA2:d + cert OCSPCA2OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + result pass + +#EE - OK, CA - revoked, leaf, requireFreshInfo +verify OCSPEE21OCSPCA2:d + cert OCSPCA2OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - OK, CA - revoked, chain, requireFreshInfo +verify OCSPEE21OCSPCA2:d + cert OCSPCA2OCSPRoot:d + trust OCSPRoot + rev_type chain + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - OK, CA - unknown +verify OCSPEE31OCSPCA3:d + cert OCSPCA3OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + result pass + +#EE - OK, CA - unknown, requireFreshInfo +verify OCSPEE31OCSPCA3:d + cert OCSPCA3OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - revoked, doNotUse +verify OCSPEE12OCSPCA1:d + cert OCSPCA1OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + rev_mflags doNotUse + result pass + +#EE - revoked, forbidFetching +verify OCSPEE12OCSPCA1:d + cert OCSPCA1OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + rev_mflags forbidFetching + result pass + +#EE - unknown status, failIfNoInfo +verify OCSPEE15OCSPCA1:d + cert OCSPCA1OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + rev_mflags failIfNoInfo + result fail + +#EE - OK, CA - revoked, leaf, failIfNoInfo +verify OCSPEE21OCSPCA2:d + cert OCSPCA2OCSPRoot:d + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + rev_mflags failIfNoInfo + result fail + +testdb OCSPCA1 + +#EE - OK on OCSP, revoked locally - should fail ?? +# two things about this test: crl is not imported into the db and +# cert 13 is not revoked by crl. +verify OCSPEE13OCSPCA1:d + cert OCSPCA1OCSPRoot:d + trust OCSPCA1 + rev_type leaf + rev_flags testLocalInfoFirst + rev_mtype ocsp + result pass + +db OCSPRoot1 +import OCSPRoot:d:CT,C,C + +verify OCSPEE23OCSPCA2:d + cert OCSPCA2OCSPRoot:d + trust OCSPRoot + rev_type chain + rev_mtype ocsp + rev_type leaf + rev_mtype ocsp + result fail + +db OCSPRoot2 +import OCSPRoot:d:T,, + +# bug 527438 +# expected result of this test is FAIL +verify OCSPEE23OCSPCA2:d + cert OCSPCA2OCSPRoot:d + trust OCSPRoot + rev_type chain + rev_mtype ocsp + rev_type leaf + rev_mtype ocsp + result pass + diff --git a/security/nss/tests/chains/scenarios/ocspd.cfg b/security/nss/tests/chains/scenarios/ocspd.cfg new file mode 100644 index 000000000..e48f9068e --- /dev/null +++ b/security/nss/tests/chains/scenarios/ocspd.cfg @@ -0,0 +1,172 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario OCSPD + +#root CA +entity OCSPRoot + type Root + export_key + +#CA - OK +entity OCSPCA1 + type Intermediate + issuer OCSPRoot + serial 1 + ocsp online + export_key + +#CA - revoked +entity OCSPCA2 + type Intermediate + issuer OCSPRoot + serial 2 + ocsp online + export_key + +#CA - unknown status +entity OCSPCA3 + type Intermediate + issuer OCSPRoot + serial 3 + ocsp offline + export_key + +#EE - OK +entity OCSPEE11 + type EE + issuer OCSPCA1 + serial 1 + ocsp online + +#EE - revoked on OCSP +entity OCSPEE12 + type EE + issuer OCSPCA1 + serial 2 + ocsp online + +#EE - revoked on CRL +entity OCSPEE13 + type EE + issuer OCSPCA1 + serial 3 + ocsp online + +#EE - revoked on OCSP and CRL +entity OCSPEE14 + type EE + issuer OCSPCA1 + serial 4 + ocsp online + +#EE - unknown status +entity OCSPEE15 + type EE + issuer OCSPCA1 + serial 5 + ocsp offline + +#EE - valid EE, revoked CA +entity OCSPEE21 + type EE + issuer OCSPCA2 + serial 1 + ocsp online + +#EE - revoked EE, revoked CA +entity OCSPEE22 + type EE + issuer OCSPCA2 + serial 2 + ocsp online + +#EE - revoked EE, CA pointing to invalid OCSP +entity OCSPEE23 + type EE + issuer OCSPCA2 + serial 3 + ocsp offline + +#EE - valid EE, CA pointing to invalid OCSP +entity OCSPEE31 + type EE + issuer OCSPCA3 + serial 1 + ocsp online + +#EE - revoked EE, CA pointing to invalid OCSP +entity OCSPEE32 + type EE + issuer OCSPCA3 + serial 2 + ocsp online + +#EE - EE pointing to invalid OCSP, CA pointing to invalid OCSP +entity OCSPEE33 + type EE + issuer OCSPCA3 + serial 3 + ocsp offline + +crl OCSPRoot + +revoke OCSPRoot + serial 2 + +crl OCSPCA1 + +revoke OCSPCA1 + serial 2 + +revoke OCSPCA1 + serial 4 + +crl OCSPCA2 + +revoke OCSPCA2 + serial 2 + +revoke OCSPCA2 + serial 3 + +crl OCSPCA3 + +revoke OCSPCA3 + serial 2 + +revoke OCSPCA3 + serial 3 + +# Used for running a single OCSP server (httpserv) instance that can +# handle multiple CAs, e.g.: +# httpserv -p 8641 -d . -f dbpasswd \ +# -A OCSPRoot -C OCSPRoot.crl -A OCSPCA1 -C OCSPCA1.crl \ +# -A OCSPCA2 -C OCSPCA2.crl -A OCSPCA3 -C OCSPCA3.crl +db Server +import OCSPRoot::CT,C,C +import_key OCSPRoot +import_key OCSPCA1 +import_key OCSPCA2 +import_key OCSPCA3 + +# A DB containing all certs, but no keys. +# Useful for manual OCSP client testing, e.g.: +# ocspclnt -d . -S OCSPEE12OCSPCA1 -u s +db Client +import OCSPRoot::CT,C,C +import OCSPCA1OCSPRoot:: +import OCSPCA2OCSPRoot:: +import OCSPCA3OCSPRoot:: +import OCSPEE11OCSPCA1:: +import OCSPEE12OCSPCA1:: +import OCSPEE13OCSPCA1:: +import OCSPEE14OCSPCA1:: +import OCSPEE15OCSPCA1:: +import OCSPEE21OCSPCA2:: +import OCSPEE22OCSPCA2:: +import OCSPEE23OCSPCA2:: +import OCSPEE31OCSPCA3:: +import OCSPEE32OCSPCA3:: +import OCSPEE33OCSPCA3:: diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg new file mode 100644 index 000000000..d2a8c7143 --- /dev/null +++ b/security/nss/tests/chains/scenarios/realcerts.cfg @@ -0,0 +1,29 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario RealCerts + +db All + +import TestCA.ca:x:CT,C,C +import TestUser50:x: +import TestUser51:x: +import PayPalRootCA:x:CT,C,C +import PayPalICA:x: +import PayPalEE:x: +import BrAirWaysBadSig:x: + +verify TestUser50:x + result pass + +verify TestUser51:x + result pass + +verify PayPalEE:x + policy OID.2.16.840.1.114412.1.1 + result pass + +verify BrAirWaysBadSig:x + result fail + diff --git a/security/nss/tests/chains/scenarios/revoc.cfg b/security/nss/tests/chains/scenarios/revoc.cfg new file mode 100644 index 000000000..a4ec78622 --- /dev/null +++ b/security/nss/tests/chains/scenarios/revoc.cfg @@ -0,0 +1,86 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario Revocation + +entity Root + type Root + serial 10 + +entity CA0 + type Intermediate + issuer Root + serial 11 + +entity CA1 + type Intermediate + issuer CA0 + serial 12 + +entity EE11 + type EE + issuer CA1 + serial 13 + +entity EE12 + type EE + issuer CA1 + serial 14 + +entity CA2 + type Intermediate + issuer CA0 + serial 15 + +entity EE21 + type EE + issuer CA2 + serial 16 + +crl Root +crl CA0 +crl CA1 +crl CA2 + +revoke CA1 + serial 14 + +revoke CA0 + serial 15 + +db All + +import Root::CTu,CTu,CTu +import CA0:Root: +import CA1:CA0: +import CA2:CA0: + +# EE11 - not revoked +verify EE11:CA1 + trust Root: + rev_type leaf + rev_mtype crl + result pass + +# EE12 - revoked +verify EE12:CA1 + trust Root: + rev_type leaf + rev_mtype crl + result fail + +# EE11 - CA1 not revoked +verify EE11:CA1 + trust Root: + rev_type chain + rev_mtype crl + result pass + +# EE21 - CA2 revoked +verify EE21:CA2 + trust Root: + rev_type chain + rev_mtype crl + result fail + diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios new file mode 100644 index 000000000..d26c3f92e --- /dev/null +++ b/security/nss/tests/chains/scenarios/scenarios @@ -0,0 +1,24 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +bridge.cfg +megabridge_3_2.cfg +extension.cfg +extension2.cfg +anypolicy.cfg +anypolicywithlevel.cfg +explicitPolicy.cfg +mapping.cfg +mapping2.cfg +aia.cfg +bridgewithaia.cfg +bridgewithhalfaia.cfg +bridgewithpolicyextensionandmapping.cfg +realcerts.cfg +dsa.cfg +revoc.cfg +ocsp.cfg +crldp.cfg +trustanchors.cfg +nameconstraints.cfg diff --git a/security/nss/tests/chains/scenarios/trustanchors.cfg b/security/nss/tests/chains/scenarios/trustanchors.cfg new file mode 100644 index 000000000..db18990ac --- /dev/null +++ b/security/nss/tests/chains/scenarios/trustanchors.cfg @@ -0,0 +1,114 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario TrustAnchors + +entity RootCA + type Root + +entity CA1 + type Intermediate + issuer RootCA + +entity CA2 + type Intermediate + issuer CA1 + +entity EE1 + type EE + issuer CA2 + +entity OtherRoot + type Root + +entity OtherIntermediate + type Intermediate + issuer OtherRoot + +entity EE2 + type EE + issuer OtherIntermediate + +# Scenarios where trust only comes from the DB +db DBOnly + +import RootCA::CT,C,C +import CA1:RootCA: + +# Simple chaining - no trust anchors +verify EE1:CA2 + cert CA2:CA1 + result pass + +# Simple trust anchors - ignore the Cert DB +verify EE1:CA2 + trust CA2:CA1 + result pass + +# Redundant trust - trust anchor and DB +verify EE1:CA2 + cert CA2:CA1 + trust RootCA + result pass + + +# Scenarios where trust only comes from trust anchors +db TrustOnly + +# Simple checking - direct trust anchor +verify EE1:CA2 + cert CA2:CA1 + cert CA1:RootCA: + trust RootCA: + result pass + +# Partial chain (not self-signed), with a trust anchor +verify EE1:CA2 + trust CA2:CA1 + result pass + + +# Scenarios where trust comes from both trust anchors and the DB +db TrustAndDB + +import RootCA::CT,C,C +import CA1:RootCA: + +# Check that trust in the DB works +verify EE1:CA2 + cert CA2:CA1 + result pass + +# Check that trust anchors work +verify EE2:OtherIntermediate + cert OtherIntermediate:OtherRoot + trust OtherRoot: + result pass + +# Check that specifying a trust anchor still allows searching the cert DB +verify EE1:CA2 + trust_and_db + cert CA2:CA1 + trust OtherIntermediate:OtherRoot + trust OtherRoot: + result pass + +# Scenarios where the trust DB has explicitly distrusted one or more certs, +# even when the trust anchors indicate trust +db ExplicitDistrust + +import RootCA::CT,C,C +import CA1:RootCA:p,p,p +import OtherRoot::p,p,p + +# Verify that a distrusted intermediate, but trusted root, is rejected. +verify EE1:CA2 + cert CA2:CA1 + trust CA1:RootCA + result fail + +# Verify that a trusted intermediate, but distrusted root, is accepted. +verify EE2:OtherIntermediate + trust OtherIntermediate:OtherRoot + result pass diff --git a/security/nss/tests/cipher/cipher.sh b/security/nss/tests/cipher/cipher.sh new file mode 100755 index 000000000..1d2561d9c --- /dev/null +++ b/security/nss/tests/cipher/cipher.sh @@ -0,0 +1,140 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/cipher/cipher.sh +# +# Script to test NSS ciphers +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## cipher_init ############################# +# local shell function to initialize this script +######################################################################## +cipher_init() +{ + SCRIPTNAME="cipher.sh" + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" ] ; then + cd ../common + . ./init.sh + fi + SCRIPTNAME="cipher.sh" + html_head "Cipher Tests" + + CIPHERDIR=${HOSTDIR}/cipher + CIPHERTESTDIR=${QADIR}/../cmd/bltest + GCMTESTDIR=${QADIR}/../cmd/pk11gcmtest + D_CIPHER="Cipher.$version" + + CIPHER_TXT=${QADIR}/cipher/cipher.txt + GCM_TXT=${QADIR}/cipher/gcm.txt + + mkdir -p ${CIPHERDIR} + + cd ${CIPHERDIR} + P_CIPHER=. + if [ -n "${MULTIACCESS_DBM}" ]; then + P_CIPHER="multiaccess:${D_CIPHER}" + fi +} + +############################## cipher_main ############################# +# local shell function to test NSS ciphers +######################################################################## +cipher_main() +{ + while read EXP_RET PARAM TESTNAME + do + if [ -n "$EXP_RET" -a "$EXP_RET" != "#" ] ; then + PARAM=`echo $PARAM | sed -e "s/_-/ -/g"` + TESTNAME=`echo $TESTNAME | sed -e "s/_/ /g"` + echo "$SCRIPTNAME: $TESTNAME --------------------------------" + failedStr="" + inOff=0 + res=0 + while [ $inOff -lt 8 ] + do + outOff=0 + while [ $outOff -lt 8 ] + do + echo "bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff" + ${PROFTOOL} ${BINDIR}/bltest${PROG_SUFFIX} -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff + if [ $? -ne 0 ]; then + failedStr="$failedStr[$inOff:$outOff]" + fi + outOff=`expr $outOff + 1` + done + inOff=`expr $inOff + 1` + done + if [ -n "$failedStr" ]; then + html_msg 1 $EXP_RET "$TESTNAME (Failed in/out offset pairs:" \ + " $failedStr)" + else + html_msg $res $EXP_RET "$TESTNAME" + fi + fi + done < ${CIPHER_TXT} +} + +############################## cipher_gcm ############################# +# local shell function to test NSS AES GCM +######################################################################## +cipher_gcm() +{ + while read EXP_RET INPUT_FILE TESTNAME + do + if [ -n "$EXP_RET" -a "$EXP_RET" != "#" ] ; then + TESTNAME=`echo $TESTNAME | sed -e "s/_/ /g"` + echo "$SCRIPTNAME: $TESTNAME --------------------------------" + echo "pk11gcmtest aes kat gcm $GCMTESTDIR/tests/$INPUT_FILE" + ${PROFTOOL} ${BINDIR}/pk11gcmtest aes kat gcm $GCMTESTDIR/tests/$INPUT_FILE + html_msg $? $EXP_RET "$TESTNAME" + fi + done < ${GCM_TXT} +} + +############################## cipher_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +cipher_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +# When building without softoken, bltest isn't built. It was already +# built and the cipher suite run as part of an nss-softoken build. +if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then + echo "bltest not built, skipping this test." >> ${LOGFILE} + res=0 + html_msg $res $EXP_RET "$TESTNAME" + return 0 +fi +cipher_init +# Skip cipher_main if this an NSS without softoken build. +if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then + cipher_main +fi +# Skip cipher_gcm if this is a softoken only build. +if [ "${NSS_BUILD_SOFTOKEN_ONLY}" != "1" ]; then + cipher_gcm +fi +cipher_cleanup diff --git a/security/nss/tests/cipher/cipher.txt b/security/nss/tests/cipher/cipher.txt new file mode 100644 index 000000000..4e47a9f97 --- /dev/null +++ b/security/nss/tests/cipher/cipher.txt @@ -0,0 +1,57 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file defines the cipher tests +# +# expected +# return bltest Test Case name +# value params +# ------- ---------- --------------- + 0 des_ecb_-E DES_ECB_Encrypt + 0 des_ecb_-D DES_ECB_Decrypt + 0 des_cbc_-E DES_CBC_Encrypt + 0 des_cbc_-D DES_CBC_Decrypt + 0 des3_ecb_-E DES3_ECB_Encrypt + 0 des3_ecb_-D DES3_ECB_Decrypt + 0 des3_cbc_-E DES3_CBC_Encrypt + 0 des3_cbc_-D DES3_CBC_Decrypt + 0 aes_ecb_-E AES_ECB_Encrypt + 0 aes_ecb_-D AES_ECB_Decrypt + 0 aes_cbc_-E AES_CBC_Encrypt + 0 aes_cbc_-D AES_CBC_Decrypt + 0 aes_ctr AES_CTR + 0 aes_cts AES_CTS + 0 aes_gcm AES_GCM + 0 camellia_ecb_-E Camellia_ECB_Encrypt + 0 camellia_ecb_-D Camellia_ECB_Decrypt + 0 camellia_cbc_-E Camellia_CBC_Encrypt + 0 camellia_cbc_-D Camellia_CBC_Decrypt + 0 seed_ecb_-E SEED_ECB_Encrypt + 0 seed_ecb_-D SEED_ECB_Decrypt + 0 seed_cbc_-E SEED_CBC_Encrypt + 0 seed_cbc_-D SEED_CBC_Decrypt + 0 chacha20_poly1305_-E ChaCha20_Poly1305_Encrypt + 0 chacha20_poly1305_-D ChaCha20_Poly1305_Decrypt + 0 rc2_ecb_-E RC2_ECB_Encrypt + 0 rc2_ecb_-D RC2_ECB_Decrypt + 0 rc2_cbc_-E RC2_CBC_Encrypt + 0 rc2_cbc_-D RC2_CBC_Decrypt + 0 rc4_-E RC4_Encrypt + 0 rc4_-D RC4_Decrypt + 0 rsa_-E RSA_Encrypt + 0 rsa_-D RSA_Decrypt + 0 rsa_oaep_-E RSA_EncryptOAEP + 0 rsa_oaep_-D RSA_DecryptOAEP + 0 rsa_pss_-S RSA_SignPSS + 0 rsa_pss_-V RSA_CheckSignPSS + 0 rsa_-K RSA_Populate + 0 dsa_-S DSA_Sign + 0 dsa_-V DSA_Verify + 0 md2_-H MD2_Hash + 0 md5_-H MD5_Hash + 0 sha1_-H SHA1_Hash + 0 sha224_-H SHA224_Hash + 0 sha256_-H SHA256_Hash + 0 sha384_-H SHA384_Hash + 0 sha512_-H SHA512_Hash diff --git a/security/nss/tests/cipher/dsa.txt b/security/nss/tests/cipher/dsa.txt new file mode 100644 index 000000000..f2d3401f4 --- /dev/null +++ b/security/nss/tests/cipher/dsa.txt @@ -0,0 +1,13 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables test coverage of the dsa performance tests +# +# +# mode keysize bufsize repetitions cxrepetitions + dsa 64 20 200 5 + dsa 96 20 200 3 + dsa 128 20 200 3 + dsa 256 20 200 3 + dsa 384 20 200 3 diff --git a/security/nss/tests/cipher/gcm.txt b/security/nss/tests/cipher/gcm.txt new file mode 100644 index 000000000..4550faf49 --- /dev/null +++ b/security/nss/tests/cipher/gcm.txt @@ -0,0 +1,16 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file defines the AES GCM tests +# +# expected +# return pk11gcmtest Test Case name +# value input file +# ------- ---------------------- ----------------------- + 0 gcmDecrypt128.rsp NIST_AES128_GCM_Decrypt + 0 gcmDecrypt192.rsp NIST_AES192_GCM_Decrypt + 0 gcmDecrypt256.rsp NIST_AES256_GCM_Decrypt + 0 gcmEncryptExtIV128.rsp NIST_AES128_GCM_Encrypt + 0 gcmEncryptExtIV192.rsp NIST_AES192_GCM_Encrypt + 0 gcmEncryptExtIV256.rsp NIST_AES256_GCM_Encrypt diff --git a/security/nss/tests/cipher/hash.txt b/security/nss/tests/cipher/hash.txt new file mode 100644 index 000000000..9bee5ba11 --- /dev/null +++ b/security/nss/tests/cipher/hash.txt @@ -0,0 +1,11 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables test coverage of the cryptographic hash performance tests +# +# +# mode bufsize repetitions + md2 10240 5000 + md5 10240 100000 + sha1 10240 100000 diff --git a/security/nss/tests/cipher/performance.sh b/security/nss/tests/cipher/performance.sh new file mode 100755 index 000000000..dd7c74ee2 --- /dev/null +++ b/security/nss/tests/cipher/performance.sh @@ -0,0 +1,156 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This is just a quick script so we can still run our testcases. +# Longer term we need a scriptable test environment.. +# +. ../common/init.sh +CURDIR=`pwd` +if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + CURDIR=`cygpath -m ${CURDIR}` +fi + +CIPHERDIR=${HOSTDIR}/cipher +SKTESTS=${CURDIR}/symmkey.txt +RSATESTS=${CURDIR}/rsa.txt +DSATESTS=${CURDIR}/dsa.txt +HASHTESTS=${CURDIR}/hash.txt +SKPERFOUT=${CIPHERDIR}/skperfout.data +RSAPERFOUT=${CIPHERDIR}/rsaperfout.data +DSAPERFOUT=${CIPHERDIR}/dsaperfout.data +HASHPERFOUT=${CIPHERDIR}/hashperfout.data +PERFRESULTS=${HOSTDIR}/performance.html + +echo "<HTML><BODY>" >> ${PERFRESULTS} + +mkdir -p ${CIPHERDIR} +cd ${CIPHERDIR} + +if [ -z $1 ]; then + TESTSET="all" +else + TESTSET=$1 +fi + +if [ $TESTSET = "all" -o $TESTSET = "symmkey" ]; then +echo "<TABLE BORDER=1><TR><TH COLSPAN=6>Symmetric Key Cipher Performance</TH></TR>" >> ${PERFRESULTS} +echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>SYMMETRIC KEY SIZE (bits)</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS} + +while read mode keysize bufsize reps cxreps +do + if [ $mode != "#" ]; then + echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps" + ${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${SKPERFOUT} + mv "tmp.in.0" "$mode.in" + mv tmp.key $mode.key + if [ -f tmp.iv ]; then + mv tmp.iv $mode.iv + fi + echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out >> ${SKPERFOUT} + echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv" + ${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv >> ${SKPERFOUT} + fi +done < ${SKTESTS} + +while read md buf sk rps cxrps cx op +do + if [ $md != "#" ]; then + echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$sk</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS} + fi +done < ${SKPERFOUT} + +echo "</TABLE><BR>" >> ${PERFRESULTS} + +fi + +if [ $TESTSET = "all" -o $TESTSET = "rsa" ]; then +while read mode keysize bufsize exp reps cxreps +do + if [ $mode != "#" ]; then + echo "bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps" + ${BINDIR}/bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps >> ${RSAPERFOUT} + mv "tmp.in.0" "$mode.in" + mv tmp.key $mode.key + echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${RSAPERFOUT} + echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv" + ${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv >> ${RSAPERFOUT} + fi +done < ${RSATESTS} + +echo "<TABLE BORDER=1><TR><TH COLSPAN=7>RSA Cipher Performance</TH></TR>" >> ${PERFRESULTS} +echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>KEY SIZE (bits)</TH><TH>PUBLIC EXPONENT</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS} + +while read md buf mod pe rps cxrps cx op +do + if [ $md != "#" ]; then + echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$mod</TD><TD align=right>$pe</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS} + fi +done < ${RSAPERFOUT} + +echo "</TABLE><BR>" >> ${PERFRESULTS} +fi + +if [ $TESTSET = "all" -o $TESTSET = "dsa" ]; then + +while read mode keysize bufsize reps cxreps +do + if [ $mode != "#" ]; then + echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps" + ${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${DSAPERFOUT} + mv "tmp.in.0" "$mode.in" + mv tmp.key $mode.key + rm -f $mode.out + echo "bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT} + echo "bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT} + fi +done < ${DSATESTS} + +echo "<TABLE BORDER=1><TR><TH COLSPAN=6>DSA Cipher Performance</TH></TR>" >> ${PERFRESULTS} +echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>KEY SIZE (bits)</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS} + +while read md buf mod rps cxrps cx op +do + if [ $md != "#" ]; then + echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$mod</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS} + fi +done < ${DSAPERFOUT} + +echo "</TABLE><BR>" >> ${PERFRESULTS} +fi + +if [ $TESTSET = "all" -o $TESTSET = "hash" ]; then +while read mode bufsize reps +do + if [ $mode != "#" ]; then + echo "bltest -N -m $mode -b $bufsize" + ${BINDIR}/bltest -N -m $mode -b $bufsize + mv "tmp.in.0" "$mode.in" + echo "bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out" + ${BINDIR}/bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out >> ${HASHPERFOUT} + fi +done < ${HASHTESTS} + +echo "<TABLE BORDER=1><TR><TH COLSPAN=6>Hash Cipher Performance</TH></TR>" >> ${PERFRESULTS} +echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>REPETITIONS</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS} + +while read md buf rps cxrps cx op +do + if [ $md != "#" ]; then + echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$rps</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS} + fi +done < ${HASHPERFOUT} + +echo "</TABLE><BR>" >> ${PERFRESULTS} +fi + +#rm -f ${TEMPFILES} +cd ${CURDIR} + +echo "</BODY></HTML>" >> ${PERFRESULTS} diff --git a/security/nss/tests/cipher/rsa.txt b/security/nss/tests/cipher/rsa.txt new file mode 100644 index 000000000..aad71261b --- /dev/null +++ b/security/nss/tests/cipher/rsa.txt @@ -0,0 +1,11 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables test coverage of the rsa performance tests +# +# +# mode keysize bufsize exponent repetitions cxrepetitions + rsa 32 32 17 1000 5 + rsa 64 64 3 500 3 + rsa 128 128 65537 200 3 diff --git a/security/nss/tests/cipher/symmkey.txt b/security/nss/tests/cipher/symmkey.txt new file mode 100644 index 000000000..ad4b11ab4 --- /dev/null +++ b/security/nss/tests/cipher/symmkey.txt @@ -0,0 +1,36 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables test coverage of the symmetric key performance tests +# +# +# mode keysize bufsize repetitions cxrepetitions + des_ecb 8 8192 1000 100000 + des_cbc 8 8192 1000 100000 + des3_ecb 24 8192 1000 100000 + des3_cbc 24 8192 1000 100000 + rc2_ecb 5 8192 1000 100000 + rc2_ecb 8 8192 1000 100000 + rc2_ecb 16 8192 1000 100000 + rc2_cbc 5 8192 1000 100000 + rc2_cbc 8 8192 1000 100000 + rc2_cbc 16 8192 1000 100000 + rc4 5 8192 10000 100000 + rc4 8 8192 10000 100000 + rc4 16 8192 10000 100000 + rc4 24 8192 10000 100000 + aes_ecb 16 8192 10000 100000 + aes_cbc 16 8192 10000 100000 + aes_ecb 32 8192 10000 100000 + aes_cbc 32 8192 10000 100000 + aes_ctr 16 8192 10000 100000 + aes_ctr 32 8192 10000 100000 + aes_gcm 16 8192 10000 100000 + aes_gcm 32 8192 10000 100000 + camellia_ecb 16 8192 10000 100000 + camellia_cbc 16 8192 10000 100000 + camellia_ecb 32 8192 10000 100000 + camellia_cbc 32 8192 10000 100000 + seed_ecb 16 8192 10000 100000 + seed_cbc 16 8192 10000 100000 diff --git a/security/nss/tests/clean_tbx b/security/nss/tests/clean_tbx new file mode 100755 index 000000000..4de955576 --- /dev/null +++ b/security/nss/tests/clean_tbx @@ -0,0 +1,172 @@ +#! /bin/perl + +####################################################################### +# +# /u/sonmi/bin/clean_tbx.pl +# +# this script is supposed to remove tinderbox QA if: +# QA has passed, there are 2+ newer QA dirs of the same machine and +# platform (32/64) and it is older than 2 hours +# QA has failed, there are 2+ newer QA dirsof the same machine and +# platform (32/64) with _identical failures and it is older than +# 2 hours +# directory is older than 48 hours +# +####################################################################### + +use Time::Local; + +$ANY_TBX_KEEP_HOURS=48; +$NOT_FAILED_TBX_KEEP_HOURS=24; +$PASSED_TBX_KEEP_HOURS=2; +$IF_TBX_KEEP_HOURS=2; +$PASSED_NEWER_DIRS=2; +$IF_NEWER_DIRS=2; +$verbose = 1; + +$TBX_TESTDIR="/share/builds/mccrel3/nss/nsstip/tinderbox/tests_results/security"; +$FTP_STAGE="/u/sonmi/tmp/ftp_stage/tinderbox"; + +@tbx_dirs = (); + +$eANY_TBX_KEEP=$ANY_TBX_KEEP_HOURS*60*60; +$ePASSED_TBX_KEEP=$PASSED_TBX_KEEP_HOURS*60*60; +$eIF_TBX_KEEP=$IF_TBX_KEEP_HOURS*60*60; +$eNOT_FAILED_TBX_KEEP=$NOT_FAILED_TBX_KEEP_HOURS*60*60; + +$year, $month, $days, $hours, $minutes, $seconds; +$efulldate=0; + +$fulldate=0; + +$no_bits=""; +$last_no_bits=""; + +$host=""; +$last_host=""; + +@tbx_dirs = `ls -r $TBX_TESTDIR`; #sort first by host, + #then 64, + #then newest - oldest +debug ("found $#tbx_dirs directories "); + +($seconds, $minutes, $hours, $days, $month, $year) = localtime; + +debug ("$seconds, $minutes, $hours, $days, $month, $year"); + +$enow = timelocal(localtime); + +sub debug; +sub warning; +sub error; +sub msg; +sub init; +sub check_tbx_dirs; + +sub check_tbx_dirs +{ + my $platform_idx=0; # counts directories per platform, newest + # to oldest (ignores incomplete) + my $passed_idx=0; # counts passed directories newest to oldest + my $QAstatus="unknown"; + foreach $tbx_dir (@tbx_dirs) { + $tbx_dir =~ s/\n//g; + $fulldate = $tbx_dir; + $fulldate =~ s/^.*-(20.*-..\...$)/$1/; + $day = $month = $year = $hour = $min = $fulldate; + $host = $tbx_dir; + $host =~ s/-20.*//; + $no_bits = $host; + $host =~ s/64$//; + $no_bits =~ s/.*64$/64/; + $no_bits =~ s/^[^6].*/other/; + $year =~ s/(....).*/$1/; + $month =~ s/....(..).*/$1/; + $day =~ s/......(..).*/$1/; + $hour =~ s/........-(..).*/$1/; + $min =~ s/.*\.(..)$/$1/; + + + if ( -f "$TBX_TESTDIR/$tbx_dir/QAstatus" ) { + $QAstatus=`cat $TBX_TESTDIR/$tbx_dir/QAstatus 2>/dev/null`; + $QAstatus =~ s/\n$//g; + } else { + $QAstatus="unknown"; + } + + $efulldate = timelocal( 0, $min, $hour, $day, $month-1, $year-1900); + if ( "$host" !~ "$last_host" || "$no_bits" !~ "$last_no_bits" ) { + if ( $QAstatus !~ "QA running" ) { + $platform_idx = 0; + } else { + $platform_idx = -1; + } + $passed_idx = 0; + + $last_host = $host; + $last_no_bits = $no_bits; + } else { + $platform_idx ++; + $passed_idx++ if ( $QAstatus =~ "QA passed" ) ; + } + + debug ("$tbx_dir host $host date $fulldate bits $no_bits $year/$month/$day $hour:$min QAstatus $QAstatus pli $platform_idx pai $passed_idx"); + + if ( $passed_idx > $PASSED_NEWER_DIRS && $QAstatus =~ "QA passed" ) { + $ekeeptime=$efulldate + $ePASSED_TBX_KEEP; + #($s, $m, $h, $d, $mo, $y) = localtime($ekeeptime); + #debug ("$passed_idx > $PASSED_NEWER_DIRS ekeeptime ($s, $m, $h, $d, $mo, $y) == $ekeeptime"); + rm_tbx ("Passed $PASSED_TBX_KEEP_HOURS + hours old") if ( $ekeeptime <= $enow ); + } elsif ( $QAstatus !~ "QA failed" ) { + $ekeeptime=$efulldate + $eNOT_FAILED_TBX_KEEP; + rm_tbx ("Not failed $NOT_FAILED_TBX_KEEP_HOURS + hours old") if ( $ekeeptime <= $enow ); + } else { + $ekeeptime=$efulldate + $eANY_TBX_KEEP; + rm_tbx ("Passed 2+ hours old") if ( $ekeeptime <= $enow ); + } + if ( $QAstatus =~ "QA failed" ) { + $ekeeptime=$efulldate + $eIF_TBX_KEEP; + #FIXME - compare to the previous failure by filtering and + #FIXME diffing the results.html files (first grep failed) + } + } + +} + +sub rm_tbx() +{ + +debug ("DELETING $tbx_dir... (@_[0]) "); +system("rm -rf $TBX_TESTDIR/$tbx_dir"); +#debug ("rm -rf $TBX_TESTDIR/$tbx_dir"); + +} + +sub msg +{ + my $i; + for ($i = 0; $i <= $#_ ; $i++ ) { + print "@_[$i] "; + } + print "\n"; + +} +sub error +{ + msg ("ERROR: " ,@_ ); +} + +sub warning +{ + msg ("WARNING:" ,@_ ); +} +sub debug +{ + if ( $verbose == 1 ) { + msg ("DEBUG: " ,@_ ); + } elsif ( $verbose == 2 ) { + msg (@_ ); + } +} + +check_tbx_dirs; diff --git a/security/nss/tests/cmdtests/cmdtests.sh b/security/nss/tests/cmdtests/cmdtests.sh new file mode 100644 index 000000000..cc925b213 --- /dev/null +++ b/security/nss/tests/cmdtests/cmdtests.sh @@ -0,0 +1,101 @@ +#! /bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# Script to run small tests to test specific crashes of NSS +# +# needs to work on all Unix and Windows platforms +# +# included from +# -------------- +# all.sh +# +# tests implemented: +# vercrt (verify encryption cert - bugzilla bug 119059) +# vercrtfps (verify encryption cert in fips mode - bugzilla bug 119214) +# test3 (CERT_FindUserCertByUsage called 2nd time - bug 118864) +# +# special strings +# --------------- +# +######################################################################## + +############################## cmdtests_init ########################### +# local shell function to initialize this script +######################################################################## +cmdtests_init() +{ + SCRIPTNAME=cmdtests.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=cmdtests.sh + html_head "Tests in cmd/tests" + +# grep "SUCCESS: cmd/tests passed" $CERT_LOG_FILE >/dev/null || { +# Exit 15 "Fatal - cert.sh needs to pass first" +# } + + CMDTESTSDIR=${HOSTDIR}/cmd/tests + COPYDIR=${CMDTESTSDIR}/copydir + + R_CMDTESTSDIR=../cmd/tests + R_COPYDIR=../cmd/tests/copydir + P_R_COPYDIR=${R_COPYDIR} + + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_COPYDIR="multiaccess:Cmdtests.$version" + fi + + mkdir -p ${CMDTESTSDIR} + mkdir -p ${COPYDIR} + mkdir -p ${CMDTESTSDIR}/html + + cd ${CMDTESTSDIR} +} + +############################## ct_vercrt ################################## +# CERT_VerifyCert should not fail when verifying encryption cert +# Bugzilla Bug 119059 +######################################################################## +#ct_vercrt() +#{ + # echo "$SCRIPTNAME: Verify encryption certificate ----------------------" + # echo "vercrt" + # vercrt + # ret=$? + # html_msg $ret 0 "Verify encryption certificate (vercrt)" +# +#} + + +############################## cmdtests_cleanup ######################## +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +cmdtests_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +cmdtests_init + +#ct_vercrt +cmdtests_cleanup diff --git a/security/nss/tests/common/Makefile b/security/nss/tests/common/Makefile new file mode 100644 index 000000000..7faa677d2 --- /dev/null +++ b/security/nss/tests/common/Makefile @@ -0,0 +1,24 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +CORE_DEPTH = ../.. + +include $(CORE_DEPTH)/coreconf/config.mk + +objdir_name: + @echo $(OBJDIR_NAME) + +os_arch: + @echo $(OS_ARCH) + +dll_prefix: + @echo $(DLL_PREFIX) + +dll_suffix: + @echo $(DLL_SUFFIX) + +freebl_lowhash: + @echo $(FREEBL_LOWHASH) diff --git a/security/nss/tests/common/cleanup.sh b/security/nss/tests/common/cleanup.sh new file mode 100755 index 000000000..40d8bc40f --- /dev/null +++ b/security/nss/tests/common/cleanup.sh @@ -0,0 +1,55 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +if [ -z "${CLEANUP}" -o "${CLEANUP}" = "${SCRIPTNAME}" ]; then + echo + echo "SUMMARY:" + echo "========" + echo "NSS variables:" + echo "--------------" + echo "HOST=${HOST}" + echo "DOMSUF=${DOMSUF}" + echo "BUILD_OPT=${BUILD_OPT}" + if [ "${OS_ARCH}" = "Linux" ]; then + echo "USE_X32=${USE_X32}" + fi + echo "USE_64=${USE_64}" + echo "NSS_CYCLES=\"${NSS_CYCLES}\"" + echo "NSS_TESTS=\"${NSS_TESTS}\"" + echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\"" + echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\"" + echo "NSS_AIA_PATH=${NSS_AIA_PATH}" + echo "NSS_AIA_HTTP=${NSS_AIA_HTTP}" + echo "NSS_AIA_OCSP=${NSS_AIA_OCSP}" + echo "IOPR_HOSTADDR_LIST=${IOPR_HOSTADDR_LIST}" + echo "PKITS_DATA=${PKITS_DATA}" + echo + echo "Tests summary:" + echo "--------------" + LINES_CNT=$(cat ${RESULTS} | grep ">Passed<" | wc -l | sed s/\ *//) + echo "Passed: ${LINES_CNT}" + FAILED_CNT=$(cat ${RESULTS} | grep ">Failed<" | wc -l | sed s/\ *//) + echo "Failed: ${FAILED_CNT}" + CORE_CNT=$(cat ${RESULTS} | grep ">Failed Core<" | wc -l | sed s/\ *//) + echo "Failed with core: ${CORE_CNT}" + ASAN_CNT=$(cat $LOGFILE | grep "SUMMARY: AddressSanitizer" | wc -l | sed s/\ *//) + echo "ASan failures: ${ASAN_CNT}" + LINES_CNT=$(cat ${RESULTS} | grep ">Unknown<" | wc -l | sed s/\ *//) + echo "Unknown status: ${LINES_CNT}" + if [ ${LINES_CNT} -gt 0 ]; then + echo "TinderboxPrint:Unknown: ${LINES_CNT}" + fi + echo + + html "END_OF_TEST<BR>" + html "</BODY></HTML>" + rm -f ${TEMPFILES} 2>/dev/null + if [ ${FAILED_CNT} -gt 0 ] || [ ${ASAN_CNT} -gt 0 ]; then + exit 1 + fi + +fi diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh new file mode 100644 index 000000000..3598e8223 --- /dev/null +++ b/security/nss/tests/common/init.sh @@ -0,0 +1,672 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/common/init.sh +# +# initialization for NSS QA, can be included multiple times +# from all.sh and the individual scripts +# +# variables, utilities and shellfunctions global to NSS QA +# needs to work on all Unix and Windows platforms +# +# included from +# ------------- +# all.sh +# ssl.sh +# sdr.sh +# cipher.sh +# perf.sh +# cert.sh +# smime.sh +# tools.sh +# fips.sh +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +# NOTE: +# ----- +# Unlike the old QA this is based on files sourcing each other +# This is done to save time, since a great portion of time is lost +# in calling and sourcing the same things multiple times over the +# network. Also, this way all scripts have all shell function available +# and a completely common environment +# +######################################################################## + +NSS_STRICT_SHUTDOWN=1 +export NSS_STRICT_SHUTDOWN + +# Init directories based on HOSTDIR variable +if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + init_directories() + { + TMP=${HOSTDIR} #TMP=${TMP-/tmp} + TEMP=${TMP} + TMPDIR=${TMP} + + CADIR=${HOSTDIR}/CA + SERVERDIR=${HOSTDIR}/server + CLIENTDIR=${HOSTDIR}/client + ALICEDIR=${HOSTDIR}/alicedir + BOBDIR=${HOSTDIR}/bobdir + DAVEDIR=${HOSTDIR}/dave + EVEDIR=${HOSTDIR}/eve + FIPSDIR=${HOSTDIR}/fips + DBPASSDIR=${HOSTDIR}/dbpass + ECCURVES_DIR=${HOSTDIR}/eccurves + DISTRUSTDIR=${HOSTDIR}/distrust + + SERVER_CADIR=${HOSTDIR}/serverCA + CLIENT_CADIR=${HOSTDIR}/clientCA + EXT_SERVERDIR=${HOSTDIR}/ext_server + EXT_CLIENTDIR=${HOSTDIR}/ext_client + + IOPR_CADIR=${HOSTDIR}/CA_iopr + IOPR_SSL_SERVERDIR=${HOSTDIR}/server_ssl_iopr + IOPR_SSL_CLIENTDIR=${HOSTDIR}/client_ssl_iopr + IOPR_OCSP_CLIENTDIR=${HOSTDIR}/client_ocsp_iopr + + CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions + STAPLINGDIR=${HOSTDIR}/stapling + SSLGTESTDIR=${HOSTDIR}/ssl_gtests + GTESTDIR=${HOSTDIR}/gtests + + PWFILE=${HOSTDIR}/tests.pw + NOISE_FILE=${HOSTDIR}/tests_noise + CORELIST_FILE=${HOSTDIR}/clist + + FIPSPWFILE=${HOSTDIR}/tests.fipspw + FIPSBADPWFILE=${HOSTDIR}/tests.fipsbadpw + FIPSP12PWFILE=${HOSTDIR}/tests.fipsp12pw + + echo "fIps140" > ${FIPSPWFILE} + echo "fips104" > ${FIPSBADPWFILE} + echo "pKcs12fips140" > ${FIPSP12PWFILE} + + noise + + P_SERVER_CADIR=${SERVER_CADIR} + P_CLIENT_CADIR=${CLIENT_CADIR} + + if [ -n "${MULTIACCESS_DBM}" ]; then + P_SERVER_CADIR="multiaccess:${D_SERVER_CA}" + P_CLIENT_CADIR="multiaccess:${D_CLIENT_CA}" + fi + + + # a new log file, short - fast to search, mostly for tools to + # see if their portion of the cert has succeeded, also for me - + CERT_LOG_FILE=${HOSTDIR}/cert.log #the output.log is so crowded... + + TEMPFILES=foobar # keep "${PWFILE} ${NOISE_FILE}" around + + export HOSTDIR + } + +# Generate noise file + noise() + { + # NOTE: these keys are only suitable for testing, as this whole thing + # bypasses the entropy gathering. Don't use this method to generate + # keys and certs for product use or deployment. + ps -efl > ${NOISE_FILE} 2>&1 + ps aux >> ${NOISE_FILE} 2>&1 + date >> ${NOISE_FILE} 2>&1 + } + +# Print selected environment variable (used for backup) + env_backup() + { + echo "HOSTDIR=\"${HOSTDIR}\"" + echo "TABLE_ARGS=" + echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}" + echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\"" + echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\"" + echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}" + echo "export NSS_DEFAULT_DB_TYPE" + echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}" + echo "export NSS_ENABLE_PKIX_VERIFY" + echo "init_directories" + } + +# Exit shellfunction to clean up at exit (error, regular or signal) + Exit() + { + if [ -n "$1" ] ; then + echo "$SCRIPTNAME: Exit: $* - FAILED" + html_failed "$*" + fi + echo "</TABLE><BR>" >> ${RESULTS} + if [ -n "${SERVERPID}" -a -f "${SERVERPID}" ]; then + ${KILL} `cat ${SERVERPID}` + fi + cd ${QADIR} + . common/cleanup.sh + case $1 in + [0-4][0-9]|[0-9]) + exit $1; + ;; + *) + exit 1 + ;; + esac + } + + detect_core() + { + [ ! -f $CORELIST_FILE ] && touch $CORELIST_FILE + mv $CORELIST_FILE ${CORELIST_FILE}.old + coreStr=`find $HOSTDIR -type f -name '*core*'` + res=0 + if [ -n "$coreStr" ]; then + sum $coreStr > $CORELIST_FILE + res=`cat $CORELIST_FILE ${CORELIST_FILE}.old | sort | uniq -u | wc -l` + fi + return $res + } + +#html functions to give the resultfiles a consistant look + html() ######################### write the results.html file + { # 3 functions so we can put targets in the output.log easier + echo $* >>${RESULTS} + } + increase_msg_id() + { + MSG_ID=`cat ${MSG_ID_FILE}` + MSG_ID=`expr ${MSG_ID} + 1` + echo ${MSG_ID} > ${MSG_ID_FILE} + } + html_passed_ignore_core() + { + increase_msg_id + html "<TR><TD>#${MSG_ID}: $1 ${HTML_PASSED}" + echo "${SCRIPTNAME}: #${MSG_ID}: $* - PASSED" + } + html_passed() + { + html_detect_core "$@" || return + html_passed_ignore_core "$@" + } + html_failed_ignore_core() + { + increase_msg_id + html "<TR><TD>#${MSG_ID}: $1 ${HTML_FAILED}" + echo "${SCRIPTNAME}: #${MSG_ID}: $* - FAILED" + } + html_failed() + { + html_detect_core "$@" || return + html_failed_ignore_core "$@" || return + } + html_unknown_ignore_core() + { + increase_msg_id + html "<TR><TD>#${MSG_ID}: $1 ${HTML_UNKNOWN}" + echo "${SCRIPTNAME}: #${MSG_ID}: $* - UNKNOWN" + } + html_unknown() + { + html_detect_core "$@" || return + increase_msg_id + html "<TR><TD>#${MSG_ID}: $1 ${HTML_UNKNOWN}" + echo "${SCRIPTNAME}: #${MSG_ID}: $* - UNKNOWN" + } + html_detect_core() + { + detect_core + if [ $? -ne 0 ]; then + increase_msg_id + html "<TR><TD>#${MSG_ID}: $* ${HTML_FAILED_CORE}" + echo "${SCRIPTNAME}: #${MSG_ID}: $* - Core file is detected - FAILED" + return 1 + fi + return 0 + } + html_head() + { + + html "<TABLE BORDER=1 ${TABLE_ARGS}><TR><TH COLSPAN=3>$*</TH></TR>" + html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" + echo "$SCRIPTNAME: $* ===============================" + } + html_msg() + { + if [ $1 -ne $2 ] ; then + html_failed "$3" "$4" + else + html_passed "$3" "$4" + fi + } + HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>' + HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>' + HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>' + HTML_UNKNOWN='</TD><TD>Unknown</TD><TR>' + TABLE_ARGS= + + +#directory name init + SCRIPTNAME=init.sh + + mozilla_root=`(cd ../../..; pwd)` + MOZILLA_ROOT=${MOZILLA_ROOT-$mozilla_root} + + qadir=`(cd ..; pwd)` + QADIR=${QADIR-$qadir} + + common=${QADIR}/common + COMMON=${TEST_COMMON-$common} + export COMMON + + DIST=${DIST-${MOZILLA_ROOT}/dist} + TESTDIR=${TESTDIR-${MOZILLA_ROOT}/tests_results/security} + + # Allow for override options from a config file + if [ -n "${OBJDIR}" -a -f ${DIST}/${OBJDIR}/platform.cfg ]; then + . ${DIST}/${OBJDIR}/platform.cfg + fi + + # only need make if we don't already have certain variables set + if [ -z "${OBJDIR}" -o -z "${OS_ARCH}" -o -z "${DLL_PREFIX}" -o -z "${DLL_SUFFIX}" ]; then + MAKE=gmake + $MAKE -v >/dev/null 2>&1 || MAKE=make + $MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; } + MAKE="$MAKE --no-print-directory" + fi + + if [ "${OBJDIR}" = "" ]; then + if [ -f ${DIST}/latest ]; then + OBJDIR=$(cat ${DIST}/latest) + else + OBJDIR=`($MAKE -s -C $COMMON objdir_name)` + fi + fi + if [ "${OS_ARCH}" = "" ]; then + OS_ARCH=`(cd $COMMON; $MAKE os_arch)` + fi + if [ "${DLL_PREFIX}" = "" ]; then + DLL_PREFIX=`(cd $COMMON; $MAKE dll_prefix)` + fi + if [ "${DLL_SUFFIX}" = "" ]; then + DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)` + fi + OS_NAME=`uname -s | sed -e "s/-[0-9]*\.[0-9]*//" | sed -e "s/-WOW64//"` + + BINDIR="${DIST}/${OBJDIR}/bin" + + # Pathnames constructed from ${TESTDIR} are passed to NSS tools + # such as certutil, which don't understand Cygwin pathnames. + # So we need to convert ${TESTDIR} to a Windows pathname (with + # regular slashes). + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + TESTDIR=`cygpath -m ${TESTDIR}` + QADIR=`cygpath -m ${QADIR}` + fi + + # Same problem with MSYS/Mingw, except we need to start over with pwd -W + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "MINGW32_NT" ]; then + mingw_mozilla_root=`(cd ../../..; pwd -W)` + MINGW_MOZILLA_ROOT=${MINGW_MOZILLA_ROOT-$mingw_mozilla_root} + TESTDIR=${MINGW_TESTDIR-${MINGW_MOZILLA_ROOT}/tests_results/security} + fi + + # Same problem with MSYS/Mingw, except we need to start over with pwd -W + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "MINGW32_NT" ]; then + mingw_mozilla_root=`(cd ../../..; pwd -W)` + MINGW_MOZILLA_ROOT=${MINGW_MOZILLA_ROOT-$mingw_mozilla_root} + TESTDIR=${MINGW_TESTDIR-${MINGW_MOZILLA_ROOT}/tests_results/security} + fi + echo testdir is $TESTDIR + +#in case of backward comp. tests the calling scripts set the +#PATH and LD_LIBRARY_PATH and do not want them to be changed + if [ -z "${DON_T_SET_PATHS}" -o "${DON_T_SET_PATHS}" != "TRUE" ] ; then + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" != "CYGWIN_NT" -a "$OS_NAME" != "MINGW32_NT" ]; then + PATH=.\;${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH + PATH=`perl ../path_uniq -d ';' "$PATH"` + elif [ "${OS_ARCH}" = "Android" ]; then + # android doesn't have perl, skip the uniq step + PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:$PATH + else + PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:/bin:/usr/bin:$PATH + # added /bin and /usr/bin in the beginning so a local perl will + # be used + PATH=`perl ../path_uniq -d ':' "$PATH"` + fi + + LD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib:$LD_LIBRARY_PATH + SHLIB_PATH=${DIST}/${OBJDIR}/lib:$SHLIB_PATH + LIBPATH=${DIST}/${OBJDIR}/lib:$LIBPATH + DYLD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib:$DYLD_LIBRARY_PATH + fi + + if [ ! -d "${TESTDIR}" ]; then + echo "$SCRIPTNAME init: Creating ${TESTDIR}" + mkdir -p ${TESTDIR} + fi + +#HOST and DOMSUF are needed for the server cert + + DOMAINNAME=`which domainname` + if [ -z "${DOMSUF}" -a $? -eq 0 -a -n "${DOMAINNAME}" ]; then + DOMSUF=`domainname` + fi + + case $HOST in + *\.*) + if [ -z "${DOMSUF}" ]; then + DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"` + fi + HOST=`echo $HOST | sed -e "s/\..*//"` + ;; + ?*) + ;; + *) + HOST=`uname -n` + case $HOST in + *\.*) + if [ -z "${DOMSUF}" ]; then + DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"` + fi + HOST=`echo $HOST | sed -e "s/\..*//"` + ;; + ?*) + ;; + *) + echo "$SCRIPTNAME: Fatal HOST environment variable is not defined." + exit 1 #does not need to be Exit, very early in script + ;; + esac + ;; + esac + + if [ -z "${DOMSUF}" -a "${OS_ARCH}" != "Android" ]; then + echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined." + exit 1 #does not need to be Exit, very early in script + fi + +#HOSTADDR was a workaround for the dist. stress test, and is probably +#not needed anymore (purpose: be able to use IP address for the server +#cert instead of PC name which was not in the DNS because of dyn IP address + if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then + if [ -z "${DOMSUF}" ]; then + HOSTADDR=${HOST} + else + HOSTADDR=${HOST}.${DOMSUF} + fi + else + HOSTADDR=${IP_ADDRESS} + fi + +#if running remote side of the distributed stress test we need to use +#the files that the server side gives us... + if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then + for w in `ls -rtd ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null | + sed -e "s/.*${HOST}.//"` ; do + version=$w + done + HOSTDIR=${TESTDIR}/${HOST}.$version + echo "$SCRIPTNAME init: HOSTDIR $HOSTDIR" + echo $HOSTDIR + if [ ! -d $HOSTDIR ] ; then + echo "$SCRIPTNAME: Fatal: Remote side of dist. stress test " + echo " - server HOSTDIR $HOSTDIR does not exist" + exit 1 #does not need to be Exit, very early in script + fi + fi + +#find the HOSTDIR, where the results are supposed to go + if [ -n "${HOSTDIR}" ]; then + version=`echo $HOSTDIR | sed -e "s/.*${HOST}.//"` + else + if [ -f "${TESTDIR}/${HOST}" ]; then + version=`cat ${TESTDIR}/${HOST}` + else + version=1 + fi +#file has a tendency to disappear, messing up the rest of QA - +#workaround to find the next higher number if version file is not there + if [ -z "${version}" ]; then # for some strange reason this file + # gets truncated at times... Windos + for w in `ls -d ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null | + sort -t '.' -n | sed -e "s/.*${HOST}.//"` ; do + version=`expr $w + 1` + done + if [ -z "${version}" ]; then + version=1 + fi + fi + expr $version + 1 > ${TESTDIR}/${HOST} + + HOSTDIR=${TESTDIR}/${HOST}'.'$version + + mkdir -p ${HOSTDIR} + fi + +#result and log file and filename init, + if [ -z "${LOGFILE}" ]; then + LOGFILE=${HOSTDIR}/output.log + fi + if [ ! -f "${LOGFILE}" ]; then + touch ${LOGFILE} + fi + if [ -z "${RESULTS}" ]; then + RESULTS=${HOSTDIR}/results.html + fi + if [ ! -f "${RESULTS}" ]; then + cp ${COMMON}/results_header.html ${RESULTS} + html "<H4>Platform: ${OBJDIR}<BR>" + html "Test Run: ${HOST}.$version</H4>" + html "${BC_ACTION}" + html "<HR><BR>" + html "<HTML><BODY>" + + echo "********************************************" | tee -a ${LOGFILE} + echo " Platform: ${OBJDIR}" | tee -a ${LOGFILE} + echo " Results: ${HOST}.$version" | tee -a ${LOGFILE} + echo "********************************************" | tee -a ${LOGFILE} + echo "$BC_ACTION" | tee -a ${LOGFILE} +#if running remote side of the distributed stress test +# let the user know who it is... + elif [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then + echo "********************************************" | tee -a ${LOGFILE} + echo " Platform: ${OBJDIR}" | tee -a ${LOGFILE} + echo " Results: ${HOST}.$version" | tee -a ${LOGFILE} + echo " remote side of distributed stress test " | tee -a ${LOGFILE} + echo " `uname -n -s`" | tee -a ${LOGFILE} + echo "********************************************" | tee -a ${LOGFILE} + fi + + echo "$SCRIPTNAME init: Testing PATH $PATH against LIB $LD_LIBRARY_PATH" |\ + tee -a ${LOGFILE} + + KILL="kill" + + if [ `uname -s` = "SunOS" ]; then + PS="/usr/5bin/ps" + else + PS="ps" + fi +#found 3 rsh's so far that do not work as expected - cygnus mks6 +#(restricted sh) and mks 7 - if it is not in c:/winnt/system32 it +#needs to be set in the environ.ksh + if [ -z "$RSH" ]; then + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + RSH=/cygdrive/c/winnt/system32/rsh + elif [ "${OS_ARCH}" = "WINNT" ]; then + RSH=c:/winnt/system32/rsh + else + RSH=rsh + fi + fi + + +#more filename and directoryname init + CURDIR=`pwd` + + CU_ACTION='Unknown certutil action' + + # would like to preserve some tmp files, also easier to see if there + # are "leftovers" - another possibility ${HOSTDIR}/tmp + + init_directories + + FIPSCERTNICK="FIPS_PUB_140_Test_Certificate" + + # domains to handle ipc based access to databases + D_CA="TestCA.$version" + D_ALICE="Alice.$version" + D_BOB="Bob.$version" + D_DAVE="Dave.$version" + D_EVE="Eve.$version" + D_SERVER_CA="ServerCA.$version" + D_CLIENT_CA="ClientCA.$version" + D_SERVER="Server.$version" + D_CLIENT="Client.$version" + D_FIPS="FIPS.$version" + D_DBPASS="DBPASS.$version" + D_ECCURVES="ECCURVES.$version" + D_EXT_SERVER="ExtendedServer.$version" + D_EXT_CLIENT="ExtendedClient.$version" + D_CERT_EXTENSTIONS="CertExtensions.$version" + D_DISTRUST="Distrust.$version" + + # we need relative pathnames of these files abd directories, since our + # tools can't handle the unix style absolut pathnames on cygnus + + R_CADIR=../CA + R_SERVERDIR=../server + R_CLIENTDIR=../client + R_IOPR_CADIR=../CA_iopr + R_IOPR_SSL_SERVERDIR=../server_ssl_iopr + R_IOPR_SSL_CLIENTDIR=../client_ssl_iopr + R_IOPR_OCSP_CLIENTDIR=../client_ocsp_iopr + R_ALICEDIR=../alicedir + R_BOBDIR=../bobdir + R_DAVEDIR=../dave + R_EVEDIR=../eve + R_EXT_SERVERDIR=../ext_server + R_EXT_CLIENTDIR=../ext_client + R_CERT_EXT=../cert_extensions + R_STAPLINGDIR=../stapling + R_SSLGTESTDIR=../ssl_gtests + R_GTESTDIR=../gtests + + # + # profiles are either paths or domains depending on the setting of + # MULTIACCESS_DBM + # + P_R_CADIR=${R_CADIR} + P_R_ALICEDIR=${R_ALICEDIR} + P_R_BOBDIR=${R_BOBDIR} + P_R_DAVEDIR=${R_DAVEDIR} + P_R_EVEDIR=${R_EVEDIR} + P_R_SERVERDIR=${R_SERVERDIR} + P_R_CLIENTDIR=${R_CLIENTDIR} + P_R_EXT_SERVERDIR=${R_EXT_SERVERDIR} + P_R_EXT_CLIENTDIR=${R_EXT_CLIENTDIR} + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_CADIR="multiaccess:${D_CA}" + P_R_ALICEDIR="multiaccess:${D_ALICE}" + P_R_BOBDIR="multiaccess:${D_BOB}" + P_R_DAVEDIR="multiaccess:${D_DAVE}" + P_R_EVEDIR="multiaccess:${D_EVE}" + P_R_SERVERDIR="multiaccess:${D_SERVER}" + P_R_CLIENTDIR="multiaccess:${D_CLIENT}" + P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}" + P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}" + fi + + R_PWFILE=../tests.pw + R_NOISE_FILE=../tests_noise + + R_FIPSPWFILE=../tests.fipspw + R_FIPSBADPWFILE=../tests.fipsbadpw + R_FIPSP12PWFILE=../tests.fipsp12pw + + trap "Exit $0 Signal_caught" 2 3 + + export PATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH DYLD_LIBRARY_PATH + export DOMSUF HOSTADDR + export KILL PS + export MOZILLA_ROOT DIST TESTDIR OBJDIR QADIR + export LOGFILE SCRIPTNAME + +#used for the distributed stress test, the server generates certificates +#from GLOB_MIN_CERT to GLOB_MAX_CERT +# NOTE - this variable actually gets initialized by directly by the +# ssl_dist_stress.shs sl_ds_init() before init is called - need to change +# in both places. speaking of data encapsulatioN... + + if [ -z "$GLOB_MIN_CERT" ] ; then + GLOB_MIN_CERT=0 + fi + if [ -z "$GLOB_MAX_CERT" ] ; then + GLOB_MAX_CERT=200 + fi + if [ -z "$MIN_CERT" ] ; then + MIN_CERT=$GLOB_MIN_CERT + fi + if [ -z "$MAX_CERT" ] ; then + MAX_CERT=$GLOB_MAX_CERT + fi + + ################################################# + # CRL SSL testing constatnts + # + + + CRL_GRP_1_BEGIN=40 + CRL_GRP_1_RANGE=3 + UNREVOKED_CERT_GRP_1=41 + + CRL_GRP_2_BEGIN=43 + CRL_GRP_2_RANGE=6 + UNREVOKED_CERT_GRP_2=46 + + CRL_GRP_3_BEGIN=49 + CRL_GRP_3_RANGE=4 + UNREVOKED_CERT_GRP_3=51 + + TOTAL_CRL_RANGE=`expr ${CRL_GRP_1_RANGE} + ${CRL_GRP_2_RANGE} + \ + ${CRL_GRP_3_RANGE}` + + TOTAL_GRP_NUM=3 + + RELOAD_CRL=1 + + NSS_DEFAULT_DB_TYPE="dbm" + export NSS_DEFAULT_DB_TYPE + + MSG_ID_FILE="${HOSTDIR}/id" + MSG_ID=0 + echo ${MSG_ID} > ${MSG_ID_FILE} + + ################################################# + # Interoperability testing constatnts + # + # if suite is setup for testing, IOPR_HOSTADDR_LIST should have + # at least one host name(FQDN) + # Example IOPR_HOSTADDR_LIST="goa1.SFBay.Sun.COM" + + if [ -z "`echo ${IOPR_HOSTADDR_LIST} | grep '[A-Za-z]'`" ]; then + IOPR=0 + else + IOPR=1 + fi + ################################################# + + if [ "${OS_ARCH}" != "WINNT" -a "${OS_ARCH}" != "Android" ]; then + ulimit -c unlimited + fi + + SCRIPTNAME=$0 + INIT_SOURCED=TRUE #whatever one does - NEVER export this one please +fi diff --git a/security/nss/tests/common/parsegtestreport.sed b/security/nss/tests/common/parsegtestreport.sed new file mode 100644 index 000000000..d7c6ddada --- /dev/null +++ b/security/nss/tests/common/parsegtestreport.sed @@ -0,0 +1,8 @@ +/\<testcase/{ + s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/ + t end + s/^.* name="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/ + t end +} +d +: end diff --git a/security/nss/tests/common/results_header.html b/security/nss/tests/common/results_header.html new file mode 100644 index 000000000..c09685b11 --- /dev/null +++ b/security/nss/tests/common/results_header.html @@ -0,0 +1,6 @@ +<HTML> +<HEAD> +<TITLE>Test Report for NSS</TITLE> +</HEAD> +<BODY BGCOLOR="#FFFFFF"> +<CENTER><H3>Test Report for NSS</H3></CENTER> diff --git a/security/nss/tests/core_watch b/security/nss/tests/core_watch new file mode 100755 index 000000000..a627983a3 --- /dev/null +++ b/security/nss/tests/core_watch @@ -0,0 +1,45 @@ +############################################################# +# script to watch for cores during QA runs, so they won't overwrite one +# another +# Not activated for efficiency reasons, and problems on MKS, us +# only when needed and remember to remove afterwards +############################################################# + +############################################################# +# to activate put the following into all.sh (after the HOSTDIR +# has been exported +############################################################# +# sh `dirname $0`/core_watch $HOSTDIR ${HOSTDIR} & +# CORE_WATCH_PID=$! +# if [ -n "${KILLPIDS}" ] +# then +# echo $CORE_WATCH_PID >>"${KILLPIDS}" +# fi +############################################################# + +############################################################# +# or put the following into nssqa to watch the whole RESULTDIR +# start it shortly before run_all +# +# NOTE: the more efficient way is above, this is potentially going +# thru 1000ds of files every 30 seconds +############################################################# +# sh `dirname $0`/core_watch $RESULTDIR & +# echo $! >>"${KILLPIDS}" #so Exit() can hopefully kill the core_watch +############################################################# + +# in both cases remember to kill the process when done, since +# the PIDs that end up in ${KILLPIDS} might not work for all OS +# something like "kill_by_name core_watch + +echo $$ >>"${KILLPIDS}" #so Exit() can hopefully kill this shell +while [ 1 ] +do + for w in `find $1 -name "core" -print` + do + echo "Found core $w" + mv $w $w.`date +%H%M%S` + done + sleep 30 +done + diff --git a/security/nss/tests/crmf/crmf.sh b/security/nss/tests/crmf/crmf.sh new file mode 100644 index 000000000..6059c1991 --- /dev/null +++ b/security/nss/tests/crmf/crmf.sh @@ -0,0 +1,89 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/crmf/crmf.sh +# +# Script to test NSS crmf library (a static library) +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## smime_init ############################## +# local shell function to initialize this script +######################################################################## +crmf_init() +{ + SCRIPTNAME=crmf.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + html_head "CRMF/CMMF Tests" + + # cmrf uses the S/MIME certs to test with + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" + } + + CRMFDIR=${HOSTDIR}/crmf + R_CRMFDIR=../crmf + mkdir -p ${CRMFDIR} + cd ${CRMFDIR} +} + +############################## crmf_main ############################## +# local shell function to test basic CRMF request and CMMF responses +# from 1 --> 2" +######################################################################## +crmf_main() +{ + echo "$SCRIPTNAME: CRMF/CMMF Tests ------------------------------" + echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode" + ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode + html_msg $? 0 "CRMF test" "." + + echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf" + ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf + html_msg $? 0 "CMMF test" "." + +# Add tests for key recovery and challange as crmftest's capabilities increase + +} + +############################## crmf_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +crmf_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +crmf_init +crmf_main +crmf_cleanup + diff --git a/security/nss/tests/dbtests/dbtests.sh b/security/nss/tests/dbtests/dbtests.sh new file mode 100755 index 000000000..7b1ee351f --- /dev/null +++ b/security/nss/tests/dbtests/dbtests.sh @@ -0,0 +1,262 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/dbtest/dbtest.sh +# +# Certificate generating and handeling for NSS QA, can be included +# multiple times from all.sh and the individual scripts +# +# needs to work on all Unix and Windows platforms +# +# included from (don't expect this to be up to date) +# -------------------------------------------------- +# all.sh +# ssl.sh +# smime.sh +# tools.sh +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +# FIXME - Netscape - NSS +######################################################################## + +############################## dbtest_init ############################### +# local shell function to initialize this script +######################################################################## +dbtest_init() +{ + SCRIPTNAME="dbtests.sh" + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" ] ; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + + SCRIPTNAME="dbtests.sh" + RONLY_DIR=${HOSTDIR}/ronlydir + EMPTY_DIR=${HOSTDIR}/emptydir + CONFLICT_DIR=${HOSTDIR}/conflictdir + + html_head "CERT and Key DB Tests" + +} + +############################## dbtest_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +dbtest_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + chmod a+rw $RONLY_DIR + . common/cleanup.sh +} + +Echo() +{ + echo + echo "---------------------------------------------------------------" + echo "| $*" + echo "---------------------------------------------------------------" +} +dbtest_main() +{ + cd ${HOSTDIR} + + + Echo "test opening the database read/write in a nonexisting directory" + ${BINDIR}/certutil -L -X -d ./non_existent_dir + ret=$? + if [ $ret -ne 255 ]; then + html_failed "Certutil succeeded in a nonexisting directory $ret" + else + html_passed "Certutil didn't work in a nonexisting dir $ret" + fi + ${BINDIR}/dbtest -r -d ./non_existent_dir + ret=$? + if [ $ret -ne 46 ]; then + html_failed "Dbtest readonly succeeded in a nonexisting directory $ret" + else + html_passed "Dbtest readonly didn't work in a nonexisting dir $ret" + fi + + Echo "test force opening the database in a nonexisting directory" + ${BINDIR}/dbtest -f -d ./non_existent_dir + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Dbtest force failed in a nonexisting directory $ret" + else + html_passed "Dbtest force succeeded in a nonexisting dir $ret" + fi + + Echo "test opening the database readonly in an empty directory" + mkdir $EMPTY_DIR + ${BINDIR}/tstclnt -h ${HOST} -d $EMPTY_DIR + ret=$? + if [ $ret -ne 1 ]; then + html_failed "Tstclnt succeded in an empty directory $ret" + else + html_passed "Tstclnt didn't work in an empty dir $ret" + fi + ${BINDIR}/dbtest -r -d $EMPTY_DIR + ret=$? + if [ $ret -ne 46 ]; then + html_failed "Dbtest readonly succeeded in an empty directory $ret" + else + html_passed "Dbtest readonly didn't work in an empty dir $ret" + fi + rm -rf $EMPTY_DIR/* 2>/dev/null + ${BINDIR}/dbtest -i -d $EMPTY_DIR + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Dbtest logout after empty DB Init loses key $ret" + else + html_passed "Dbtest logout after empty DB Init has key" + fi + rm -rf $EMPTY_DIR/* 2>/dev/null + ${BINDIR}/dbtest -i -p pass -d $EMPTY_DIR + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Dbtest password DB Init loses needlogin state $ret" + else + html_passed "Dbtest password DB Init maintains needlogin state" + fi + rm -rf $EMPTY_DIR/* 2>/dev/null + ${BINDIR}/certutil -D -n xxxx -d $EMPTY_DIR #created DB + ret=$? + if [ $ret -ne 255 ]; then + html_failed "Certutil succeeded in deleting a cert in an empty directory $ret" + else + html_passed "Certutil didn't work in an empty dir $ret" + fi + rm -rf $EMPTY_DIR/* 2>/dev/null + Echo "test force opening the database readonly in a empty directory" + ${BINDIR}/dbtest -r -f -d $EMPTY_DIR + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Dbtest force readonly failed in an empty directory $ret" + else + html_passed "Dbtest force readonly succeeded in an empty dir $ret" + fi + + Echo "test opening the database r/w in a readonly directory" + mkdir $RONLY_DIR + cp -r ${CLIENTDIR}/* $RONLY_DIR + chmod -w $RONLY_DIR $RONLY_DIR/* + + # On Mac OS X 10.1, if we do a "chmod -w" on files in an + # NFS-mounted directory, it takes several seconds for the + # first open to see the files are readonly, but subsequent + # opens immediately see the files are readonly. As a + # workaround we open the files once first. (Bug 185074) + if [ "${OS_ARCH}" = "Darwin" ]; then + cat $RONLY_DIR/* > /dev/null + fi + + # skipping the next two tests when user is root, + # otherwise they would fail due to rooty powers + if [ $UID -ne 0 ]; then + ${BINDIR}/dbtest -d $RONLY_DIR + ret=$? + if [ $ret -ne 46 ]; then + html_failed "Dbtest r/w succeeded in a readonly directory $ret" + else + html_passed "Dbtest r/w didn't work in an readonly dir $ret" + fi + else + html_passed "Skipping Dbtest r/w in a readonly dir because user is root" + fi + if [ $UID -ne 0 ]; then + ${BINDIR}/certutil -D -n "TestUser" -d . + ret=$? + if [ $ret -ne 255 ]; then + html_failed "Certutil succeeded in deleting a cert in a readonly directory $ret" + else + html_passed "Certutil didn't work in an readonly dir $ret" + fi + else + html_passed "Skipping Certutil delete cert in a readonly directory test because user is root" + fi + + Echo "test opening the database ronly in a readonly directory" + + ${BINDIR}/dbtest -d $RONLY_DIR -r + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Dbtest readonly failed in a readonly directory $ret" + else + html_passed "Dbtest readonly succeeded in a readonly dir $ret" + fi + + Echo "test force opening the database r/w in a readonly directory" + ${BINDIR}/dbtest -d $RONLY_DIR -f + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Dbtest force failed in a readonly directory $ret" + else + html_passed "Dbtest force succeeded in a readonly dir $ret" + fi + + Echo "ls -l $RONLY_DIR" + ls -ld $RONLY_DIR $RONLY_DIR/* + + mkdir ${CONFLICT_DIR} + Echo "test creating a new cert with a conflicting nickname" + cd ${CONFLICT_DIR} + pwd + ${BINDIR}/certutil -N -d ${CONFLICT_DIR} -f ${R_PWFILE} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Nicknane conflict test failed, couldn't create database $ret" + else + ${BINDIR}/certutil -A -n alice -t ,, -i ${R_ALICEDIR}/Alice.cert -d ${CONFLICT_DIR} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Nicknane conflict test failed, couldn't import alice cert $ret" + else + ${BINDIR}/certutil -A -n alice -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR} + ret=$? + if [ $ret -eq 0 ]; then + html_failed "Nicknane conflict test failed, could import conflict nickname $ret" + else + html_passed "Nicknane conflict test, could not import conflict nickname $ret" + fi + fi + fi + + Echo "test importing an old cert to a conflicting nickname" + # first, import the certificate + ${BINDIR}/certutil -A -n bob -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR} + # now import with a different nickname + ${BINDIR}/certutil -A -n alice -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR} + # the old one should still be there... + ${BINDIR}/certutil -L -n bob -d ${CONFLICT_DIR} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Nicknane conflict test-setting nickname conflict incorrectly worked" + else + html_passed "Nicknane conflict test-setting nickname conflict was correctly rejected" + fi + +} + +################## main ################################################# + +dbtest_init +dbtest_main 2>&1 +dbtest_cleanup diff --git a/security/nss/tests/dbupgrade/dbupgrade.sh b/security/nss/tests/dbupgrade/dbupgrade.sh new file mode 100755 index 000000000..0302e6143 --- /dev/null +++ b/security/nss/tests/dbupgrade/dbupgrade.sh @@ -0,0 +1,106 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/dbupgrade/dbupgrade.sh +# +# Script to upgrade databases to Shared DB +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################ dbupgrade_init ############################ +# local shell function to initialize this script +######################################################################## +dbupgrade_init() +{ + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ${QADIR}/common + . ./init.sh + fi + + if [ ! -r "${CERT_LOG_FILE}" ]; then # we need certificates here + cd ${QADIR}/cert + . ./cert.sh + fi + + if [ ! -d ${HOSTDIR}/SDR ]; then # we also need sdr as well + cd ${QADIR}/sdr + . ./sdr.sh + fi + + SCRIPTNAME=dbupgrade.sh + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + echo "$SCRIPTNAME: DB upgrade tests ===============================" +} + +############################ dbupgrade_main ############################ +# local shell function to upgrade certificate databases +######################################################################## +dbupgrade_main() +{ + # 'reset' the databases to initial values + echo "Reset databases to their initial values:" + cd ${HOSTDIR} + ${BINDIR}/certutil -D -n objsigner -d alicedir 2>&1 + ${BINDIR}/certutil -M -n FIPS_PUB_140_Test_Certificate -t "C,C,C" -d fips -f ${FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -L -d fips 2>&1 + rm -f smime/alicehello.env + + # test upgrade to the new database + echo "nss" > ${PWFILE} + html_head "Legacy to shared Library update" + dirs="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server SDR server serverCA ssl_gtests stapling tools/copydir" + for i in $dirs + do + echo $i + if [ -d $i ]; then + echo "upgrading db $i" + ${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1 + html_msg $? 0 "Upgrading $i" + else + echo "skipping db $i" + html_msg 0 0 "No directory $i" + fi + done + + if [ -d fips ]; then + echo "upgrading db fips" + ${BINDIR}/certutil -S -g 1024 -n tmprsa -t "u,u,u" -s "CN=tmprsa, C=US" -x -d sql:fips -f ${FIPSPWFILE} -z ${NOISE_FILE} 2>&1 + html_msg $? 0 "Upgrading fips" + # remove our temp certificate we created in the fist token + ${BINDIR}/certutil -F -n tmprsa -d sql:fips -f ${FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -L -d sql:fips 2>&1 + fi + + html "</TABLE><BR>" +} + +########################## dbupgrade_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +dbupgrade_cleanup() +{ + cd ${QADIR} + . common/cleanup.sh +} + +################################# main ################################# + +dbupgrade_init +dbupgrade_main +dbupgrade_cleanup diff --git a/security/nss/tests/dll_version.sh b/security/nss/tests/dll_version.sh new file mode 100755 index 000000000..79a128585 --- /dev/null +++ b/security/nss/tests/dll_version.sh @@ -0,0 +1,50 @@ +#!/bin/sh + +# version controll for DLLs +# ToDo: make version parameter or find version from first occurance of 3.x +# make the 3 a variable..., include the header + +#OS=`uname -s` +#DSO_SUFFIX=so +#if [ "$OS" = "HP-UX" ]; then + #DSO_SUFFIX=sl +#fi +#what libnss3.$DSO_SUFFIX | grep NSS +#what libsmime3.$DSO_SUFFIX | grep NSS +#what libssl3.$DSO_SUFFIX | grep NSS +#ident libnss3.$DSO_SUFFIX | grep NSS +#ident libsmime3.$DSO_SUFFIX | grep NSS +#ident libssl3.$DSO_SUFFIX | grep NSS + +for w in `find . -name "libnss3.s[ol]" ; find . -name "libsmime3.s[ol]"; find . -name "libssl3.s[ol]"` +do + NOWHAT=FALSE + NOIDENT=FALSE + echo $w + what $w | grep NSS || NOWHAT=TRUE + ident $w | grep NSS || NOIDENT=TRUE + if [ $NOWHAT = TRUE ] + then + echo "ERROR what $w does not contain NSS" + fi + if [ $NOIDENT = TRUE ] + then + echo "ERROR ident $w does not contain NSS" + fi +done +#for w in `find . -name "libnss3.s[ol]" ; find . -name "libsmime3.s[ol]"; find . +#-name "libssl3.s[ol]"` +#do + #NOWHAT=FALSE + #NOIDENT=FALSE + #echo $w + #what $w | grep NSS || NOWHAT=TRUE + #ident $w | grep NSS || NOIDENT=TRUE + #if [ $NOWHAT = TRUE -a $NOIDENT = TRUE ] + #then + #echo "WARNING what and ident $w does not contain NSS" + #strings $w | grep NSS | grep '3.2' || echo "ERROR strings does +#not either..." + #fi +#done + diff --git a/security/nss/tests/doc/clean.gif b/security/nss/tests/doc/clean.gif Binary files differnew file mode 100644 index 000000000..08781cb2b --- /dev/null +++ b/security/nss/tests/doc/clean.gif diff --git a/security/nss/tests/doc/nssqa.txt b/security/nss/tests/doc/nssqa.txt new file mode 100755 index 000000000..34fa0955b --- /dev/null +++ b/security/nss/tests/doc/nssqa.txt @@ -0,0 +1,108 @@ +The new QA wrapper consistst mainly of 2 scripts, nssqa and qa_stat, both +include a common header (header) and a common environment (set_environment). +Also used is mksymlinks and path_uniq. + +The scripts that are used on a daily basis are located in /u/sonmi/bin. + +Parameters and Options are the same for both scripts. + +Parameters +---------- + nssversion (supported: 30b, 31, tip) + builddate (default - today, format mmdd) + +Options +------- + -y answer all questions with y - use at your own risk... ignores warnings + -s silent (only usefull with -y) + -h, -? -help you guessed right - displays the usage + -d debug + -f <filename> - write the (error)output to filename + -m <mailinglist> - send filename to mailinglist (csl) only useful + with -f on nssqa + -l <mozroot> run on a local build - does not work at this time + -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname> + +nssqa and qa_stat are Beta at the most +-------------------------- +Please be aware that + +-) machinenames are still hardcoded --FIXED +-) other very iPlanet specific environments and features are being used. + +-d Debug option will be removed from cron in a few weeks - or maybe not +-l QA on local build is not fully implemented yet + +Please do not use on Windows 95 and 98, ME platforms yet. + +use -d if script behaves strange or exits unexpectedly + +How to use QA +------------- +To test a build, first run nssqa on the required QA platforms (some +buildplatforms require QA to be run on additional platforms - for +example Solaris 2.6 has to be tested on 2.8 32 and 64bit) If QA has +been run on multiple or all required platforms it makes sense to run +qa_stat on the output of nssqa as well. +Before used on a new system (even if the same platform has been +tested before) please use completely interactive, to see what the +variables are being initialized to, and read the warnings. Same is +true if being run from a different user account than svbld. + +In any case, if you are using it, please let me know the results. + +Pseudocode Description of nssqa: +-------------------------------- +not quite up to date + + header:init (global) + set flags and variables to default values + signal trap (for interupts and kills) + set HOST and DOMSUF variables if running from cron + parse parameters and options + determine os and set up the environment (espec. PATH) + set the directories to run in (influenced by parameters and -l option) + set and initialize the tmp / debugging / output files + + nssqa:init (local) + locking: if nssqa is already running on this systems (yes-exit, + no-lockfile) + set HOST and DOMSUF variables if running interavtively + set flag to kill remaining selfserv processes during cleanup + if QA platform different from build platform create neccessary + symbolic links + wait for the build to finish (max of 5h) + + main: + repeated per test (optimized, debug, 32, 64 bit) + set flags for this run of all.sh (optimized, debug, 32, 64 bit) + set the DIST directory (where the binaries reside) + kill running selfservers (sorry - just don't use the svbld + account if you need to do your own testing... I will fix + selfserv as soon as I can - but it hangs too often and + disturbs all following QA) + run all.sh + + header:exit (global) + remove temporary files + kill remaining selfservers + send email to the list + + + errorhandling + Option / Parameter errors: Exit with usage information + + Severe errors: Exit wit errormessage + example: directory in which all.sh resides does not exist + can't create files or directories + build not done after 5 hours + is already running + + Other errors: User is prompted with the "errormessage - continue (y/n)?" + example: local DIST dir does not exist (continues with next all.sh) + outputdirectory does not exist (user can specify other) + + Signals 2, 3, 15 are treated as severe errors + + + diff --git a/security/nss/tests/doc/platform_specific_problems b/security/nss/tests/doc/platform_specific_problems new file mode 100644 index 000000000..92a22ca03 --- /dev/null +++ b/security/nss/tests/doc/platform_specific_problems @@ -0,0 +1,110 @@ +I will, eventually convert all files here to html - just right now I have no +time to do it. Anyone who'd like to - please feel free, mail me the file and +I will check it in +sonmi@netscape.com + + +The NSS 3.1 SSL Stress Tests fail for me on FreeBSD 3.5. The end of the output +of './ssl.sh stress' looks like this: + +********************* Stress Test **************************** +********************* Stress SSL2 RC4 128 with MD5 **************************** +selfserv -p 8443 -d +/local/llennox/NSS-PSM/mozilla/tests_results/security/conrail.20/server -n +conrail.cs.columbia.edu -w nss -i /tmp/tests_pid.5505 & strsclnt -p 8443 -d . -w nss -c 1000 -C A conrail.cs.columbia.edu +strsclnt: -- SSL: Server Certificate Validated. +strsclnt: PR_NewTCPSocket returned error -5974: +Insufficient system resources. +Terminated +********************* Stress SSL3 RC4 128 with MD5 **************************** +selfserv -p 8443 -d +/local/llennox/NSS-PSM/mozilla/tests_results/security/conrail.20/server -n +conrail.cs.columbia.edu -w nss -i /tmp/tests_pid.5505 & strsclnt -p 8443 -d . -w nss -c 1000 -C c conrail.cs.columbia.edu +strsclnt: -- SSL: Server Certificate Validated. +strsclnt: PR_NewTCPSocket returned error -5974: +Insufficient system resources. +Terminated + +Running ktrace on the process (ktrace is a system-call tracer, the equivalent of +Linux's strace) reveals that socket() failed with ENOBUFS after it was called +for the 953rd time for the first test, and it failed after the 27th time it was +called for the second test. + +The failure is consistent, both for debug and optimized builds; I haven't tested +to see whether the count of socket() failures is consistent. + +All the other NSS tests pass successfully. + + +------- Additional Comments From Nelson Bolyard 2000-11-01 23:08 ------- + +I see no indication of any error on NSS's part from this description. +It sounds like an OS kernel configuration problem on the +submittor's system. The stress test is just that. It stresses +the server by pounding it with SSL connections. Apparently this +test exhausts some kernel resource on the submittor's system. + +The only change to NSS that might be beneficial to this test +would be to respond to this error by waiting and trying again +for some limited number of times, rather than immediately +treating it as a fatal error. + +However, while such a change might make the test appear to pass, +it would merely be hiding a very serious problem, namely, +chronic system resource exhaustion. + +So, I suggest that, in this case, the failure serves the useful +purpose of revealing the system problem, which needs to be +cured apart from any changes to NSS. + +I'll leave this bug open for a few more days, to give others +a chance to persuade me that some NSS change would and should +solve this problem. + + +------- Additional Comments From Jonathan Lennox 2000-11-02 13:13 ------- + +Okay, some more investigation leads me to agree with you. What's happening is +that the TCP connections from the stress test stick around in TIME_WAIT for two +minutes; my kernel is only configured to support 1064 simultaneous open sockets, +which isn't enough for the 2K sockets opened by the stress test plus the 100 or +so normally in use on my system. + +So I'd just suggest adding a note to the NSS test webpage to the effect of "The +SSL stress test opens 2,048 TCP connections in quick succession. Kernel data +structures may remain allocated for these connections for up to two minutes. +Some systems may not be configured to allow this many simulatenous connections +by default; if the stress tests fail, try increasing the number of simultaneous +sockets supported." + +On FreeBSD, you can display the number of simultaneous sockets with the command + sysctl kern.ipc.maxsockets +which on my system returns 1064. + +It looks like this can be fixed with the kernel config option + options NMBCLUSTERS=[something-large] +or by increasing the 'maxusers' parameter. + +It looks like more recent FreeBSD implementations still have this limitation, +and the same solutions apply, plus you can alternatively specify the maxsockets +parameter in the boot loader. + + +--------------------------------- + +hpux HP-UX hp64 B.11.00 A 9000/800 2014971275 two-user license + +we had to change following kernelparameters to make our tests pass + +1. maxfiles. old value = 60. new value = 100. +2. nkthread. old value = 499. new value = 1328. +3. max_thread_proc. old value = 64. new value = 512. +4. maxusers. old value = 32. new value = 64. +5. maxuprc. old value = 75. new value = 512. +6. nproc. old formula = 20+8*MAXUSERS, which evaluated to 276. + new value (note: not a formula) = 750. + +A few other kernel parameters were also changed automatically +as a result of the above changes. + + diff --git a/security/nss/tests/doc/qa_wrapper.html b/security/nss/tests/doc/qa_wrapper.html new file mode 100755 index 000000000..755cca236 --- /dev/null +++ b/security/nss/tests/doc/qa_wrapper.html @@ -0,0 +1,269 @@ +<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> +<html> +<head> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> + <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; U; SunOS 5.8 sun4u) [Netscape]"> +</head> +<body text="#000000" bgcolor="#FFFFFF" link="#0000EE" vlink="#551A8B" alink="#FF0000"> + +<h3> +<b><font face="Times New Roman,Times">Author Sonja Mirtitsch</font></b></h3> + +<h3> +<b><font face="Times New Roman,Times">Last updated: 4/4/2001</font></b></h3> + +<h1> +<b><font face="Times New Roman,Times">NSS 3.2.QA Wrapper</font></b></h1> + +<p><br>The QA wrapper tests the nightly builds of NSS. The actual +tests are being run are called from the QA script all.sh. I will add documentation +for the actual QA soon. The main purpose of the wrapper is: find out which +build (NSS version, date, Build Platform) to test on which machine (OS, +OS version) and construct a summary report, which is then mailed to the +nss developers (aka mailing list nss-qa-report@netscape.com). Please see +also the <a href="#advertisement">feature</a> section. +<p><a href="#nssqa">nssqa</a> - the script that calls the actual +qa script all.sh +<br><a href="#qa_stat">qa_stat</a> - sends out status reports +<br><a href="#qaclean">qaclean</a> - if everything else fails +<p>Sample <a href="/u/sonmi/doc/publish/glob_result.html">global result</a>, +<a href="/u/sonmi/doc/publish/results.html">individual result </a>and <a href="/u/sonmi/doc/publish/output.log">log +files</a> +<p>The QA wrapper consistst mainly of scripts, most located in security/nss/tests +and subdirectories, but run from /u/sonmi/bin +<p>nssqa and qa_stat, the main scripts both include a common header (<a href="../header">header</a>) +and a common environment (<a href="../set_environment">set_environment</a>). +<br>Also used is <a href="../mksymlinks">mksymlinks</a> and <a href="../path_uniq">path_uniq</a> +and <a href="#qaclean">qaclean</a>. +<p>The scripts that are used on a daily basis are located in /u/sonmi/bin +and checked into security/nss/tests +<p>Parameters and Options are the same for most scripts. +<p><a NAME="Parameters"></a><b><u><font size=+1>Parameters</font></u></b> +<br> nssversion (supported: 30b, 31, tip, default tip) +<br> builddate (default - today, format mmdd) +<p><a NAME="Options"></a><b><u><font size=+1>Options</font></u></b> +<br> -y answer all questions with y - use at your own +risk... ignores warnings +<br> -s silent (only usefull with -y) +<br> -h, -? -help you guessed right - displays the usage +<br> -d debug +<br> -f <filename> - write the (error)output to filename +<br> -fcron writes resultfile in the same location as +would the -cron +<br> -m <mailinglist> - send filename to mailinglist +(csl) only useful +<br> with -f on nssqa +<br> -l <mozroot> run on a local build - does not +work at this time +<br> -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname> +<br> +<p>Please be aware that some iPlanet specific environments and features +are being used. +<p>-d Debug option might be removed from cron in a few weeks - or maybe +not +<br>-l QA on local build is not fully implemented yet - will not be implemented, +all.sh can be called directly instead +<p>Please do not use on Windows 95 and 98, ME platforms yet. +<p>use -d if script behaves strange or exits unexpectedly +<p><b><font size=+1>How to use the QA-wrapper</font></b> +<br>To test a build, first run nssqa on the required QA platforms (some +buildplatforms require QA to be run on additional platforms - for example +Solaris 2.6 has to be tested on 2.8 32 and 64bit) If QA has been run on +multiple or all required platforms it makes sense to run qa_stat on the +output of nssqa as well. +<br>Before used on a new system (even if the same platform has been tested +before) please use completely interactive, to see what the variables are +being initialized to, and read the warnings. Same is true if being run +from a different user account than svbld. +<p>In any case, if you are using it, please let me know the results. +<p><a NAME="nssqa"></a><b><u><font size=+1>nssqa:</font></u></b> +<p>the script that calls the actual qa script all.sh +<p>nssqa <a href="#Parameters">parameters</a> and <a href="#Options">options</a> +<p><a href="../nssqa">view the script</a> +<p><b><u><font size=+1>Pseudocode Description of nssqa</font></u></b> +<br>not quite up to date +<p> header:init (global) +<br> set flags and variables +to default values +<br> signal trap (for interupts +and kills) +<br> set HOST and DOMSUF variables +if running from cron +<br> parse parameters and options +<br> determine os and set up +the environment (espec. PATH) +<br> set the directories to run +in (influenced by parameters and -l option)<br> + set the directories for backward +compatibility testing +<br> set and initialize the tmp +/ debugging / output files +<p> nssqa:init (local) +<br> locking: if nssqa is already +running on this systems (yes-exit, +<br> +no-lockfile) +<br> set HOST and DOMSUF variables +if running interavtively +<br> set flag to kill remaining +selfserv processes during cleanup +<br> if QA platform different +from build platform create neccessary +<br> +symbolic links +<br> wait for the build to finish +(max of 5h) +<p> main: +<br> repeated per test (optimized, +debug, 32, 64 bit) +<br> +set flags for this run of all.sh (optimized, debug, 32, 64 bit) +<br> +set the DIST directory (where the binaries reside) +<br> +kill running selfservers (sorry - just don't use the svbld +<br> +account if you need to do your own testing... I will fix +<br> +selfserv as soon as I can - but it hangs too often and +<br> +disturbs all following QA) +<br> +run all.sh +<p> header:exit (global) +<br> remove temporary files +<p> kill remaining selfservers +<br> send email to the list +<br> +<p> errorhandling +<br> Option / Parameter errors: +Exit with usage information +<p> Severe errors: Exit wit errormessage +<br> +example: directory in which all.sh resides does not exist +<br> +can't create files or directories +<br> +build not done after 5 hours +<br> +is already running +<p> Other errors: User is prompted +with the "errormessage - continue (y/n)?" +<br> +example: local DIST dir does not exist (continues with next all.sh) +<br> +outputdirectory does not exist (user can specify other) +<p> Signals 2, 3, 15 are treated +as severe errors +<br> +<br> +<br> +<p><img SRC="clean.gif" height=129 width=92 align=LEFT><a NAME="qaclean"></a><b><u><font size=+2>qaclean:</font></u></b>/u/sonmi/bin/qaclean +<br> +<p>Use qaclean as user "svbld" to get the propper permissions. It is supposed +to clean up after a "hanging" QA and will also brutally kill, interupt +and disturb any other nss related test or performance meassurement on the +named machine. NT and 2000 might require an additional reboot, since the +ps is not so good about telling us the actual programmname - so we can't +kill them... Please note that this is a brute force script, it should not +be used on a regular basis, file a bug whenever you have to use it, since +hanging QA is nothing that should occur frequently +<p> <a href="../qaclean">view the script</a> +<p>What it does: +<ol> +<li> +see if there is a lockfile (/tmp/nssqa.$$ or $TMP/nssqa.$$)</li> + +<br>if yes: +<ol>kill the process of the lockfile <font color="#666666">(future expansion +and if possible it's children )</font> +<br>rm the lockfile</ol> + +<li> +kill selfservers</li> + +<li> +kill whatever other qa related processes might be hanging</li> + +<li> +clean up tmp files</li> +</ol> +<b>QAClean Parameters:</b> +<br> machinename. +<br> for example +<br> qaclean kentuckyderby +<br> started on any machine, will clean up on kentuckyderby +<p><a NAME="qa_stat"></a><b><u><font size=+2>qa_stat</font></u></b> +<p>qa_stat is the script that is being started from the svbld cron on kentuckyderby +every morning at 10:00 and runs some (very primitive) analysis on the qa +results. +<br>I'd like to rewrite the whole thing in perl, and in a few weeks I might +just do this... +<p> <a href="../qa_stat">view the script</a> +<p>qa_stat <a href="#Parameters">parameters</a> and <a href="#Options">options</a> +<p><a NAME="advertisement"></a><b><u><font size=+1>Why we need the QA wrapper</font></u></b> +<p>We need the new QA wrapper, because we have to test on so many platforms, +that running the tests and evaluating the results for the nightly builds +took about an average workday. +<p><b><font size=+1>New Features:</font></b> +<ul> +<li> +runs from <b>cron</b> / rsh or <b>interactive</b> if desired</li> + +<li> +generates <b>summary</b> (no need to look through 60-90 directories)</li> + +<li> +sends <b>email</b> about results</li> + +<li> +automatically <b>recognizes common errors</b> and problems and conflicts +and corrects them</li> + +<br>(or attempts to correct them :-) +<li> +automatically determines <b>which build </b>to test (waits if build in +progress, exits if no build)</li> + +<li> +runs on <b>all required platforms</b> (Windows 98 and before not functional +yet)</li> + +<li> +Windows version runs on <b>free Cygnus</b> as well as on MKS</li> + +<li> +debug mode, normal mode and silent mode</li> + +<li> +<b>locking</b> mechanism so it won't run twice</li> + +<li> +<b>cleanup</b> after being killed and most errors (no remaining selfservers, +tmpfiles, lock files)</li> +</ul> +The 1st script is started via cron between 5:00 and 8:00 am on different +systems, and starts QA on the nightly build. At 10:00 the next script is +started, and sends a QA summary to the nss developers. +<p><b>Cygnus Advantages</b>: +<ul> +<li> +<b>free</b></li> + +<li> +better handling of <b>processes</b> (background, processIDs, Signals)</li> + +<li> +Unix / Linux <b>compatible</b> sh / bash</li> +</ul> +<b>Disadvantages</b> +<ul> +<li> +MKS functionality needs to be preserved (makes <b>8 Windows platforms</b> +instead of 4 for the QA suites - makes 32 testruns on Windows alone)</li> + +<br>In certain functionality's <b>slow</b> +<br><b></b> </ul> +<b>Porting the windows QA to Uwin as well is also being considered</b> +</body> +</html> diff --git a/security/nss/tests/dummy/dummy.sh b/security/nss/tests/dummy/dummy.sh new file mode 100644 index 000000000..27d3c9cf4 --- /dev/null +++ b/security/nss/tests/dummy/dummy.sh @@ -0,0 +1,19 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/dummy/dummy.sh +# +# Minimal test that doesn't do anything +# +# NSS_TESTS="dummy" can be used for quick testing of the +# test script infrastructure, without running any of the tests +# +######################################################################## + +# html_failed "dummy test fail" +html_passed "dummy test ok" diff --git a/security/nss/tests/ec/ec.sh b/security/nss/tests/ec/ec.sh new file mode 100755 index 000000000..9869b6590 --- /dev/null +++ b/security/nss/tests/ec/ec.sh @@ -0,0 +1,37 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/ec/ec.sh +# +# needs to work on all Unix and Windows platforms +# this is a meta script to drive all ec tests +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## run_tests ############################### +# run test suites defined in ECTESTS variable +######################################################################## +run_ec_tests() +{ + for ECTEST in ${ECTESTS} + do + SCRIPTNAME=${ECTEST}.sh + echo "Running ec tests for ${ECTEST}" + echo "TIMESTAMP ${ECTEST} BEGIN: `date`" + (cd ${QADIR}/ec; . ./${SCRIPTNAME} 2>&1) + echo "TIMESTAMP ${ECTEST} END: `date`" + done +} + +ECTESTS="ecperf ectest" +run_ec_tests diff --git a/security/nss/tests/ec/ecperf.sh b/security/nss/tests/ec/ecperf.sh new file mode 100755 index 000000000..501488e08 --- /dev/null +++ b/security/nss/tests/ec/ecperf.sh @@ -0,0 +1,52 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/ec/ecperf.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## ecperf_init ############################# +# local shell function to initialize this script +######################################################################## + +ecperf_init() +{ + SCRIPTNAME="ecperf.sh" + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then + cd ../common + . ./init.sh + fi + SCRIPTNAME="ecperf.sh" + html_head "ecperf test" +} + +ecperf_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +ecperf_init +ECPERF_OUT=$(ecperf 2>&1) +echo "$ECPERF_OUT" +ECPERF_OUT=`echo $ECPERF_OUT | grep -i 'failed\|Assertion failure'` +# TODO: this is a perf test we don't check for performance here but only failed +if [ -n "$ECPERF_OUT" ] ; then + html_failed "ec(perf) test" +else + html_passed "ec(perf) test" +fi +ecperf_cleanup diff --git a/security/nss/tests/ec/ectest.sh b/security/nss/tests/ec/ectest.sh new file mode 100644 index 000000000..e10760565 --- /dev/null +++ b/security/nss/tests/ec/ectest.sh @@ -0,0 +1,93 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/ec/ectest.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## ectest_init ############################# +# local shell function to initialize this script +######################################################################## + +ectest_init() +{ + SCRIPTNAME="ectest.sh" + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then + cd ../common + . ./init.sh + fi + SCRIPTNAME="ectest.sh" + html_head "freebl and pk11 ectest tests" +} + +ectest_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +ectest_genkeydb_test() +{ + certutil -N -d "${HOSTDIR}" -f "${R_PWFILE}" 2>&1 + if [ $? -ne 0 ]; then + return $? + fi + curves=( \ + "curve25519" \ + "secp256r1" \ + "secp384r1" \ + "secp521r1" \ + ) + for curve in "${curves[@]}"; do + echo "Test $curve key generation using certutil ..." + certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE} + if [ $? -ne 0 ]; then + html_failed "ec test certutil keygen - $curve" + else + html_passed "ec test certutil keygen - $curve" + fi + done + echo "Test sect571r1 key generation using certutil that should fail because it's not implemented ..." + certutil -G -d "${HOSTDIR}" -k ec -q sect571r1 -f "${R_PWFILE}" -z ${NOISE_FILE} + if [ $? -eq 0 ]; then + html_failed "ec test certutil keygen - $curve" + else + html_passed "ec test certutil keygen - $curve" + fi +} + +ectest_init +ectest_genkeydb_test +# TODO: expose individual tests and failures instead of overall +if [ -f ${BINDIR}/fbectest ]; then + FB_ECTEST_OUT=$(fbectest -n -d 2>&1) + FB_ECTEST_OUT=`echo $FB_ECTEST_OUT | grep -i 'not okay\|Assertion failure'` + if [ -n "$FB_ECTEST_OUT" ] ; then + html_failed "freebl ec tests" + else + html_passed "freebl ec tests" + fi +fi +if [ -f ${BINDIR}/pk11ectest ]; then + PK11_ECTEST_OUT=$(pk11ectest -n -d 2>&1) + PK11_ECTEST_OUT=`echo $PK11_ECTEST_OUT | grep -i 'not okay\|Assertion failure'` + if [ -n "$PK11_ECTEST_OUT" ] ; then + html_failed "pk11 ec tests" + else + html_passed "pk11 ec tests" + fi +fi +ectest_cleanup diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh new file mode 100755 index 000000000..4153e61aa --- /dev/null +++ b/security/nss/tests/fips/fips.sh @@ -0,0 +1,293 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# mozilla/security/nss/tests/fips/fips.sh +# +# Script to test basic functionallity of NSS in FIPS-compliant mode +# +# needs to work on all Unix and Windows platforms +# +# tests implemented: +# +# special strings +# --------------- +# +######################################################################## + +############################## fips_init ############################## +# local shell function to initialize this script +######################################################################## +fips_init() +{ + SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=fips.sh + html_head "FIPS 140 Compliance Tests" + + grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { + Exit 15 "Fatal - FIPS of cert.sh needs to pass first" + } + + COPYDIR=${FIPSDIR}/copydir + + R_FIPSDIR=../fips + P_R_FIPSDIR=../fips + R_COPYDIR=../fips/copydir + + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_FIPSDIR="multiaccess:${D_FIPS}" + fi + + mkdir -p ${FIPSDIR} + mkdir -p ${COPYDIR} + + cd ${FIPSDIR} +} + +############################## fips_140 ############################## +# local shell function to test basic functionality of NSS while in +# FIPS 140 compliant mode +######################################################################## +fips_140() +{ + echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" + echo "modutil -dbdir ${P_R_FIPSDIR} -list" + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 + html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1 + html_msg $? 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys -------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 + RET=$? + html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "." + echo "certutil -K returned $RET" + + echo "$SCRIPTNAME: Validate the certificate --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} + html_msg $? 0 "Validate the certificate (certutil -V -e)" "." + + echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --" + echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "." + + echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" + echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 + html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + + echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" + echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + if [ $? -eq 0 ]; then + ret=255 + fi + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys." + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + # certutil -K now returns a failure if no keys are found. This verifies that + # our delete succeded. + html_msg $? 255 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" + echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Delete the certificate from the FIPS module" + echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 + html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + if [ $? -eq 0 ]; then + ret=255 + fi + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + + echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" + echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." + + echo "$SCRIPTNAME: List the FIPS module certificates -----------------" + echo "certutil -d ${P_R_FIPSDIR} -L" + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` + ret=$? + echo "${certs}" + if [ ${ret} -eq 0 ]; then + echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null + ret=$? + fi + html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." + + echo "$SCRIPTNAME: List the FIPS module keys --------------------------" + echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "List the FIPS module keys (certutil -K)" "." + + + echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------" + echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}" + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 + html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "." + + echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------" + echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n" + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 + html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "." + + LIBDIR="${DIST}/${OBJDIR}/lib" + MANGLEDIR="${FIPSDIR}/mangle" + + # There are different versions of cp command on different systems, some of them + # copies only symlinks, others doesn't have option to disable links, so there + # is needed to copy files one by one. + echo "mkdir ${MANGLEDIR}" + mkdir ${MANGLEDIR} + for lib in `ls ${LIBDIR}`; do + echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}" + cp ${LIBDIR}/${lib} ${MANGLEDIR} + done + + echo "$SCRIPTNAME: Detect mangled softoken--------------------------" + SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} + + echo "mangling ${SOFTOKEN}" + echo "mangle -i ${SOFTOKEN} -o -8 -b 5" + # If nss was built without softoken use the system installed one. + # It's location must be specified by the package maintainer. + if [ ! -e ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then + echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}" + cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR} + fi + ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 + if [ $? -eq 0 ]; then + if [ "${OS_ARCH}" = "WINNT" ]; then + DBTEST=`which dbtest` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + DBTEST=`cygpath -m ${DBTEST}` + MANGLEDIR=`cygpath -u ${MANGLEDIR}` + fi + echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}" + PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "HP-UX" ]; then + echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "AIX" ]; then + echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + elif [ "${OS_ARCH}" = "Darwin" ]; then + echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + else + echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" + LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + RESULT=$? + fi + + html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "." + else + html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}" + fi +} + +############################## fips_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +fips_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +fips_init +fips_140 +fips_cleanup +echo "fips.sh done" diff --git a/security/nss/tests/gtests/gtests.sh b/security/nss/tests/gtests/gtests.sh new file mode 100755 index 000000000..f91349b9e --- /dev/null +++ b/security/nss/tests/gtests/gtests.sh @@ -0,0 +1,88 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# similar to all.sh this file runs drives gtests. +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## gtest_init ############################## +# local shell function to initialize this script +######################################################################## +gtest_init() +{ + cd "$(dirname "$1")" + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd common + . ./init.sh + fi + + SCRIPTNAME=gtests.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi +} + +########################## gtest_start ############################# +# Local function to actually start the test +#################################################################### +gtest_start() +{ + echo "gtests: ${GTESTS}" + for i in ${GTESTS}; do + if [ ! -f ${BINDIR}/$i ]; then + html_unknown "Skipping $i (not built)" + continue + fi + GTESTDIR="${HOSTDIR}/$i" + html_head "$i" + if [ ! -d "$GTESTDIR" ]; then + mkdir -p "$GTESTDIR" + fi + cd "$GTESTDIR" + GTESTREPORT="$GTESTDIR/report.xml" + PARSED_REPORT="$GTESTDIR/report.parsed" + echo "executing $i" + ${BINDIR}/$i -d "$GTESTDIR" --gtest_output=xml:"${GTESTREPORT}" \ + --gtest_filter="${GTESTFILTER-*}" + html_msg $? 0 "$i run successfully" + echo "test output dir: ${GTESTREPORT}" + echo "executing sed to parse the xml report" + sed -f ${COMMON}/parsegtestreport.sed "${GTESTREPORT}" > "${PARSED_REPORT}" + echo "processing the parsed report" + cat "${PARSED_REPORT}" | while read result name; do + if [ "$result" = "notrun" ]; then + echo "$name" SKIPPED + elif [ "$result" = "run" ]; then + html_passed_ignore_core "$name" + else + html_failed_ignore_core "$name" + fi + done + done +} + +gtest_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# +GTESTS="der_gtest pk11_gtest util_gtest" +gtest_init $0 +gtest_start +gtest_cleanup diff --git a/security/nss/tests/header b/security/nss/tests/header new file mode 100644 index 000000000..5a1dead72 --- /dev/null +++ b/security/nss/tests/header @@ -0,0 +1,1636 @@ +#! /bin/sh + +######################################################################## +# +# /u/sonmi/bin/header - /u/svbld/bin/init/nss/header +# +# variables, utilities and shellfunctions global to NSS QA +# needs to work on all Unix platforms +# +# included from (don't expect this to be up to date) +# -------------------------------------------------- +# qa_stat +# mksymlinks +# nssqa +# +# parameters +# ---------- +# nssversion (supported: 30b, 31, 332, tip 32) +# builddate (default - today) +# +# options +# ------- +# -y answer all questions with y - use at your own risk... ignores warnings +# -s silent (only usefull with -y) +# -h, -? - you guessed right - displays this text +# -d debug +# -f <filename> - write the (error)output to filename +# -fcronfile produces the resultfiles in the same locations +# as would have been produced with -cron +# -m <mailinglist> - send filename to mailinglist (csl) only useful +# with -f +# -ml <mailinglist> - send link to filename to mailinglist (csl) +# only useful with -f +# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname> +# -t run on a tinderbox build that means: local, from the startlocation +# -l <mozroot directory> run on a local build mozroot +# -ln <mozroot> copy a networkbuild to a local directory mozroot, +# used for networkindipendend QA +# -lt try to copy a networkbuild to a local directory, if not possible +# run on the network +# used for networkindipendend QA +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +# moduls (not yet) +# ---------------- +# --# INIT +# --# USERCOM +# --# UTILS +# +# FIXME - split in init / usercom / utils +# +######################################################################## + +#------------------------------# INIT #------------------------------ + +# below the option flags get initialized + +if [ -z "$QASCRIPT_DIR" ] +then + QASCRIPT_DIR=`dirname $0` + if [ "$QASCRIPT_DIR" = '.' ] + then + QASCRIPT_DIR=`pwd` + fi +fi +export QASCRIPT_DIR + +O_HWACC=OFF +if [ -z "$O_ALWAYS_YES" ] ; then + O_ALWAYS_YES=OFF # turned on by -y answer all questions with y +fi + +if [ -z "$O_INIT" ] # header is global, some including scripts may not +then # want the init to run, the others don't need to bother + O_INIT=ON +fi +if [ -z "$O_PARAM" ] # header is global, some including scripts may not +then # require parameters, the others don't need to bother + O_PARAM=ON +fi +if [ -z "$O_OPTIONS" ] # header is global, some including scripts may not +then # permit options, they don't need to bother + O_OPTIONS=OFF +fi +O_SILENT=OFF # turned on by -s silent (only usefull with -y) +if [ -z "$O_DEBUG" ] ; then + O_DEBUG=OFF # turned on by -d - calls to Debug produce output when ON +fi +O_FILE=OFF # turned on by -f echo all output to a file $FILENAME +O_CRON=OFF # turned on by -cron cron use only +O_CRONFILE=OFF # turned on by -cron cron and -fcron +O_LOCAL=OFF # turned on by -l* run on a local build in $LOCAL_MOZROOT +O_LN=OFF # turned on by -ln and -lt, test a networkbuild locally +O_MAIL=OFF # turned on by -m - sends email +O_MAIL_LINK=OFF # turned on by -ml - sends email +O_TBX=OFF # turned on by -t run on a tinderbox build + # that means: local, from the startlocation + +if [ -z "$DOMSUF" ] +then + + DOMSUF=red.iplanet.com + DS_WAS_SET=FALSE +else + DS_WAS_SET=TRUE +fi + +TMPFILES="" + +WAIT_FOR=600 # if waiting for an event sleep n seconds before rechecking + # recomended value 10 minutes 600 +WAIT_TIMES=30 # recheck n times before giving up - recomended 30 - total of 5h + +if [ -z "$QAYEAR" ] # may I introduce - the y2k+1 bug? QA for last year +then # might not work + QAYEAR=`date +%Y` +fi + +if [ -z "$TMP" ] +then + if [ -z "$TEMP" ] + then + TMP="/tmp" + else + TMP=$TEMP + fi +fi +if [ ! -w "$TMP" ] +then + echo "Can't write to tmp directory $TMP - exiting" + echo "Can't write to tmp directory $TMP - exiting" >&2 + exit 1 +fi + +KILLPIDS="$TMP/killpids.$$" +export KILLERPIDS +TMPFILES="$TMPFILES $KILLPIDS" + +KILL_SELFSERV=OFF # if sourcing script sets this to on cleanup will also + # kill the running selfserv processes + + # Set the masterbuilds +if [ -z "$UX_MASTERBUILD" ] +then + UX_MASTERBUILD=booboo_Solaris8 + #if [ ! -d $UX_MASTERBUILD ] ; then + #UX_MASTERBUILD=booboo_Solaris8_forte6 + #fi + UX_MB_WAS_SET=FALSE +else + UX_MB_WAS_SET=TRUE +fi +if [ -z "$NT_MASTERBUILD" ] +then + NT_MASTERBUILD=blowfish_NT4.0_Win95 + NT_MB_WAS_SET=FALSE # in this case later functions can override if + # they find a different build that looks like NT +else + NT_MB_WAS_SET=TRUE +fi +if [ -z "$MASTERBUILD" ] +then + MASTERBUILD=$UX_MASTERBUILD +fi + + # Set the default build +if [ -z "$BUILDNUMBER" ] +then + BUILDNUMBER=1 +fi +export BUILDNUMBER +O_LDIR=OFF #local QA dir for NT, temporary + +if [ -z "$WIN_WAIT_FOREVER" ] # header is global, some including scripts +then # want the init to wait forever for directories to + # appear (windows only) if OFF exit, if ON wait forever + WIN_WAIT_FOREVER=OFF +fi + + # NOTE: following variables have to change + # from release to release +if [ -z "$BC_MASTER" ] # master directory for backwardscompatibility testing +then + RH="NO" + grep 7.1 /etc/redhat-release > /dev/null 2>/dev/null && RH="YES" + grep 7.2 /etc/redhat-release > /dev/null 2>/dev/null && RH="YES" + + if [ "$RH" = "YES" ] + then # NSS-3-3-1RTM + BC_UX_MASTER=nss331/builds/20010928.2.331-RTM/booboo_Solaris8 + BC_NT_MASTER=nss331/builds/20010928.2.331-RTM/blowfish_NT4.0_Win95 + else # NSS-3-2-2RTM + BC_UX_MASTER=nss322/builds/20010820.1/y2sun2_Solaris8 + BC_NT_MASTER=nss322/builds/20010820.1/blowfish_NT4.0_Win95 + fi + BC_MASTER=$BC_UX_MASTER + BC_MASTER_WAS_SET=FALSE +else + BC_MASTER_WAS_SET=TRUE +fi +BC_RELEASE=3.2 +export BC_RELEASE + +EARLY_EXIT=TRUE #before the report file has been created, causes Exit to + #create it + +UX_D0=/share/builds/mccrel3/nss + +################################### glob_init ########################## +# global shell function, main initialisation function +######################################################################## +glob_init() +{ + if [ $O_PARAM = "ON" ] ; then + eval_opts $* # parse parameters and options - set flags + fi + # if running from cron HOST needs to be known early, + init_host # so the output file name can be constructed. + Debug "Setting up environment...( $QASCRIPT_DIR/set_environment) " + . $QASCRIPT_DIR/set_environment #finds out if we are running on Windows + Debug "OPerating system: $os_name $os_full" + umask 0 + init_dirs + init_files + init_vars +} + +################################### init_vars ########################### +# global shell function, sets the environment variables, part of init +######################################################################## +init_vars() +{ + if [ -z "$LOGNAME" ] + then + if [ $O_WIN = "ON" ] + then + LOGNAME=$USERNAME + else + LOGNAME=$USER + fi + if [ -z "$LOGNAME" ] + then + LOGNAME=$UNAME + if [ -z "$LOGNAME" ] + then + LOGNAME=`basename $HOME` + fi + fi + fi + if [ -z "$LOGNAME" ] + then + Exit "Can't determine current user" + fi + case $HOST in + iws-perf) + O_HWACC=ON + HWACC_LIST="rainbow ncipher" + #MODUTIL="-add rainbow -libfile /usr/lib/libcryptoki22.so" + export HWACC_LIST + ;; + *) + O_HWACC=OFF + ;; + esac + export O_HWACC +} + +######################################################################## +# functions below deal with setting up the directories and PATHs for +# all different flavors of OS (Unix, Linux, NT MKS, NT Cygnus) and QA +# (Standard, local tinderbox) +######################################################################## + +########################## find_nt_masterbuild ######################### +# global shell function, sets the nt masterbuild directories, part of init +######################################################################## +find_nt_masterbuild() +{ + NT_MASTERDIR=${DAILY_BUILD}/${NT_MASTERBUILD} + if [ "${NT_MB_WAS_SET}" = "FALSE" -a ! -d $NT_MASTERDIR ] ; then + if [ -d ${DAILY_BUILD}/*NT4* ] ; then + NT_MASTERBUILD=` cd ${DAILY_BUILD}; ls -d *NT4* ` + Debug "NT_MASTERBUILD $NT_MASTERBUILD" + NT_MASTERDIR=${DAILY_BUILD}/${NT_MASTERBUILD} + fi + fi + Debug "NT_MASTERDIR $NT_MASTERDIR" +} + +################################### set_daily_build_dirs ########################### +# global shell function, sets directories +######################################################################## +set_daily_build_dirs() +{ + if [ "$O_LOCAL" = "ON" -a "$O_LN" = "OFF" ] ; then + DAILY_BUILD=${LOCAL_MOZROOT} # on local builds NSS_VER_DIR and DAILY_BUILD are + # set to the LOCAL_MOZROOT, since it is not sure + # if ../.. (DAILY_BUILD) even exists + LOCALDIST=${LOCAL_MOZROOT}/dist + elif [ "$O_TBX" = "ON" ] ; then + DAILY_BUILD="$TBX_DAILY_BUILD" + LOCALDIST=${UXDIST} + else + DAILY_BUILD=${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.${BUILDNUMBER} + LOCALDIST=${DAILY_BUILD}/${MASTERBUILD}/mozilla/dist + fi +} + +map_os64() +{ + IS_64="" + case `uname -s` in + #OSF1) has been done already - always 64 bit + SunOS) + MAPPED_OS=Solaris*8 + IS_64=`(isainfo -v | grep 64)>/dev/null 2>/dev/null && echo 64 bit` + if [ "$O_TBX" = "OFF" ] ; then + set_osdir + if [ -n "$IS_64" ] + then #Wait for the 64 bit build to finish... + Debug Testing build for $MAPPED_OS in $OSDIR + Wait ${OSDIR}/SVbuild.InProgress.1 0 + fi + fi + ;; + AIX) + IS_64=`lslpp -l | grep "bos.64bit"> /dev/null && echo 64 bit` + ;; + HP-UX) + IS_64=`getconf KERNEL_BITS | grep 64 >/dev/null && echo 64 bit` + ;; + esac + Debug "Mapped OS to $MAPPED_OS" +} + + + +################################### copy_to_local ######################## +# global shell function, copies the necessary directories from the +# daily build aerea to the local disk +######################################################################## +copy_to_local() +{ + Debug "Copy network directories to local directories" + C2L_ERROR=0 + if [ ! -d ${LOCAL_MOZROOT}/dist ] ; then + mkdir -p ${LOCAL_MOZROOT}/dist || C2L_ERROR=1 + fi + if [ ! -d ${LOCAL_MOZROOT}/security/nss ] ; then + mkdir -p ${LOCAL_MOZROOT}/security/nss || C2L_ERROR=2 + fi + if [ $C2L_ERROR != 0 ] ; then + Exit "copy_to_local: Can t make necesssary directories ($C2L_ERROR ) " + fi + if [ ! -d ${LOCAL_MOZROOT}/security/nss/tests ] ; then + cp -r ${TESTSCRIPTDIR} ${LOCAL_MOZROOT}/security/nss || C2L_ERROR=1 + fi + if [ ! -d ${LOCAL_MOZROOT}/security/coreconf ] ; then + cp -r ${MOZILLA_ROOT}/security/coreconf ${LOCAL_MOZROOT}/security || C2L_ERROR=2 + fi + + NO_DIRS=0; + if [ "$O_WIN" = "ON" ] ; then + OS_TARGET=WINNT;export OS_TARGET + fi + unset BUILD_OPT;export BUILD_OPT; + unset USE_64;export USE_64; +#FIXME only tested on 64 bit Solaris and only got 32 bit builds + while [ $NO_DIRS -lt 4 ] ; do + # first time thru: Debug 32 bit NT + set_objdir + Debug "Copying ${OBJDIR}..." + if [ ! -d ${LOCAL_MOZROOT}/dist/${OBJDIR} ] ; then + cp -r ${LOCALDIST}/${OBJDIR} ${LOCAL_MOZROOT}/dist || C2L_ERROR=3 + fi + NO_DIRS=`expr $NO_DIRS + 1` + if [ $NO_DIRS = 1 ] ; then # 2nd time: OPT 32 bit NT + BUILD_OPT=1; export BUILD_OPT; + elif [ $NO_DIRS = 2 ] ; then # 3rd time: OPT, either 64 bit or Win95 or force exit + if [ "$O_WIN" = "ON" ] ; then + OS_TARGET=WIN95;export OS_TARGET + else + map_os64 + if [ -z "$IS_64" ] ; then #32 bit platform + NO_DIRS=4 + else + USE_64=1; export USE_64 + fi + fi + elif [ $NO_DIRS = 3 ] ; then # 4th time: Debug either 64 bit or Win95 + unset BUILD_OPT;export BUILD_OPT; + fi + + + done + if [ $C2L_ERROR != 0 ] ; then + Exit "copy_to_local: Can t copy necesssary directories ($C2L_ERROR ) " + fi + unset TESTSCRIPTDIR + unset TESTDIR + unset RESULTDIR + O_LN=OFF #from here on pretend it is regular -l local QA FIXME, might cause + #problems with the backwardcompatibility tests + Debug "Successfully copied network directories to local directories" +} + +################################### local_dirs ########################### +# global shell function, sets the directories for local QA +######################################################################## +local_dirs() +{ + Debug "Set directories for local QA" + #if [ "$O_WIN" = "ON" ] ; then + #win_set_tmp + #fi + NSS_VER_DIR=${LOCAL_MOZROOT} # on local builds NSS_VER_DIR and DAILY_BUILD are + # set to the LOCAL_MOZROOT, since it is not sure + # if ../../../.. (NSS_VER_DIR) even exists + if [ -z "${RESULTDIR}" ] ; then # needs to be local as well + Debug "Setting RESULTDIR for local QA" + RESULTDIR="${LOCAL_MOZROOT}/tests_results/security/${HOST}-`date +%Y%m%d-%H.%M`" + fi + set_daily_build_dirs + UX_MASTERDIR=`dirname ${LOCAL_MOZROOT}` + NT_MASTERDIR=$UX_MASTERDIR + MOZILLA_ROOT=${LOCAL_MOZROOT} + + UXDIST=${MOZILLA_ROOT}/dist + NTDIST=${UXDIST} + + if [ -z "${TESTDIR}" ] ; then + Debug "Setting TESTDIR for local QA" + TESTDIR=${RESULTDIR} + fi + if [ -n "$TESTDIR" ] ; then + if [ ! -d $TESTDIR ] ; then + Debug "Making TESTDIR for local QA" + mkdir -p $TESTDIR + fi + fi + export TESTDIR + Debug "RESULTDIR $RESULTDIR TESTDIR $TESTDIR" + + TESTSCRIPTDIR=${LOCAL_MOZROOT}/security/nss/tests + COMMON=${TESTSCRIPTDIR}/common + + set_objdir + debug_dirs + export_dirs +} + + +################################### tbx_dirs ########################### +# global shell function, sets the directories for tinderbox QA +######################################################################## +tbx_dirs() +{ + Debug "Set directories for tinderbox" + if [ "$O_WIN" = "ON" ] ; then + win_set_d1 # we need the NSS_VER_DIR later + else + NSS_VER_DIR="$UX_D0"/nss$NSSVER + fi + if [ -z "${RESULTDIR}" ] ; then # needs to be different for tinderbox + Debug "Setting RESULTDIR for tinderbox" + TBX_NOBITS="" + echo $QASCRIPT_DIR | grep 64 >/dev/null && TBX_NOBITS=64 + TRD="${HOST}${TBX_NOBITS}-`date +%Y%m%d-%H.%M`" + RESULTDIR="${NSS_VER_DIR}/tinderbox/tests_results/security/${TRD}" + if [ ${DOMSUF} = "mcom.com" -o ${DOMSUF} = "netscape.com" -o ${DOMSUF} = "nscp.aoltw.net" ] ; then + URL="sbs-rel.nscp.aoltw.net" + else + URL="cindercone.red.iplanet.com" + fi + if [ "$O_WIN" = "ON" ] ; then + RESULTDIRURL="<a title=\"QA Results\" href=\"http://${URL}${UX_D0}/nsstip/tinderbox/tests_results/security/${TRD}\">QA</a>" + else + RESULTDIRURL="<a title=\"QA Results\" href=\"http://${URL}${RESULTDIR}\">QA</a>" + fi + Debug "RESULTDIRURL TinderboxPrint:$RESULTDIRURL" + fi + TBX_DAILY_BUILD=`cd ../../../../..;pwd` + NSS_VER_DIR="${TBX_DAILY_BUILD}/../.." + TBX_LOGFILE_DIR=`ls ${NSS_VER_DIR}/logs/tinderbox | sed -e 's/ .*//g'` + if [ -z "$TBX_LOGFILE_DIR" ] ; then + TBX_LOGFILE_DIR=`ls ${NSS_VER_DIR}/logs/tbx | sed -e 's/ .*//g'` + TBX_LOGFILE_DIR="${NSS_VER_DIR}/logs/tbx/${TBX_LOGFILE_DIR}" + else + TBX_LOGFILE_DIR="${NSS_VER_DIR}/logs/tinderbox/${TBX_LOGFILE_DIR}" + fi + Debug "Set TBX_LOGFILE_DIR ${TBX_LOGFILE_DIR}" + + set_daily_build_dirs + UX_MASTERDIR=`cd ../../../..;pwd` + NT_MASTERDIR=$UX_MASTERDIR + MOZILLA_ROOT=$UX_MASTERDIR/mozilla + + UXDIST=${MOZILLA_ROOT}/dist + NTDIST=${UXDIST} + + if [ -z "${TESTDIR}" ] ; then + Debug "Setting TESTDIR for tinderbox" + TESTDIR=${RESULTDIR} + fi + if [ -n "$TESTDIR" ] ; then + if [ ! -d $TESTDIR ] ; then + Debug "Making TESTDIR for tinderbox" + mkdir -p $TESTDIR + fi + fi + Debug "Making QAstatus file" + echo "QA running" >${TESTDIR}/QAstatus + export TESTDIR + Debug "RESULTDIR $RESULTDIR TESTDIR $TESTDIR" + + TESTSCRIPTDIR=`pwd` + COMMON=${TESTSCRIPTDIR}/common + + set_objdir + debug_dirs + export_dirs +} + +################################### init_mcom ########################### +# global shell function, sets domain specific variables for AOL's +# domains according to Bishakha's instructions +######################################################################## +init_mcom() +{ + Debug "Running in mcom or netscape domain - changing directories..." + if [ "${UX_MB_WAS_SET}" = "FALSE" ] ; then #in case it was set + # before script was called use these values + UX_MASTERBUILD=spd04_Solaris8 + fi + if [ "${NT_MB_WAS_SET}" = "FALSE" ] ; then + NT_MASTERBUILD=spd06_NT4 + fi + + MASTERBUILD=$UX_MASTERBUILD + if [ "${BC_MASTER_WAS_SET}" = "FALSE" ] ; then + BC_UX_MASTER=nss322/builds/20010820.1/y2sun2_Solaris8 + BC_NT_MASTER=nss322/builds/20010820.1/blowfish_NT4.0_Win95 + BC_MASTER=$BC_UX_MASTER + fi + UX_D0=/share/builds/sbsrel2/nss + URL="sbs-rel.nscp.aoltw.net" +} +################################### init_dirs ########################### +# global shell function, sets the directories for standard QA +# calls special functions for tinderbox, windows or local QA, part of init +######################################################################## +init_dirs() +{ + if [ ${DOMSUF} = "mcom.com" -o ${DOMSUF} = "netscape.com" -o ${DOMSUF} = "nscp.aoltw.net" ] ; then + init_mcom + fi + if [ $O_WIN = "ON" ] ; then + win_set_tmp + write_to_tmpfile + MASTERBUILD=$NT_MASTERBUILD + BC_MASTER=$BC_NT_MASTER + fi + if [ "$O_LOCAL" = "ON" -a $O_LN = "OFF" ] ; then # if it is a LN we need to know + # all the directories off the network first to copy them + local_dirs # O_LOCAL alone assumes that all the directories are already there + return + elif [ "$O_TBX" = "ON" ] ; then + tbx_dirs + return + elif [ "$O_WIN" = "ON" ] ; then + win_set_d1 + else + NSS_VER_DIR="$UX_D0"/nss$NSSVER + fi + #set -x + + set_daily_build_dirs + + if [ -z "${BCDIST}" ] ; then + #BCDIST=/share/builds/mccrel3/nss/${BC_MASTER}/mozilla/dist + BCDIST=${NSS_VER_DIR}/../${BC_MASTER}/mozilla/dist + if [ ! -d $BCDIST -a `basename $0` != jssqa ] ; then + ask "Backward compatibility directory $BCDIST does not exist, continue" "y" "n" || Exit + fi + fi + + UX_MASTERDIR=${DAILY_BUILD}/${UX_MASTERBUILD} + find_nt_masterbuild + + if [ "$O_WIN" = "ON" ] + then + MOZILLA_ROOT=${NT_MASTERDIR}/mozilla + else + MOZILLA_ROOT=${UX_MASTERDIR}/mozilla + fi + + UXDIST=${UX_MASTERDIR}/mozilla/dist + NTDIST=${NT_MASTERDIR}/mozilla/dist + + if [ -z "${RESULTDIR}" ] ; then + RESULTDIR=${UX_MASTERDIR}/mozilla/tests_results/security + fi + + if [ -n "$PRODUCT_TO_TEST" -a "$PRODUCT_TO_TEST" = "JSS" ] ; then + + if [ "$O_WIN" = "ON" ] ; then + JSS_NSS_SRC_DIR=$JSS_NSS_NT_SRC_DIR + fi + TESTSCRIPTDIR=${NSS_VER_DIR}/../${JSS_NSS_SRC_DIR}/mozilla/security/nss/tests + else + TESTSCRIPTDIR=${MOZILLA_ROOT}/security/nss/tests + fi + + if [ ! -d $TESTSCRIPTDIR -a `basename $0` != jssqa ] ; then + if [ "$O_WIN" = "ON" -a "$WIN_WAIT_FOREVER" = "ON" ] + then + WaitForever $TESTSCRIPTDIR/all.sh 1 + else + Exit "Test directory $TESTSCRIPTDIR does not exist" + fi + fi + + COMMON=${TESTSCRIPTDIR}/common + if [ "$O_LOCAL" = "ON" -a $O_LN = "ON" ] ; then # if it is a LN we need to know + # all the directories off the network first to copy them + copy_to_local + local_dirs + fi + #set +x + + + set_objdir + debug_dirs + export_dirs +} + +debug_dirs() +{ + Debug "NTDIST $NTDIST" + Debug "UXDIST $UXDIST" + Debug "TESTSCRIPTDIR $TESTSCRIPTDIR" + Debug "RESULTDIR $RESULTDIR" + Debug "TMP $TMP" + Debug "LOCALDIST_BIN $LOCALDIST_BIN" + Debug "COMMON $COMMON" + Debug "MOZILLA_ROOT $MOZILLA_ROOT" + Debug "BCDIST $BCDIST" +} + +export_dirs() +{ + export NSS_VER_DIR DAILY_BUILD NTDIST UXDIST RESULTDIR TESTSCRIPTDIR BCDIST + export UX_MASTERDIR NT_MASTERDIR COMMON MOZILLA_ROOT +} + +set_osdir() +{ + OSDIR=${DAILY_BUILD}/*${MAPPED_OS}* +} + +################################### init_files ########################### +# global shell function, sets filenames, initializes files, part of init +######################################################################## +init_files() +{ + if [ $O_CRONFILE = "ON" ] + then + Debug "attempting to create resultfiles" + if [ "$O_TBX" = "ON" ] ; then + NEWFILENAME=${TBX_LOGFILE_DIR}/qa.log + if [ ! -w ${TBX_LOGFILE_DIR} ] ; then + Exit "can't touch $NEWFILENAME" + fi + else + NEWFILENAME=$RESULTDIR/$HOST.`basename $0` + fi + if [ ! -d $RESULTDIR ] + then + mkdir -p $RESULTDIR || Exit "Error: can't make $RESULTDIR" + fi + if [ ! -w $RESULTDIR ] ; then + Exit "can't touch $NEWFILENAME" + fi + Debug "About to touch $NEWFILENAME " + touch $NEWFILENAME || Exit "Error: can't touch $NEWFILENAME" + if [ "$O_TBX" = "ON" ] ; then + echo "QA results in $RESULTDIR" >>$NEWFILENAME || Exit "Error: can't write to $NEWFILENAME" + fi + Debug "About to cat $FILENAME >>$NEWFILENAME " + cat $FILENAME >>$NEWFILENAME || Exit "Error: can't append $FILENAME to $NEWFILENAME" + TMPFILES="$TMPFILES $FILENAME" + FILENAME=$NEWFILENAME + Debug "Writing output to $FILENAME" + fi + +} + +################################### write_to_tmpfile ########################## +# global shell function, for NT and cron operation, first a tmpfile +# needs to be created +######################################################################## +write_to_tmpfile() +{ + O_CRONFILE=ON + O_FILE=ON + FILENAME=${TMP}/nsstmp.$$ # for now write to the temporary file + # since we don't know the hostname yet + # will be inserted to the real file later + TMPFILES="$TMPFILES nsstmp.$$" + touch $FILENAME || Exit "Error: can't touch $FILENAME" + Debug "Writing output to $FILENAME" +} + +############################# turn_on_cronoptions ###################### +# global shell function, turns on options needed for cron and tinderbox +######################################################################## +turn_on_cronoptions() +{ + O_CRON=ON + O_SILENT=ON + O_DEBUG=ON # FIXME take out! + O_ALWAYS_YES=ON + write_to_tmpfile +} + +########################## test_mozroot ########################## +# global shell function, determines if the variable LOCAL_MOZROOT is set, +# and is usable as mozilla root diretory for a local QA +################################################################### +test_mozroot() +{ + PWD=`pwd` + Debug "LOCAL_MOZROOT = $LOCAL_MOZROOT" + case "$LOCAL_MOZROOT" in + [0-9-]*|tip) + glob_usage "Error: -"$1" requires a directoryname to follow (start with a letter) " + ;; + \.\.) + LOCAL_MOZROOT=`dirname $PWD` + ;; + \.) + LOCAL_MOZROOT=$PWD + ;; + \.\/*) + LOCAL_MOZROOT=`echo $LOCAL_MOZROOT | sed -e "s/^\.//"` + LOCAL_MOZROOT="${PWD}${LOCAL_MOZROOT}" + ;; + \.\.\/*) + LOCAL_MOZROOT="${PWD}/${LOCAL_MOZROOT}" + ;; + \/*|[a-zA-Z]:\/*) + ;; + ?*) + LOCAL_MOZROOT="${PWD}/${LOCAL_MOZROOT}" + ;; + *) + glob_usage "Error: -"$1" requires a directoryname to follow" + ;; + esac + Debug "Reformated MOZROOT to $LOCAL_MOZROOT" + if [ "$1" = "ln" ] ; then + LOCAL_MOZROOT_PARENT=`dirname $LOCAL_MOZROOT` + if [ ! -d $LOCAL_MOZROOT_PARENT -o ! -w $LOCAL_MOZROOT_PARENT -o \ + ! -x $LOCAL_MOZROOT_PARENT ] ; then + Exit "Error: Can't create $LOCAL_MOZROOT (permissions)" + fi + if [ ! -d "$LOCAL_MOZROOT" ] ; then + mkdir $LOCAL_MOZROOT || + Exit "Error: Can't create mozroot $LOCAL_MOZROOT (mkdir failed)" + else + ask "mozroot $LOCAL_MOZROOT exists - continue (y will remove dir) ?" \ + "y" "n" || Exit + rm -rf $LOCAL_MOZROOT/dist $LOCAL_MOZROOT/security $LOCAL_MOZROOT/tests_results || + Exit "Error: Can't clean mozroot $LOCAL_MOZROOT" + fi + fi + if [ ! -d "$LOCAL_MOZROOT" ] ; then + glob_usage "Error: mozilla root $LOCAL_MOZROOT not a valid directory" + fi +} + +################################### eval_opts ########################## +# global shell function, evapuates options and parameters, sets flags +# variables and defaults +######################################################################## +eval_opts() +{ + while [ -n "$1" ] + do + case $1 in + -cron) + turn_on_cronoptions + ;; + -T*|-t*) + O_TBX=ON + turn_on_cronoptions + O_SILENT=OFF #FIXME debug only + ;; + -S*|-s*) + O_SILENT=ON + ;; + -Y*|-y) + Debug "Option -y dedectet" + O_ALWAYS_YES=ON + ;; + -d*|-D) + O_DEBUG=ON + #set -x + ;; + -ml|-ML) + O_MAIL_LINK=ON + shift + MAILINGLIST=$1 + if [ -z "$MAILINGLIST" ] + then + glob_usage "Error: -m requires a mailinglist to follow, for example sonmi,wtc,nelsonb " + fi + Debug "Sending link to result to $MAILINGLIST" + ;; + -m|-M) + O_MAIL=ON + shift + MAILINGLIST=$1 + if [ -z "$MAILINGLIST" ] + then + glob_usage "Error: -m requires a mailinglist to follow, for example sonmi,wtc,nelsonb " + fi + Debug "Sending result to $MAILINGLIST" + ;; + -fcron*|-F[Cc][Rr][Oo][Nn]*) + write_to_tmpfile + ;; + -f|-F) + O_FILE=ON + shift + FILENAME=$1 + if [ -z "$FILENAME" ] + then + glob_usage "Error: -f requires a filename to follow" + fi + #rm -f $FILENAME 2>/dev/null + touch $FILENAME || Exit "Error: can't touch $FILENAME" + #NOTE we append rather that creating + Debug "Writing output to $FILENAME" + ;; + -h|-help|"-?") + glob_usage + ;; + -ln) + if [ `basename $0` != nssqa ] ; then + glob_usage "Error: Can't handle option $1" + fi + O_LOCAL=ON + O_LN=ON + shift + LOCAL_MOZROOT=$1 + test_mozroot ln + ;; + -lt) + if [ `basename $0` != nssqa ] ; then + glob_usage "Error: Can't handle option $1" + fi + O_LN=ON + O_LOCAL=ON + ;; + -l) + if [ `basename $0` != nssqa ] ; then + glob_usage "Error: Can't handle option $1" + fi + O_LOCAL=ON + shift + LOCAL_MOZROOT=$1 + test_mozroot l + ;; + -p) + shift + PORT=$1 + export PORT + ;; + -*) + glob_usage "Error: Can't handle option $1" + ;; + tip|3.|3..) + NSSVER=$1 + if [ -z "$NSSVER" ] ; then + glob_usage "Error: illegal parameter" + fi + ;; + [01][0-9][0123][0-9]) + BUILDDATE=$1 + if [ -z "$BUILDDATE" ] ; then + glob_usage "Error: illegal parameter" + fi + ;; + ?*) + glob_usage "Error: Can't handle parameter $1" + ;; + esac + shift + done + + if [ -z "$PORT" -a "$O_TBX" = "ON" ] ; then + PORT=8444 + export PORT + if [ -z "$NSSVER" ] ; then + NSSVER="tip" + Debug "NSS Version: Parameters missing - defaulting to tip!" + fi + elif [ -z "$NSSVER" ] ; then + NSSVER="tip" + Debug "NSS Version: Parameters missing - defaulting to tip!" + fi + if [ -z "$BUILDDATE" ] ; then + BUILDDATE=`date +%m%d` + Debug "Builddate: Parameters missing - defaulting to today!" + fi + + Debug "Builddate $BUILDDATE NssVersion $NSSVER" + export BUILDDATE NSSVER + export O_CRON O_SILENT O_DEBUG O_ALWAYS_YES O_TBX +} + +win_set_tmp() +{ + TMP=`echo "$TMP" | sed -e 's/ /\/t/g' -e 's//\/b/' -e 's/\\\/\//g'` + Debug "TMP reformated to $TMP" +} + +######################### win_set_d1 ################################ +# global shell function, interactively finds the directories in case +# windows can't get to the default +######################################################################## +win_set_d1() +{ + Debug "set Windows Directories..." + #win_set_tmp + if [ "$O_CYGNUS" = ON ] + then + NSS_VER_DIR=/cygdrive/w/nss/nss$NSSVER + else + NSS_VER_DIR=w:/nss/nss$NSSVER + fi + if [ ! -w $NSS_VER_DIR ] + then + Echo "Windows special... can't write in $NSS_VER_DIR" + if [ "$O_CYGNUS" = ON ] + then + NSS_VER_DIR=/cygdrive/u/nss/nss$NSSVER + else + NSS_VER_DIR="u:/nss/nss$NSSVER" + fi + else + Debug "NSS_VER_DIR set to $NSS_VER_DIR" + return + fi + + while [ ! -w $NSS_VER_DIR ] + do + if [ "$O_CRONFILE" = "ON" ] + then + Exit "cant write in $NSS_VER_DIR" + fi + Warning "cant write in $NSS_VER_DIR" + Echo "input start directory (u:/nss, d:/src/nss, f:/shared/nss) " + read D + if [ -n "$D" ] + then + NSS_VER_DIR=$D/nss$NSSVER + fi + done + Debug "NSS_VER_DIR set to $NSS_VER_DIR" +} + +########################### init_host ################################## +# global shell function, sets required variables HOST and DOMSUF, and asks +# the user if it has been set right +######################################################################## +set_host() +{ + init_host +} +init_host() +{ + if [ `basename $0` != nssqa ] ; then + return + fi + + init_host_done=0 + + if [ $DS_WAS_SET = FALSE ] #give chance to overwrite, espec. for NT + then + Debug "Domainname was not set..." + DOMSUF=`domainname 2>/dev/null` + if [ -z "$DOMSUF" ] + then + Debug "domainname command did not work ..." + DOMSUF=`echo $HOST | grep '\.' | sed -e "s/[^\.]*\.//"` + + if [ -z "$DOMSUF" ] + then + Debug "Domainname not part of the hostname" + DOMSUF=`cat /etc/defaultdomain 2>/dev/null` + if [ -z "$DOMSUF" ] + then + Debug "Domainname needs to be hardcoded to red.iplanet.com" + DOMSUF="red.iplanet.com" + fi + fi + fi + fi + case $HOST in + *\.*) + Debug "HOSTNAME $HOST contains Dot" + HOST=`echo $HOST | sed -e "s/\..*//"` + ;; + esac + if [ -z "$HOST" ] + then + HOST=`uname -n` + case $HOST in + *\.*) + Debug "HOSTNAME $HOST contains Dot" + HOST=`echo $HOST | sed -e "s/\..*//"` + ;; + esac + fi + if [ $O_DEBUG = "ON" ] + then + while [ $init_host_done -eq 0 ] + do + Echo + ask "DOMSUF=$DOMSUF, HOST=$HOST - OK", "y" "n" && + init_host_done=1 + if [ $init_host_done -eq 0 ] + then + Echo "input DOMSUF: " + read D + if [ -n "$D" ] + then + DOMSUF=$D + fi + Echo "input HOST: " + read H + if [ -n "$H" ] + then + HOST=$H + fi + fi + done + fi + export HOST DOMSUF + Debug "HOST: $HOST, DOMSUF: $DOMSUF" +} + +#-----------------------------# UTILS #---------------------------------- + +########################### qa_stat_get_sysinfo ######################## +# local shell function, tries to determine the QA operating system +######################################################################## +qa_stat_get_sysinfo() +{ + case $1 in + ?*) REM_SYS=$1 + GET_SYSINFO="rsh $1" + ;; + *) REM_SYS="" + GET_SYSINFO="" + ;; + esac + QA_SYS=`$GET_SYSINFO uname -sr` + echo $QA_SYS | grep Linux >/dev/null && + QA_RHVER=`$GET_SYSINFO cat /etc/redhat-release` + if [ -n "$QA_RHVER" ] + then + QA_OS=`echo $REM_SYS $QA_RHVER | sed -e "s/Red Hat /RH /" \ + -e "s/ release//"` + else + case $QA_SYS in + *SunOS*5.[89]*) + ISAINFO=`$GET_SYSINFO isainfo -v` + IS_64=`echo $ISAINFO | grep 64 >/dev/null && \ + echo 64 bit` + IS_I386=`echo $ISAINFO | grep i386 >/dev/null && \ + echo i86pc` + if [ -n "$IS_I386" ] ; then IS_64="$IS_I386"; fi; + if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi; + ;; + *HP*) + IS_64=`$GET_SYSINFO getconf KERNEL_BITS | + grep 64 >/dev/null && echo 64 bit` + if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi; + ;; + *AIX*) + IS_64=`$GET_SYSINFO lslpp -l | + grep "bos.64bit"> /dev/null && echo 64 bit` + if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi; + ;; + esac + QA_OS=`echo "$REM_SYS $QA_SYS $IS_64"` + fi + if [ "$O_SILENT" != ON ] ; then + echo $QA_OS + fi + QA_OS_STRING=`echo $QA_OS | sed -e "s/^[_ ]//" -e "s/ /_/g"` +} + +################################### set_objdir ######################### +# global shell function, sets the object directories and DIST +######################################################################## +set_objdir() +{ + Debug "set object dir" + OBJDIR=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name` + OS_ARCH=`cd ${TESTSCRIPTDIR}/common; gmake os_arch` + + #at this point $MASTERBUILD needs to be either NT or unix + + set_daily_build_dirs + LOCALDIST_BIN=${LOCALDIST}/${OBJDIR}/bin + DIST=$LOCALDIST + + if [ -z "${TEST_LEVEL}" ] ; then + TEST_LEVEL=0 + fi + bc ${TEST_LEVEL} #set the path for the backward compatibility test + + PATH_CONTAINS_BIN="TRUE" + export PATH_CONTAINS_BIN + + export OBJDIR OS_ARCH LOCALDIST LOCALDIST_BIN DIST PATH +} + +########################### bc ######################################### +# global shell function , sets paths for the backward compatibility test +######################################################################## +bc() +{ + if [ -n "$PRODUCT_TO_TEST" -a "$PRODUCT_TO_TEST" = "JSS" ] ; then + TESTDIR=${RESULTDIR} + BC_ACTION="" + DON_T_SET_PATHS="FALSE" #let init.sh override - FIXME - check if necessary + return + fi + DON_T_SET_PATHS="TRUE" + case $1 in + 0) + #unset TESTDIR + TESTDIR=${RESULTDIR} + if [ "$O_WIN" = "ON" -a "$O_CYGNUS" != ON ] ; then + PATH="$TESTSCRIPTDIR;$LOCALDIST_BIN;$BASEPATH" + else + PATH=$TESTSCRIPTDIR:$LOCALDIST_BIN:$BASEPATH + fi + BC_ACTION="" + DON_T_SET_PATHS="FALSE" #let init.sh override - FIXME - check if necessary + ;; + *) + if [ "$O_LOCAL" = "ON" ] ; then + Exit "FIXME Can't run backwardcompatibility tests locally yet" + fi + TESTSCRIPTDIR=${BCDIST}/../security/nss/tests + COMMON=${TESTSCRIPTDIR}/common + TESTDIR=${RESULTDIR}/bct + BC_ACTION="backward compatibility of binaries in $BC_MASTER to new libs" + BCDIST_BIN=${BCDIST}/${OBJDIR}/bin + LD_LIBRARY_PATH=${LOCALDIST}/${OBJDIR}/lib + if [ "$O_WIN" = "ON" ] ; then + if [ "$O_CYGNUS" = ON ] ; then + PATH=$TESTSCRIPTDIR:$BCDIST_BIN:$BASEPATH:$LD_LIBRARY_PATH + else + PATH="$TESTSCRIPTDIR;$BCDIST_BIN;$BASEPATH;$LD_LIBRARY_PATH" + fi + else + PATH=$TESTSCRIPTDIR:$BCDIST_BIN:$BASEPATH + fi + Debug "1st stage of backward compatibility test" + ;; + esac + if [ -n "$TESTDIR" ] ; then + if [ ! -d $TESTDIR ] ; then + mkdir -p $TESTDIR + fi + export TESTDIR + fi + SHLIB_PATH=${LD_LIBRARY_PATH} + LIBPATH=${LD_LIBRARY_PATH} + Debug "PATH $PATH" + Debug "LD_LIBRARY_PATH $LD_LIBRARY_PATH" + export PATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH + export DON_T_SET_PATHS BC_ACTION + export TESTSCRIPTDIR COMMON +} + +########################### Ps ######################################### +# global shell function , attempts a platform specific ps +######################################################################## +Ps() +{ +#AIX, OSF ps -ef, solaris /usr/5bin/ps -ef, win ps -ef but no user id +#linux ps -ef, HP + + if [ $os_name = "SunOS" ] + then + /usr/5bin/ps -ef + else + ps -ef + fi +} + +########################### kill_by_name ################################ +# global shell function , kills the process whose name is given as +# parameter +######################################################################## +kill_by_name() +{ + for PID in `Ps | grep "$1" | grep -v grep | \ + sed -e "s/^ *//g" -e "s/^[^ ]* //" -e "s/^ *//g" -e "s/ .*//g"` + do + if [ $O_WIN = "ON" -a $O_CYGNUS = "ON" ] + then + ask "Do you want to kill Process $PID (`Ps | grep $PID | \ + grep -v grep | awk '{ print $1, $2, $6, $7, $8, $9 }' | \ + sed -e "s/[0-9]:[0-6][0-9]//g" | grep $PID `)" \ + "y" "n" && { + kill $PID + sleep 1 + kill -9 $PID 2>/dev/null + } + else + ask "Do you want to kill Process $PID (`Ps | grep $PID | \ + grep -v grep | awk '{ print $1, $2, $8, $9, $10, $11 }' | \ + sed -e "s/[0-9]:[0-6][0-9]//g" | grep $PID `)" \ + "y" "n" && { + kill $PID + sleep 1 + kill -9 $PID 2>/dev/null + } + fi + done +} + +############################### early_exit ################################### +# global shell function , attempts a little more usefull user notification +# of a complete failure +######################################################################## + +early_exit() +{ + if [ -z "$DOCDIR" ] + then + DOCDIR=`dirname $0`/../doc + fi + if [ -f $DOCDIR/QAerror.html ] + then + Debug "Found QA errorheader" + rm ${FILENAME}.err 2>/dev/null + cp $DOCDIR/QAerror.html ${FILENAME}.err + echo "$1" >>${FILENAME}.err + echo '</font></b></h1>' >>${FILENAME}.err + if [ -n "$FILENAME" -a -f "$FILENAME" ] + then + cat $FILENAME | sed -e "s/^/<br>/" >>${FILENAME}.err + fi + echo '</body></html>' >>${FILENAME}.err + cat ${FILENAME}.err | $RMAIL $MAILINGLIST + + rm ${FILENAME}.err 2>/dev/null + #echo "cat ${FILENAME}.err | $RMAIL $MAILINGLIST " + fi +} + +############################### Exit ################################### +# global shell function , central exiting point +# cleanup: temporary files, kill the remaining selfservers if sourcing +# script sets KILL_SELFSERV +######################################################################## +Exit() +{ + Echo $1 + if [ "$O_CRON" = "OFF" ] + then + echo $1 >&2 + fi + if [ -f "${KILLPIDS}" ] + then + Debug "Attempting to kill background processes...`cat ${KILLPIDS}`" + kill `cat "${KILLPIDS}"` + sleep 1 + kill -9 `cat "${KILLPIDS}"` + fi + if [ -n "${TMPFILES}" ] + then + Debug "rm -f ${TMPFILES}" + rm -f $TMPFILES 2>/dev/null + fi + O_ALWAYS_YES=ON # set to non-interactive - don't ask anymore questions here + if [ $KILL_SELFSERV = "ON" ] + then + kill_by_name selfserv + fi + if [ $O_MAIL_LINK = "ON" -a $O_FILE = "ON" ] + then + if [ $EARLY_EXIT = TRUE ] #before the report file has been created + then + early_exit "$1" + else + head -3 $FILENAME >$ML_FILE + echo "Content-Type: text/plain; charset=us-ascii; format=flowed + Content-Transfer-Encoding: 7bit + +" >>$ML_FILE + echo $HREF_TMP_HTML_FILE >>$ML_FILE + cat $ML_FILE | $RMAIL $MAILINGLIST + fi + +#FIXME - early exit etc + elif [ $O_MAIL = "ON" -a $O_FILE = "ON" ] + then + if [ $EARLY_EXIT = TRUE ] #before the report file has been created + then + early_exit "$1" + elif [ -n "$FILENAME" -a -f "$FILENAME" ] + then + cat $FILENAME | $RMAIL $MAILINGLIST + fi + #rm $FILENAME 2>/dev/null + elif [ $O_MAIL = "ON" -a $EARLY_EXIT = TRUE ] + then + early_exit "$1" + rm $FILENAME 2>/dev/null + fi + #chmod a+rw ${RESULTDIR} ${RESULTDIR}/* ${RESULTDIR}/*/* & + if [ -n "$O_TBX" -a "$O_TBX" = "ON" ] ; then + rm ${TESTDIR}/QAstatus + + if [ "$1" = "killed... cleaning up..." ] ; then + echo "QA killed" >${TESTDIR}/QAstatus + elif [ "$TBX_EXIT" = 0 ] ; then + echo "QA passed" >${TESTDIR}/QAstatus + else + echo "QA failed" >${TESTDIR}/QAstatus + fi + + exit $TBX_EXIT + + else + exit + fi +} + +trap "rm -f ${TMPFILES} 2>/dev/null; Exit 'killed... cleaning up...'" 2 3 15 + +################################ Wait ################################## +# global shell function to wait for an event to happen, 1st parameter +# filename to watch, 2nd parameter 0 - wait for it to disappear, 1 wait +# for it to be created. +# uses the variables WAIT_FOR and WAIT_TIMES +# WAIT_FOR: if waiting for an event sleep n seconds before rechecking +# recomended value 10 minutes 600 +# WAIT_TIMES: recheck n times before giving up to prevent endless loop +# recomended 30 - total of 5h +######################################################################## + +Wait() +{ + i=0 + Debug "Waiting for $1" + while [ $i -lt $WAIT_TIMES ] + do + i=`expr $i + 1` + if [ -f "$1" -a $2 -eq 1 ] # if file exists and is supposed to + then + return + fi + if [ ! -f "$1" -a $2 -eq 0 ] # not exists and not supposed to exist + then + return + fi + Debug "Waiting for $1, loop #$i, about to sleep $WAIT_FOR seconds zzzz..." + sleep $WAIT_FOR + done + TOTAL=`expr $WAIT_TIMES \* $WAIT_FOR / 60` + Exit "I HAVE WAITED LONG ENOUGH FOR $1 NOW, I'M GONE! (THAT WAS A TOTAL OF $TOTAL MINUTES) I have better things to do... " +} + +################################ WaitForever ################################## +# global shell function to wait for an event to happen, 1st parameter +# filename to watch, 2nd parameter 0 - wait for it to disappear, 1 wait +# for it to be created. +# because we daon't have any relyable cron on NT... +######################################################################## + +WaitForever() +{ + i=0 + Debug "Waiting for $1" + TOTAL=0 + while [ 1 ] + do + i=`expr $i + 1` + if [ -f "$1" -a $2 -eq 1 ] # if file exists and is supposed to + then + return + fi + if [ ! -f "$1" -a $2 -eq 0 ] # not exists and not supposed to exist + then + return + fi + Debug "Waiting for $1, loop #$i, about to sleep $WAIT_FOR seconds Total $TOTAL" + sleep $WAIT_FOR + TOTAL=`expr $i \* $WAIT_FOR / 60` + if [ -n "$MAX_FOREVER" ] # we are cheating. Forever can be very short... + then + if [ "$TOTAL" -gt "$MAX_FOREVER" ] + then + Exit "I HAVE WAITED LONG ENOUGH FOR $1 NOW, I'M GONE! (THAT WAS A TOTAL OF $TOTAL MINUTES) I have better things to do... " + fi + fi + done +} +################################### is_running ######################### +# global shell function , implements primitive locking mechanism +# filename is passed as a parameter, if filename.* exists we assume calling +# script is running already and exit, otherwise filename.processid is +# created +######################################################################## +is_running() +{ + Debug "Testing if $0 is already running... file ${1} - ${1}.$$" + if [ -f ${1}.* ] + then + Exit "$0 seems to be running already ($1 exists) - Exiting" + fi + TMPFILES="$TMPFILES ${1}.$$" + echo "running $0 on `date` PID $$" >${1}.$$ + Debug "wrote \"running $0 on `date` PID $$\" to ${1}.$$" + +} + +#---------------------------# USERCOM #--------------------------------- +############################## Echo ##################################### +# global shell function , depending on the options the output gets written +# to a file, or is being discarded +# FIXME \n and \c are mistreates by differnet shells, and linux has /bin/echo +# instead of /usr/bin/echo +######################################################################## +Echo () +{ + if [ $O_SILENT = OFF ] + then + echo "$*" + #/usr/bin/echo "$*" + fi + if [ $O_FILE = ON ] + then + echo "$*" >>$FILENAME + fi +} + +################################### ask ################################ +# global shell function, Asks the a question, and gives the returns 0 +# on the 1st choice, 1 on the 2nd choice +# +# PARAMETERS: +# $1 question text +# $2 1st choice +# $3 2nd choice +# +# MODIFIERS: +# -y O_ALWAYS_YES will assume a first choice always (not neccessaryly "y") +# +# RETURN: +# 0 - User picked 1st choice +# 1 - User picked 2nd choice +# +# EXAMPLE +# ask "Would you like to continue" "y" "n" || Exit +# will produce the string "Would you like to continue (y/n) ?", +# read input from keyboard (or assume a yes with option -y) +# - on a yes it will return 0, on a no it will return 1, the +# shell interprets it as error and the || Exit will be executed +# +# NOTE: NEVER use "n" as the second parameter - it will mess up -y +# don't ask "Continue" "n" "y" || Exit # it will Exit on a "y" +# +######################################################################## +Ask() +{ + ask $* +} + +ask() +{ + if [ $O_ALWAYS_YES = ON ] + then + Echo "$1 ($2/$3) ?" + Echo "YES!" + return 0 + fi + A="" + while [ 1 ] + do + + Echo "$1 ($2/$3) ?" + read A + if [ -n "$A" ] + then + if [ $A = $2 ] + then + return 0 + elif [ $A = $3 ] + then + return 1 + fi + fi + done + return 0 +} + +################################### Warning ############################ +# global shell function, Asks the user a "... continue? (y/n)" question, +# and exits when the user answers with no +# NOTE -y will answer the warnings always with yes +######################################################################## +Warning () +{ + ask "WARNING: $0: \n $* continue " "y" "n" || Exit +} + +################################### Debug ############################ +# global shell function, when option -d Debugging output is written +######################################################################## +Debug() +{ + if [ $O_DEBUG = ON ] + then + Echo "DEBUG: (`date +%H:%M`) $0: $*" + fi +} + +################################### line ############################### +# global shell function, supposed to make output more readable... +######################################################################## +line() +{ +Echo +#Echo "=======================================================================" +#Echo +} + +################################### opt_usage ########################## +# global shell function, tells user about available options +######################################################################## +opt_usage() +{ + if [ $O_OPTIONS = "ON" ] + then + Echo + line + Echo + Echo " -y answer all questions with y - use at your own risk..." + Echo " -s silent (only usefull with -y)" + Echo " -h, -? - you guessed right - displays this text" + Echo " -d debug" + Echo " -f <filename> - write the (error)output to filename" + Echo " -fcronfile produces the resultfiles in the same locations" + Echo " as would have been produced with -cron" + Echo " -m <mailinglist> - send filename to mailinglist (csl " + Echo " example sonmi,nelsonb,wtc) only useful with -f" + Echo " -ml <mailinglist> - send link to filename to mailinglist " + Echo " (csl example sonmi,nelsonb,wtc) only useful with -f" + Echo " -cron equivalient to -y -s -d -f \$RESULTDIR/\$HOST.nssqa" + Echo " -t run on a tinderbox build (included -cron)" + if [ `basename $0` = nssqa ] ; then + Echo " -l <mozroot> run on a local build" + Echo " -ln <mozroot> copy a networkbuild to a local directory " + Echo " mozroot, used for networkindipendend QA " + Echo " -lt try to copy a networkbuild to a local directory, if" + Echo " not possible run on the network + Echo " used for networkindipendend QA + fi +# +# special strings + fi + +} + +################################### glob_usage ######################### +# global shell function, how to use the calling script (parameters, options) +######################################################################## +glob_usage() +{ + line + Echo $1 + Echo + if [ $O_OPTIONS = "ON" ] + then + Echo "usage $0 [options] nssversion builddate" + else + Echo "usage $0 nssversion builddate" + fi + + Echo " for example: $0 30b 0926" + Echo " $0 31 1002" + opt_usage + Echo + Exit "$1" +} + +tell() +{ + if [ $O_SILENT = OFF ] + then + line + pwd + ls -CF + line + fi + if [ $O_FILE = ON ] + then + line + pwd >>$FILENAME + ls -CF >>$FILENAME + line + fi +} + +if [ $O_INIT = "ON" ] +then + glob_init $* +fi +EARLY_EXIT=FALSE diff --git a/security/nss/tests/iopr/cert_iopr.sh b/security/nss/tests/iopr/cert_iopr.sh new file mode 100644 index 000000000..bb1bf047c --- /dev/null +++ b/security/nss/tests/iopr/cert_iopr.sh @@ -0,0 +1,405 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/iopr/cert_iopr.sh +# +# Certificate generating and handeling for NSS interoperability QA. This file +# is included from cert.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## + +IOPR_CERT_SOURCED=1 + +######################################################################## +# function wraps calls to pk12util, also: writes action and options +# to stdout. +# Params are the same as to pk12util. +# Returns pk12util status +# +pk12u() +{ + echo "${CU_ACTION} --------------------------" + + echo "pk12util $@" + ${BINDIR}/pk12util $@ + RET=$? + + return $RET +} + +######################################################################## +# Initializes nss db directory and files if they don't exists +# Params: +# $1 - directory location +# +createDBDir() { + trgDir=$1 + + if [ -z "`ls $trgDir | grep db`" ]; then + trgDir=`cd ${trgDir}; pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + trgDir=`cygpath -m ${trgDir}` + fi + + CU_ACTION="Initializing DB at ${trgDir}" + certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Loading root cert module to Cert DB at ${trgDir}" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + fi +} +######################################################################## +# takes care of downloading config, cert and crl files from remote +# location. +# Params: +# $1 - name of the host file will be downloaded from +# $2 - path to the file as it appeared in url +# $3 - target directory the file will be saved at. +# Returns tstclnt status. +# +download_file() { + host=$1 + filePath=$2 + trgDir=$3 + + file=$trgDir/`basename $filePath` + + createDBDir $trgDir || return $RET + +# echo wget -O $file http://${host}${filePath} +# wget -O $file http://${host}${filePath} +# ret=$? + + req=$file.$$ + echo "GET $filePath HTTP/1.0" > $req + echo >> $req + + echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ + -v -w ${R_PWFILE} -o + ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ + -v -w ${R_PWFILE} -o < $req > $file + ret=$? + rm -f $_tmp; + return $ret +} + +######################################################################## +# Uses pk12util, certutil of cerlutil to import files to an nss db located +# at <dir>(the value of $1 parameter). Chooses a utility to use based on +# a file extension. Initializing a db if it does not exists. +# Params: +# $1 - db location directory +# $2 - file name to import +# $3 - nick name an object in the file will be associated with +# $4 - trust arguments +# Returns status of import +# +importFile() { + dir=$1\ + file=$2 + certName=$3 + certTrust=$4 + + [ ! -d $dir ] && mkdir -p $dir; + + createDBDir $dir || return $RET + + case `basename $file | sed 's/^.*\.//'` in + p12) + CU_ACTION="Importing p12 $file to DB at $dir" + pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr + [ $? -ne 0 ] && return 1 + CU_ACTION="Modifying trust for cert $certName at $dir" + certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" + return $? + ;; + + crl) + CU_ACTION="Importing crl $file to DB at $dir" + crlu -d ${dir} -I -n TestCA -i $file + return $? + ;; + + crt | cert) + CU_ACTION="Importing cert $certName with trust $certTrust to $dir" + certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \ + -i "$file" + return $? + ;; + + *) + echo "Unknown file extension: $file:" + return 1 + ;; + esac +} + + +######################################################################### +# Downloads and installs test certs and crl from a remote webserver. +# Generates server cert for reverse testing if reverse test run is turned on. +# Params: +# $1 - host name to download files from. +# $2 - directory at which CA cert will be installed and used for +# signing a server cert. +# $3 - path to a config file in webserver context. +# $4 - ssl server db location +# $5 - ssl client db location +# $5 - ocsp client db location +# +# Returns 0 upon success, otherwise, failed command error code. +# +download_install_certs() { + host=$1 + caDir=$2 + confPath=$3 + sslServerDir=$4 + sslClientDir=$5 + ocspClientDir=$6 + + [ ! -d "$caDir" ] && mkdir -p $caDir; + + #======================================================= + # Getting config file + # + download_file $host "$confPath/iopr_server.cfg" $caDir + RET=$? + if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then + html_failed "Fail to download website config file(ws: $host)" + return 1 + fi + + . $caDir/iopr_server.cfg + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to source config file(ws: $host)" + return $RET + fi + + #======================================================= + # Getting CA file + # + + #----------------- !!!WARNING!!! ----------------------- + # Do NOT copy this scenario. CA should never accompany its + # cert with the private key when deliver cert to a customer. + #----------------- !!!WARNING!!! ----------------------- + + download_file $host $certDir/$caCertName.p12 $caDir + RET=$? + if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then + html_failed "Fail to download $caCertName cert(ws: $host)" + return 1 + fi + tmpFiles="$caDir/$caCertName.p12" + + importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import $caCertName cert to CA DB(ws: $host)" + return $RET + fi + + CU_ACTION="Exporting Root CA cert(ws: $host)" + certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export $caCertName cert" + fi + + #======================================================= + # Check what tests we want to run + # + doSslTests=0; doOcspTests=0 + # XXX remove "_new" from variables below + [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1 + [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1 + + if [ $doSslTests -eq 1 ]; then + if [ "$reverseRunCGIScript" ]; then + [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir; + #======================================================= + # Import CA cert to server DB + # + importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \ + "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import server-client-CA cert to \ + server DB(ws: $host)" + return $RET + fi + + #======================================================= + # Creating server cert + # + CERTNAME=$HOSTADDR + + CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \ + L=Mountain View, ST=California, C=US" + certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\ + -o $sslServerDir/req 2>&1 + tmpFiles="$tmpFiles $sslServerDir/req" + + # NOTE: + # For possible time synchronization problems (bug 444308) we generate + # certificates valid also some time in past (-w -1) + + CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)" + certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \ + -d "${caDir}" \ + -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \ + -f "${R_PWFILE}" 2>&1 + + importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",," + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import $CERTNAME cert to server\ + DB(ws: $host)" + return $RET + fi + tmpFiles="$tmpFiles $caDir/$CERTNAME.cert" + + #======================================================= + # Download and import CA crl to server DB + # + download_file $host "$certDir/$caCrlName.crl" $sslServerDir + RET=$? + if [ $? -ne 0 ]; then + html_failed "Fail to download $caCertName crl\ + (ws: $host)" + return $RET + fi + tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl" + + importFile $sslServerDir $sslServerDir/TestCA.crl + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import TestCA crt to server\ + DB(ws: $host)" + return $RET + fi + fi # if [ "$reverseRunCGIScript" ] + + [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir; + #======================================================= + # Import CA cert to ssl client DB + # + importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \ + "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import server-client-CA cert to \ + server DB(ws: $host)" + return $RET + fi + fi + + if [ $doOcspTests -eq 1 ]; then + [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir; + #======================================================= + # Import CA cert to ocsp client DB + # + importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \ + "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import server-client-CA cert to \ + server DB(ws: $host)" + return $RET + fi + fi + + #======================================================= + # Import client certs to client DB + # + for fileName in $downloadFiles; do + certName=`echo $fileName | sed 's/\..*//'` + + if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then + clientDir=$ocspClientDir + elif [ $doSslTests -eq 1 ]; then + clientDir=$sslClientDir + else + continue + fi + + download_file $host "$certDir/$fileName" $clientDir + RET=$? + if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then + html_failed "Fail to download $certName cert(ws: $host)" + return $RET + fi + tmpFiles="$tmpFiles $clientDir/$fileName" + + importFile $clientDir $clientDir/$fileName $certName ",," + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import $certName cert to client DB\ + (ws: $host)" + return $RET + fi + done + + rm -f $tmpFiles + + return 0 +} + + +######################################################################### +# Initial point for downloading config, cert, crl files for multiple hosts +# involved in interoperability testing. Called from nss/tests/cert/cert.sh +# It will only proceed with downloading if environment variable +# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space. +# +# Returns 1 if interoperability testing is off, 0 otherwise. +# +cert_iopr_setup() { + + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443 + IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'` + [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr" + + echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\ + $IOPR_CONF_PATH" + + download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \ + ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} + if [ $? -ne 0 ]; then + echo "wsFlags=\"NOIOPR $wsParam\"" >> \ + ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + fi + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + done + + return 0 +} diff --git a/security/nss/tests/iopr/ocsp_iopr.sh b/security/nss/tests/iopr/ocsp_iopr.sh new file mode 100644 index 000000000..dcc6e1ffb --- /dev/null +++ b/security/nss/tests/iopr/ocsp_iopr.sh @@ -0,0 +1,231 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/iopr/ocsp_iopr.sh +# +# NSS SSL interoperability QA. This file is included from ssl.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## +IOPR_OCSP_SOURCED=1 + +######################################################################## +# The funtion works with variables defined in interoperability +# configuration file that gets downloaded from a webserver. +# The function sets test parameters defind for a particular type +# of testing. +# +# No return value +# +setTestParam() { + type=$1 + testParam=`eval 'echo $'${type}Param` + testDescription=`eval 'echo $'${type}Descr` + testProto=`eval 'echo $'${type}Proto` + testPort=`eval 'echo $'${type}Port` + testResponder=`eval 'echo $'${type}ResponderCert` + testValidCertNames=`eval 'echo $'${type}ValidCertNames` + testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames` + testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames` +} + +######################################################################## +# The funtion checks status of a cert using ocspclnt. +# Params: +# dbDir - nss cert db location +# cert - cert in question +# respUrl - responder url is available +# defRespCert - trusted responder cert +# +# Return values: +# 0 - test passed, 1 - otherwise. +# +ocsp_get_cert_status() { + dbDir=$1 + cert=$2 + respUrl=$3 + defRespCert=$4 + + if [ -n "$respUrl" -o -n "$defRespCert" ]; then + if [ -z "$respUrl" -o -z "$defRespCert" ]; then + html_failed "Incorrect test params" + return 1 + fi + clntParam="-l $respUrl -t $defRespCert" + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + outFile=$dbDir/ocsptest.out.$$ + echo "ocspclnt -d $dbDir -S $cert $clntParam" + ${BINDIR}/ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1 + ret=$? + echo "ocspclnt output:" + cat $outFile + [ -z "`grep succeeded $outFile`" ] && ret=1 + + rm -f $outFile + return $ret + fi + + OCSP_ATTR="-d $dbDir -S $cert $clntParam" + ${RUN_COMMAND_DBG} ${BINDIR}/ocspclnt ${OCSP_ATTR} +} + +######################################################################## +# The funtion checks status of a cert using ocspclnt. +# Params: +# testType - type of the test based on type of used responder +# servName - FQDM of the responder server +# dbDir - nss cert db location +# +# No return value +# +ocsp_iopr() { + testType=$1 + servName=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOCOV`" != "" ]; then + echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \ + "Test Type: $testDescription" + fi + + if [ -n "$testResponder" ]; then + responderUrl="$testProto://$servName:$testPort" + else + responderUrl="" + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + for certName in $testValidCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 0 "Getting status of a valid cert ($certName)" \ + "produced a returncode of $ret, expected is 0." + done + + for certName in $testRevokedCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 1 "Getting status of a unvalid cert ($certName)" \ + "produced a returncode of $ret, expected is 1." + done + + for certName in $testStatUnknownCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 1 "Getting status of a cert with unknown status " \ + "($certName) produced a returncode of $ret, expected is 1." + done + else + for certName in $testValidCertNames $testRevokedCertNames \ + $testStatUnknownCertName; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + done + fi +} + +##################################################################### +# Initial point for running ocsp test againt multiple hosts involved in +# interoperability testing. Called from nss/tests/ocsp/ocsp.sh +# It will only proceed with test run for a specific host if environment variable +# IOPR_HOSTADDR_LIST was set, had the host name in the list +# and all needed file were successfully downloaded and installed for the host. +# +# Returns 1 if interoperability testing is off, 0 otherwise. +# +ocsp_iopr_run() { + NO_ECC_CERTS=1 # disable ECC for interoperability tests + + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + cd ${CLIENTDIR} + + if [ -n "${MEMLEAK_DBG}" ]; then + html_head "Memory leak checking - IOPR" + fi + + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443 + + . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + RES=$? + + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + + if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then + continue + fi + + #======================================================= + # Check what server is configured to run ssl tests + # + [ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue; + + # Testing directories defined by webserver. + if [ -n "${MEMLEAK_DBG}" ]; then + LOGNAME=iopr-${IOPR_HOSTADDR} + LOGFILE=${LOGDIR}/${LOGNAME}.log + fi + + # Testing directories defined by webserver. + echo "Testing ocsp interoperability. + Client: local(tstclnt). + Responder: remote($IOPR_HOSTADDR)" + + for ocspTestType in ${supportedTests_new}; do + if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then + continue + fi + if [ -n "${MEMLEAK_DBG}" ]; then + ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} 2>> ${LOGFILE} + else + ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} + fi + done + + if [ -n "${MEMLEAK_DBG}" ]; then + log_parse + ret=$? + html_msg ${ret} 0 "${LOGNAME}" \ + "produced a returncode of $ret, expected is 0" + fi + + echo "================================================" + echo "Done testing ocsp interoperability with $IOPR_HOSTADDR" + done + + if [ -n "${MEMLEAK_DBG}" ]; then + html "</TABLE><BR>" + fi + + NO_ECC_CERTS=0 + return 0 +} + diff --git a/security/nss/tests/iopr/server_scr/apache_unix.cfg b/security/nss/tests/iopr/server_scr/apache_unix.cfg new file mode 100644 index 000000000..3992bf52d --- /dev/null +++ b/security/nss/tests/iopr/server_scr/apache_unix.cfg @@ -0,0 +1,47 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# +# Apache OPENSSL configuration file +# + +# +# Define what type of system this is. +# +$clientSys = "openssl"; + +# +# Cipher conversion table file +# +$cipherTableFile = "$certDir/cipher.list"; + +#-------------------------------------------- +# Web server specific variables start here: +# + +# +# Location of installed openssl binary +# +$opensslb = "/usr/local/bin/openssl"; + + +# +# General location of apache server +# +$apacheHttpd="/var/httpd-ssl"; + +# +# HTTP Request file +# +$reqFile = "$apacheHttpd/cgi-bin/sslreq.dat"; + +# +# OpenSSL certificate directory +# +$certDir = "$apacheHttpd/cert"; + +# +# CA certificate file +# +$caCertFile = "$certDir/serverCA.crt"; diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh new file mode 100644 index 000000000..17771ade1 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/cert_gen.sh @@ -0,0 +1,367 @@ +#!/bin/bash + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +###################################################################################### +# Server and client certs and crl generator functions. Generated files placed in a <dir> +# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory. +# This functions is used for manual webserver configuration and it is not a part of +# nss test run. +# To create certs use the following command: +# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req] +# Where: +# dir - directory where to place created files +# cert name - name of created server cert(FQDN) +# cert req - cert request to be used for cert generation. +# +repAndExec() { + echo + if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then + shift + echo certutil -s "$CU_SUBJECT" $@ + certutil -s "$CU_SUBJECT" $@ + RET=$? + else + echo $@ + $@ + RET=$? + fi + + return $RET +} + +setExtData() { + extData=$1 + + fldNum=0 + extData=`echo $extData | sed 's/,/ /g'` + for extDT in $extData; do + if [ $fldNum -eq 0 ]; then + eval extType=$extDT + fldNum=1 + continue + fi + eval data${fldNum}=$extDT + fldNum=`expr $fldNum + 1` + done +} + +signCert() { + dir=$1 + crtDir=$2 + crtName=$3 + crtSN=$4 + req=$5 + cuAddParam=$6 + extList=$7 + + if [ -z "$certSigner" ]; then + certSigner=TestCA + fi + + extCmdLine="" + extCmdFile=$dir/extInFile; rm -f $extCmdFile + touch $extCmdFile + extList=`echo $extList | sed 's/;/ /g'` + for ext in $extList; do + setExtData $ext + [ -z "$extType" ] && echo "incorrect extention format" && return 1 + case $extType in + ocspDR) + extCmdLine="$extCmdLine -6" + cat <<EOF >> $extCmdFile +5 +9 +y +EOF + break + exit 1 + ;; + AIA) + extCmdLine="$extCmdLine -9" + cat <<EOF >> $extCmdFile +2 +7 +$data1 +0 +n +n +EOF + break + ;; + *) + echo "Unsupported extension type: $extType" + break + ;; + esac + done + echo "cmdLine: $extCmdLine" + echo "cmdFile: "`cat $extCmdFile` + repAndExec \ + certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \ + -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1 + return $RET +} + +createSignedCert() { + dir=$1 + certDir=$2 + certName=$3 + certSN=$4 + certSubj=$5 + keyType=$6 + extList=$7 + + echo Creating cert $certName-$keyType with SN=$certSN + + CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + repAndExec \ + certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \ + -k $keyType -o $dir/req 2>&1 + [ "$RET" -ne 0 ] && return $RET + + signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList + ret=$? + [ "$ret" -ne 0 ] && return $ret + + rm -f $dir/req + + repAndExec \ + certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \ + -i "$dir/${certName}-$keyType.crt" 2>&1 + [ "$RET" -ne 0 ] && return $RET + + cp "$dir/${certName}-$keyType.crt" $certDir + + repAndExec \ + pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \ + -k ${PW_FILE} -W iopr + [ "$RET" -ne 0 ] && return $RET + return 0 +} + +generateAndExportSSLCerts() { + dir=$1 + certDir=$2 + serverName=$3 + servCertReq=$4 + + if [ "$servCertReq" -a -f $servCertReq ]; then + grep REQUEST $servCertReq >/dev/null 2>&1 + signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a` + ret=$? + [ "$ret" -ne 0 ] && return $ret + fi + + certName=$serverName + createSignedCert $dir $certDir $certName 500 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + createSignedCert $dir $certDir $certName 501 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser510 + createSignedCert $dir $certDir $certName 510 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser511 + createSignedCert $dir $certDir $certName 511 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser512 + createSignedCert $dir $certDir $certName 512 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser513 + createSignedCert $dir $certDir $certName 513 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret +} + +generateAndExportOCSPCerts() { + dir=$1 + certDir=$2 + + certName=ocspTrustedResponder + createSignedCert $dir $certDir $certName 525 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDesignatedResponder + createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspTRTestUser514 + createSignedCert $dir $certDir $certName 514 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspTRTestUser516 + createSignedCert $dir $certDir $certName 516 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCATestUser518 + createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCATestUser520 + createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRTestUser522 + createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRTestUser524 + createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + generateAndExportCACert $dir "" TestCA-unknown + [ $? -ne 0 ] && return $ret + + certSigner=TestCA-unknown + + certName=ocspTRUnkownIssuerCert + createSignedCert $dir $certDir $certName 531 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCAUnkownIssuerCert + createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRUnkownIssuerCert + createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certSigner="" + + return 0 +} + +generateAndExportCACert() { + dir=$1 + certDirL=$2 + caName=$3 + + certName=TestCA + [ "$caName" ] && certName=$caName + CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + repAndExec \ + certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \ + -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF +5 +6 +9 +n +y +-1 +n +EOF + + if [ "$certDirL" ]; then + repAndExec \ + certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt + [ "$RET" -ne 0 ] && return $RET + + repAndExec \ + pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr + [ "$RET" -ne 0 ] && return $RET + fi +} + + +generateCerts() { + certDir=$1 + serverName=$2 + reuseCACert=$3 + servCertReq=$4 + + [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1 + [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1 + + mkdir -p $certDir + [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1 + + + dir=/tmp/db.$$ + if [ -z "$reuseCACert" ]; then + if [ -d "$dir" ]; then + rm -f $dir + fi + + PW_FILE=$dir/nss.pwd + NOISE_FILE=$dir/nss.noise + + mkdir -p $dir + [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1 + + echo nss > $PW_FILE + date >> ${NOISE_FILE} 2>&1 + + repAndExec \ + certutil -d $dir -N -f $PW_FILE + [ "$RET" -ne 0 ] && return $RET + + generateAndExportCACert $dir $certDir + [ "$RET" -ne 0 ] && return $RET + else + dir=$reuseCACert + PW_FILE=$dir/nss.pwd + NOISE_FILE=$dir/nss.noise + hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu` + [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \ + return $RET; + fi + + generateAndExportSSLCerts $dir $certDir $serverName $servCertReq + [ "$RET" -ne 0 ] && return $RET + + generateAndExportOCSPCerts $dir $certDir + [ "$RET" -ne 0 ] && return $RET + + crlUpdate=`date +%Y%m%d%H%M%SZ` + crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'` + repAndExec \ + crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI +update=$crlUpdate +nextupdate=$crlNextUpdate +addcert 509-511 $crlUpdate +addcert 516 $crlUpdate +addcert 520 $crlUpdate +addcert 524 $crlUpdate +EOF_CRLINI + [ "$RET" -ne 0 ] && return $RET + + rm -rf $dir + return 0 +} + + +if [ -z "$1" -o -z "$2" ]; then + echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]" + exit 1 +fi +generateCerts $1 $2 "$3" $4 +exit $? diff --git a/security/nss/tests/iopr/server_scr/cipher.list b/security/nss/tests/iopr/server_scr/cipher.list new file mode 100644 index 000000000..668084c37 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/cipher.list @@ -0,0 +1,98 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +nss openssl iis + +# +# SSL v3.0 cipher suites. +# +SSL3_RSA_WITH_NULL_MD5 NULL-MD5 i +SSL3_RSA_WITH_NULL_SHA NULL-SHA z +SSL3_RSA_WITH_RC4_128_MD5 RC4-MD5 c +SSL3_RSA_WITH_RC4_128_SHA RC4-SHA n +SSL3_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA +SSL3_RSA_WITH_DES_CBC_SHA DES-CBC-SHA e +SSL3_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA d + +SSL3_DH_DSS_WITH_DES_CBC_SHA Not_implemented. +SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented. +SSL3_DH_RSA_WITH_DES_CBC_SHA Not_implemented. +SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented. +SSL3_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA s +SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA q +SSL3_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA +SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA + +SSL3_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 +SSL3_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA +SSL3_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA + +SSL3_FORTEZZA_KEA_WITH_NULL_SHA Not_implemented. +SSL3_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not_implemented. +SSL3_FORTEZZA_KEA_WITH_RC4_128_SHA Not_implemented. + +# +# Next four added to have ciphers below for SSL3 protocol +# +SSL3_RSA_WITH_AES_128_CBC_SHA AES128-SHA +SSL3_RSA_WITH_AES_256_CBC_SHA AES256-SHA + +# +#TLS v1.0 cipher suites. +# +TLS_RSA_WITH_NULL_MD5 NULL-MD5 +TLS_RSA_WITH_NULL_SHA NULL-SHA +TLS_RSA_WITH_RC4_128_MD5 RC4-MD5 +TLS_RSA_WITH_RC4_128_SHA RC4-SHA +TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA +TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA +TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA + +TLS_DH_DSS_WITH_DES_CBC_SHA Not_implemented. +TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented. +TLS_DH_RSA_WITH_DES_CBC_SHA Not_implemented. +TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented. +TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA +TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA +TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA +TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA + +TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 +TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA +TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA + +# +#AES ciphersuites from RFC3268, extending TLS v1.0 +# + +TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA +TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA + +TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA +TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA +TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA +TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA + +TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA +TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA +TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA +TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA + +TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA +TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA + +# +#Additional cipher suites +# +#Note: these ciphers can also be used in SSL v3. +# +TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA + +# +# FIPS cipher list +# +TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented +TLS_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented +SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented +SSL3_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi new file mode 100644 index 000000000..581ad06d1 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/client.cgi @@ -0,0 +1,526 @@ +#!/usr/bin/perl + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +#-------------------------------------------------------------- +# cgi script that parses request argument to appropriate +# open ssl or tstclntw options and starts ssl client. +# + +use CGI qw/:standard/; + +use subs qw(debug); + +#-------------------------------------------------------------- +# Prints out an error string and exits the script with an +# exitStatus. +# Param: +# str : an error string +# exitStat: an exit status of the program +# +sub svr_error { + my ($str, $exitStat) = @_; + + if (!defined $str || $str eq "") { + $str = $ERR; + } + print "SERVER ERROR: $str\n"; + if ($exitStat) { + print end_html if ($osDataArr{wservRun}); + exit $exitStat; + } +} + +#-------------------------------------------------------------- +# Prints out a debug message +# Params: +# str: debug message +# inVal: additional value to print(optional) +# +sub debug { + my ($str, $inVal) = @_; + + print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1); +} + + +#-------------------------------------------------------------- +# Initializes execution context depending on a webserver the +# script is running under. +# +sub init { + %osDataArr = ( + loadSupportedCipthersFn => \&osSpecific, + cipherIsSupportedFn => \&verifyCipherSupport, + cipherListFn => \&convertCipher, + buildCipherTableFn => \&buildCipherTable, + execCmdFn => \&osSpecific, + ); + + $scriptName = $ENV{'SCRIPT_NAME'}; + if (!defined $scriptName) { + $DEBUG=1; + debug "Debug is ON"; + } + $DEBUG=1; + + $svrSoft = $ENV{'SERVER_SOFTWARE'}; + if (defined $svrSoft) { + $_ = $svrSoft; + /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS"); + /.*Apache.*/ && ($osDataArr{wserv} = "Apache"); + $osDataArr{wservRun} = 1; + } else { + $osDataArr{wserv} = "Apache"; + $osDataArr{wservRun} = 0; + } +} + +#-------------------------------------------------------------- +# Function-spigot to handle errors is OS specific functions are +# not implemented for a particular OS. +# Returns: +# always returns 0(failure) +# +sub osSpecific { + $ERR = "This function should be swapped to os specific function."; + return 0; +} + +#-------------------------------------------------------------- +# Sets os specific execution context values. +# Returns: +# 1 upon success, or 0 upon failure(if OS was not recognized) +# +sub setFunctRefs { + + debug("Entering setFunctRefs function", $osDataArr{wserv}); + + if ($osDataArr{wserv} eq "Apache") { + $osDataArr{osConfigFile} = "apache_unix.cfg"; + $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL'; + $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile'; + $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix; + $osDataArr{execCmdFn} = \&execClientCmd_Unix; + } elsif ($osDataArr{wserv} eq "IIS") { + $osDataArr{osConfigFile} = "iis_windows.cfg"; + $osDataArr{suppCiphersCmd} = '$tstclntwb'; + $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile'; + $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win; + $osDataArr{execCmdFn} = \&execClientCmd_Win; + } else { + $ERR = "Unknown Web Server type."; + return 0; + } + return 1; +} + +#-------------------------------------------------------------- +# Parses data from HTTP request. Will print a form if request +# does not contain sufficient number of parameters. +# Returns: +# 1 if request has sufficient number of parameters +# 0 if not. +sub getReqData { + my $debug = param('debug'); + $in_host = param('host'); + $in_port = param('port'); + $in_cert = param('cert'); + $in_cipher = param('cipher'); + + if (!$osDataArr{wservRun}) { + $in_host="goa1"; + $in_port="443"; + $in_cert="TestUser511"; + $in_cipher = "SSL3_RSA_WITH_NULL_SHA"; + } + + debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher"); + + if (defined $debug && $debug == "debug on") { + $DEBUG = 1; + } + + if (!defined $in_host || $in_host eq "" || + !defined $in_port || $in_port eq "" || + !defined $in_cert || $in_cert eq "") { + if ($osDataArr{wservRun}) { + print h1('Command description form:'), + start_form(-method=>"get"), + "Host: ",textfield('host'),p, + "Port: ",textfield('port'),p, + "Cert: ",textfield('cert'),p, + "Cipher: ",textfield('cipher'),p, + checkbox_group(-name=>'debug', + -values=>['debug on ']), + submit, + end_form, + hr; + } else { + print "Printing html form to get client arguments\n"; + } + $ERR = "the following parameters are required: host, port, cert"; + return 0; + } else { + print "<pre>" if ($osDataArr{wservRun}); + return 1; + } +} + + +#-------------------------------------------------------------- +# Building cipher conversion table from file based on the OS. +# Params: +# tfile: cipher conversion file. +# sysName: system name +# tblPrt: returned pointer to a table. +sub buildCipherTable { + my ($tfile, $sysName, $tblPrt) = @_; + my @retArr = @$tblPrt; + my %table, %rtable; + my $strCount = 0; + + debug("Entering getReqData function", "$tfile:$sysName:$tblPrt"); + + ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/); + if (!open(TFILE, "$tfile")) { + $ERR = "Missing cipher conversion table file."; + return 0; + } + foreach (<TFILE>) { + chop; + /^#.*/ && next; + /^\s*$/ && next; + if ($strCount++ == 0) { + my @sysArr = split /\s+/; + $colCount = 0; + for (;$colCount <= $#sysArr;$colCount++) { + last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/); + } + next; + } + my @ciphArr = split /\s+/, $_; + $table{$ciphArr[0]} = $ciphArr[$colCount]; + $rtable{$ciphArr[$colCount]} = $ciphArr[0]; + } + close(TFILE); + $cipherTablePtr[0] = \%table; + $cipherTablePtr[1] = \%rtable; + return 1 +} + +#-------------------------------------------------------------- +# Client configuration function. Loads client configuration file. +# Initiates cipher table. Loads cipher list supported by ssl client. +# +sub configClient { + + debug "Entering configClient function"; + + my $res = &setFunctRefs(); + return $res if (!$res); + + open(CFILE, $osDataArr{'osConfigFile'}) || + ($ERR = "Missing configuration file." && return 0); + foreach (<CFILE>) { + /^#.*/ && next; + chop; + eval $_; + } + close(CFILE); + + local @cipherTablePtr = (); + $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0; + $osDataArr{cipherTable} = $cipherTablePtr[0]; + $osDataArr{rcipherTable} = $cipherTablePtr[1]; + + local $suppCiphersTablePrt; + &{$osDataArr{'loadSupportedCipthersFn'}} || return 0; + $osDataArr{suppCiphersTable} = $suppCiphersTablePrt; +} + +#-------------------------------------------------------------- +# Verifies that a particular cipher is supported. +# Params: +# checkCipher: cipher name +# Returns: +# 1 - cipher is supported(also echos the cipher). +# 0 - not supported. +# +sub verifyCipherSupport { + my ($checkCipher) = @_; + my @suppCiphersTable = @{$osDataArr{suppCiphersTable}}; + + debug("Entering verifyCipherSupport", $checkCipher); + foreach (@suppCiphersTable) { + return 1 if ($checkCipher eq $_); + } + $ERR = "cipher is not supported."; + return 0; +} + +#-------------------------------------------------------------- +# Converts long(?name of the type?) cipher name to +# openssl/tstclntw cipher name. +# Returns: +# 0 if cipher was not listed. 1 upon success. +# +sub convertCipher { + my ($cipher) = @_; + my @retList; + my $resStr; + my %cipherTable = %{$osDataArr{cipherTable}}; + + debug("Entering convertCipher", $cipher); + if (defined $cipher) { + my $cphr = $cipherTable{$cipher}; + if (!defined $cphr) { + $ERR = "cipher is not listed."; + return 0; + } + &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0; + $ciphers = "$cphr"; + return 1; + } + return 0; +} + +################################################################# +# UNIX Apache Specific functions +#---------------------------------------------------------------- + +#-------------------------------------------------------------- +# Executes ssl client command to get a list of ciphers supported +# by client. +# +sub getSupportedCipherList_Unix { + my @arr, @suppCiphersTable; + + debug "Entering getSupportedCipherList_Unix function"; + + eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"'; + if (!open (OUT, "$sLisrCmd|")) { + $ERR="Can not run command to verify supported cipher list."; + return 0; + } + @arr = <OUT>; + chop $arr[0]; + @suppCiphersTable = split /:/, $arr[0]; + debug("Supported ciphers", $arr[0]); + $suppCiphersTablePrt = \@suppCiphersTable; + close(OUT); + return 1; +} + +#-------------------------------------------------------------- +# Lunches ssl client command in response to a request. +# +# +sub execClientCmd_Unix { + my $proto; + local $ciphers; + + debug "Entering execClientCmd_Unix"; + if (defined $in_cipher && $in_cipher ne "") { + my @arr = split /_/, $in_cipher, 2; + $proto = "-".$arr[0]; + $proto =~ tr /SLT/slt/; + $proto = "-tls1" if ($proto eq "-tls"); + return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher)); + $ciphers = "-cipher $ciphers"; + debug("Return from cipher conversion", "$ciphers"); + } + + eval '$command = "'.$osDataArr{'clientRunCmd'}.'"'; + debug("Executing command", $command); + if (!open CMD_OUT, "$command 2>&1 |") { + $ERR = "can not launch client"; + return 0; + } + + my @cmdOutArr = <CMD_OUT>; + + foreach (@cmdOutArr) { + print $_; + } + + my $haveVerify = 0; + my $haveErrors = 0; + foreach (@cmdOutArr) { + chop; + if (/unknown option/) { + $haveErrors++; + svr_error "unknown option\n"; + next; + } + if (/:no ciphers available/) { + $haveErrors++; + svr_error "no cipthers available\n"; + next; + } + if (/verify error:/) { + $haveErrors++; + svr_error "unable to do verification\n"; + next; + } + if (/alert certificate revoked:/) { + $haveErrors++; + svr_error "attempt to connect with revoked sertificate\n"; + next; + } + if (/(error|ERROR)/) { + $haveErrors++; + svr_error "found errors in server log\n"; + next; + } + /verify return:1/ && ($haveVerify = 1); + } + if ($haveVerify == 0) { + svr_error "no 'verify return:1' found in server log\n"; + $haveErrors++; + } + + if ($haveErrors > 0) { + $ERR = "Have $haveErrors server errors"; + debug "Exiting execClientCmd_Unix"; + return 0; + } + debug "Exiting execClientCmd_Unix"; + return 1; +} + +################################################################# +# Windows IIS Specific functions +#---------------------------------------------------------------- + +#-------------------------------------------------------------- +# Executes ssl client command to get a list of ciphers supported +# by client. +# +sub getSupportedCipherList_Win { + my @arr, @suppCiphersTable; + + debug "Entering getSupportedCipherList_Win function"; + + eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"'; + if (!open (OUT, "$sLisrCmd|")) { + $ERR="Can not run command to verify supported cipher list."; + return 0; + } + my $startCipherList = 0; + foreach (<OUT>) { + chop; + if ($startCipherList) { + /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1; + next; + } + /.*from list below.*/ && ($startCipherList = 1); + } + debug("Supported ciphers", join ':', @suppCiphersTable); + $suppCiphersTablePrt = \@suppCiphersTable; + close(OUT); + return 1; +} + +#-------------------------------------------------------------- +# Lunches ssl client command in response to a request. +# +# +sub execClientCmd_Win { + my $proto; + local $ciphers; + + debug "Entering execClientCmd_Win"; + if (defined $in_cipher && $in_cipher ne "") { + my @arr = split /_/, $in_cipher, 2; + $proto = "-2 -3 -T"; + + $proto =~ s/-T// if ($arr[0] eq "TLS"); + $proto =~ s/-3// if ($arr[0] eq "SSL3"); + $proto =~ s/-2// if ($arr[0] eq "SSL2"); + return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher)); + $ciphers = "-c $ciphers"; + debug("Return from cipher conversion", $ciphers); + } + + eval '$command = "'.$osDataArr{'clientRunCmd'}.'"'; + debug("Executing command", $command); + if (!open CMD_OUT, "$command 2>&1 |") { + $ERR = "can not launch client"; + return 0; + } + + my @cmdOutArr = <CMD_OUT>; + + foreach (@cmdOutArr) { + print $_; + } + + my $haveVerify = 0; + my $haveErrors = 0; + foreach (@cmdOutArr) { + chop; + if (/unknown option/) { + $haveErrors++; + svr_error "unknown option\n"; + next; + } + if (/Error performing handshake/) { + $haveErrors++; + svr_error "Error performing handshake\n"; + next; + } + if (/Error creating credentials/) { + $haveErrors++; + svr_error "Error creating credentials\n"; + next; + } + if (/Error .* authenticating server credentials!/) { + $haveErrors++; + svr_error "Error authenticating server credentials\n"; + next; + } + if (/(error|ERROR|Error)/) { + $haveErrors++; + svr_error "found errors in server log\n"; + next; + } + } + + if ($haveErrors > 0) { + $ERR = "Have $haveErrors server errors"; + debug "Exiting execClientCmd_Win"; + return 0; + } + debug "Exiting execClientCmd_Win"; + return 1; +} + +################################################################# +# Main line of execution +#---------------------------------------------------------------- +&init; + +if ($osDataArr{wservRun}) { + print header('text/html'). + start_html('iopr client'); +} + +print "SCRIPT=OK\n"; + +if (!&getReqData) { + svr_error($ERR, 1); +} + +if (!&configClient) { + svr_error($ERR, 1); +} + +&{$osDataArr{'execCmdFn'}} || svr_error; + +if ($osDataArr{wservRun}) { + print "</pre>"; + print end_html; +} diff --git a/security/nss/tests/iopr/server_scr/config b/security/nss/tests/iopr/server_scr/config new file mode 100644 index 000000000..9e65b926c --- /dev/null +++ b/security/nss/tests/iopr/server_scr/config @@ -0,0 +1,17 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +certDir=/iopr +caCertName=TestCA +caCrlName=TestCA +userCertNames="TestUser510 TestUser511" +userRevokedCertNames="TestUser510" +reverseRunCGIScript="/cgi-bin/client.cgi" +supportedTests="SslSingleHs" +# SslSingleHs: ssl single handshake with out client cert auth +SslSingleHsPort=443 +SslSingleHsUrl=/ +SslSingleHsParam=NOAUTH:NOCOV:NOCRL +#ParamSslSingleHandshakeWithOutClientCertAuth="443 / NOAUTH:NOCOV:NOCRL" +#ParamSslSingleHandshakeWithOutClientCertAuth="443 /" diff --git a/security/nss/tests/iopr/server_scr/iis_windows.cfg b/security/nss/tests/iopr/server_scr/iis_windows.cfg new file mode 100644 index 000000000..76499b8b6 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/iis_windows.cfg @@ -0,0 +1,33 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# +# IIS windows configuration file +# + +# +# Define what type of system this is. +# +$clientSys = "iis"; + +# +# Cipher conversion table file +# +$cipherTableFile = "cipher.list"; + +#-------------------------------------------- +# Web server specific variables start here: +# + +# +# Location of installed tstclntb binary +# +$tstclntwb = "./tstclntw.exe"; + +# +# HTTP Request file +# +$reqFile = "sslreq.dat"; + + diff --git a/security/nss/tests/iopr/server_scr/iopr_server.cfg b/security/nss/tests/iopr/server_scr/iopr_server.cfg new file mode 100644 index 000000000..2b196e015 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/iopr_server.cfg @@ -0,0 +1,67 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +certDir=/iopr +caCertName=TestCA +caCrlName=TestCA + +#old values +userCertNames="TestUser510-rsa TestUser512-rsa" +userRevokedCertNames="TestUser510-rsa" +reverseRunCGIScript="/cgi-bin/client.cgi" +#reverseTestParam=NOREVALL +supportedTests="SslSingleHs SslSecondHs" +#supportedTests="SslSecondHs" + + +downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt" +# Keep a space at the end of +SslClntValidCertName="TestUser512-rsa" +SslClntRevokedCertName="TestUser510-rsa" +reverseRunCGIScript="/cgi-bin/client.cgi" +#reverseTestParam=NOREVALL + +supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder" + +# +# SslSingleHs: ssl single handshake with out client cert auth +SslSingleHsDescr="ssl with single handshake without client cert auth" +SslSingleHsPort=443 +SslSingleHsUrl=/iopr_test/test_pg.html +SslSingleHsParam=NOAUTH + +# +# SslSecondHs: ssl with secondary hs when accessing direcory +# that requires cert verification +SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification" +SslSecondHsPort=443 +SslSecondHsUrl=/iopr_test_2hs/test_pg.html +SslSecondHsParam=NOCOV + +# +# OcspTrustedResponder - trusted responder key is used to sign OCSP response +# +OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response" +OcspTrustedResponderProto=http +OcspTrustedResponderPort=2560 +OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa +OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa" +OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa" +OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa" + +# +# OcspResponderCA - CA key is used to sign OCSP response +# +OcspResponderCADescr="CA key is used to sign OCSP response" +OcspResponderCAValidCertNames="ocspRCATestUser518-rsa" +OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa" +OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa" + +# +# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response +# +OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response" +OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa" +OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa" +OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa" diff --git a/security/nss/tests/iopr/server_scr/sslreq.dat b/security/nss/tests/iopr/server_scr/sslreq.dat new file mode 100644 index 000000000..2f7ad7736 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/sslreq.dat @@ -0,0 +1,2 @@ +GET / HTTP/1.0
+
diff --git a/security/nss/tests/iopr/ssl_iopr.sh b/security/nss/tests/iopr/ssl_iopr.sh new file mode 100644 index 000000000..0f9742662 --- /dev/null +++ b/security/nss/tests/iopr/ssl_iopr.sh @@ -0,0 +1,643 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/iopr/ssl_iopr.sh +# +# NSS SSL interoperability QA. This file is included from ssl.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## +IOPR_SSL_SOURCED=1 + +######################################################################## +# The functions works with variables defined in interoperability +# configuration file that was downloaded from a webserver. +# It tries to find unrevoked cert based on value of variable +# "SslClntValidCertName" defined in the configuration file. +# Params NONE. +# Returns 0 if found, 1 otherwise. +# +setValidCert() { + testUser=$SslClntValidCertName + [ -z "$testUser" ] && return 1 + return 0 +} + +######################################################################## +# The funtions works with variables defined in interoperability +# configuration file that was downloaded from a webserver. +# The function sets port, url, param and description test parameters +# that was defind for a particular type of testing. +# Params: +# $1 - supported types of testing. Currently have maximum +# of two: forward and reverse. But more can be defined. +# No return value +# +setTestParam() { + type=$1 + sslPort=`eval 'echo $'${type}Port` + sslUrl=`eval 'echo $'${type}Url` + testParam=`eval 'echo $'${type}Param` + testDescription=`eval 'echo $'${type}Descr` + [ -z "$sslPort" ] && sslPort=443 + [ -z "$sslUrl" ] && sslUrl="/iopr_test/test_pg.html" + [ "$sslUrl" = "/" ] && sslUrl="/test_pg.html" +} + + +####################################################################### +# local shell function to perform SSL Cipher Suite Coverage tests +# in interoperability mode. Tests run against web server by using nss +# test client +# Params: +# $1 - supported type of testing. +# $2 - testing host +# $3 - nss db location +# No return value +# +ssl_iopr_cov_ext_server() +{ + testType=$1 + host=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOCOV`" != "" ]; then + echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + html_head "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR" \ + "$BYPASS_STRING $NORM_EXT): $testDescription" + + setValidCert; ret=$? + if [ $ret -ne 0 ]; then + html_failed "Fail to find valid test cert(ws: $host)" + return $ret + fi + + SSL_REQ_FILE=${TMP}/sslreq.dat.$$ + echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE + echo >> $SSL_REQ_FILE + + while read ecc tls param testname therest; do + [ -z "$ecc" -o "$ecc" = "#" -o "`echo $testname | grep FIPS`" -o \ + "$ecc" = "ECC" ] && continue; + + echo "$SCRIPTNAME: running $testname ----------------------------" + TLS_FLAG=-T + if [ "$tls" = "TLS" ]; then + TLS_FLAG="" + fi + + resFile=${TMP}/$HOST.tmpRes.$$ + rm $resFile 2>/dev/null + + echo "tstclnt -p ${sslPort} -h ${host} -c ${param} ${TLS_FLAG} \\" + echo " -n $testUser -v -w nss ${CLIEN_OPTIONS} -f \\" + echo " -d ${dbDir} < ${SSL_REQ_FILE} > $resFile" + + ${BINDIR}/tstclnt -p ${sslPort} -h ${host} -c ${param} \ + ${TLS_FLAG} ${CLIEN_OPTIONS} -f -n $testUser -v -w nss \ + -d ${dbDir} < ${SSL_REQ_FILE} >$resFile 2>&1 + ret=$? + grep "ACCESS=OK" $resFile + test $? -eq 0 -a $ret -eq 0 + ret=$? + [ $ret -ne 0 ] && cat $resFile + rm -f $resFile 2>/dev/null + html_msg $ret 0 "${testname}" + done < ${SSLCOV} + rm -f $SSL_REQ_FILE 2>/dev/null + + html "</TABLE><BR>" +} + +####################################################################### +# local shell function to perform SSL Client Authentication tests +# in interoperability mode. Tests run against web server by using nss +# test client +# Params: +# $1 - supported type of testing. +# $2 - testing host +# $3 - nss db location +# No return value +# +ssl_iopr_auth_ext_server() +{ + testType=$1 + host=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOAUTH`" != "" ]; then + echo "SSL Client Authentication WebServ($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + html_head "SSL Client Authentication WebServ($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): + $testDescription" + + setValidCert;ret=$? + if [ $ret -ne 0 ]; then + html_failed "Fail to find valid test cert(ws: $host)" + return $ret + fi + + SSL_REQ_FILE=${TMP}/sslreq.dat.$$ + echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE + echo >> $SSL_REQ_FILE + + SSLAUTH_TMP=${TMP}/authin.tl.tmp + grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" > ${SSLAUTH_TMP} + + while read ecc value sparam cparam testname; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + + cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" ` + + echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \\" + echo " -d ${dbDir} -v < ${SSL_REQ_FILE}" + + resFile=${TMP}/$HOST.tmp.$$ + rm $rsFile 2>/dev/null + + ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \ + -d ${dbDir} -v < ${SSL_REQ_FILE} >$resFile 2>&1 + ret=$? + grep "ACCESS=OK" $resFile + test $? -eq 0 -a $ret -eq 0 + ret=$? + [ $ret -ne 0 ] && cat $resFile + rm $resFile 2>/dev/null + + html_msg $ret $value "${testname}. Client params: $cparam"\ + "produced a returncode of $ret, expected is $value" + done < ${SSLAUTH_TMP} + rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE} + + html "</TABLE><BR>" +} + +######################################################################## +# local shell function to perform SSL interoperability test with/out +# revoked certs tests. Tests run against web server by using nss +# test client +# Params: +# $1 - supported type of testing. +# $2 - testing host +# $3 - nss db location +# No return value +# +ssl_iopr_crl_ext_server() +{ + testType=$1 + host=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOCRL`" != "" ]; then + echo "CRL SSL Client Tests of WebServerv($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + html_head "CRL SSL Client Tests of WebServer($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): $testDescription" + + SSL_REQ_FILE=${TMP}/sslreq.dat.$$ + echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE + echo >> $SSL_REQ_FILE + + SSLAUTH_TMP=${TMP}/authin.tl.tmp + grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" | grep -v bogus | \ + grep -v none > ${SSLAUTH_TMP} + + while read ecc value sparam _cparam testname; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + + rev_modvalue=254 + for testUser in $SslClntValidCertName $SslClntRevokedCertName; do + cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" ` + + echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} \\" + echo " -f -d ${dbDir} -v ${cparam} < ${SSL_REQ_FILE}" + resFile=${TMP}/$HOST.tmp.$$ + rm -f $resFile 2>/dev/null + ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \ + -d ${dbDir} -v < ${SSL_REQ_FILE} \ + > $resFile 2>&1 + ret=$? + grep "ACCESS=OK" $resFile + test $? -eq 0 -a $ret -eq 0 + ret=$? + [ $ret -ne 0 ] && ret=$rev_modvalue; + [ $ret -ne 0 ] && cat $resFile + rm -f $resFile 2>/dev/null + + if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then + modvalue=$rev_modvalue + testAddMsg="revoked" + else + testAddMsg="not revoked" + modvalue=$value + fi + html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + done + done < ${SSLAUTH_TMP} + rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE} + + html "</TABLE><BR>" +} + + +######################################################################## +# local shell function to perform SSL Cipher Coverage tests of nss server +# by invoking remote test client on web server side. +# Invoked only if reverse testing is supported by web server. +# Params: +# $1 - remote web server host +# $2 - open port to connect to invoke CGI script +# $3 - host where selfserv is running(name of the host nss tests +# are running) +# $4 - port where selfserv is running +# $5 - selfserv nss db location +# No return value +# +ssl_iopr_cov_ext_client() +{ + host=$1 + port=$2 + sslHost=$3 + sslPort=$4 + serDbDir=$5 + + html_head "SSL Cipher Coverage of SelfServ $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT" + + setValidCert + ret=$? + if [ $res -ne 0 ]; then + html_failed "Fail to find valid test cert(ws: $host)" + return $ret + fi + + # P_R_SERVERDIR switch require for selfserv to work. + # Will be restored after test + OR_P_R_SERVERDIR=$P_R_SERVERDIR + P_R_SERVERDIR=$serDbDir + OR_P_R_CLIENTDIR=$P_R_CLIENTDIR + P_R_CLIENTDIR=$serDbDir + testname="" + sparam="-vvvc ABCDEFcdefgijklmnvyz" + # Launch the server + start_selfserv + + while read ecc tls param cipher therest; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + echo "============= Beginning of the test ====================" + echo + + is_selfserv_alive + + TEST_IN=${TMP}/${HOST}_IN.tmp.$$ + TEST_OUT=${TMP}/$HOST.tmp.$$ + rm -f $TEST_IN $TEST_OUT 2>/dev/null + + echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser&cipher=$cipher HTTP/1.0" > $TEST_IN + echo >> $TEST_IN + + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Command ----------------------" + echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h $host \< $TEST_IN \>\> $TEST_OUT + + ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h $host <$TEST_IN > $TEST_OUT + + echo "------- Server output Begin ----------" + cat $TEST_OUT + echo "------- Server output End ----------" + + echo "Checking for errors in log file..." + grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null + if [ $? -eq 0 ]; then + grep "cipher is not supported" $TEST_OUT 2>&1 >/dev/null + if [ $? -eq 0 ]; then + echo "Skiping test: no support for the cipher $cipher on server side" + continue + fi + + grep -i "SERVER ERROR:" $TEST_OUT + ret=$? + if [ $ret -eq 0 ]; then + echo "Found problems. Reseting exit code to failure." + + ret=1 + else + ret=0 + fi + else + echo "Script was not executed. Reseting exit code to failure." + ret=11 + fi + + html_msg $ret 0 "Test ${cipher}. Server params: $sparam " \ + " produced a returncode of $ret, expected is 0" + rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null + done < ${SSLCOV} + kill_selfserv + + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR + + rm -f ${TEST_IN} ${TEST_OUT} + html "</TABLE><BR>" +} + +######################################################################## +# local shell function to perform SSL Authentication tests of nss server +# by invoking remove test client on web server side +# Invoked only if reverse testing is supported by web server. +# Params: +# $1 - remote web server host +# $2 - open port to connect to invoke CGI script +# $3 - host where selfserv is running(name of the host nss tests +# are running) +# $4 - port where selfserv is running +# $5 - selfserv nss db location +# No return value +# +ssl_iopr_auth_ext_client() +{ + host=$1 + port=$2 + sslHost=$3 + sslPort=$4 + serDbDir=$5 + + html_head "SSL Client Authentication with Selfserv from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT" + + setValidCert + ret=$? + if [ $res -ne 0 ]; then + html_failed "Fail to find valid test cert(ws: $host)" + return $ret + fi + + OR_P_R_SERVERDIR=$P_R_SERVERDIR + P_R_SERVERDIR=${serDbDir} + OR_P_R_CLIENTDIR=$P_R_CLIENTDIR + P_R_CLIENTDIR=${serDbDir} + + SSLAUTH_TMP=${TMP}/authin.tl.tmp + + grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP} + + while read ecc value sparam cparam testname; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + + echo "Server params: $sparam" + sparam=$sparam" -vvvc ABCDEFcdefgijklmnvyz" + start_selfserv + + TEST_IN=${TMP}/$HOST_IN.tmp.$$ + TEST_OUT=${TMP}/$HOST.tmp.$$ + rm -f $TEST_IN $TEST_OUT 2>/dev/null + + echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN + echo >> $TEST_IN + + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Command ----------------------" + echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h $host \< $TEST_IN \>\> $TEST_OUT + + ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h $host <$TEST_IN > $TEST_OUT + + echo "------- Server output Begin ----------" + cat $TEST_OUT + echo "------- Server output End ----------" + + echo "Checking for errors in log file..." + grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null + if [ $? -eq 0 ]; then + echo "Checking for error in log file..." + grep -i "SERVER ERROR:" $TEST_OUT + ret=$? + if [ $ret -eq 0 ]; then + echo "Found problems. Reseting exit code to failure." + ret=1 + else + ret=0 + fi + else + echo "Script was not executed. Reseting exit code to failure." + ret=11 + fi + + html_msg $ret $value "${testname}. Server params: $sparam"\ + "produced a returncode of $ret, expected is $value" + kill_selfserv + rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null + done < ${SSLAUTH_TMP} + + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR + + rm -f ${SSLAUTH_TMP} ${TEST_IN} ${TEST_OUT} + html "</TABLE><BR>" +} + +######################################################################### +# local shell function to perform SSL CRL testing of nss server +# by invoking remote test client on web server side +# Invoked only if reverse testing is supported by web server. +# Params: +# $1 - remote web server host +# $2 - open port to connect to invoke CGI script +# $3 - host where selfserv is running(name of the host nss tests +# are running) +# $4 - port where selfserv is running +# $5 - selfserv nss db location +# No return value +# +ssl_iopr_crl_ext_client() +{ + host=$1 + port=$2 + sslHost=$3 + sslPort=$4 + serDbDir=$5 + + html_head "CRL SSL Selfserv Tests from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT" + + OR_P_R_SERVERDIR=$P_R_SERVERDIR + P_R_SERVERDIR=${serDbDir} + OR_P_R_CLIENTDIR=$P_R_CLIENTDIR + P_R_CLIENTDIR=$serDbDir + + SSLAUTH_TMP=${TMP}/authin.tl.tmp + grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP} + + while read ecc value sparam _cparam testname; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + sparam="$sparam -vvvc ABCDEFcdefgijklmnvyz" + start_selfserv + + for testUser in $SslClntValidCertName $SslClntRevokedCertName; do + + is_selfserv_alive + + TEST_IN=${TMP}/${HOST}_IN.tmp.$$ + TEST_OUT=${TMP}/$HOST.tmp.$$ + rm -f $TEST_IN $TEST_OUT 2>/dev/null + + echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN + echo >> $TEST_IN + + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Command ----------------------" + echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h ${host} \< $TEST_IN \>\> $TEST_OUT + + ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h ${host} <$TEST_IN > $TEST_OUT + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Server output Begin ----------" + cat $TEST_OUT + echo "------- Server output End ----------" + + echo "Checking for errors in log file..." + grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null + if [ $? -eq 0 ]; then + grep -i "SERVER ERROR:" $TEST_OUT + ret=$? + if [ $ret -eq 0 ]; then + echo "Found problems. Reseting exit code to failure." + ret=1 + else + ret=0 + fi + else + echo "Script was not executed. Reseting exit code to failure." + ret=11 + fi + + if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then + modvalue=1 + testAddMsg="revoked" + else + testAddMsg="not revoked" + modvalue=0 + fi + + html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue(selfserv args: $sparam)" + rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null + done + kill_selfserv + done < ${SSLAUTH_TMP} + + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR + + rm -f ${SSLAUTH_TMP} + html "</TABLE><BR>" +} + +##################################################################### +# Initial point for running ssl test againt multiple hosts involved in +# interoperability testing. Called from nss/tests/ssl/ssl.sh +# It will only proceed with test run for a specific host if environment variable +# IOPR_HOSTADDR_LIST was set, had the host name in the list +# and all needed file were successfully downloaded and installed for the host. +# +# Returns 1 if interoperability testing is off, 0 otherwise. +# +ssl_iopr_run() { + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + cd ${CLIENTDIR} + + ORIG_ECC_CERT=${NO_ECC_CERTS} + NO_ECC_CERTS=1 # disable ECC for interoperability tests + + NSS_SSL_ENABLE_RENEGOTIATION=u + export NSS_SSL_ENABLE_RENEGOTIATION + + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443 + + . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + RES=$? + + if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + continue + fi + + #======================================================= + # Check if server is capable to run ssl tests + # + [ -z "`echo ${supportedTests_new} | grep -i ssl`" ] && continue; + + # Testing directories defined by webserver. + echo "Testing ssl interoperability. + Client: local(tstclnt). + Server: remote($IOPR_HOSTADDR:$IOPR_OPEN_PORT)" + + for sslTestType in ${supportedTests_new}; do + if [ -z "`echo $sslTestType | grep -i ssl`" ]; then + continue + fi + ssl_iopr_cov_ext_server $sslTestType ${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} + ssl_iopr_auth_ext_server $sslTestType ${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} + ssl_iopr_crl_ext_server $sslTestType ${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} + done + + + # Testing selfserv with client located at the webserver. + echo "Testing ssl interoperability. + Client: remote($IOPR_HOSTADDR:$PORT) + Server: local(selfserv)" + ssl_iopr_cov_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \ + ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} + ssl_iopr_auth_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \ + ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} + ssl_iopr_crl_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \ + ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} + echo "================================================" + echo "Done testing interoperability with $IOPR_HOSTADDR" + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + done + NO_ECC_CERTS=${ORIG_ECC_CERTS} + return 0 +} + diff --git a/security/nss/tests/jss_dll_version.sh b/security/nss/tests/jss_dll_version.sh new file mode 100755 index 000000000..cb29c4a1a --- /dev/null +++ b/security/nss/tests/jss_dll_version.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +# version controll for DLLs +# ToDo: make version parameter or find version from first occurance of 3.x +# make the 3 a variable..., include the header + +for w in `find . -name "libjss3.s[ol]"` +do + NOWHAT=FALSE + NOIDENT=FALSE + echo $w + what $w | grep JSS || NOWHAT=TRUE + ident $w | grep JSS || NOIDENT=TRUE + if [ $NOWHAT = TRUE ] + then + echo "ERROR what $w does not contain JSS" + fi + if [ $NOIDENT = TRUE ] + then + echo "ERROR ident $w does not contain JSS" + fi +done diff --git a/security/nss/tests/jssdir b/security/nss/tests/jssdir new file mode 100755 index 000000000..1609fbfcf --- /dev/null +++ b/security/nss/tests/jssdir @@ -0,0 +1,28 @@ +if ( "$2" == "" ) then + setenv BUILDDATE `date +%m%d` +else + setenv BUILDDATE $2 +endif + +if ( "$1" == "" ) then + setenv JSSVER tip +else + setenv JSSVER $1 +endif + +if ( ! ${?QAYEAR} ) then + setenv QAYEAR `date +%Y` +else if ( "$QAYEAR" == "" ) then + setenv QAYEAR `date +%Y` + +endif + +setenv JSS_VER_DIR /share/builds/mccrel3/jss/jss$JSSVER +setenv NTDIST ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/blowfish_NT4.0_Win95/mozilla/dist +setenv UXDIST ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/dist +setenv TESTSCRIPTDIR ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/security/jss/tests +setenv RESULTDIR ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/tests_results/security + +cd ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8 +pwd +ls diff --git a/security/nss/tests/jssqa b/security/nss/tests/jssqa new file mode 100755 index 000000000..d5356b9e8 --- /dev/null +++ b/security/nss/tests/jssqa @@ -0,0 +1,220 @@ +#! /bin/sh + +######################################################################## +# +# /u/sonmi/bin/jssqa +# +# this script is supposed to automatically run - now a sanity test, later QA for +# JSS on all required Unix and Windows (NT and 2000) platforms +# +# parameters +# ---------- +# jssversion (supported: 31, tip) +# builddate (default - today) +# +# options +# ------- +# -y answer all questions with y - use at your own risk...ignores warnings +# -s silent (only usefull with -y) +# -h, -? - you guessed right - displays this text +# -d debug +# -f <filename> - write the (error)output to filename +# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.nssqa +# +######################################################################## + +O_OPTIONS=ON # accept options (see above for listing) +WIN_WAIT_FOREVER=OFF # don't wait for the NSS testdir +PRODUCT_TO_TEST="JSS" +JSS_NSPR_DIR="/share/builds/components/nspr20/v4.1.2" +JSS_NSS_DIR="/share/builds/components/nss/NSS_3_3_1_RTM" +JSS_NSS_UX_SRC_DIR="nss331/builds/20010928.2.331-RTM/booboo_Solaris8" +JSS_NSS_NT_SRC_DIR="nss331/builds/20010928.2.331-RTM/blowfish_NT4.0_Win95" +JSS_NSS_SRC_DIR=$JSS_NSS_UX_SRC_DIR +NATIVE_FLAG="" + +. `dirname $0`/header # utilities, shellfunctions etc, global to NSS and JSS QA + +if [ -z "$O_TBX" -o "$O_TBX" != "ON" ] ; then + is_running ${TMP}/jssqa + # checks if the file exists, if yes Exits, if not + # creates to implement a primitive locking mechanism +fi + +INTERNAL_TOKEN="NSS Certificate DB" +SIGTEST_INTERNAL_TOKEN="Internal Key Storage Token" + +################################ jss_init ######################### +# +# Most of the procedure is setting up the test environment. +# set all necessary dir and file variables, set all paths, copy the shared libs +# Put all the shared libraries into a lib directory, <libdir>. +# including the libjss3.so that was built by the build process. +# set LD_LIBRARY PATH and CLASSPATH +# The xpclass.jar produced by the JSS build needs to be in the classpath. +# The classpath must also include the current directory so we can run our test +# programs. +################################################################################ + +jss_init() +{ + Debug "Jss init" + #correct all directories that the header has set... + NTDIST=`echo $NTDIST | sed -e 's/nss/jss/g'` + UXDIST=`echo $UXDIST | sed -e 's/nss/jss/g'` + RESULTDIR=`echo $RESULTDIR | sed -e 's/nss/jss/g'` + mkdir -p ${RESULTDIR} 2>/dev/null + JSS_LOGFILE=${RESULTDIR}/${HOST}.txt + FILENAME=$JSS_LOGFILE + O_FILE=ON + + MOZILLA_ROOT=`echo $MOZILLA_ROOT | sed -e 's/nss/jss/g'` + + JSS_SAMPLES="$MOZILLA_ROOT/security/jss/samples" + JSS_CLASSPATH=`echo $MOZILLA_ROOT | + sed -e "s/jss$NSSVER.builds/jss$NSSVER\/ships/g" -e "s/mozilla/jss\/${QAYEAR}${BUILDDATE}/"` + Debug "JSS_CLASSPATH=$JSS_CLASSPATH" + Debug "JSS_SAMPLES=$JSS_SAMPLES" + + if [ ! -d $JSS_SAMPLES ] ; then + if [ "$O_WIN" = "ON" -a "$WIN_WAIT_FOREVER" = "ON" ] + then + WaitForever $JSS_SAMPLES/TestKeyGen.java 1 + else + Exit "Test directory $JSS_SAMPLES does not exist" + fi + fi + + PWFILE="$JSS_SAMPLES/passwd" + EMPTYFILE="$JSS_SAMPLES/emptyfile" + rm $PWFILE $EMPTYFILE 2>/dev/null + echo "jss" >$PWFILE + echo "" >$EMPTYFILE + echo "" >>$EMPTYFILE + echo "" >>$EMPTYFILE + + INIT_PATH=$PATH + INIT_LD_LIBRARY_PATH=$LD_LIBRARY_PATH +} + + +jss_mode_init() +{ + OBJDIR=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name` + + LOCALDIST_BIN=`echo $LOCALDIST_BIN | sed -e 's/nss/jss/g'` + LOCALDIST_LIB=$LOCALDIST_BIN/../lib + debug_dirs + + #make testdir/libdir + + JSS_LIBDIR=${RESULTDIR}/${HOST}.libdir/${OBJDIR} + mkdir -p ${JSS_LIBDIR} 2>/dev/null + Debug "JSS_LIBDIR=$JSS_LIBDIR" + + #Put all the shared libraries into a lib directory + Debug "copy all needed libs to ${JSS_LIBDIR}" + cp $JSS_NSPR_DIR/${OBJDIR}/lib/* ${JSS_LIBDIR} + cp $JSS_NSS_DIR/${OBJDIR}/lib/* ${JSS_LIBDIR} + cp $LOCALDIST_LIB/libjss3.* ${JSS_LIBDIR} + #FIXME uncomment above + + if [ $O_DEBUG = ON ] ; then + Debug "ls $JSS_LIBDIR" + ls $JSS_LIBDIR + fi + + #LD_LIBRARY_PATH=$INIT_LD_LIBRARY_PATH:${JSS_LIBDIR} + LD_LIBRARY_PATH=${JSS_LIBDIR} #remove to avoid HP coredump + CLASSPATH="$JSS_CLASSPATH/xpclass.jar:." + + SHLIB_PATH=${LD_LIBRARY_PATH} + LIBPATH=${LD_LIBRARY_PATH} + + PATH=$JSS_NSPR_DIR/${OBJDIR}/bin:$JSS_NSS_DIR/${OBJDIR}//bin:$INIT_PATH + Debug "PATH $PATH" + Debug "LD_LIBRARY_PATH $LD_LIBRARY_PATH" + Debug "CLASSPATH=$CLASSPATH" + + export CLASSPATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH + export TESTSCRIPTDIR COMMON + export_dirs +} + + +################################ jss_test ######################### +# +# go into the build tree. cd to mozilla/security/jss/samples. +# Create NSS directories in this directory with modutil and set the password +# +#6. Create an alias for the "java" and "javac" commands. You'll need to set +#it to whatever version of the JDK you used to build on this platform. For +#example, + #alias java /share/builds/components/cms_jdk/AIX/1.3.0/jre/bin/java + #alias javac /share/builds/components/cms_jdk/AIX/1.3.0/bin/javac +# instead $JAVA and $JAVAC +# 7. Compile the tests. +##################################################################### +jss_test() +{ + O_FILE=OFF + Debug "JSS main test" + #set -x + cd $JSS_SAMPLES + + Debug "Cleaning $JSS_SAMPLES" + rm cert7.db key3.db 2>/dev/null + + Debug "echo | modutil -dbdir . -create -force" + echo | modutil -dbdir . -create -force + Debug "modutil returned $?" + + modutil -dbdir . -list + + Debug "echo | modutil -dbdir . -changepw \"$INTERNAL_TOKEN\" -newpwfile $PWFILE -force" + modutil -dbdir . -changepw "$INTERNAL_TOKEN" -newpwfile $PWFILE -force <$EMPTYFILE + #modutil -dbdir . -changepw "$INTERNAL_TOKEN" -pwfile $PWFILE -newpwfile $PWFILE <$EMPTYFILE + Debug "modutil returned $?" + + Debug "$JAVAC TestKeyGen.java" + $JAVAC TestKeyGen.java + Debug "$JAVAC TestKeyGen.java returned $?" + + Debug "$JAVAC SigTest.java" + $JAVAC SigTest.java + Debug "$JAVAC SigTest.java returned $?" + + echo "Starting new jss test on $HOST" + date + + # Run the actual tests + + Debug "$JAVA $NATIVE_FLAG TestKeyGen ." + $JAVA $NATIVE_FLAG TestKeyGen . + Debug "$JAVA TestKeyGen returned $?" + + Debug "$JAVA $NATIVE_FLAG SigTest . \"$SIGTEST_INTERNAL_TOKEN\"" + $JAVA $NATIVE_FLAG SigTest . "$SIGTEST_INTERNAL_TOKEN" + Debug "$JAVA SigTest returned $?" + + O_FILE=ON +} + +jss_init +jss_mode_init + +if [ "$O_CRON" = "ON" -o "$O_WIN" = "ON" ] +then + jss_test >>$JSS_LOGFILE 2>&1 +else + jss_test 2>&1 | tee -a $JSS_LOGFILE +fi +BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT" +jss_mode_init +if [ "$O_CRON" = "ON" -o "$O_WIN" = "ON" ] +then + jss_test >>$JSS_LOGFILE 2>&1 +else + jss_test 2>&1 | tee -a $JSS_LOGFILE +fi +Exit "jssqa completed. Done `uname -n` $QA_OS_STRING" diff --git a/security/nss/tests/libpkix/cert_trust.map b/security/nss/tests/libpkix/cert_trust.map new file mode 100644 index 000000000..c992435f9 --- /dev/null +++ b/security/nss/tests/libpkix/cert_trust.map @@ -0,0 +1,6 @@ +TestCA.ca CT,C,C +TestUser50 ,, +TestUser51 ,, +PayPalRootCA CT,C,C +PayPalICA ,, +PayPalEE ,, diff --git a/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert b/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert Binary files differnew file mode 100644 index 000000000..30d2f18c3 --- /dev/null +++ b/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert diff --git a/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt b/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt Binary files differnew file mode 100755 index 000000000..efc2f2cd5 --- /dev/null +++ b/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt diff --git a/security/nss/tests/libpkix/certs/GoodCACert.crt b/security/nss/tests/libpkix/certs/GoodCACert.crt Binary files differnew file mode 100644 index 000000000..5aecbc0cf --- /dev/null +++ b/security/nss/tests/libpkix/certs/GoodCACert.crt diff --git a/security/nss/tests/libpkix/certs/NameConstraints.ca.cert b/security/nss/tests/libpkix/certs/NameConstraints.ca.cert Binary files differnew file mode 100644 index 000000000..6d2e8469d --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.ca.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.cert b/security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.cert Binary files differnew file mode 100644 index 000000000..539adcfee --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.dcissallowed.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.cert b/security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.cert Binary files differnew file mode 100644 index 000000000..28f84919d --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.dcissblocked.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.cert b/security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.cert Binary files differnew file mode 100644 index 000000000..a3fbd91f3 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.dcisscopy.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert Binary files differnew file mode 100644 index 000000000..a310aa1ac --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert Binary files differnew file mode 100644 index 000000000..fc4b7c1c1 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert Binary files differnew file mode 100644 index 000000000..051e55e56 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert Binary files differnew file mode 100644 index 000000000..6e7efd53e --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert Binary files differnew file mode 100644 index 000000000..823eccc05 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert b/security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert Binary files differnew file mode 100644 index 000000000..a2f17054e --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.ncca.cert b/security/nss/tests/libpkix/certs/NameConstraints.ncca.cert Binary files differnew file mode 100644 index 000000000..ecb24c7d5 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.ncca.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server1.cert b/security/nss/tests/libpkix/certs/NameConstraints.server1.cert Binary files differnew file mode 100644 index 000000000..60e8a1c69 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server1.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server10.cert b/security/nss/tests/libpkix/certs/NameConstraints.server10.cert Binary files differnew file mode 100644 index 000000000..21d9e8767 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server10.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server11.cert b/security/nss/tests/libpkix/certs/NameConstraints.server11.cert Binary files differnew file mode 100644 index 000000000..c458c8ce7 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server11.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server12.cert b/security/nss/tests/libpkix/certs/NameConstraints.server12.cert Binary files differnew file mode 100644 index 000000000..1a4e6fec2 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server12.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server13.cert b/security/nss/tests/libpkix/certs/NameConstraints.server13.cert Binary files differnew file mode 100644 index 000000000..8b7295fb2 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server13.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server14.cert b/security/nss/tests/libpkix/certs/NameConstraints.server14.cert Binary files differnew file mode 100644 index 000000000..8a989f996 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server14.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server15.cert b/security/nss/tests/libpkix/certs/NameConstraints.server15.cert Binary files differnew file mode 100644 index 000000000..69d057c9a --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server15.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server16.cert b/security/nss/tests/libpkix/certs/NameConstraints.server16.cert Binary files differnew file mode 100644 index 000000000..0b24d7abb --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server16.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server17.cert b/security/nss/tests/libpkix/certs/NameConstraints.server17.cert Binary files differnew file mode 100644 index 000000000..2fc9437cd --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server17.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server2.cert b/security/nss/tests/libpkix/certs/NameConstraints.server2.cert Binary files differnew file mode 100644 index 000000000..1c6e5510d --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server2.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server3.cert b/security/nss/tests/libpkix/certs/NameConstraints.server3.cert Binary files differnew file mode 100644 index 000000000..bd93572dd --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server3.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server4.cert b/security/nss/tests/libpkix/certs/NameConstraints.server4.cert Binary files differnew file mode 100644 index 000000000..ca9d1b1c3 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server4.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server5.cert b/security/nss/tests/libpkix/certs/NameConstraints.server5.cert Binary files differnew file mode 100644 index 000000000..1798de766 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server5.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server6.cert b/security/nss/tests/libpkix/certs/NameConstraints.server6.cert Binary files differnew file mode 100644 index 000000000..5698f8ebd --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server6.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server7.cert b/security/nss/tests/libpkix/certs/NameConstraints.server7.cert Binary files differnew file mode 100644 index 000000000..3cf85d047 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server7.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server8.cert b/security/nss/tests/libpkix/certs/NameConstraints.server8.cert Binary files differnew file mode 100644 index 000000000..f0694ed03 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server8.cert diff --git a/security/nss/tests/libpkix/certs/NameConstraints.server9.cert b/security/nss/tests/libpkix/certs/NameConstraints.server9.cert Binary files differnew file mode 100644 index 000000000..517c0ae31 --- /dev/null +++ b/security/nss/tests/libpkix/certs/NameConstraints.server9.cert diff --git a/security/nss/tests/libpkix/certs/OCSPCA1.cert b/security/nss/tests/libpkix/certs/OCSPCA1.cert Binary files differnew file mode 100644 index 000000000..cac92b790 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA1.cert diff --git a/security/nss/tests/libpkix/certs/OCSPCA1.p12 b/security/nss/tests/libpkix/certs/OCSPCA1.p12 Binary files differnew file mode 100644 index 000000000..82cc31034 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA1.p12 diff --git a/security/nss/tests/libpkix/certs/OCSPCA2.cert b/security/nss/tests/libpkix/certs/OCSPCA2.cert Binary files differnew file mode 100644 index 000000000..3dd31100f --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA2.cert diff --git a/security/nss/tests/libpkix/certs/OCSPCA2.p12 b/security/nss/tests/libpkix/certs/OCSPCA2.p12 Binary files differnew file mode 100644 index 000000000..1c03d0d7e --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA2.p12 diff --git a/security/nss/tests/libpkix/certs/OCSPCA3.cert b/security/nss/tests/libpkix/certs/OCSPCA3.cert Binary files differnew file mode 100644 index 000000000..7d0645830 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA3.cert diff --git a/security/nss/tests/libpkix/certs/OCSPCA3.p12 b/security/nss/tests/libpkix/certs/OCSPCA3.p12 Binary files differnew file mode 100644 index 000000000..610eb50a1 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPCA3.p12 diff --git a/security/nss/tests/libpkix/certs/OCSPEE11.cert b/security/nss/tests/libpkix/certs/OCSPEE11.cert Binary files differnew file mode 100644 index 000000000..093756d3d --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE11.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE12.cert b/security/nss/tests/libpkix/certs/OCSPEE12.cert Binary files differnew file mode 100644 index 000000000..14cd5b9ce --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE12.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE13.cert b/security/nss/tests/libpkix/certs/OCSPEE13.cert Binary files differnew file mode 100644 index 000000000..058b59d80 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE13.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE14.cert b/security/nss/tests/libpkix/certs/OCSPEE14.cert Binary files differnew file mode 100644 index 000000000..4f937b9e9 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE14.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE15.cert b/security/nss/tests/libpkix/certs/OCSPEE15.cert Binary files differnew file mode 100644 index 000000000..fbb2000dd --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE15.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE21.cert b/security/nss/tests/libpkix/certs/OCSPEE21.cert Binary files differnew file mode 100644 index 000000000..a3f1305fd --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE21.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE22.cert b/security/nss/tests/libpkix/certs/OCSPEE22.cert Binary files differnew file mode 100644 index 000000000..198f2068d --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE22.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE23.cert b/security/nss/tests/libpkix/certs/OCSPEE23.cert Binary files differnew file mode 100644 index 000000000..32b3a631d --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE23.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE31.cert b/security/nss/tests/libpkix/certs/OCSPEE31.cert Binary files differnew file mode 100644 index 000000000..3df0f62cb --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE31.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE32.cert b/security/nss/tests/libpkix/certs/OCSPEE32.cert Binary files differnew file mode 100644 index 000000000..9bf5354ab --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE32.cert diff --git a/security/nss/tests/libpkix/certs/OCSPEE33.cert b/security/nss/tests/libpkix/certs/OCSPEE33.cert Binary files differnew file mode 100644 index 000000000..4a3c10228 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPEE33.cert diff --git a/security/nss/tests/libpkix/certs/OCSPRoot.cert b/security/nss/tests/libpkix/certs/OCSPRoot.cert Binary files differnew file mode 100644 index 000000000..8abc6bc87 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPRoot.cert diff --git a/security/nss/tests/libpkix/certs/OCSPRoot.p12 b/security/nss/tests/libpkix/certs/OCSPRoot.p12 Binary files differnew file mode 100644 index 000000000..166baf3f4 --- /dev/null +++ b/security/nss/tests/libpkix/certs/OCSPRoot.p12 diff --git a/security/nss/tests/libpkix/certs/PayPalEE.cert b/security/nss/tests/libpkix/certs/PayPalEE.cert Binary files differnew file mode 100644 index 000000000..d71fbb501 --- /dev/null +++ b/security/nss/tests/libpkix/certs/PayPalEE.cert diff --git a/security/nss/tests/libpkix/certs/PayPalICA.cert b/security/nss/tests/libpkix/certs/PayPalICA.cert Binary files differnew file mode 100644 index 000000000..07e025def --- /dev/null +++ b/security/nss/tests/libpkix/certs/PayPalICA.cert diff --git a/security/nss/tests/libpkix/certs/PayPalRootCA.cert b/security/nss/tests/libpkix/certs/PayPalRootCA.cert Binary files differnew file mode 100644 index 000000000..dae019650 --- /dev/null +++ b/security/nss/tests/libpkix/certs/PayPalRootCA.cert diff --git a/security/nss/tests/libpkix/certs/TestCA.ca.cert b/security/nss/tests/libpkix/certs/TestCA.ca.cert Binary files differnew file mode 100644 index 000000000..929b793d3 --- /dev/null +++ b/security/nss/tests/libpkix/certs/TestCA.ca.cert diff --git a/security/nss/tests/libpkix/certs/TestUser50.cert b/security/nss/tests/libpkix/certs/TestUser50.cert Binary files differnew file mode 100644 index 000000000..ed71727fa --- /dev/null +++ b/security/nss/tests/libpkix/certs/TestUser50.cert diff --git a/security/nss/tests/libpkix/certs/TestUser51.cert b/security/nss/tests/libpkix/certs/TestUser51.cert Binary files differnew file mode 100644 index 000000000..1b45db286 --- /dev/null +++ b/security/nss/tests/libpkix/certs/TestUser51.cert diff --git a/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt b/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt Binary files differnew file mode 100644 index 000000000..21f520ee5 --- /dev/null +++ b/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt diff --git a/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt b/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt Binary files differnew file mode 100644 index 000000000..26985c9f6 --- /dev/null +++ b/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt diff --git a/security/nss/tests/libpkix/certs/anchor2dsa b/security/nss/tests/libpkix/certs/anchor2dsa Binary files differnew file mode 100755 index 000000000..a1f9e05f6 --- /dev/null +++ b/security/nss/tests/libpkix/certs/anchor2dsa diff --git a/security/nss/tests/libpkix/certs/crldiff.crl b/security/nss/tests/libpkix/certs/crldiff.crl Binary files differnew file mode 100755 index 000000000..d076ef89f --- /dev/null +++ b/security/nss/tests/libpkix/certs/crldiff.crl diff --git a/security/nss/tests/libpkix/certs/crlgood.crl b/security/nss/tests/libpkix/certs/crlgood.crl Binary files differnew file mode 100755 index 000000000..1ad019ed1 --- /dev/null +++ b/security/nss/tests/libpkix/certs/crlgood.crl diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert Binary files differnew file mode 100755 index 000000000..a1afd6a2d --- /dev/null +++ b/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert Binary files differnew file mode 100755 index 000000000..55568917c --- /dev/null +++ b/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert Binary files differnew file mode 100755 index 000000000..f9c83dc95 --- /dev/null +++ b/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnCert b/security/nss/tests/libpkix/certs/generalName/altNameDnCert Binary files differnew file mode 100755 index 000000000..43dac7341 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameDnCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff Binary files differnew file mode 100755 index 000000000..04d133f74 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnsCert b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert Binary files differnew file mode 100755 index 000000000..63754141a --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff Binary files differnew file mode 100755 index 000000000..4fe947e73 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff diff --git a/security/nss/tests/libpkix/certs/generalName/altNameEdiCert b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert Binary files differnew file mode 100755 index 000000000..95ec20423 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff Binary files differnew file mode 100755 index 000000000..50e5440d9 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff diff --git a/security/nss/tests/libpkix/certs/generalName/altNameIpCert b/security/nss/tests/libpkix/certs/generalName/altNameIpCert Binary files differnew file mode 100755 index 000000000..5f0e528a1 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameIpCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff Binary files differnew file mode 100755 index 000000000..2407be54f --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff diff --git a/security/nss/tests/libpkix/certs/generalName/altNameNoneCert b/security/nss/tests/libpkix/certs/generalName/altNameNoneCert Binary files differnew file mode 100755 index 000000000..f9c83dc95 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameNoneCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOidCert b/security/nss/tests/libpkix/certs/generalName/altNameOidCert Binary files differnew file mode 100755 index 000000000..fa92c9ecd --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameOidCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff Binary files differnew file mode 100755 index 000000000..635e4d143 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOtherCert b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert Binary files differnew file mode 100755 index 000000000..bdfc7cb6a --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff Binary files differnew file mode 100755 index 000000000..bfc8a7973 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert Binary files differnew file mode 100755 index 000000000..9ad3271ab --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff Binary files differnew file mode 100755 index 000000000..b8e5b2e70 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert b/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert Binary files differnew file mode 100755 index 000000000..89be1811d --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameUriCert b/security/nss/tests/libpkix/certs/generalName/altNameUriCert Binary files differnew file mode 100755 index 000000000..1f46e79f0 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameUriCert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff Binary files differnew file mode 100755 index 000000000..864e86fb5 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff diff --git a/security/nss/tests/libpkix/certs/generalName/altNameX400Cert b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert Binary files differnew file mode 100755 index 000000000..b0d10cf32 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert diff --git a/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff Binary files differnew file mode 100755 index 000000000..652388847 --- /dev/null +++ b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff diff --git a/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu b/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu Binary files differnew file mode 100755 index 000000000..3f3452683 --- /dev/null +++ b/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu diff --git a/security/nss/tests/libpkix/certs/hy2hc-bc b/security/nss/tests/libpkix/certs/hy2hc-bc Binary files differnew file mode 100755 index 000000000..691b8d982 --- /dev/null +++ b/security/nss/tests/libpkix/certs/hy2hc-bc diff --git a/security/nss/tests/libpkix/certs/hy2hy-bc0 b/security/nss/tests/libpkix/certs/hy2hy-bc0 Binary files differnew file mode 100755 index 000000000..18b5fe4a8 --- /dev/null +++ b/security/nss/tests/libpkix/certs/hy2hy-bc0 diff --git a/security/nss/tests/libpkix/certs/issuer-hanfei.crl b/security/nss/tests/libpkix/certs/issuer-hanfei.crl Binary files differnew file mode 100755 index 000000000..6c9f0dbaa --- /dev/null +++ b/security/nss/tests/libpkix/certs/issuer-hanfei.crl diff --git a/security/nss/tests/libpkix/certs/issuer-none.crl b/security/nss/tests/libpkix/certs/issuer-none.crl Binary files differnew file mode 100755 index 000000000..c1c83ba2c --- /dev/null +++ b/security/nss/tests/libpkix/certs/issuer-none.crl diff --git a/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert b/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert Binary files differnew file mode 100755 index 000000000..7eae4863e --- /dev/null +++ b/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert diff --git a/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert b/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert Binary files differnew file mode 100755 index 000000000..a1f9e05f6 --- /dev/null +++ b/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert diff --git a/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert b/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert Binary files differnew file mode 100755 index 000000000..11a132d10 --- /dev/null +++ b/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert diff --git a/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert b/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert Binary files differnew file mode 100755 index 000000000..9b9377119 --- /dev/null +++ b/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert diff --git a/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert b/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert Binary files differnew file mode 100755 index 000000000..f9c83dc95 --- /dev/null +++ b/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert diff --git a/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert b/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert Binary files differnew file mode 100755 index 000000000..c58d9a2aa --- /dev/null +++ b/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert diff --git a/security/nss/tests/libpkix/certs/make-ca-u50-u51 b/security/nss/tests/libpkix/certs/make-ca-u50-u51 new file mode 100755 index 000000000..5d8f920a9 --- /dev/null +++ b/security/nss/tests/libpkix/certs/make-ca-u50-u51 @@ -0,0 +1,37 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +mkdir tmp +cd tmp +dd if=/dev/urandom bs=512 count=1 of=noise +echo "" > pwfile + +certutil -d . -N -f pwfile + +certutil -S -z noise -g 1024 -d . -n ca -s "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t C,C,C -x -m 1 -w -1 -v 600 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n u50 -s "CN=TestUser50,E=TestUser50@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 50 -v 598 + +certutil -S -z noise -g 1024 -d . -n u51 -s "CN=TestUser51,E=TestUser51@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 51 -v 598 + +certutil -d . -L -n ca -r > TestCA.ca.cert +certutil -d . -L -n u50 -r > TestUser50.cert +certutil -d . -L -n u51 -r > TestUser51.cert + +echo "Created multiple files in subdirectory tmp: TestCA.ca.cert TestUser50.cert TestUser51.cert" diff --git a/security/nss/tests/libpkix/certs/make-nc b/security/nss/tests/libpkix/certs/make-nc new file mode 100755 index 000000000..aaab1edfa --- /dev/null +++ b/security/nss/tests/libpkix/certs/make-nc @@ -0,0 +1,508 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +mkdir tmp +cd tmp +dd if=/dev/urandom bs=512 count=1 of=noise +echo "" > pwfile + +certutil -d . -N -f pwfile + +certutil -S -z noise -g 1024 -d . -n ca -s "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t C,C,C -x -m 1 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica -s "CN=NSS Intermediate CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 20 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT +5 +6 +9 +n +y + +n +3 +.example +1 +n +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server1 -s "CN=test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 40 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server2 -s "CN=another_test.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server3 -s "CN=test.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 42 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica2 -s "CN=NSS Intermediate CA 2,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 21 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server4 -s "CN=test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 50 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server5 -s "CN=another_test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 51 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + + +certutil -S -z noise -g 1024 -d . -n server6 -s "CN=test2.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 52 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica3 -s "CN=NSS Intermediate CA3,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 21 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT +5 +6 +9 +n +y + +n +3 +foo.example +1 +y +5 +O=Foo,st=ca,c=us +1 +n +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica4 -s "CN=NSS Intermediate CA 2,O=Foo,ST=CA,C=US" -t ,, -c ica3 -m 61 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server7 -s "CN=bat.foo.example,ou=bar,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server8 -s "CN=bat.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 42 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server9 -s "CN=bat.foo.example,O=Foo,C=US" -t ,, -c ica4 -m 43 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server10 -s "CN=bar.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 44 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server11 -s "CN=site.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 45 -v 115 -1 -2 -5 -8 foo.example <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server12 -s "CN=Honest Achmed,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 46 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica5 -s "CN=NSS Intermediate CA 2,O=OtherOrg,ST=CA,C=US" -t ,, -c ica3 -m 62 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server13 -s "CN=bat.foo.example,O=OtherOrg,ST=CA,C=US" -t ,, -c ica5 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server14 -s "CN=another.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica5 -m 490 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ncca -s "CN=NSS Name Constrained Root CA,O=BOGUS NSS,L=Mountain View,ST=CA,C=US" -t C,C,C -x -m 2 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT +5 +6 +9 +n +y + +n +3 +.example +1 +n +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n ica6 -s "CN=NSS Intermediate CA6,O=OtherOrg,ST=CA,C=US" -t ,, -c ncca -m 63 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server15 -s "CN=testfoo.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 64 -v 115 -1 -2 -5 -8 testfoo.invalid <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server16 -s "CN=another_test3.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 65 -v 115 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +certutil -S -z noise -g 1024 -d . -n server17 -s "CN=test4.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 66 -v 115 -1 -2 -5 -8 test4.example <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +#DCISS copy certs +certutil -S -z noise -g 2048 -d . -n dcisscopy -s "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR" -t C,C,C -x -m 998899 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT +5 +6 +9 +n +y + +n +5 +6 +7 +9 +n +CERTSCRIPT + +#the following cert MUST not pass +certutil -S -z noise -g 2048 -d . -n dcissblocked -s "CN=foo.example.com,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998900 -v 120 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + +#the following cert MUST pass +certutil -S -z noise -g 2048 -d . -n dcissallowed -s "CN=foo.example.fr,O=Foo,ST=CA,C=US" -t ,, -c dcisscopy -m 998901 -v 120 -1 -2 -5 <<CERTSCRIPT +0 +2 +3 +4 +9 +n +n + +y +0 +1 +9 +n +CERTSCRIPT + + + +certutil -d . -L -n ca -r > NameConstraints.ca.cert +certutil -d . -L -n ica -r > NameConstraints.intermediate.cert +certutil -d . -L -n server1 -r > NameConstraints.server1.cert +certutil -d . -L -n server2 -r > NameConstraints.server2.cert +certutil -d . -L -n server3 -r > NameConstraints.server3.cert +certutil -d . -L -n ica2 -r > NameConstraints.intermediate2.cert +certutil -d . -L -n server4 -r > NameConstraints.server4.cert +certutil -d . -L -n server5 -r > NameConstraints.server5.cert +certutil -d . -L -n server6 -r > NameConstraints.server6.cert +certutil -d . -L -n ica3 -r > NameConstraints.intermediate3.cert +certutil -d . -L -n ica4 -r > NameConstraints.intermediate4.cert +certutil -d . -L -n server7 -r > NameConstraints.server7.cert +certutil -d . -L -n server8 -r > NameConstraints.server8.cert +certutil -d . -L -n server9 -r > NameConstraints.server9.cert +certutil -d . -L -n server10 -r > NameConstraints.server10.cert +certutil -d . -L -n server11 -r > NameConstraints.server11.cert +certutil -d . -L -n server11 -r > NameConstraints.server11.cert +certutil -d . -L -n server12 -r > NameConstraints.server12.cert +certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert +certutil -d . -L -n server13 -r > NameConstraints.server13.cert +certutil -d . -L -n server14 -r > NameConstraints.server14.cert +certutil -d . -L -n ncca -r > NameConstraints.ncca.cert +certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert +certutil -d . -L -n server15 -r > NameConstraints.server15.cert +certutil -d . -L -n server16 -r > NameConstraints.server16.cert +certutil -d . -L -n server17 -r > NameConstraints.server17.cert +certutil -d . -L -n dcisscopy -r > NameConstraints.dcisscopy.cert +certutil -d . -L -n dcissblocked -r > NameConstraints.dcissblocked.cert +certutil -d . -L -n dcissallowed -r > NameConstraints.dcissallowed.cert + +echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert" diff --git a/security/nss/tests/libpkix/certs/noExtensionsCert b/security/nss/tests/libpkix/certs/noExtensionsCert Binary files differnew file mode 100755 index 000000000..f3dc1c973 --- /dev/null +++ b/security/nss/tests/libpkix/certs/noExtensionsCert diff --git a/security/nss/tests/libpkix/certs/nss2alice b/security/nss/tests/libpkix/certs/nss2alice Binary files differnew file mode 100755 index 000000000..48172a5ed --- /dev/null +++ b/security/nss/tests/libpkix/certs/nss2alice diff --git a/security/nss/tests/libpkix/certs/publicKey/dsaWithParams b/security/nss/tests/libpkix/certs/publicKey/dsaWithParams Binary files differnew file mode 100755 index 000000000..a1f9e05f6 --- /dev/null +++ b/security/nss/tests/libpkix/certs/publicKey/dsaWithParams diff --git a/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams b/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams Binary files differnew file mode 100755 index 000000000..7eae4863e --- /dev/null +++ b/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams diff --git a/security/nss/tests/libpkix/certs/publicKey/labs2yassir b/security/nss/tests/libpkix/certs/publicKey/labs2yassir Binary files differnew file mode 100755 index 000000000..f5fe26115 --- /dev/null +++ b/security/nss/tests/libpkix/certs/publicKey/labs2yassir diff --git a/security/nss/tests/libpkix/certs/publicKey/yassir2labs b/security/nss/tests/libpkix/certs/publicKey/yassir2labs Binary files differnew file mode 100755 index 000000000..f94385403 --- /dev/null +++ b/security/nss/tests/libpkix/certs/publicKey/yassir2labs diff --git a/security/nss/tests/libpkix/certs/sun2sun b/security/nss/tests/libpkix/certs/sun2sun Binary files differnew file mode 100755 index 000000000..c75192be1 --- /dev/null +++ b/security/nss/tests/libpkix/certs/sun2sun diff --git a/security/nss/tests/libpkix/certs/yassir2bcn b/security/nss/tests/libpkix/certs/yassir2bcn Binary files differnew file mode 100755 index 000000000..f9c83dc95 --- /dev/null +++ b/security/nss/tests/libpkix/certs/yassir2bcn diff --git a/security/nss/tests/libpkix/certs/yassir2yassir b/security/nss/tests/libpkix/certs/yassir2yassir Binary files differnew file mode 100755 index 000000000..8444af5a3 --- /dev/null +++ b/security/nss/tests/libpkix/certs/yassir2yassir diff --git a/security/nss/tests/libpkix/common/libpkix_init.sh b/security/nss/tests/libpkix/common/libpkix_init.sh new file mode 100644 index 000000000..01eb070e1 --- /dev/null +++ b/security/nss/tests/libpkix/common/libpkix_init.sh @@ -0,0 +1,324 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# libpkix_init.sh +# + +### when the script is exiting, handle it in the Cleanup routine...the result +### value will get set to 0 if all the tests completed successfully, so we can +### use that value in the handler + +trap 'Cleanup' EXIT + +result=1 +checkmem=0 +arenas=0 +quiet=0 + +doNIST=1 +doNIST_PDTest=0 +doPD=0 +doTop=0 +doModule=0 +doPki=0 +doOCSP=0 +doOCSPTest=0 + +combinedErrors=0 +totalErrors=0 +prematureTermination=0 +errors=0 + +if [ -z "${INIT_SOURCED}" ] ; then + libpkixCommondir=`pwd` + cd ../../common + . ./init.sh > /dev/null + cd ${libpkixCommondir} +fi + +DIST_BIN=${DIST}/${OBJDIR}/bin + +### setup some defaults +WD=`pwd` +prog=`basename $0` +testOut=${HOSTDIR}/${prog}.$$ +testOutMem=${HOSTDIR}/${prog}_mem.$$ + +#################### +# cleanup from tests +#################### +Cleanup() +{ + if [ ${testOut} != "" ]; then + rm -f ${testOut} + fi + + if [ ${testOutMem} != "" ]; then + rm -f ${testOutMem} + fi + + if [ -d ../../nist_pkits/certs ]; then + rm -f ../../nist_pkits/certs + fi + + if [ ${doTop} -eq 1 ]; then + for i in ${linkMStoreNistFiles}; do + if [ -f ${HOSTDIR}/rev_data/multiple_certstores/$i ]; then + rm -f ${HOSTDIR}/rev_data/multiple_certstores/$i + fi + done + if [ -d ${HOSTDIR}/rev_data/multiple_certstores ]; then + rm -fr ${HOSTDIR}/rev_data/multiple_certstores + fi + fi + + if [ ${doModule} -eq 1 ]; then + for i in ${linkModuleNistFiles}; do + if [ -f ${HOSTDIR}/rev_data/local/$i ]; then + rm -f ${HOSTDIR}/rev_data/local/$i + fi + done + for i in ${localCRLFiles}; do + if [ -f ${HOSTDIR}/rev_data/local/$i ]; then + rm -f ${HOSTDIR}/rev_data/local/$i + fi + done + fi + + if [ ${doPki} -eq 1 ]; then + for i in ${linkPkiNistFiles}; do + if [ -f ${HOSTDIR}/rev_data/local/$i ]; then + rm -f ${HOSTDIR}/rev_data/local/$i + fi + done + fi + + return ${result} +} + +### ParseArgs +ParseArgs() # args +{ + while [ $# -gt 0 ]; do + if [ $1 = "-checkmem" ]; then + checkmem=1 + elif [ $1 = "-quiet" ]; then + quiet=1 + elif [ $1 = "-arenas" ]; then + arenas=1 + fi + shift + done +} + +Display() # string +{ + if [ ${quiet} -eq 0 ]; then + echo "$1" + fi +} + +testHeadingEcho() +{ + echo "*******************************************************************************" + echo "START OF TESTS FOR ${testunit}${memText}" + echo "*******************************************************************************" + echo "" +} + +testEndingEcho() +{ + if [ ${totalErrors} -eq 0 ]; then + echo "" + echo "************************************************************" + echo "END OF TESTS FOR ${testunit}: ALL TESTS COMPLETED SUCCESSFULLY" + echo "************************************************************" + echo "" + return 0 + fi + + if [ ${totalErrors} -eq 1 ]; then + plural="" + else + plural="S" + fi + + echo "" + echo "************************************************************" + echo "END OF TESTS FOR ${testunit}: ${totalErrors} TEST${plural} FAILED" + echo "************************************************************" + echo "" + return ${totalErrors} +} + +########### +# RunTests +########### +RunTests() +{ + errors=0 + memErrors=0 + prematureErrors=0 + + failedpgms="" + failedmempgms="" + failedprematurepgms="" + memText="" + arenaCmd="" + + if [ ${checkmem} -eq 1 ]; then + memText=" (Memory Checking Enabled)" + fi + + if [ ${arenas} -eq 1 ]; then + arenaCmd="-arenas" + fi + + # + # Announce start of tests + # + Display "*******************************************************************************" + Display "START OF TESTS FOR PKIX ${testunit} ${memText}" + Display "*******************************************************************************" + Display "" + + # run each test specified by the input redirection below + + while read testPgm args; do + + shortTestPurpose=`echo $args | awk '{print $1 " " $2 " "}'` + fullTestPurpose=${args} + if [ ${doTop} -eq 1 -o ${doModule} -eq 1 -o ${doPki} -eq 1 ]; then + testPurpose=${shortTestPurpose} + else + testPurpose=${fullTestPurpose} + fi + + # If we want shorter command printout for NIST tests, delete next line + testPurpose=${fullTestPurpose} + + # Skip OCSP tests if OCSP is not defined in the environment + if [ ${doOCSPTest} -eq 0 ]; then + hasOCSP=`echo ${args} | grep OCSP-Test` + if [ ! -z "${hasOCSP}" ]; then + Display "SKIPPING ${testPgm} ${testPurpose}" + continue + fi + fi + + if [ ${doNIST} -eq 0 ]; then + hasNIST=`echo ${args} | grep NIST-Test` + if [ ! -z "${hasNIST}" ]; then + Display "SKIPPING ${testPgm} ${testPurpose}" + continue + fi + fi + + # This "if" is not reached when doNIST is not set. The assumption + # is that NIST tests are basic, NIST Path Discovery tests are + # additional + if [ ${doNIST_PDTest} -eq 0 ]; then + hasNIST=`echo ${args} | grep NIST-PDTest` + if [ ! -z "${hasNIST}" ]; then + Display "SKIPPING ${testPgm} ${testPurpose}" + continue + fi + fi + + Display "RUNNING ${testPgm} ${arenaCmd} ${testPurpose}" + + numtests=`expr ${numtests} + 1` + + if [ ${checkmem} -eq 1 ]; then + dbx -C -c "runargs ${arenaCmd} ${args};check -all;run;exit" ${DIST_BIN}/${testPgm} > ${testOut} 2>&1 + else + ${DIST_BIN}/${testPgm} ${arenaCmd} ${args} > ${testOut} 2>&1 + fi + + # Examine output file to see if test failed and keep track of number + # of failures and names of failed tests. This assumes that the test + # uses our utility library for displaying information + + cat ${testOut} | tail -2 | grep "COMPLETED SUCCESSFULLY" >/dev/null 2>&1 + + if [ $? -ne 0 ]; then + testFail=1 + errors=`expr ${errors} + 1` + failedpgms="${failedpgms}\n${testPgm} ${testPurpose} " +# cat ${testOut} + else + testFail=0 + passed=`expr ${passed} + 1` + fi + cat ${testOut} + html_msg ${testFail} 0 "${testPgm} ${arenaCmd} ${shortTestPurpose}" + + if [ ${checkmem} -eq 1 ]; then + grep "(actual leaks:" ${testOut} > ${testOutMem} 2>&1 + if [ $? -ne 0 ]; then + prematureErrors=`expr ${prematureErrors} + 1` + failedprematurepgms="${failedprematurepgms}${testPgm} " + Display "...program terminated prematurely (unable to check for memory leak errors) ..." + else + #grep "(actual leaks: 0" ${testOut} > /dev/null 2>&1 + # special consideration for memory leak in NSS_NoDB_Init + grep "(actual leaks: 1 total size: 4 bytes)" ${testOut} > /dev/null 2>&1 + if [ $? -ne 0 ]; then + memErrors=`expr ${memErrors} + 1` + failedmempgms="${failedmempgms}${testPgm} " + cat ${testOutMem} + fi + fi + fi + + done + + if [ ${errors} -eq 0 ]; then + if [ ${memErrors} -eq 0 ]; then + Display "" + Display "************************************************************" + Display "END OF TESTS FOR PKIX ${testunit}: ALL TESTS COMPLETED SUCCESSFULLY" + Display "************************************************************" + Display "" + return 0 + fi + fi + + if [ ${errors} -eq 1 ]; then + plural="" + else + plural="S" + fi + + Display "" + Display "*******************************************************************************" + Display "END OF TESTS FOR PKIX ${testunit}: ${errors} UNIT TEST${plural} FAILED: ${failedpgms}" + Display "" + if [ ${checkmem} -eq 1 ]; then + if [ ${memErrors} -eq 1 ]; then + memPlural="" + else + memPlural="S" + fi + Display " ${memErrors} MEMORY LEAK TEST${memPlural} FAILED: ${failedmempgms}" + + if [ ${prematureErrors} -ne 0 ]; then + if [ ${prematureErrors} -eq 1 ]; then + prematurePlural="" + else + prematurePlural="S" + fi + Display " ${prematureErrors} MEMORY LEAK TEST${prematurePlural} INDETERMINATE: ${failedprematurepgms}" + fi + + fi + Display "*******************************************************************************" + Display "" + combinedErrors=`expr ${errors} + ${memErrors} + ${prematureErrors}` + + return ${combinedErrors} + +} diff --git a/security/nss/tests/libpkix/common/libpkix_init_nist.sh b/security/nss/tests/libpkix/common/libpkix_init_nist.sh new file mode 100644 index 000000000..d4dfd2a6c --- /dev/null +++ b/security/nss/tests/libpkix/common/libpkix_init_nist.sh @@ -0,0 +1,70 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# libpkix_init_nist.sh +# + +# +# Any test that uses NIST files should have a tag of either NIST-Test or +# NIST-Test-Files-Used at the command option so if there are no NIST files +# installed in the system, the test can be skipped +# + +if [ -z "${NIST_FILES_DIR}" ] ; then + Display "" + Display "*******************************************************************************" + Display "The environment variable NIST_FILES_DIR is not defined. Therefore" + Display "tests depending on it will be skipped. To enable these tests set" + Display "NIST_FILES_DIR to the directory where NIST Certificates and CRLs" + Display "are located." + Display "*******************************************************************************" + Display "" + doNIST=0 +else + + NIST=${NIST_FILES_DIR} + doNIST=1 +fi + +# +# Any tests that use NIST Path Discovery files should have a tag of NIST-PDTest +# at the command option so if there are no NIST Path Discovery files +# installed in the system, the test can be skipped +# +if [ ${doPD} -eq 1 -a -z "${PDVAL}" ] ; then + + Display "" + Display "*******************************************************************************" + Display "The environment variable PDVAL is not defined. Therefore tests" + Display "depending on it will be skipped. To enable these tests set PDVAL to" + Display "the directory where NIST Path Discovery Certificates are located." + Display "*******************************************************************************" + Display "" + doNIST_PDTest=0 +else + + NIST_PDTEST=${PDVAL} + doNIST_PDTest=1 +fi + +# +# Any tests that use an OCSP Server should have a tag of OCSP-Test at the +# command option so if there is no OCSP Server installed in the system, the +# test can be skipped +# +if [ ${doOCSP} -eq 1 -a -z "${OCSP}" ] ; then + + Display "" + Display "*******************************************************************************" + Display "The environment variable OCSP is not defined. Therefore tests" + Display "depending on it will be skipped. To enable these tests set OCSP" + Display "non-NULL (the actual URI used is taken from the AIA extension)." + Display "*******************************************************************************" + Display "" + doOCSPTest=0 +else + doOCSPTest=1 +fi diff --git a/security/nss/tests/libpkix/libpkix.sh b/security/nss/tests/libpkix/libpkix.sh new file mode 100755 index 000000000..25d38ccbe --- /dev/null +++ b/security/nss/tests/libpkix/libpkix.sh @@ -0,0 +1,139 @@ +#! /bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + +totalErrors=0 +pkixErrors=0 +pkixplErrors=0 +checkMemArg="" +arenasArg="" +quietArg="" +memText="" + +############################## libpkix_init ############################### +# local shell function to initialize this script +######################################################################## +libpkix_init() +{ + SCRIPTNAME="libpkix.sh" + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + LIBPKIX_CURDIR=`pwd` + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then + cd ../common + . ./init.sh + fi + cd ${LIBPKIX_CURDIR} + + SCRIPTNAME="libpkix.sh" +} + +############################## libpkix_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +libpkix_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +############################## libpkix_UT_main ############################ +# local shell function to run libpkix unit tests +######################################################################## +ParseArgs () +{ + while [ $# -gt 0 ]; do + if [ $1 == "-checkmem" ]; then + checkMemArg=$1 + memText=" (Memory Checking Enabled)" + elif [ $1 == "-quiet" ]; then + quietArg=$1 + elif [ $1 == "-arenas" ]; then + arenasArg=$1 + fi + shift + done +} + +libpkix_UT_main() +{ + +html_head "LIBPKIX Unit Tests" + +ParseArgs + +echo "*******************************************************************************" +echo "START OF ALL TESTS${memText}" +echo "*******************************************************************************" +echo "" + +echo "RUNNING tests in pkix_pl_test"; +html_msg 0 0 "Running tests in pkix_pl_test:" +cd pkix_pl_tests; +runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkixplErrors=$? +html_msg $? 0 "Results of tests in pkix_pl_test" + +echo "RUNNING tests in pkix_test"; +html_msg 0 0 "Running tests in pkix_test:" +cd ../pkix_tests; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkixErrors=$? +html_msg $? 0 "Results of tests in pkix_test" + +echo "RUNNING performance tests in sample_apps"; +html_msg 0 0 "Running performance tests in sample_apps:" +cd ../sample_apps; +runPerf.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkixPerfErrors=$? +html_msg $? 0 "Results of performance tests in sample_apps" + +totalErrors=`expr ${pkixErrors} + ${pkixplErrors} + ${pkixPerfErrors}` + +if [ ${totalErrors} -eq 0 ]; then + echo "" + echo "************************************************************" + echo "END OF ALL TESTS: ALL TESTS COMPLETED SUCCESSFULLY" + echo "************************************************************" + html_msg ${totalErrors} 0 "ALL LIBPKIX TESTS COMPLETED SUCCESSFULLY" + + return 0 +fi + +if [ ${totalErrors} -eq 1 ]; then + plural="" +else + plural="S" +fi + +if [ ${totalErrors} -ne 0 ]; then + echo "" + echo "************************************************************" + echo "END OF ALL TESTS: ${totalErrors} TEST${plural} FAILED" + echo "************************************************************" + html_msg 1 0 "${totalErrors} LIBPKIX TEST${plural} FAILED" +return 1 +fi +} + +libpkix_run_tests() +{ + if [ -n "${BUILD_LIBPKIX_TESTS}" ]; then + libpkix_UT_main + fi +} + +################## main ################################################# + +libpkix_init +libpkix_run_tests +libpkix_cleanup diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db b/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db Binary files differnew file mode 100755 index 000000000..f09bebbcf --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db b/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db Binary files differnew file mode 100755 index 000000000..5c3b3ebbb --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl Binary files differnew file mode 100755 index 000000000..d076ef89f --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl Binary files differnew file mode 100755 index 000000000..1ad019ed1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl Binary files differnew file mode 100755 index 000000000..6c9f0dbaa --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl Binary files differnew file mode 100755 index 000000000..c1c83ba2c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt Binary files differnew file mode 100755 index 000000000..89b59d17d --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt Binary files differnew file mode 100755 index 000000000..a80c10cd3 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt Binary files differnew file mode 100755 index 000000000..3cd7bc9bc --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt Binary files differnew file mode 100755 index 000000000..b0119ed26 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt Binary files differnew file mode 100755 index 000000000..f90df0dac --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh new file mode 100755 index 000000000..4c4cebe28 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh @@ -0,0 +1,101 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runPLTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +. ./libpkix_init_nist.sh +cd ${curdir} + +numtests=0 +passed=0 +testunit=MODULE +doModule=1 + +### setup NIST files need to link in +linkModuleNistFiles="InvalidDNnameConstraintsTest3EE.crt + InvalidonlySomeReasonsTest21EE.crt + indirectCRLCA3cRLIssuerCRL.crl + nameConstraintsDN3subCA2Cert.crt + nameConstraintsDN4CACert.crt + nameConstraintsDN5CACert.crt + onlyContainsAttributeCertsCACRL.crl + onlyContainsCACertsCACRL.crl + onlyContainsUserCertsCACRL.crl + onlySomeReasonsCA3compromiseCRL.crl + requireExplicitPolicy2CACert.crt + inhibitPolicyMapping5CACert.crt + inhibitAnyPolicy5CACert.crt + inhibitAnyPolicy0CACert.crt + P1Mapping1to234CACert.crt + UserNoticeQualifierTest15EE.crt + UserNoticeQualifierTest16EE.crt + UserNoticeQualifierTest17EE.crt + UserNoticeQualifierTest18EE.crt + CPSPointerQualifierTest20EE.crt" + +if [ -n "${NIST_FILES_DIR}" ]; then + if [ ! -d ${HOSTDIR}/rev_data/local ]; then + mkdir -p ${HOSTDIR}/rev_data/local + fi + + for i in ${linkModuleNistFiles}; do + if [ -f ${HOSTDIR}/rev_data/local/$i ]; then + rm ${HOSTDIR}/rev_data/local/$i + fi + cp ${NIST_FILES_DIR}/$i ${HOSTDIR}/rev_data/local/$i + done + + localCRLFiles="crlgood.crl + crldiff.crl + issuer-hanfei.crl + issuer-none.crl" + + for i in ${localCRLFiles}; do + cp ${curdir}/rev_data/local/$i ${HOSTDIR}/rev_data/local/$i + done +fi + +########## +# main +########## + +ParseArgs $* + +SOCKETTRACE=0 +export SOCKETTRACE + +RunTests <<EOF +pkixutil test_colcertstore NIST-Test-Files-Used rev_data/local ${HOSTDIR} +pkixutil test_pk11certstore -d ../../pkix_pl_tests/module ../../pkix_tests/top/rev_data/crlchecker +pkixutil test_ekuchecker "Test-EKU-without-OID" ENE "" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt +pkixutil test_ekuchecker "Test-EKU-with-good-OID" ENE "1.3.6.1.5.5.7.3.3" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt +pkixutil test_ekuchecker "Test-EKU-with-bad-OID" EE "1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt +pkixutil test_ekuchecker "Test-EKU-with-good-and-bad-OID" EE "1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt +pkixutil test_ekuchecker "Test-EKU-only-EE-with-good-OID" ENE "E1.3.6.1.5.5.7.3.3" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt +pkixutil test_ekuchecker "Test-EKU-only-EE-with-bad-OID" EE "E1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt +pkixutil test_ekuchecker "Test-EKU-serverAuth" ENE "1.3.6.1.5.5.7.3.1" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-clientAuth" ENE "1.3.6.1.5.5.7.3.2" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-codesigning-without-OID" EE "1.3.6.1.5.5.7.3.3" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-emailProtection" ENE "1.3.6.1.5.5.7.3.4" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-timestamping" ENE "1.3.6.1.5.5.7.3.8" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-OCSPSigning" ENE "1.3.6.1.5.5.7.3.9" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-only-EE-serverAuth" ENE "E1.3.6.1.5.5.7.3.1" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-only-EE-clientAuth" ENE "E1.3.6.1.5.5.7.3.2" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-only-EE-codesigning-without-OID" EE "E1.3.6.1.5.5.7.3.3" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-only-EE-emailProtection" ENE "E1.3.6.1.5.5.7.3.4" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-only-EE-timestamping" ENE "E1.3.6.1.5.5.7.3.8" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_ekuchecker "Test-EKU-only-EE-ocspSigning" ENE "E1.3.6.1.5.5.7.3.9" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt +pkixutil test_socket ${HOSTADDR}:2000 +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} + diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db b/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db Binary files differnew file mode 100755 index 000000000..772583d58 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README new file mode 100755 index 000000000..50e1b98ec --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README @@ -0,0 +1,3 @@ +If the total number of CRL files is changed in this directory, +the define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS under the +test directory also need to be changed.
\ No newline at end of file diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl Binary files differnew file mode 100755 index 000000000..d076ef89f --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl Binary files differnew file mode 100755 index 000000000..1ad019ed1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl Binary files differnew file mode 100755 index 000000000..6c9f0dbaa --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl Binary files differnew file mode 100755 index 000000000..c1c83ba2c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh new file mode 100755 index 000000000..7857aad3f --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh @@ -0,0 +1,81 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runPLTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +doPD=1 +. ./libpkix_init_nist.sh +cd ${curdir} + +numtests=0 +passed=0 +testunit=PKI +doPki=1 + +### setup NIST files need to link in +linkPkiNistFiles="InvalidDNnameConstraintsTest3EE.crt + InvalidonlySomeReasonsTest21EE.crt + indirectCRLCA3cRLIssuerCRL.crl + nameConstraintsDN3subCA2Cert.crt + nameConstraintsDN4CACert.crt + nameConstraintsDN5CACert.crt + onlyContainsAttributeCertsCACRL.crl + onlyContainsCACertsCACRL.crl + onlyContainsUserCertsCACRL.crl + onlySomeReasonsCA3compromiseCRL.crl + requireExplicitPolicy2CACert.crt + inhibitPolicyMapping5CACert.crt + inhibitAnyPolicy5CACert.crt + inhibitAnyPolicy0CACert.crt + P1Mapping1to234CACert.crt + UserNoticeQualifierTest15EE.crt + UserNoticeQualifierTest16EE.crt + UserNoticeQualifierTest17EE.crt + UserNoticeQualifierTest18EE.crt + CPSPointerQualifierTest20EE.crt" + +if [ -n "${NIST_FILES_DIR}" ]; then + if [ ! -d ${HOSTDIR}/rev_data/local ]; then + mkdir -p ${HOSTDIR}/rev_data/local + fi + + for i in ${linkPkiNistFiles}; do + if [ -f ${HOSTDIR}/rev_data/local/$i ]; then + rm ${HOSTDIR}/rev_data/local/$i + fi + cp ${NIST_FILES_DIR}/$i ${HOSTDIR}/rev_data/local/$i + done +fi + +########## +# main +######### + +TZ=US/Eastern + +ParseArgs $* + +RunTests <<EOF +pkixutil test_cert NIST-Test-Files-Used ../../certs ${HOSTDIR}/rev_data/local +pkixutil test_crl NIST-Test-Files-Used ../../certs +pkixutil test_x500name +pkixutil test_generalname +pkixutil test_date NIST-Test-Files-Used +pkixutil test_crlentry ../../certs +pkixutil test_nameconstraints NIST-Test-Files-Used rev_data/local ${HOSTDIR} +pkixutil test_authorityinfoaccess NIST-PDTest ${NIST_PDTEST} certs/BasicLDAPURIPathDiscoveryOU1EE1.crt certs/BasicHTTPURITrustAnchorRootCert.crt +pkixutil test_subjectinfoaccess NIST-PDTest ${NIST_PDTEST} certs/BasicHTTPURITrustAnchorRootCert.crt certs/BasicLDAPURIPathDiscoveryOU1EE1.crt +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} + + diff --git a/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh new file mode 100755 index 000000000..89ad1cb7a --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh @@ -0,0 +1,67 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runPLTests.sh +# + +curdir=`pwd` +cd ../common +. ./libpkix_init.sh > /dev/null +cd ${curdir} + +testunit="PKIX_PL" + +totalErrors=0 +moduleErrors=0 +systemErrors=0 +pkiErrors=0 +quiet=0 + +checkMemArg="" +arenasArg="" +quietArg="" + +### ParseArgs +myParseArgs() # args +{ + while [ $# -gt 0 ]; do + if [ $1 = "-checkmem" ]; then + checkMemArg=$1 + elif [ $1 = "-quiet" ]; then + quietArg=$1 + quiet=1 + elif [ $1 = "-arenas" ]; then + arenasArg=$1 + fi + shift + done +} + +myParseArgs $* + +testHeadingEcho + +echo "RUNNING tests in pki"; +cd pki; +runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkiErrors=$? + +echo "RUNNING tests in system"; +cd ../system; +runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +systemErrors=$? + +echo "RUNNING tests in module"; +cd ../module; +runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +moduleErrors=$? + +totalErrors=`expr $moduleErrors + $systemErrors + $pkiErrors` + +testEndingEcho + +exit ${totalErrors} + diff --git a/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh new file mode 100755 index 000000000..ec166cd08 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh @@ -0,0 +1,46 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runPLTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +cd ${curdir} + +numtests=0 +passed=0 +testunit=SYSTEM + + +########## +# main +########## + +ParseArgs $* + +RunTests <<EOF +pkixutil test_mem +pkixutil test_object +pkixutil test_string +pkixutil test_bigint +pkixutil test_bytearray +pkixutil test_mutex +pkixutil test_mutex2 +pkixutil test_mutex3 +pkixutil test_monitorlock +pkixutil test_oid +pkixutil test_hashtable +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} + + + + diff --git a/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage b/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage new file mode 100755 index 000000000..e69de29bb --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage diff --git a/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh b/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh new file mode 100755 index 000000000..050e4aeef --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh @@ -0,0 +1,33 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +. ./libpkix_init_nist.sh +cd ${curdir} + +numtests=0 +passed=0 +testunit=CERTSEL + +########## +# main +########## + +ParseArgs $* + +RunTests <<EOF +pkixutil test_comcertselparams ${NIST} NIST-Test-Files-Used +pkixutil test_certselector ${NIST} NIST-Test-Files-Used ../../pkix_pl_tests/module/rev_data +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} diff --git a/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh b/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh new file mode 100755 index 000000000..b63b2c576 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh @@ -0,0 +1,31 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +cd ${curdir} + +numtests=0 +passed=0 +testunit=CHECKER + +########## +# main +########## + +ParseArgs $* + +RunTests <<EOF +pkixutil test_certchainchecker +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} diff --git a/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh b/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh new file mode 100755 index 000000000..7f5d2bf66 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh @@ -0,0 +1,33 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +cd ${curdir} + +numtests=0 +passed=0 +testunit=CRLSEL + + +########## +# main +########## + +ParseArgs $* + +RunTests <<EOF +pkixutil test_comcrlselparams ../../certs +pkixutil test_crlselector +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} diff --git a/security/nss/tests/libpkix/pkix_tests/params/runTests.sh b/security/nss/tests/libpkix/pkix_tests/params/runTests.sh new file mode 100755 index 000000000..cd0e38a71 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/params/runTests.sh @@ -0,0 +1,36 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +. ./libpkix_init_nist.sh +cd ${curdir} + +numtests=0 +passed=0 +testunit=PARAMS + + +########## +# main +########## + +ParseArgs $* + +RunTests <<EOF +pkixutil test_valparams ../../certs +pkixutil test_procparams ../../certs +pkixutil test_trustanchor ${NIST} ../../certs NIST-Test-Files-Used +pkixutil test_resourcelimits +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} diff --git a/security/nss/tests/libpkix/pkix_tests/results/runTests.sh b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh new file mode 100755 index 000000000..8a8461029 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh @@ -0,0 +1,36 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +. ./libpkix_init_nist.sh +cd ${curdir} + +numtests=0 +passed=0 +testunit=RESULTS + + +########## +# main +########## + +ParseArgs $* + +RunTests <<EOF +pkixutil test_policynode ${NIST} NIST-Test-Files-Used +pkixutil test_valresult ../../certs +pkixutil test_buildresult ../../certs +pkixutil test_verifynode ${NIST} TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} diff --git a/security/nss/tests/libpkix/pkix_tests/runTests.sh b/security/nss/tests/libpkix/pkix_tests/runTests.sh new file mode 100755 index 000000000..9f1b895fb --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/runTests.sh @@ -0,0 +1,98 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + +curdir=`pwd` +cd ../common +. ./libpkix_init.sh > /dev/null +cd ${curdir} + +testunit="PKIX" + +totalErrors=0 +utilErrors=0 +crlselErrors=0 +paramsErrors=0 +resultsErrors=0 +topErrors=0 +checkerErrors=0 +certselErrors=0 +quiet=0 + +checkMemArg="" +arenasArg="" +quietArg="" +memText="" + +### ParseArgs +ParseArgs() # args +{ + while [ $# -gt 0 ]; do + if [ $1 = "-checkmem" ]; then + checkMemArg=$1 + memText=" (Memory Checking Enabled)" + elif [ $1 = "-quiet" ]; then + quietArg=$1 + quiet=1 + elif [ $1 = "-arenas" ]; then + arenasArg=$1 + fi + shift + done +} + +ParseArgs $* + +testHeadingEcho + +echo "RUNNING tests in certsel"; +cd certsel; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +certselErrors=$? + +echo "RUNNING tests in checker"; +cd ../checker; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +checkerErrors=$? + +echo "RUNNING tests in results"; +cd ../results; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +resultsErrors=$? + +echo "RUNNING tests in params"; +cd ../params; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +paramsErrors=$? + +echo "RUNNING tests in crlsel"; +cd ../crlsel; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +crlselErrors=$? + +echo "RUNNING tests in store"; +cd ../store; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +storeErrors=$? + +echo "RUNNING tests in util"; +cd ../util; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +utilErrors=$? + +echo "RUNNING tests in top"; +cd ../top; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +topErrors=$? + +totalErrors=`expr ${certselErrors} + ${checkerErrors} + ${resultsErrors} + ${paramsErrors} + ${crlselErrors} + ${storeErrors} + ${utilErrors} + ${topErrors}` + +testEndingEcho + +exit ${totalErrors} + diff --git a/security/nss/tests/libpkix/pkix_tests/store/runTests.sh b/security/nss/tests/libpkix/pkix_tests/store/runTests.sh new file mode 100755 index 000000000..7b0bb3745 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/store/runTests.sh @@ -0,0 +1,32 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +cd ${curdir} + +numtests=0 +passed=0 +testunit=STORE + + +########## +# main +########## + +ParseArgs $* + +RunTests <<EOF +pkixutil test_store genericCertStore rev_data/crlchecker ${HOSTDIR} +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} diff --git a/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt b/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt Binary files differnew file mode 100644 index 000000000..1e2f7c7a1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl Binary files differnew file mode 100755 index 000000000..148b47815 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt Binary files differnew file mode 100755 index 000000000..66563db40 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl Binary files differnew file mode 100755 index 000000000..6cd8d2577 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt Binary files differnew file mode 100755 index 000000000..44419aa4c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt Binary files differnew file mode 100755 index 000000000..07f7e58d1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt Binary files differnew file mode 100755 index 000000000..36591b8bf --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl Binary files differnew file mode 100755 index 000000000..8c96b41dc --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt Binary files differnew file mode 100755 index 000000000..119368ca5 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl Binary files differnew file mode 100755 index 000000000..eca3a5e84 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt Binary files differnew file mode 100755 index 000000000..460d19307 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl Binary files differnew file mode 100755 index 000000000..148b47815 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt Binary files differnew file mode 100755 index 000000000..182472b21 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl Binary files differnew file mode 100755 index 000000000..e037e5047 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt Binary files differnew file mode 100755 index 000000000..44419aa4c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt Binary files differnew file mode 100755 index 000000000..07f7e58d1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt Binary files differnew file mode 100755 index 000000000..36591b8bf --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl Binary files differnew file mode 100755 index 000000000..8c96b41dc --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt Binary files differnew file mode 100755 index 000000000..f5fe26115 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl Binary files differnew file mode 100755 index 000000000..eca3a5e84 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt Binary files differnew file mode 100755 index 000000000..460d19307 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl Binary files differnew file mode 100755 index 000000000..148b47815 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt Binary files differnew file mode 100755 index 000000000..182472b21 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl Binary files differnew file mode 100755 index 000000000..e037e5047 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt Binary files differnew file mode 100755 index 000000000..44419aa4c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt Binary files differnew file mode 100755 index 000000000..07f7e58d1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt Binary files differnew file mode 100755 index 000000000..36591b8bf --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl Binary files differnew file mode 100755 index 000000000..8c96b41dc --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt Binary files differnew file mode 100755 index 000000000..f5fe26115 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl Binary files differnew file mode 100755 index 000000000..eca3a5e84 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt Binary files differnew file mode 100755 index 000000000..460d19307 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl Binary files differnew file mode 100755 index 000000000..148b47815 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt Binary files differnew file mode 100755 index 000000000..66563db40 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl Binary files differnew file mode 100755 index 000000000..e037e5047 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt Binary files differnew file mode 100755 index 000000000..44419aa4c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt Binary files differnew file mode 100755 index 000000000..07f7e58d1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl Binary files differnew file mode 100755 index 000000000..eca3a5e84 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt Binary files differnew file mode 100755 index 000000000..460d19307 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl Binary files differnew file mode 100755 index 000000000..148b47815 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt Binary files differnew file mode 100755 index 000000000..182472b21 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl Binary files differnew file mode 100755 index 000000000..e037e5047 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt Binary files differnew file mode 100755 index 000000000..44419aa4c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt Binary files differnew file mode 100755 index 000000000..07f7e58d1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl Binary files differnew file mode 100755 index 000000000..eca3a5e84 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt Binary files differnew file mode 100755 index 000000000..460d19307 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt Binary files differnew file mode 100755 index 000000000..182472b21 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt Binary files differnew file mode 100755 index 000000000..44419aa4c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt Binary files differnew file mode 100755 index 000000000..07f7e58d1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt Binary files differnew file mode 100755 index 000000000..36591b8bf --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt Binary files differnew file mode 100755 index 000000000..f5fe26115 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt Binary files differnew file mode 100755 index 000000000..460d19307 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt Binary files differnew file mode 100755 index 000000000..b11826f97 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt Binary files differnew file mode 100755 index 000000000..44419aa4c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt Binary files differnew file mode 100755 index 000000000..07f7e58d1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt Binary files differnew file mode 100755 index 000000000..36591b8bf --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt Binary files differnew file mode 100755 index 000000000..2b4387d6c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt Binary files differnew file mode 100755 index 000000000..f5fe26115 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt Binary files differnew file mode 100755 index 000000000..460d19307 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt Binary files differnew file mode 100755 index 000000000..b11826f97 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt Binary files differnew file mode 100755 index 000000000..44419aa4c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt Binary files differnew file mode 100755 index 000000000..07f7e58d1 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt Binary files differnew file mode 100755 index 000000000..36591b8bf --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt Binary files differnew file mode 100755 index 000000000..2b4387d6c --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt Binary files differnew file mode 100755 index 000000000..f5fe26115 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt Binary files differnew file mode 100755 index 000000000..460d19307 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/cert8.db b/security/nss/tests/libpkix/pkix_tests/top/cert8.db Binary files differnew file mode 100644 index 000000000..a2bb46756 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/cert8.db diff --git a/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt b/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt Binary files differnew file mode 100644 index 000000000..c9904f4e0 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/key3.db b/security/nss/tests/libpkix/pkix_tests/top/key3.db Binary files differnew file mode 100644 index 000000000..fd1bee826 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/key3.db diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl Binary files differnew file mode 100755 index 000000000..9619c22cf --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt Binary files differnew file mode 100755 index 000000000..0022f3cbf --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt Binary files differnew file mode 100755 index 000000000..50be7df1f --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl Binary files differnew file mode 100755 index 000000000..2deed93ed --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl Binary files differnew file mode 100755 index 000000000..fa9b2dc69 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt Binary files differnew file mode 100755 index 000000000..04bc5f16a --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl Binary files differnew file mode 100755 index 000000000..675e9a53f --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt Binary files differnew file mode 100755 index 000000000..e12232b8a --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt Binary files differnew file mode 100755 index 000000000..f5a165baa --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt Binary files differnew file mode 100755 index 000000000..ca09c166e --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl Binary files differnew file mode 100755 index 000000000..e37aa9c24 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl diff --git a/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt b/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt Binary files differnew file mode 100644 index 000000000..0715ceb7b --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt diff --git a/security/nss/tests/libpkix/pkix_tests/top/runTests.sh b/security/nss/tests/libpkix/pkix_tests/top/runTests.sh new file mode 100755 index 000000000..1e2080939 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/runTests.sh @@ -0,0 +1,517 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + + +LDAP='nss.red.iplanet.com:1389' +export LDAP +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +doPD=1 +doOCSP=1 +. ./libpkix_init_nist.sh +cd ${curdir} + +numtests=0 +passed=0 +testunit=TOP +doTop=1 +linkMStoreNistFiles="store1/TrustAnchorRootCRL.crl + store1/TwoCRLsCABadCRL.crl + store2/TwoCRLsCAGoodCRL.crl" + +if [ ! -z "${NIST_FILES_DIR}" ] ; then + if [ -d ${HOSTDIR}/rev_data/multiple_certstores ]; then + rm -fr ${HOSTDIR}/rev_data/multiple_certstores + fi + mkdir -p ${HOSTDIR}/rev_data/multiple_certstores + mkdir -p ${HOSTDIR}/rev_data/multiple_certstores/store1 + mkdir -p ${HOSTDIR}/rev_data/multiple_certstores/store2 + for i in ${linkMStoreNistFiles}; do + if [ -f ${HOSTDIR}/rev_data/multiple_certstores/$i ]; then + rm ${HOSTDIR}/rev_data/multiple_certstores/$i + fi + fname=`basename $i` + cp ${NIST_FILES_DIR}/${fname} ${HOSTDIR}/rev_data/multiple_certstores/$i + done +fi + +ocspFiles="goodcert.crt revokedcert.crt anchorcert.crt + secmod.db key3.db cert8.db" + +if [ ! -z ${doOCSPTest} ] ; then + if [ -d ${HOSTDIR}/ocsp ]; then + rm -fr ${HOSTDIR}/ocsp + fi + mkdir -p ${HOSTDIR}/ocsp + for i in ${ocspFiles}; do + cp $i ${HOSTDIR}/ocsp/$i + + done +fi + +########## +# main +########## + +ParseArgs $* + +Display "" +Display "# ENE = expect no error (validation should succeed)" +Display "# EE = expect error (validation should fail)" +Display "" + +LOGGING=1 +SOCKETTRACE=1 +export LOGGING SOCKETTRACE + +RunTests <<EOF +pkixutil test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil_or test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt +pkixutil_or test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt +pkixutil_or test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt +pkixutil_or test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt +pkixutil_or test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt +EOF + +tracedErrors=$? + +LOGGING=0 +SOCKETTRACE=0 + +RunTests <<EOF +pkixutil test_basicchecker ../../certs +pkixutil test_basicconstraintschecker "Two-Certificates-Chain" ENE ../../certs hy2hy-bc0 hy2hc-bc +pkixutil test_basicconstraintschecker "Three-Certificates-Chain" ENE ../../certs hy2hy-bc0 hy2hy-bc0 hy2hc-bc +pkixutil test_basicconstraintschecker "Four-Certificates-Chain-with-error" EE ../../certs hy2hy-bc0 hy2hy-bc0 hy2hc-bc hy2hc-bc +pkixutil test_validatechain_bc ../../certs/hy2hy-bc0 ../../certs/hy2hc-bc +pkixutil test_policychecker NIST-Test-Files-Used ENE $NIST ../../certs +pkixutil test_defaultcrlchecker2stores NIST-Test.4.4.7-with-multiple-CRL-stores ENE $NIST ${HOSTDIR}/rev_data/multiple_certstores/store1 ${HOSTDIR}/rev_data/multiple_certstores/store2 TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt +pkixutil test_buildchain_resourcelimits ${LDAP} NIST-Test.4.5.1 ENE $NIST ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_customcrlchecker "CRL-test-without-revocation" ENE rev_data/crlchecker sci2sci.crt sci2phy.crt phy2prof.crt prof2test.crt +pkixutil test_customcrlchecker "CRL-test-with-revocation-reasoncode" EE rev_data/crlchecker sci2sci.crt sci2chem.crt chem2prof.crt prof2test.crt +pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0R:testcertificates.gov+R:Test23EE@testcertificates.gov" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt +pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0R:TEST.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt +pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0N:testcertificates.gov+N:testserver.testcertificates.gov" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt +pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0N:notestcertificates.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt +pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0U:.gov+U:http://testserver.testcertificates.gov/index.html" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt +pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0U:test.testcertificates.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt +pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "1D:C=US+D:CN=Certificates,C=US" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt +pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0D:O=TestCertificates,C=CN" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt +pkixutil test_validatechain "CRL-test-without-key-usage-cRLsign-bit-NIST-Test-Files-Used" EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt +pkixutil test_validatechain NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_validatechain NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt +pkixutil test_validatechain NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt +pkixutil test_validatechain NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt +pkixutil test_validatechain NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt +pkixutil test_validatechain NIST-Test.4.1.6 EE $NIST TrustAnchorRootCertificate.crt DSACACert.crt InvalidDSASignatureTest6EE.crt +pkixutil test_validatechain NIST-Test.4.2.1 EE $NIST TrustAnchorRootCertificate.crt BadnotBeforeDateCACert.crt InvalidCAnotBeforeDateTest1EE.crt +pkixutil test_validatechain NIST-Test.4.2.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotBeforeDateTest2EE.crt +pkixutil test_validatechain NIST-Test.4.2.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Validpre2000UTCnotBeforeDateTest3EE.crt +pkixutil test_validatechain NIST-Test.4.2.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotBeforeDateTest4EE.crt +pkixutil test_validatechain NIST-Test.4.2.5 EE $NIST TrustAnchorRootCertificate.crt BadnotAfterDateCACert.crt InvalidCAnotAfterDateTest5EE.crt +pkixutil test_validatechain NIST-Test.4.2.6 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotAfterDateTest6EE.crt +pkixutil test_validatechain NIST-Test.4.2.7 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Invalidpre2000UTCEEnotAfterDateTest7EE.crt +pkixutil test_validatechain NIST-Test.4.2.8 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotAfterDateTest8EE.crt +pkixutil test_validatechain NIST-Test.4.3.1 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidNameChainingTest1EE.crt +pkixutil test_validatechain NIST-Test.4.3.2 EE $NIST TrustAnchorRootCertificate.crt NameOrderingCACert.crt InvalidNameChainingOrderTest2EE.crt +pkixutil test_validatechain NIST-Test.4.3.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest3EE.crt +pkixutil test_validatechain NIST-Test.4.3.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest4EE.crt +pkixutil test_validatechain NIST-Test.4.3.5 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingCapitalizationTest5EE.crt +pkixutil test_validatechain NIST-Test.4.3.6 ENE $NIST TrustAnchorRootCertificate.crt UIDCACert.crt ValidNameUIDsTest6EE.crt +pkixutil test_validatechain NIST-Test.4.3.9 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringEncodedNamesCACert.crt ValidUTF8StringEncodedNamesTest9EE.crt +pkixutil test_validatechain NIST-Test.4.3.10 ENE $NIST TrustAnchorRootCertificate.crt RolloverfromPrintableStringtoUTF8StringCACert.crt ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt +pkixutil test_validatechain NIST-Test.4.3.11 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringCaseInsensitiveMatchCACert.crt ValidUTF8StringCaseInsensitiveMatchTest11EE.crt +pkixutil test_validatechain NIST-Test.4.4.1 EE $NIST TrustAnchorRootCertificate.crt NoCRLCACert.crt InvalidMissingCRLTest1EE.crt +pkixutil test_validatechain NIST-Test.4.4.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt RevokedsubCACert.crt InvalidRevokedCATest2EE.crt +pkixutil test_validatechain NIST-Test.4.4.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidRevokedEETest3EE.crt +pkixutil test_validatechain NIST-Test.4.4.4 EE $NIST TrustAnchorRootCertificate.crt BadCRLSignatureCACert.crt InvalidBadCRLSignatureTest4EE.crt +pkixutil test_validatechain NIST-Test.4.4.5 EE $NIST TrustAnchorRootCertificate.crt BadCRLIssuerNameCACert.crt InvalidBadCRLIssuerNameTest5EE.crt +pkixutil test_validatechain NIST-Test.4.4.6 EE $NIST TrustAnchorRootCertificate.crt WrongCRLCACert.crt InvalidWrongCRLTest6EE.crt +pkixutil test_validatechain NIST-Test.4.4.7 ENE $NIST TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt +pkixutil test_validatechain NIST-Test.4.4.8 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLEntryExtensionCACert.crt InvalidUnknownCRLEntryExtensionTest8EE.crt +pkixutil test_validatechain NIST-Test.4.4.9 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest9EE.crt +pkixutil test_validatechain NIST-Test.4.4.10 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest10EE.crt +pkixutil test_validatechain NIST-Test.4.4.11 EE $NIST TrustAnchorRootCertificate.crt OldCRLnextUpdateCACert.crt InvalidOldCRLnextUpdateTest11EE.crt +pkixutil test_validatechain NIST-Test.4.4.12 EE $NIST TrustAnchorRootCertificate.crt pre2000CRLnextUpdateCACert.crt Invalidpre2000CRLnextUpdateTest12EE.crt +pkixutil test_validatechain NIST-Test.4.4.13 ENE $NIST TrustAnchorRootCertificate.crt GeneralizedTimeCRLnextUpdateCACert.crt ValidGeneralizedTimeCRLnextUpdateTest13EE.crt +pkixutil test_validatechain NIST-Test.4.4.14 ENE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt ValidNegativeSerialNumberTest14EE.crt +pkixutil test_validatechain NIST-Test.4.4.15 EE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt InvalidNegativeSerialNumberTest15EE.crt +pkixutil test_validatechain NIST-Test.4.4.16 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest16EE.crt +pkixutil test_validatechain NIST-Test.4.4.17 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest17EE.crt +pkixutil test_validatechain NIST-Test.4.4.18 EE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt InvalidLongSerialNumberTest18EE.crt +pkixutil test_validatechain NIST-Test.4.4.20 EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt +pkixutil test_validatechain NIST-Test.4.5.1 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt ValidBasicSelfIssuedOldWithNewTest1EE.crt +pkixutil test_validatechain NIST-Test.4.5.2 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt InvalidBasicSelfIssuedOldWithNewTest2EE.crt +pkixutil test_validatechain NIST-Test.4.5.5 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt InvalidBasicSelfIssuedNewWithOldTest5EE.crt +pkixutil test_validatechain NIST-Test.4.5.7 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt +pkixutil test_validatechain NIST-Test.4.5.8 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt +pkixutil test_validatechain_NB "CRL-test-without-key-usage-cRLsign-bit-NIST-Test-Files-Used" EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEESignatureTest3EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.1.6 EE $NIST TrustAnchorRootCertificate.crt DSACACert.crt InvalidDSASignatureTest6EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.1 EE $NIST TrustAnchorRootCertificate.crt BadnotBeforeDateCACert.crt InvalidCAnotBeforeDateTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotBeforeDateTest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Validpre2000UTCnotBeforeDateTest3EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotBeforeDateTest4EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.5 EE $NIST TrustAnchorRootCertificate.crt BadnotAfterDateCACert.crt InvalidCAnotAfterDateTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.6 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotAfterDateTest6EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.7 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Invalidpre2000UTCEEnotAfterDateTest7EE.crt +pkixutil test_validatechain_NB NIST-Test.4.2.8 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotAfterDateTest8EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.1 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidNameChainingTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.2 EE $NIST TrustAnchorRootCertificate.crt NameOrderingCACert.crt InvalidNameChainingOrderTest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest3EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest4EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.5 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingCapitalizationTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.6 ENE $NIST TrustAnchorRootCertificate.crt UIDCACert.crt ValidNameUIDsTest6EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.9 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringEncodedNamesCACert.crt ValidUTF8StringEncodedNamesTest9EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.10 ENE $NIST TrustAnchorRootCertificate.crt RolloverfromPrintableStringtoUTF8StringCACert.crt ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt +pkixutil test_validatechain_NB NIST-Test.4.3.11 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringCaseInsensitiveMatchCACert.crt ValidUTF8StringCaseInsensitiveMatchTest11EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.1 EE $NIST TrustAnchorRootCertificate.crt NoCRLCACert.crt InvalidMissingCRLTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt RevokedsubCACert.crt InvalidRevokedCATest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidRevokedEETest3EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.4 EE $NIST TrustAnchorRootCertificate.crt BadCRLSignatureCACert.crt InvalidBadCRLSignatureTest4EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.5 EE $NIST TrustAnchorRootCertificate.crt BadCRLIssuerNameCACert.crt InvalidBadCRLIssuerNameTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.6 EE $NIST TrustAnchorRootCertificate.crt WrongCRLCACert.crt InvalidWrongCRLTest6EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.7 ENE $NIST TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.8 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLEntryExtensionCACert.crt InvalidUnknownCRLEntryExtensionTest8EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.9 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest9EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.10 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest10EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.11 EE $NIST TrustAnchorRootCertificate.crt OldCRLnextUpdateCACert.crt InvalidOldCRLnextUpdateTest11EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.12 EE $NIST TrustAnchorRootCertificate.crt pre2000CRLnextUpdateCACert.crt Invalidpre2000CRLnextUpdateTest12EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.13 ENE $NIST TrustAnchorRootCertificate.crt GeneralizedTimeCRLnextUpdateCACert.crt ValidGeneralizedTimeCRLnextUpdateTest13EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.14 ENE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt ValidNegativeSerialNumberTest14EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.15 EE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt InvalidNegativeSerialNumberTest15EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.16 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest16EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.17 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest17EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.18 EE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt InvalidLongSerialNumberTest18EE.crt +pkixutil test_validatechain_NB NIST-Test.4.4.20 EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.1 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt ValidBasicSelfIssuedOldWithNewTest1EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.2 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt InvalidBasicSelfIssuedOldWithNewTest2EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.5 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt InvalidBasicSelfIssuedNewWithOldTest5EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.7 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt +pkixutil test_validatechain_NB NIST-Test.4.5.8 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.1 EE $NIST TrustAnchorRootCertificate.crt MissingbasicConstraintsCACert.crt InvalidMissingbasicConstraintsTest1EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.2 EE $NIST TrustAnchorRootCertificate.crt basicConstraintsCriticalcAFalseCACert.crt InvalidcAFalseTest2EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.3 EE $NIST TrustAnchorRootCertificate.crt basicConstraintsNotCriticalcAFalseCACert.crt InvalidcAFalseTest3EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.4 ENE $NIST TrustAnchorRootCertificate.crt basicConstraintsNotCriticalCACert.crt ValidbasicConstraintsNotCriticalTest4EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.5 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0subCACert.crt InvalidpathLenConstraintTest5EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.6 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0subCACert.crt InvalidpathLenConstraintTest6EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.7 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt ValidpathLenConstraintTest7EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.8 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt ValidpathLenConstraintTest8EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.9 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt InvalidpathLenConstraintTest9EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.10 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt InvalidpathLenConstraintTest10EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.11 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subsubsubCA11XCert.crt InvalidpathLenConstraintTest11EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.12 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subsubsubCA11XCert.crt InvalidpathLenConstraintTest12EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.13 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subsubsubCA41XCert.crt ValidpathLenConstraintTest13EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.14 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subsubsubCA41XCert.crt ValidpathLenConstraintTest14EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.15 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0SelfIssuedCACert.crt ValidSelfIssuedpathLenConstraintTest15EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.16 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0subCA2Cert.crt InvalidSelfIssuedpathLenConstraintTest16EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.6.17 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint1CACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedsubCACert.crt ValidSelfIssuedpathLenConstraintTest17EE.crt +pkixutil test_validatechain "NIST-Test.4.7.1" EE $NIST TrustAnchorRootCertificate.crt keyUsageCriticalkeyCertSignFalseCACert.crt InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt +pkixutil test_validatechain "NIST-Test.4.7.2" EE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt +pkixutil test_validatechain "NIST-Test.4.7.3" ENE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalCACert.crt ValidkeyUsageNotCriticalTest3EE.crt +pkixutil test_validatechain "NIST-Test.4.7.4" EE $NIST TrustAnchorRootCertificate.crt keyUsageCriticalcRLSignFalseCACert.crt InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt +pkixutil test_validatechain "NIST-Test.4.7.5" EE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalcRLSignFalseCACert.crt InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.1-1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.1-2 ENE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.1.4 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1:2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt +pkixutil test_policychecker NIST-Test.4.8.2.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt NoPoliciesCACert.crt AllCertificatesNoPoliciesTest2EE.crt +pkixutil test_policychecker NIST-Test.4.8.2.2 EE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt NoPoliciesCACert.crt AllCertificatesNoPoliciesTest2EE.crt +pkixutil test_policychecker NIST-Test.4.8.3.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt +pkixutil test_policychecker NIST-Test.4.8.3.2 EE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt +pkixutil test_policychecker NIST-Test.4.8.3.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1:2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt +pkixutil test_policychecker NIST-Test.4.8.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCACert.crt DifferentPoliciesTest4EE.crt +pkixutil test_policychecker NIST-Test.4.8.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCA2Cert.crt DifferentPoliciesTest5EE.crt +pkixutil test_policychecker NIST-Test.4.8.6.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt +pkixutil test_policychecker NIST-Test.4.8.6.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt +pkixutil test_policychecker NIST-Test.4.8.6.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt +pkixutil test_policychecker NIST-Test.4.8.7 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt PoliciesP123subCAP12Cert.crt PoliciesP123subsubCAP12P1Cert.crt DifferentPoliciesTest7EE.crt +pkixutil test_policychecker NIST-Test.4.8.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt PoliciesP12subCAP1Cert.crt PoliciesP12subsubCAP1P2Cert.crt DifferentPoliciesTest8EE.crt +pkixutil test_policychecker NIST-Test.4.8.9 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt PoliciesP123subCAP12Cert.crt PoliciesP123subsubCAP12P2Cert.crt PoliciesP123subsubsubCAP12P2P1Cert.crt +pkixutil test_policychecker NIST-Test.4.8.10.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt +pkixutil test_policychecker NIST-Test.4.8.10.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt +pkixutil test_policychecker NIST-Test.4.8.10.3 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt +pkixutil test_policychecker NIST-Test.4.8.11.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AllCertificatesanyPolicyTest11EE.crt +pkixutil test_policychecker NIST-Test.4.8.11.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AllCertificatesanyPolicyTest11EE.crt +pkixutil test_policychecker NIST-Test.4.8.12 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP3CACert.crt DifferentPoliciesTest12EE.crt +pkixutil test_policychecker NIST-Test.4.8.13.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt +pkixutil test_policychecker NIST-Test.4.8.13.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt +pkixutil test_policychecker NIST-Test.4.8.13.3 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.3}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt +pkixutil test_policychecker NIST-Test.4.8.14.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AnyPolicyTest14EE.crt +pkixutil test_policychecker NIST-Test.4.8.14.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt anyPolicyCACert.crt AnyPolicyTest14EE.crt +pkixutil test_policychecker NIST-Test.4.8.15.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt UserNoticeQualifierTest15EE.crt +pkixutil test_policychecker NIST-Test.4.8.15.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt UserNoticeQualifierTest15EE.crt +pkixutil test_policychecker NIST-Test.4.8.16.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest16EE.crt +pkixutil test_policychecker NIST-Test.4.8.16.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest16EE.crt +pkixutil test_policychecker NIST-Test.4.8.17 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest17EE.crt +pkixutil test_policychecker NIST-Test.4.8.18.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt UserNoticeQualifierTest18EE.crt +pkixutil test_policychecker NIST-Test.4.8.18.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt UserNoticeQualifierTest18EE.crt +pkixutil test_policychecker NIST-Test.4.8.19 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt UserNoticeQualifierTest19EE.crt +pkixutil test_policychecker NIST-Test.4.8.20 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt CPSPointerQualifierTest20EE.crt +pkixutil test_policychecker NIST-Test.4.9.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy10CACert.crt requireExplicitPolicy10subCACert.crt requireExplicitPolicy10subsubCACert.crt requireExplicitPolicy10subsubsubCACert.crt ValidrequireExplicitPolicyTest1EE.crt +pkixutil test_policychecker NIST-Test.4.9.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy5CACert.crt requireExplicitPolicy5subCACert.crt requireExplicitPolicy5subsubCACert.crt requireExplicitPolicy5subsubsubCACert.crt ValidrequireExplicitPolicyTest2EE.crt +pkixutil test_policychecker NIST-Test.4.9.3 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy4CACert.crt requireExplicitPolicy4subCACert.crt requireExplicitPolicy4subsubCACert.crt requireExplicitPolicy4subsubsubCACert.crt InvalidrequireExplicitPolicyTest3EE.crt +pkixutil test_policychecker NIST-Test.4.9.4 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy0CACert.crt requireExplicitPolicy0subCACert.crt requireExplicitPolicy0subsubCACert.crt requireExplicitPolicy0subsubsubCACert.crt ValidrequireExplicitPolicyTest4EE.crt +pkixutil test_policychecker NIST-Test.4.9.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy7CACert.crt requireExplicitPolicy7subCARE2Cert.crt requireExplicitPolicy7subsubCARE2RE4Cert.crt requireExplicitPolicy7subsubsubCARE2RE4Cert.crt InvalidrequireExplicitPolicyTest5EE.crt +pkixutil test_policychecker NIST-Test.4.9.6 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt ValidSelfIssuedrequireExplicitPolicyTest6EE.crt +pkixutil test_policychecker NIST-Test.4.9.7 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt requireExplicitPolicy2subCACert.crt InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt +pkixutil test_policychecker NIST-Test.4.9.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt requireExplicitPolicy2subCACert.crt requireExplicitPolicy2SelfIssuedsubCACert.crt InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt +pkixutil test_policychecker NIST-Test.4.10.1.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt +pkixutil test_policychecker NIST-Test.4.10.1.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt +pkixutil test_policychecker NIST-Test.4.10.1.3 EE $NIST ../../certs "{2.5.29.32.0}" P TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt +pkixutil test_policychecker NIST-Test.4.10.2.1 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt InvalidPolicyMappingTest2EE.crt +pkixutil test_policychecker NIST-Test.4.10.2.2 EE $NIST ../../certs "{2.5.29.32.0}" P TrustAnchorRootCertificate.crt Mapping1to2CACert.crt InvalidPolicyMappingTest2EE.crt +pkixutil test_policychecker NIST-Test.4.10.3.1 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt ValidPolicyMappingTest3EE.crt +pkixutil test_policychecker NIST-Test.4.10.3.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt ValidPolicyMappingTest3EE.crt +pkixutil test_policychecker NIST-Test.4.10.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt InvalidPolicyMappingTest4EE.crt +pkixutil test_policychecker NIST-Test.4.10.5.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest5EE.crt +pkixutil test_policychecker NIST-Test.4.10.5.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.6}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest5EE.crt +pkixutil test_policychecker NIST-Test.4.10.6.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest6EE.crt +pkixutil test_policychecker NIST-Test.4.10.6.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.6}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest6EE.crt TrustAnchorRootCertificate.crt +pkixutil test_policychecker NIST-Test.4.10.7.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingFromanyPolicyCACert.crt +pkixutil test_policychecker NIST-Test.4.10.7.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingFromanyPolicyCACert.crt InvalidMappingFromanyPolicyTest7EE.crt +pkixutil test_policychecker NIST-Test.4.10.8.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingToanyPolicyCACert.crt +pkixutil test_policychecker NIST-Test.4.10.8.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingToanyPolicyCACert.crt InvalidMappingToanyPolicyTest8EE.crt +pkixutil test_policychecker NIST-Test.4.10.9 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PanyPolicyMapping1to2CACert.crt ValidPolicyMappingTest9EE.crt +pkixutil test_policychecker NIST-Test.4.10.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCAPanyPolicyMapping1to2CACert.crt InvalidPolicyMappingTest10EE.crt +pkixutil test_policychecker NIST-Test.4.10.11 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCAPanyPolicyMapping1to2CACert.crt ValidPolicyMappingTest11EE.crt +pkixutil test_policychecker NIST-Test.4.10.12.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt ValidPolicyMappingTest12EE.crt +pkixutil test_policychecker NIST-Test.4.10.12.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt ValidPolicyMappingTest12EE.crt +pkixutil test_policychecker NIST-Test.4.10.13 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P1anyPolicyMapping1to2CACert.crt ValidPolicyMappingTest13EE.crt +pkixutil test_policychecker NIST-Test.4.10.14 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P1anyPolicyMapping1to2CACert.crt ValidPolicyMappingTest14EE.crt +pkixutil test_policychecker NIST-Test.4.11.1.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping0CACert.crt inhibitPolicyMapping0subCACert.crt +pkixutil test_policychecker NIST-Test.4.11.1.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping0CACert.crt inhibitPolicyMapping0subCACert.crt InvalidinhibitPolicyMappingTest1EE.crt +pkixutil test_policychecker NIST-Test.4.11.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt ValidinhibitPolicyMappingTest2EE.crt +pkixutil test_policychecker NIST-Test.4.11.3 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt inhibitPolicyMapping1P12subsubCACert.crt InvalidinhibitPolicyMappingTest3EE.crt +pkixutil test_policychecker NIST-Test.4.11.4 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt inhibitPolicyMapping1P12subsubCACert.crt ValidinhibitPolicyMappingTest4EE.crt +pkixutil test_policychecker NIST-Test.4.11.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping5CACert.crt inhibitPolicyMapping5subCACert.crt inhibitPolicyMapping5subsubCACert.crt inhibitPolicyMapping5subsubsubCACert.crt InvalidinhibitPolicyMappingTest5EE.crt +pkixutil test_policychecker NIST-Test.4.11.6 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCAIPM5Cert.crt inhibitPolicyMapping1P12subsubCAIPM5Cert.crt InvalidinhibitPolicyMappingTest6EE.crt +pkixutil test_policychecker NIST-Test.4.11.7 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt ValidSelfIssuedinhibitPolicyMappingTest7EE.crt +pkixutil test_policychecker NIST-Test.4.11.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1subsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt +pkixutil test_policychecker NIST-Test.4.11.9 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1subsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt +pkixutil test_policychecker NIST-Test.4.11.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1SelfIssuedsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt +pkixutil test_policychecker NIST-Test.4.11.11 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1SelfIssuedsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt +pkixutil test_policychecker NIST-Test.4.12.1 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy0CACert.crt InvalidinhibitAnyPolicyTest1EE.crt +pkixutil test_policychecker NIST-Test.4.12.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy0CACert.crt ValidinhibitAnyPolicyTest2EE.crt +pkixutil test_policychecker NIST-Test.4.12.3.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt inhibitAnyPolicyTest3EE.crt +pkixutil test_policychecker NIST-Test.4.12.3.2 EE $NIST ../../certs "{2.5.29.32.0}" A TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt inhibitAnyPolicyTest3EE.crt +pkixutil test_policychecker NIST-Test.4.12.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt InvalidinhibitAnyPolicyTest4EE.crt +pkixutil test_policychecker NIST-Test.4.12.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy5CACert.crt inhibitAnyPolicy5subCACert.crt inhibitAnyPolicy5subsubCACert.crt InvalidinhibitAnyPolicyTest5EE.crt +pkixutil test_policychecker NIST-Test.4.12.6 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCAIAP5Cert.crt InvalidinhibitAnyPolicyTest6EE.crt +pkixutil test_policychecker NIST-Test.4.12.7 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt ValidSelfIssuedinhibitAnyPolicyTest7EE.crt +pkixutil test_policychecker NIST-Test.4.12.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt inhibitAnyPolicy1subsubCA2Cert.crt InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt +pkixutil test_policychecker NIST-Test.4.12.9 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt ValidSelfIssuedinhibitAnyPolicyTest9EE.crt +pkixutil test_policychecker NIST-Test.4.12.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.1 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt ValidDNnameConstraintsTest1EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.2 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest2EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.3 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest3EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.4 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt ValidDNnameConstraintsTest4EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.5 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.6 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt ValidDNnameConstraintsTest6EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.7 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt InvalidDNnameConstraintsTest7EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.8 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN4CACert.crt InvalidDNnameConstraintsTest8EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.9 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN4CACert.crt InvalidDNnameConstraintsTest9EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.10 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN5CACert.crt InvalidDNnameConstraintsTest10EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.11 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN5CACert.crt ValidDNnameConstraintsTest11EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.12 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA1Cert.crt InvalidDNnameConstraintsTest12EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.13 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA2Cert.crt InvalidDNnameConstraintsTest13EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.14 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA2Cert.crt ValidDNnameConstraintsTest14EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.15 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA1Cert.crt InvalidDNnameConstraintsTest15EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.16 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA1Cert.crt InvalidDNnameConstraintsTest16EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.17 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA2Cert.crt InvalidDNnameConstraintsTest17EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.18 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA2Cert.crt ValidDNnameConstraintsTest18EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.19 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1SelfIssuedCACert.crt ValidDNnameConstraintsTest19EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.20 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest20EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.21 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA1Cert.crt ValidRFC822nameConstraintsTest21EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.22 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA1Cert.crt InvalidRFC822nameConstraintsTest22EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.23 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.24 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt InvalidRFC822nameConstraintsTest24EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.25 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA3Cert.crt ValidRFC822nameConstraintsTest25EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.26 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA3Cert.crt InvalidRFC822nameConstraintsTest26EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.27 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA3Cert.crt ValidDNandRFC822nameConstraintsTest27EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.28 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA3Cert.crt InvalidDNandRFC822nameConstraintsTest28EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.29 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA3Cert.crt InvalidDNandRFC822nameConstraintsTest29EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.30 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.31 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt InvalidDNSnameConstraintsTest31EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.32 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS2CACert.crt ValidDNSnameConstraintsTest32EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.33 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS2CACert.crt InvalidDNSnameConstraintsTest33EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.34 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.35 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt InvalidURInameConstraintsTest35EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.36 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI2CACert.crt ValidURInameConstraintsTest36EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.37 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI2CACert.crt InvalidURInameConstraintsTest37EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.13.38 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt InvalidDNSnameConstraintsTest38EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.16.1 ENE $NIST TrustAnchorRootCertificate.crt ValidUnknownNotCriticalCertificateExtensionTest1EE.crt +pkixutil test_basicconstraintschecker NIST-Test.4.16.2 EE $NIST TrustAnchorRootCertificate.crt InvalidUnknownCriticalCertificateExtensionTest2EE.crt +pkixutil test_buildchain_uchecker NIST-Test.4.1.1-without-OID ENE - $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain_uchecker NIST-Test.4.1.1-with-OID-without-forwardSupport ENE 2.5.29.19 $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain_uchecker NIST-Test.4.1.1-with-OID-forwardSupport ENE F2.5.29.19 $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.1 ENE $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.2 EE $NIST InvalidCASignatureTest2EE.crt BadSignedCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.3 EE $NIST InvalidEESignatureTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.4 ENE $NIST ValidDSASignaturesTest4EE.crt DSACACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.5 ENE $NIST ValidDSAParameterInheritanceTest5EE.crt DSAParametersInheritedCACert.crt DSACACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.1.6 EE $NIST InvalidDSASignatureTest6EE.crt DSACACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.1 EE $NIST InvalidCAnotBeforeDateTest1EE.crt BadnotBeforeDateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.2 EE $NIST InvalidEEnotBeforeDateTest2EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.3 ENE $NIST Validpre2000UTCnotBeforeDateTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.4 ENE $NIST ValidGeneralizedTimenotBeforeDateTest4EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.5 EE $NIST InvalidCAnotAfterDateTest5EE.crt BadnotAfterDateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.6 EE $NIST InvalidEEnotAfterDateTest6EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.7 EE $NIST Invalidpre2000UTCEEnotAfterDateTest7EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.2.8 ENE $NIST ValidGeneralizedTimenotAfterDateTest8EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.1 EE $NIST InvalidNameChainingTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.2 EE $NIST InvalidNameChainingOrderTest2EE.crt NameOrderingCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.3 ENE $NIST ValidNameChainingWhitespaceTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.4 ENE $NIST ValidNameChainingWhitespaceTest4EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.5 ENE $NIST ValidNameChainingCapitalizationTest5EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.6 ENE $NIST ValidNameUIDsTest6EE.crt UIDCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain - NIST-Test.4.3.7 ENE $NIST ValidRFC3280MandatoryAttributeTypesTest7EE.crt RFC3280MandatoryAttributeTypesCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.9 ENE $NIST ValidUTF8StringEncodedNamesTest9EE.crt UTF8StringEncodedNamesCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.10 ENE $NIST ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt RolloverfromPrintableStringtoUTF8StringCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.3.11 ENE $NIST ValidUTF8StringCaseInsensitiveMatchTest11EE.crt UTF8StringCaseInsensitiveMatchCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.1 EE $NIST InvalidMissingCRLTest1EE.crt NoCRLCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.2 EE $NIST InvalidRevokedCATest2EE.crt RevokedsubCACert.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.3 EE $NIST InvalidRevokedEETest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.4 EE $NIST InvalidBadCRLSignatureTest4EE.crt BadCRLSignatureCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.5 EE $NIST InvalidBadCRLIssuerNameTest5EE.crt BadCRLIssuerNameCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.6 EE $NIST InvalidWrongCRLTest6EE.crt WrongCRLCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.7 ENE $NIST ValidTwoCRLsTest7EE.crt TwoCRLsCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.8 EE $NIST InvalidUnknownCRLEntryExtensionTest8EE.crt UnknownCRLEntryExtensionCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.9 EE $NIST InvalidUnknownCRLExtensionTest9EE.crt UnknownCRLExtensionCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.10 EE $NIST InvalidUnknownCRLExtensionTest10EE.crt UnknownCRLExtensionCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.11 EE $NIST InvalidOldCRLnextUpdateTest11EE.crt OldCRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.12 EE $NIST Invalidpre2000CRLnextUpdateTest12EE.crt pre2000CRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.13 ENE $NIST ValidGeneralizedTimeCRLnextUpdateTest13EE.crt GeneralizedTimeCRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.14 ENE $NIST ValidNegativeSerialNumberTest14EE.crt NegativeSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.15 EE $NIST InvalidNegativeSerialNumberTest15EE.crt NegativeSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.16 ENE $NIST ValidLongSerialNumberTest16EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.17 ENE $NIST ValidLongSerialNumberTest17EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.18 EE $NIST InvalidLongSerialNumberTest18EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.4.20 EE $NIST InvalidSeparateCertificateandCRLKeysTest20EE.crt SeparateCertificateandCRLKeysCRLSigningCert.crt TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.5.1 ENE $NIST ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.5.2 EE $NIST InvalidBasicSelfIssuedOldWithNewTest2EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.1 EE $NIST InvalidMissingbasicConstraintsTest1EE.crt MissingbasicConstraintsCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.2 EE $NIST InvalidcAFalseTest2EE.crt basicConstraintsCriticalcAFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.3 EE $NIST InvalidcAFalseTest3EE.crt basicConstraintsNotCriticalcAFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.4 ENE $NIST ValidbasicConstraintsNotCriticalTest4EE.crt basicConstraintsNotCriticalCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.5 EE $NIST InvalidpathLenConstraintTest5EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.6 EE $NIST InvalidpathLenConstraintTest6EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.7 ENE $NIST ValidpathLenConstraintTest7EE.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.8 ENE $NIST ValidpathLenConstraintTest8EE.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.9 EE $NIST InvalidpathLenConstraintTest9EE.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.10 EE $NIST InvalidpathLenConstraintTest10EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.11 EE $NIST InvalidpathLenConstraintTest11EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.12 EE $NIST InvalidpathLenConstraintTest12EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.13 ENE $NIST ValidpathLenConstraintTest13EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.15 ENE $NIST ValidSelfIssuedpathLenConstraintTest15EE.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.16 EE $NIST InvalidSelfIssuedpathLenConstraintTest16EE.crt pathLenConstraint0subCA2Cert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.6.17 ENE $NIST ValidSelfIssuedpathLenConstraintTest17EE.crt pathLenConstraint1SelfIssuedsubCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.1 EE $NIST InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt keyUsageCriticalkeyCertSignFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.2 EE $NIST InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.3 ENE $NIST ValidkeyUsageNotCriticalTest3EE.crt keyUsageNotCriticalCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.4 EE $NIST InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt keyUsageCriticalcRLSignFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.7.5 EE $NIST InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt keyUsageNotCriticalcRLSignFalseCACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.1 ENE $NIST ValidDNnameConstraintsTest1EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.2 EE $NIST InvalidDNnameConstraintsTest2EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.3 EE $NIST InvalidDNnameConstraintsTest3EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.4 ENE $NIST ValidDNnameConstraintsTest4EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.5 ENE $NIST ValidDNnameConstraintsTest5EE.crt nameConstraintsDN2CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.6 ENE $NIST ValidDNnameConstraintsTest6EE.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.7 EE $NIST InvalidDNnameConstraintsTest7EE.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.8 EE $NIST InvalidDNnameConstraintsTest8EE.crt nameConstraintsDN4CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.9 EE $NIST InvalidDNnameConstraintsTest9EE.crt nameConstraintsDN4CACert.crt nameConstraintsDN4CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.10 EE $NIST InvalidDNnameConstraintsTest10EE.crt nameConstraintsDN5CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.11 ENE $NIST ValidDNnameConstraintsTest11EE.crt nameConstraintsDN5CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.12 EE $NIST InvalidDNnameConstraintsTest12EE.crt nameConstraintsDN1subCA1Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.13 EE $NIST InvalidDNnameConstraintsTest13EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.14 ENE $NIST ValidDNnameConstraintsTest14EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.15 EE $NIST InvalidDNnameConstraintsTest15EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.16 EE $NIST InvalidDNnameConstraintsTest16EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.17 EE $NIST InvalidDNnameConstraintsTest17EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.18 ENE $NIST ValidDNnameConstraintsTest18EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.19 ENE $NIST ValidDNnameConstraintsTest19EE.crt nameConstraintsDN1SelfIssuedCACert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.20 EE $NIST InvalidDNnameConstraintsTest20EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.21 ENE $NIST ValidRFC822nameConstraintsTest21EE.crt nameConstraintsRFC822CA1Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.22 EE $NIST InvalidRFC822nameConstraintsTest22EE.crt nameConstraintsRFC822CA1Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.23 ENE $NIST ValidRFC822nameConstraintsTest23EE.crt nameConstraintsRFC822CA2Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.24 EE $NIST InvalidRFC822nameConstraintsTest24EE.crt nameConstraintsRFC822CA2Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.25 ENE $NIST ValidRFC822nameConstraintsTest25EE.crt nameConstraintsRFC822CA3Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.26 EE $NIST InvalidRFC822nameConstraintsTest26EE.crt nameConstraintsRFC822CA3Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.27 ENE $NIST ValidDNandRFC822nameConstraintsTest27EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.28 EE $NIST InvalidDNandRFC822nameConstraintsTest28EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.29 EE $NIST InvalidDNandRFC822nameConstraintsTest29EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.30 ENE $NIST ValidDNSnameConstraintsTest30EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.31 EE $NIST InvalidDNSnameConstraintsTest31EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.32 ENE $NIST ValidDNSnameConstraintsTest32EE.crt nameConstraintsDNS2CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.33 EE $NIST InvalidDNSnameConstraintsTest33EE.crt nameConstraintsDNS2CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.34 ENE $NIST ValidURInameConstraintsTest34EE.crt nameConstraintsURI1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.35 EE $NIST InvalidURInameConstraintsTest35EE.crt nameConstraintsURI1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.36 ENE $NIST ValidURInameConstraintsTest36EE.crt nameConstraintsURI2CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.37 EE $NIST InvalidURInameConstraintsTest37EE.crt nameConstraintsURI2CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-Test.4.13.38 EE $NIST InvalidDNSnameConstraintsTest38EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt TrustAnchorRootCertificate.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.13.13 EE $NIST InvalidDNnameConstraintsTest13EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain_partialchain ${LDAP} NIST-Test.4.13.27 ENE $NIST ValidDNandRFC822nameConstraintsTest27EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1subCA2Cert.crt TrustAnchorRootCertificate.crt +pkixutil test_buildchain ${LDAP} NIST-PDTest ENE ${NIST_PDTEST} certs/BasicHTTPURIPathDiscoveryTest2EE.crt certs/BasicHTTPURITrustAnchorRootCert.crt +pkixutil test_ocsp -d ${HOSTDIR}/ocsp OCSP-Test ENE ${HOSTDIR}/ocsp anchorcert.crt goodcert.crt +pkixutil test_ocsp -d ${HOSTDIR}/ocsp OCSP-Test EE ${HOSTDIR}/ocsp anchorcert.crt revokedcert.crt +EOF + +totalErrors=$? +totalErrors=`expr ${totalErrors} + ${tracedErrors}` + +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} + +########################################################## +# +# Document NIST tests that are not currently running for builder... +# 4.3.8 4.4.19 4.4.21 +# +# Others +# 4.5.4 4.5.5, 4.5.6, 4.5.7, 4.5.8 +# 4.14.* Distribution Point - functionality not yet implemented +# 4.15.* Delta CRL - not supported +########################################################## +# Following tests are not run because of bugs beyond libpkix: +#pkixutil test_validatechain NIST-Test.4.3.7 ENE $NIST TrustAnchorRootCertificate.crt RFC3280MandatoryAttributeTypesCACert.crt ValidRFC3280MandatoryAttributeTypesTest7EE.crt +# pkixutil test_buildchain NIST-Test.4.3.8 ENE $NIST ValidRFC3280OptionalAttributeTypesTest8EE.crt RFC3280OptionalAttributeTypesCACert.crt TrustAnchorRootCertificate.crt + +# Following tests are not supported by libpkix : separate certificate +# NIST test 4.4.19 and 4.4.21 + +# Following tests are not supported by libpkix : cert dp, cert chain definition +# NIST tests 4.5.4, 4.5.5 +#pkixutil test_buildchain NIST-Test.4.5.7 EE $NIST InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt +#pkixutil test_buildchain NIST-Test.4.5.8 EE $NIST InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt TrustAnchorRootCertificate.crt + + +# Following tests are not supported by libpkix : self-issued, multiple keys, one for cert, one for CRL +#pkixutil test_validatechain NIST-Test.4.5.3 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt ValidBasicSelfIssuedNewWithOldTest3EE.crt +#pkixutil test_defaultcrlchecker NIST-Test.4.5.4 ENE $NIST/../crls $NIST/TrustAnchorRootCertificate.crt $NIST/BasicSelfIssuedOldKeyCACert.crt $NIST/BasicSelfIssuedOldKeyNewWithOldCACert.crt $NIST/ValidBasicSelfIssuedNewWithOldTest4EE.crt +#pkixutil test_defaultcrlchecker NIST-Test.4.5.6 ENE $NIST/../crls $NIST/TrustAnchorRootCertificate.crt $NIST/BasicSelfIssuedCRLSigningKeyCACert.crt $NIST/BasicSelfIssuedCRLSigningKeyCRLCert.crt $NIST/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt + +# Need to recreate certs with BC extension and Key Usage +#pkixutil test_buildchain single_sig ENE build_data/single_path/signature/pass yassir2hanfei.crt greg2yassir.crt jes2greg.crt jes2jes.crt +#pkixutil test_buildchain single-sig EE build_data/single_path/signature/fail yassir2hanfei.crt jes2jes.crt +#pkixutil test_buildchain multi-sig ENE build_data/multi_path/signature/pass yassir2hanfei.crt greg2yassir.crt jes2greg.crt jes2jes.crt +#pkixutil test_buildchain multi-sig EE build_data/multi_path/signature/fail yassir2hanfei.crt greg2yassir.crt yassir2hanfei.crt +#pkixutil test_buildchain backtrack-sig ENE build_data/backtracking/signature yassir2hanfei.crt labs2yassir.crt jes2labs.crt jes2jes.crtn diff --git a/security/nss/tests/libpkix/pkix_tests/top/secmod.db b/security/nss/tests/libpkix/pkix_tests/top/secmod.db Binary files differnew file mode 100644 index 000000000..772583d58 --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/top/secmod.db diff --git a/security/nss/tests/libpkix/pkix_tests/util/runTests.sh b/security/nss/tests/libpkix/pkix_tests/util/runTests.sh new file mode 100755 index 000000000..a413535ef --- /dev/null +++ b/security/nss/tests/libpkix/pkix_tests/util/runTests.sh @@ -0,0 +1,33 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh +# + +curdir=`pwd` +cd ../../common +. ./libpkix_init.sh > /dev/null +cd ${curdir} + +numtests=0 +passed=0 +testunit=UTIL + +########## +# main +########## + +ParseArgs $* + +RunTests <<EOF +pkixutil test_error +pkixutil test_list +pkixutil test_list2 +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " ${testunit}: passed ${passed} of ${numtests} tests" +exit ${totalErrors} diff --git a/security/nss/tests/libpkix/runTests.sh b/security/nss/tests/libpkix/runTests.sh new file mode 100755 index 000000000..190f5de6f --- /dev/null +++ b/security/nss/tests/libpkix/runTests.sh @@ -0,0 +1,87 @@ +#! /bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runTests.sh# +# +# This script enables all tests to be run together. It simply cd's into +# the pkix_tests and pkix_pl_tests directories and runs test scripts +# +# This test is the original of libpkix.sh. While libpkix.sh is invoked by +# all.sh as a /bin/sh script, runTests.sh is a /bin/ksh and provides the +# options of checking memory and using different memory allcation schemes. +# + +errors=0 +pkixErrors=0 +pkixplErrors=0 +checkMemArg="" +arenasArg="" +quietArg="" +memText="" + +### ParseArgs +ParseArgs() # args +{ + while [ $# -gt 0 ]; do + if [ $1 = "-checkmem" ]; then + checkMemArg=$1 + memText=" (Memory Checking Enabled)" + elif [ $1 = "-quiet" ]; then + quietArg=$1 + elif [ $1 = "-arenas" ]; then + arenasArg=$1 + fi + shift + done +} + +ParseArgs $* + +echo "*******************************************************************************" +echo "START OF ALL TESTS${memText}" +echo "*******************************************************************************" +echo "" + +echo "RUNNING tests in pkix_pl_test"; +cd pkix_pl_tests; +runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkixplErrors=$? + +echo "RUNNING tests in pkix_test"; +cd ../pkix_tests; +runTests.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkixErrors=$? + +echo "RUNNING tests in sample_apps (performance)"; +cd ../sample_apps; +runPerf.sh ${arenasArg} ${checkMemArg} ${quietArg} +pkixPerfErrors=$? + +errors=`expr ${pkixplErrors} + ${pkixErrors} + ${pkixPerfErrors}` + +if [ ${errors} -eq 0 ]; then + echo "" + echo "************************************************************" + echo "END OF ALL TESTS: ALL TESTS COMPLETED SUCCESSFULLY" + echo "************************************************************" + exit 0 +fi + +if [ ${errors} -eq 1 ]; then + plural="" +else + plural="S" +fi + +echo "" +echo "************************************************************" +echo "END OF ALL TESTS: ${errors} TEST${plural} FAILED" +echo "************************************************************" +exit 1 + + + + diff --git a/security/nss/tests/libpkix/sample_apps/README b/security/nss/tests/libpkix/sample_apps/README new file mode 100755 index 000000000..012e7bf7e --- /dev/null +++ b/security/nss/tests/libpkix/sample_apps/README @@ -0,0 +1,77 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +This directory contains both sample applications and performance evaluation +applications. + +SAMPLE APPLICATIONS + +Currently, there are two performance applications: libpkix_buildThreads and +nss_threads. And three sample applications: dumpcert, dumpcrl and +validateChain.. + +============================================================================ + +USAGE: dumpcert <certFile> + Parses a certificate located at <certFile> and displays it. + +Source: <root>/tests/sample_apps/dumpcert.c +Binary: <root>/bin/sample_apps/dumpcert + +============================================================================ + +USAGE: dumpcrl <crlFile> + Parses a CRL located at <crlFile> and displays it. + +Source: <root>/tests/sample_apps/dumpcrl.c +Binary: <root>/bin/sample_apps/dumpcrl + +============================================================================ + +USAGE: validateChain <trustedCert> <cert_1> <cert_2> ... <cert_n> + Validates a chain of n certificates using the given trust anchor. + +Source: <root>/tests/sample_apps/validateChain.c +Binary: <root>/bin/sample_apps/validateChain + +============================================================================ + +PERFORMANCE EVALUATION APPLICATIONS + +============================================================================ + +USAGE: libpkix_buildthreads <duration> <threads> <eecertNickname> + + Sets up and runs a PKIX_BuildChain call for the number of seconds + specified by <duration> using the number of threads specified by + <threads>. This application assumes that the NSS certutil application + has already been run to create the NSS databases and that the + various nicknames on the command line have been associated with + certificates in the NSS databases. The NSS databases MUST reside + in the directory where this file is located and MUST be named + "cert8.db", "key3.db", and "secmod.db". There must exist a nickname + in the databases which has been marked as trusted. + +Source: <root>/perf/libpkix_buildthreads/libpkix_buildthreads.c +Binary: <root>/perf/libpkix_buildthreads/*.OBJ/libpkix_buildthreads + +============================================================================ + +USAGE: nssThreads <duration> <threads> <eecertNickname> + + Sets up and runs a CERT_VerifyCertificate call for the number of + seconds specified by <duration> using the number of threads specified + by <threads>. This application assumes that the NSS certutil + application has already been run to create the NSS databases and that + the various nicknames on the command line have been associated with + certificates in the NSS databases. The NSS databases MUST reside + in the directory where this file is located and MUST be named + "cert8.db", "key3.db", and "secmod.db". There must exist a nickname in + the databases which has been marked as trusted. + +Source: <root>/perf/nss_threads/nss_threads.c +Binary: <root>/perf/nss_threads/*.OBJ/nss_threads + +============================================================================ + diff --git a/security/nss/tests/libpkix/sample_apps/cert8.db b/security/nss/tests/libpkix/sample_apps/cert8.db Binary files differnew file mode 100755 index 000000000..b39de42f1 --- /dev/null +++ b/security/nss/tests/libpkix/sample_apps/cert8.db diff --git a/security/nss/tests/libpkix/sample_apps/key3.db b/security/nss/tests/libpkix/sample_apps/key3.db Binary files differnew file mode 100755 index 000000000..9c03916ee --- /dev/null +++ b/security/nss/tests/libpkix/sample_apps/key3.db diff --git a/security/nss/tests/libpkix/sample_apps/runPerf.sh b/security/nss/tests/libpkix/sample_apps/runPerf.sh new file mode 100755 index 000000000..27b55215e --- /dev/null +++ b/security/nss/tests/libpkix/sample_apps/runPerf.sh @@ -0,0 +1,143 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# runPerf.sh +# + +curdir=`pwd` +cd ../common +. ./libpkix_init.sh > /dev/null +cd ${curdir} + +numtests=0 +passed=0 +testunit=PERFORMANCE + +totalErrors=0 +loopErrors=0 + +ParseArgs $* + +testHeadingEcho + +Display "\nRunning executables at ${DIST_BIN}" +Display "Using libraries at ${LD_LIBRARY_PATH}" + + +# Check the performance data ... +perfTest() +{ + + Display "" + Display "*******************************************************************************" + Display "START OF PKIX PERFORMANCE SCENARIOS ${memText}" +Display "*******************************************************************************" + Display "" + + while read perfPgm args; do + numtests=`expr ${numtests} + 1` + Display "Running ${perfPgm} ${args}" + if [ ${checkmem} -eq 1 ]; then + dbx -C -c "runargs $args; check -all ;run;exit" ${DIST_BIN}/${perfPgm} > ${testOut} 2>&1 + else + ${DIST_BIN}/${perfPgm} ${args} > ${testOut} 2>&1 + fi + + # Examine output file to see if test failed and keep track of number + # of failures and names of failed tests. This assumes that the test + # uses our utility library for displaying information + + outputCount=`cat ${testOut} | grep "per second"` + + if [ $? -ne 0 ]; then + errors=`expr ${errors} + 1` + failedpgms="${failedpgms}${perfPgm} ${args}\n" + cat ${testOut} + else + Display ${outputCount} + passed=`expr ${passed} + 1` + fi + + if [ ${checkmem} -eq 1 ]; then + grep "(actual leaks:" ${testOut} > ${testOutMem} 2>&1 + if [ $? -ne 0 ]; then + prematureErrors=`expr ${prematureErrors} + 1` + failedprematurepgms="${failedprematurepgms}${perfPgm} " + Display "...program terminated prematurely (unable to check for memory leak errors) ..." + else + grep "(actual leaks: 1 total size: 4 bytes)" ${testOut} > /dev/null 2>&1 + if [ $? -ne 0 ]; then + memErrors=`expr ${memErrors} + 1` + failedmempgms="${failedmempgms}${perfPgm} " + Display ${testOutMem} + fi + fi + fi + done + return ${errors} +} + + +# If there is race condition bug, may this test catch it... +loopTest() +{ + totalLoop=10 + + Display "" + Display "*******************************************************************************" + Display "START OF TESTS FOR PKIX PERFORMANCE SANITY LOOP (${totalLoop} times)" +Display "*******************************************************************************" + Display "" + + errors=0 + iLoop=0 + perfPgm="${DIST_BIN}/pkixutil libpkix_buildthreads -d . 5 8 ValidCertificatePathTest1EE" + + while [ $iLoop -lt $totalLoop ] + do + iLoop=`expr $iLoop + 1` + numtests=`expr ${numtests} + 1` + + Display "Running ${perfPgm}" + ${perfPgm} > ${testOut} 2>&1 + Display `cat ${testOut} | grep "per second"` + + outputCount=`cat ${testOut} | grep "per second"` + + if [ $? -ne 0 ]; then + errors=`expr ${errors} + 1` + failedpgms="${failedpgms} ${perfPgm}\n" + cat ${testOut} + else + passed=`expr ${passed} + 1` + fi + done + + return ${errors} + +} + +#main +perfTest <<EOF +pkixutil libpkix_buildthreads -d . 5 1 ValidCertificatePathTest1EE +pkixutil libpkix_buildthreads -d . 5 8 ValidCertificatePathTest1EE +pkixutil nss_threads -d . 5 1 ValidCertificatePathTest1EE +pkixutil nss_threads -d . 5 8 ValidCertificatePathTest1EE +EOF + +totalErrors=$? +html_msg ${totalErrors} 0 " performance test: passed ${passed} of ${numtests} tests" + +numtests=0 +passed=0 +loopTest +loopErrors=$? +totalErrors=`expr ${totalErrors} + ${loopErrors}` +html_msg ${totalErrors} 0 " loop test: passed ${passed} of ${numtests} tests" + +testEndingEcho + +exit ${totalErrors} diff --git a/security/nss/tests/libpkix/sample_apps/secmod.db b/security/nss/tests/libpkix/sample_apps/secmod.db Binary files differnew file mode 100755 index 000000000..772583d58 --- /dev/null +++ b/security/nss/tests/libpkix/sample_apps/secmod.db diff --git a/security/nss/tests/libpkix/vfychain_test.lst b/security/nss/tests/libpkix/vfychain_test.lst new file mode 100644 index 000000000..78d6185c3 --- /dev/null +++ b/security/nss/tests/libpkix/vfychain_test.lst @@ -0,0 +1,4 @@ +# Status | Leaf Cert | Policies | Others(undef) +0 TestUser50 undef +0 TestUser51 undef +0 PayPalEE OID.2.16.840.1.114412.1.1 diff --git a/security/nss/tests/lowhash/lowhash.sh b/security/nss/tests/lowhash/lowhash.sh new file mode 100644 index 000000000..6de255be4 --- /dev/null +++ b/security/nss/tests/lowhash/lowhash.sh @@ -0,0 +1,97 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# mozilla/security/nss/tests/lowhash/lowhash.sh +# +# Script to test basic functionallity of the NSSLoHash API +# +# included from +# -------------- +# all.sh +# +# needs to work on all Linux platforms +# +# tests implemented: +# lowash (verify encryption cert - bugzilla bug 119059) +# +# special strings +# --------------- +# +######################################################################## + +errors=0 + +############################## lowhash_init ############################## +# local shell function to initialize this script +######################################################################## +lowhash_init() +{ + SCRIPTNAME=lowhash.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + LOWHASHDIR=../lowhash + mkdir -p ${LOWHASHDIR} + if [ -f /proc/sys/crypto/fips_enabled ]; then + FVAL=`cat /proc/sys/crypto/fips_enabled` + html_head "Lowhash Tests - /proc/sys/crypto/fips_enabled is ${FVAL}" + else + html_head "Lowhash Tests" + fi + cd ${LOWHASHDIR} +} + +############################## lowhash_test ############################## +# local shell function to test basic the NSS Low Hash API both in +# FIPS 140 compliant mode and not +######################################################################## +lowhash_test() +{ + if [ ! -f ${BINDIR}/lowhashtest -a \ + ! -f ${BINDIR}/lowhashtest${PROG_SUFFIX} ]; then + echo "freebl lowhash not supported in this plaform." + else + TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512" + OLD_MODE=`echo ${NSS_FIPS}` + for fips_mode in 0 1; do + echo "lowhashtest with fips mode=${fips_mode}" + export NSS_FIPS=${fips_mode} + for TEST in ${TESTS} + do + echo "lowhashtest ${TEST}" + ${BINDIR}/lowhashtest ${TEST} 2>&1 + RESULT=$? + html_msg ${RESULT} 0 "lowhashtest with fips mode=${fips_mode} for ${TEST}" + done + done + export NSS_FIPS=${OLD_MODE} + fi +} + +############################## lowhash_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +lowhash_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +lowhash_init +lowhash_test +lowhash_cleanup +echo "lowhash.sh done" diff --git a/security/nss/tests/memleak/ignored b/security/nss/tests/memleak/ignored new file mode 100644 index 000000000..60ed0db84 --- /dev/null +++ b/security/nss/tests/memleak/ignored @@ -0,0 +1,58 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +#367374 +**/PR_ErrorInstallTable** +**/_PR_ImplicitInitialization/** +**/_PR_InitCMon/ExpandMonitorCache/** +**/_PR_InitCMon/PR_NewLock/** +**/_PR_InitLinker/** +**/_PR_InitTPD/** +**/_PR_InitZones/pr_FindSymbolInProg/** +**/_PR_UnixInit/PR_NewLock/** +**/_PR_UnixInit/PR_NewMonitor/** + +#367376 +**/_PR_CreateThread/pthread_create@@GLIBC_** +**/_PR_CreateThread/PR_Calloc/** + +#367384 +**/PR_LoadLibraryWithFlags/** +**/pr_LoadLibraryByPathname/** +**/PR_LoadLibrary/** + +#397487 +**/__rpc_getconfip/setnetconfig/** + +#401100 +**/testThreadLockingBehavior/pthread_create@@GLIBC_** +**/findLockInfo/pthread_create@@GLIBC_** + +#430544 +**/PR_CallOnce/InitializeArenas/PR_NewLock/** + +#458905 +**/cert_createObject/nssTrustDomain_AddCertsToCache/add_cert_to_cache/** +**/cert_createObject/nssTrustDomain_AddCertsToCache/nssArena_Create/** + +#459237 +**/PR_FormatTime/strftime/** +**/PR_FormatTime/__strftime_std/** + +#463208 +**/sqlite3UnixFullPathname/_getcwd/** +**/unixFullPathname/_getcwd/** + +#463631 +vfychain/main/PL_CreateOptState/** + +#486298 +selfserv/main/PORT_Strdup_Util** + +#497251 +**/FREEBL_InitStubs/dlopen@@GLIBC_** + +#679524 +**/nss_Init/PR_CallOnce/nss_doLockInit/** + diff --git a/security/nss/tests/memleak/memleak.sh b/security/nss/tests/memleak/memleak.sh new file mode 100755 index 000000000..45e432bee --- /dev/null +++ b/security/nss/tests/memleak/memleak.sh @@ -0,0 +1,915 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/memleak/memleak.sh +# +# Script to test memory leaks in NSS +# +# needs to work on Solaris and Linux platforms, on others just print a message +# that OS is not supported +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################# memleak_init ############################# +# local shell function to initialize this script +######################################################################## +memleak_init() +{ + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + + if [ ! -r ${CERT_LOG_FILE} ]; then + cd ${QADIR}/cert + . ./cert.sh + fi + + SCRIPTNAME="memleak.sh" + if [ -z "${CLEANUP}" ] ; then + CLEANUP="${SCRIPTNAME}" + fi + + OLD_LIBRARY_PATH=${LD_LIBRARY_PATH} + TMP_LIBDIR="${HOSTDIR}/tmp" + TMP_STACKS="${HOSTDIR}/stacks" + TMP_SORTED="${HOSTDIR}/sorted" + TMP_COUNT="${HOSTDIR}/count" + DBXOUT="${HOSTDIR}/dbxout" + DBXERR="${HOSTDIR}/dbxerr" + DBXCMD="${HOSTDIR}/dbxcmd" + + PORT=${PORT:-8443} + + MODE_LIST="NORMAL BYPASS FIPS" + + SERVER_DB="${HOSTDIR}/server_memleak" + CLIENT_DB="${HOSTDIR}/client_memleak" + cp -r ${HOSTDIR}/server ${SERVER_DB} + cp -r ${HOSTDIR}/client ${CLIENT_DB} + + LOGDIR="${HOSTDIR}/memleak_logs" + mkdir -p ${LOGDIR} + + FOUNDLEAKS="${LOGDIR}/foundleaks" + + REQUEST_FILE="${QADIR}/memleak/sslreq.dat" + IGNORED_STACKS="${QADIR}/memleak/ignored" + + gline=`echo ${OBJDIR} | grep "_64_"` + if [ -n "${gline}" ] ; then + BIT_NAME="64" + else + BIT_NAME="32" + fi + + case "${OS_NAME}" in + "SunOS") + DBX=`which dbx` + AWK=nawk + + if [ $? -eq 0 ] ; then + echo "${SCRIPTNAME}: DBX found: ${DBX}" + else + echo "${SCRIPTNAME}: DBX not found, skipping memory leak checking." + exit 0 + fi + + PROC_ARCH=`uname -p` + + if [ "${PROC_ARCH}" = "sparc" ] ; then + if [ "${BIT_NAME}" = "64" ] ; then + FREEBL_DEFAULT="libfreebl_64fpu_3" + FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_64int_3" + else + FREEBL_DEFAULT="libfreebl_32fpu_3" + FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_32int64_3" + fi + else + if [ "${BIT_NAME}" = "64" ] ; then + echo "${SCRIPTNAME}: OS not supported for memory leak checking." + exit 0 + fi + + FREEBL_DEFAULT="libfreebl_3" + FREEBL_LIST="${FREEBL_DEFAULT}" + fi + + RUN_COMMAND_DBG="run_command_dbx" + PARSE_LOGFILE="parse_logfile_dbx" + ;; + "Linux") + VALGRIND=`which valgrind` + AWK=awk + + if [ $? -eq 0 ] ; then + echo "${SCRIPTNAME}: Valgrind found: ${VALGRIND}" + else + echo "${SCRIPTNAME}: Valgrind not found, skipping memory leak checking." + exit 0 + fi + + FREEBL_DEFAULT="libfreebl_3" + FREEBL_LIST="${FREEBL_DEFAULT}" + + RUN_COMMAND_DBG="run_command_valgrind" + PARSE_LOGFILE="parse_logfile_valgrind" + ;; + *) + echo "${SCRIPTNAME}: OS not supported for memory leak checking." + exit 0 + ;; + esac + + if [ "${BUILD_OPT}" = "1" ] ; then + OPT="OPT" + else + OPT="DBG" + fi + + NSS_DISABLE_UNLOAD="1" + export NSS_DISABLE_UNLOAD + + SELFSERV_ATTR="-D -p ${PORT} -d ${SERVER_DB} -n ${HOSTADDR} -e ${HOSTADDR}-ec -w nss -c :C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz -t 5 -V ssl3:tls1.2" + TSTCLNT_ATTR="-p ${PORT} -h ${HOSTADDR} -c j -f -d ${CLIENT_DB} -w nss -o" + STRSCLNT_ATTR="-q -p ${PORT} -d ${CLIENT_DB} -w nss -c 1000 -n TestUser ${HOSTADDR}" + + tbytes=0 + tblocks=0 + truns=0 + + MEMLEAK_DBG=1 + export MEMLEAK_DBG +} + +########################### memleak_cleanup ############################ +# local shell function to clean up after this script +######################################################################## +memleak_cleanup() +{ + unset MEMLEAK_DBG + unset NSS_DISABLE_UNLOAD + + . ${QADIR}/common/cleanup.sh +} + +############################ set_test_mode ############################# +# local shell function to set testing mode for server and for client +######################################################################## +set_test_mode() +{ + if [ "${server_mode}" = "BYPASS" ] ; then + echo "${SCRIPTNAME}: BYPASS is ON" + SERVER_OPTION="-B -s" + CLIENT_OPTION="" + elif [ "${client_mode}" = "BYPASS" ] ; then + echo "${SCRIPTNAME}: BYPASS is ON" + SERVER_OPTION="" + CLIENT_OPTION="-B -s" + else + echo "${SCRIPTNAME}: BYPASS is OFF" + SERVER_OPTION="" + CLIENT_OPTION="" + fi + + if [ "${server_mode}" = "FIPS" ] ; then + ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips true -force + ${BINDIR}/modutil -dbdir ${SERVER_DB} -list + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list + + echo "${SCRIPTNAME}: FIPS is ON" + cipher_list="c d e i j k n v y z" + elif [ "${client_mode}" = "FIPS" ] ; then + + ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${SERVER_DB} -list + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips true -force + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list + + echo "${SCRIPTNAME}: FIPS is ON" + cipher_list="c d e i j k n v y z" + else + ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${SERVER_DB} -list + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list + + echo "${SCRIPTNAME}: FIPS is OFF" + # ciphers l and m removed, see bug 1136095 + cipher_list=":C001 :C002 :C003 :C004 :C005 :C006 :C007 :C008 :C009 :C00A :C010 :C011 :C012 :C013 :C014 c d e f g i j k n v y z" + fi +} + +############################## set_freebl ############################## +# local shell function to set freebl - sets temporary path for libraries +######################################################################## +set_freebl() +{ + if [ "${freebl}" = "${FREEBL_DEFAULT}" ] ; then + LD_LIBRARY_PATH="${OLD_LIBRARY_PATH}" + export LD_LIBRARY_PATH + else + if [ -d "${TMP_LIBDIR}" ] ; then + rm -rf ${TMP_LIBDIR} + fi + + mkdir ${TMP_LIBDIR} + [ $? -ne 0 ] && html_failed "Create temp directory" && return 1 + + cp ${DIST}/${OBJDIR}/lib/*.so ${DIST}/${OBJDIR}/lib/*.chk ${TMP_LIBDIR} + [ $? -ne 0 ] && html_failed "Copy libraries to temp directory" && return 1 + + echo "${SCRIPTNAME}: Using ${freebl} instead of ${FREEBL_DEFAULT}" + + mv ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so.orig + [ $? -ne 0 ] && html_failed "Move ${FREEBL_DEFAULT}.so -> ${FREEBL_DEFAULT}.so.orig" && return 1 + + cp ${TMP_LIBDIR}/${freebl}.so ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so + [ $? -ne 0 ] && html_failed "Copy ${freebl}.so -> ${FREEBL_DEFAULT}.so" && return 1 + + mv ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk.orig + [ $? -ne 0 ] && html_failed "Move ${FREEBL_DEFAULT}.chk -> ${FREEBL_DEFAULT}.chk.orig" && return 1 + + cp ${TMP_LIBDIR}/${freebl}.chk ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk + [ $? -ne 0 ] && html_failed "Copy ${freebl}.chk to temp directory" && return 1 + + echo "ls -l ${TMP_LIBDIR}" + ls -l ${TMP_LIBDIR} + + LD_LIBRARY_PATH="${TMP_LIBDIR}" + export LD_LIBRARY_PATH + fi + + return 0 +} + +############################# clear_freebl ############################# +# local shell function to set default library path and clear temporary +# directory for libraries created by function set_freebl +######################################################################## +clear_freebl() +{ + LD_LIBRARY_PATH="${OLD_LIBRARY_PATH}" + export LD_LIBRARY_PATH + + if [ -d "${TMP_LIBDIR}" ] ; then + rm -rf ${TMP_LIBDIR} + fi +} + +############################ run_command_dbx ########################### +# local shell function to run command under dbx tool +######################################################################## +run_command_dbx() +{ + COMMAND=$1 + shift + ATTR=$* + + COMMAND=`which ${COMMAND}` + + echo "dbxenv follow_fork_mode parent" > ${DBXCMD} + echo "dbxenv rtc_mel_at_exit verbose" >> ${DBXCMD} + echo "dbxenv rtc_biu_at_exit verbose" >> ${DBXCMD} + echo "check -memuse -match 16 -frames 16" >> ${DBXCMD} + echo "run ${ATTR}" >> ${DBXCMD} + + export NSS_DISABLE_ARENA_FREE_LIST=1 + + echo "${SCRIPTNAME}: -------- Running ${COMMAND} under DBX:" + echo "${DBX} ${COMMAND}" + echo "${SCRIPTNAME}: -------- DBX commands:" + cat ${DBXCMD} + + ( ${DBX} ${COMMAND} < ${DBXCMD} > ${DBXOUT} 2> ${DBXERR} ) + grep -v Reading ${DBXOUT} 1>&2 + cat ${DBXERR} + + unset NSS_DISABLE_ARENA_FREE_LIST + + grep "exit code is" ${DBXOUT} + grep "exit code is 0" ${DBXOUT} > /dev/null + return $? +} + +######################### run_command_valgrind ######################### +# local shell function to run command under valgrind tool +######################################################################## +run_command_valgrind() +{ + COMMAND=$1 + shift + ATTR=$* + + export NSS_DISABLE_ARENA_FREE_LIST=1 + + echo "${SCRIPTNAME}: -------- Running ${COMMAND} under Valgrind:" + echo "${VALGRIND} --tool=memcheck --leak-check=yes --show-reachable=yes --partial-loads-ok=yes --leak-resolution=high --num-callers=50 ${COMMAND} ${ATTR}" + echo "Running: ${COMMAND} ${ATTR}" 1>&2 + ${VALGRIND} --tool=memcheck --leak-check=yes --show-reachable=yes --partial-loads-ok=yes --leak-resolution=high --num-callers=50 ${COMMAND} ${ATTR} 1>&2 + ret=$? + echo "==0==" + + unset NSS_DISABLE_ARENA_FREE_LIST + + return $ret +} + +############################# run_selfserv ############################# +# local shell function to start selfserv +######################################################################## +run_selfserv() +{ + echo "PATH=${PATH}" + echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" + echo "${SCRIPTNAME}: -------- Running selfserv:" + echo "selfserv ${SELFSERV_ATTR}" + ${BINDIR}/selfserv ${SELFSERV_ATTR} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Selfserv" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Selfserv produced a returncode of ${ret} - FAILED" + fi +} + +########################### run_selfserv_dbg ########################### +# local shell function to start selfserv under debug tool +######################################################################## +run_selfserv_dbg() +{ + echo "PATH=${PATH}" + echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" + ${RUN_COMMAND_DBG} ${BINDIR}/selfserv ${SERVER_OPTION} ${SELFSERV_ATTR} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Selfserv" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Selfserv produced a returncode of ${ret} - FAILED" + fi +} + +############################# run_strsclnt ############################# +# local shell function to run strsclnt for all ciphers and send stop +# command to selfserv over tstclnt +######################################################################## +run_strsclnt() +{ + for cipher in ${cipher_list}; do + VMIN="ssl3" + VMAX="tls1.2" + case "${cipher}" in + f|g) + # TLS 1.1 disallows export cipher suites. + VMAX="tls1.0" + ;; + esac + ATTR="${STRSCLNT_ATTR} -C ${cipher} -V ${VMIN}:${VMAX}" + echo "${SCRIPTNAME}: -------- Trying cipher ${cipher}:" + echo "strsclnt ${ATTR}" + ${BINDIR}/strsclnt ${ATTR} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Strsclnt with cipher ${cipher}" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Strsclnt produced a returncode of ${ret} - FAILED" + fi + done + + ATTR="${TSTCLNT_ATTR} -V ssl3:tls1.2" + echo "${SCRIPTNAME}: -------- Stopping server:" + echo "tstclnt ${ATTR} < ${REQUEST_FILE}" + ${BINDIR}/tstclnt ${ATTR} < ${REQUEST_FILE} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Tstclnt" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Tstclnt produced a returncode of ${ret} - FAILED" + fi + + sleep 20 + kill $(jobs -p) 2> /dev/null +} + +########################### run_strsclnt_dbg ########################### +# local shell function to run strsclnt under debug tool for all ciphers +# and send stop command to selfserv over tstclnt +######################################################################## +run_strsclnt_dbg() +{ + for cipher in ${cipher_list}; do + VMIN="ssl3" + VMAX="tls1.2" + case "${cipher}" in + f|g) + # TLS 1.1 disallows export cipher suites. + VMAX="tls1.0" + ;; + esac + ATTR="${STRSCLNT_ATTR} -C ${cipher} -V ${VMIN}:${VMAX}" + ${RUN_COMMAND_DBG} ${BINDIR}/strsclnt ${CLIENT_OPTION} ${ATTR} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Strsclnt with cipher ${cipher}" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Strsclnt produced a returncode of ${ret} - FAILED" + fi + done + + ATTR="${TSTCLNT_ATTR} -V ssl3:tls1.2" + echo "${SCRIPTNAME}: -------- Stopping server:" + echo "tstclnt ${ATTR} < ${REQUEST_FILE}" + ${BINDIR}/tstclnt ${ATTR} < ${REQUEST_FILE} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "${LOGNAME}: Tstclnt" + echo "${SCRIPTNAME} ${LOGNAME}: " \ + "Tstclnt produced a returncode of ${ret} - FAILED" + fi + + kill $(jobs -p) 2> /dev/null +} + +stat_clear() +{ + stat_minbytes=9999999 + stat_maxbytes=0 + stat_minblocks=9999999 + stat_maxblocks=0 + stat_bytes=0 + stat_blocks=0 + stat_runs=0 +} + +stat_add() +{ + read hash lbytes bytes_str lblocks blocks_str in_str lruns runs_str \ + minbytes minbytes_str maxbytes maxbytes_str minblocks \ + minblocks_str maxblocks maxblocks_str rest < ${TMP_COUNT} + rm ${TMP_COUNT} + + tbytes=`expr ${tbytes} + ${lbytes}` + tblocks=`expr ${tblocks} + ${lblocks}` + truns=`expr ${truns} + ${lruns}` + + if [ ${stat_minbytes} -gt ${minbytes} ]; then + stat_minbytes=${minbytes} + fi + + if [ ${stat_maxbytes} -lt ${maxbytes} ]; then + stat_maxbytes=${maxbytes} + fi + + if [ ${stat_minblocks} -gt ${minblocks} ]; then + stat_minblocks=${minblocks} + fi + + if [ ${stat_maxblocks} -lt ${maxblocks} ]; then + stat_maxblocks=${maxblocks} + fi + + stat_bytes=`expr ${stat_bytes} + ${lbytes}` + stat_blocks=`expr ${stat_blocks} + ${lblocks}` + stat_runs=`expr ${stat_runs} + ${lruns}` +} + +stat_print() +{ + if [ ${stat_runs} -gt 0 ]; then + stat_avgbytes=`expr "${stat_bytes}" / "${stat_runs}"` + stat_avgblocks=`expr "${stat_blocks}" / "${stat_runs}"` + + echo + echo "$1 statistics:" + echo "Leaked bytes: ${stat_minbytes} min, ${stat_avgbytes} avg, ${stat_maxbytes} max" + echo "Leaked blocks: ${stat_minblocks} min, ${stat_avgblocks} avg, ${stat_maxblocks} max" + echo "Total runs: ${stat_runs}" + echo + fi +} + +########################## run_ciphers_server ########################## +# local shell function to test server part of code (selfserv) +######################################################################## +run_ciphers_server() +{ + html_head "Memory leak checking - server" + + stat_clear + + client_mode="NORMAL" + for server_mode in ${MODE_LIST}; do + set_test_mode + + for freebl in ${FREEBL_LIST}; do + set_freebl || continue + + LOGNAME=server-${BIT_NAME}-${freebl}-${server_mode} + LOGFILE=${LOGDIR}/${LOGNAME}.log + echo "Running ${LOGNAME}" + + ( + run_selfserv_dbg 2>> ${LOGFILE} & + sleep 5 + run_strsclnt + ) + + sleep 20 + clear_freebl + + log_parse + ret=$? + + html_msg ${ret} 0 "${LOGNAME}" "produced a returncode of $ret, expected is 0" + done + done + + stat_print "Selfserv" + + html "</TABLE><BR>" +} + +########################## run_ciphers_client ########################## +# local shell function to test client part of code (strsclnt) +######################################################################## +run_ciphers_client() +{ + html_head "Memory leak checking - client" + + stat_clear + + server_mode="NORMAL" + for client_mode in ${MODE_LIST}; do + set_test_mode + + for freebl in ${FREEBL_LIST}; do + set_freebl || continue + + LOGNAME=client-${BIT_NAME}-${freebl}-${client_mode} + LOGFILE=${LOGDIR}/${LOGNAME}.log + echo "Running ${LOGNAME}" + + ( + run_selfserv & + sleep 5 + run_strsclnt_dbg 2>> ${LOGFILE} + ) + + sleep 20 + clear_freebl + + log_parse + ret=$? + html_msg ${ret} 0 "${LOGNAME}" "produced a returncode of $ret, expected is 0" + done + done + + stat_print "Strsclnt" + + html "</TABLE><BR>" +} + +########################## parse_logfile_dbx ########################### +# local shell function to parse and process logs from dbx +######################################################################## +parse_logfile_dbx() +{ + ${AWK} ' + BEGIN { + in_mel = 0 + mel_line = 0 + bytes = 0 + lbytes = 0 + minbytes = 9999999 + maxbytes = 0 + blocks = 0 + lblocks = 0 + minblocks = 9999999 + maxblocks = 0 + runs = 0 + stack_string = "" + bin_name = "" + } + /Memory Leak \(mel\):/ || + /Possible memory leak -- address in block \(aib\):/ || + /Block in use \(biu\):/ { + in_mel = 1 + stack_string = "" + next + } + in_mel == 1 && /^$/ { + print bin_name stack_string + in_mel = 0 + mel_line = 0 + next + } + in_mel == 1 { + mel_line += 1 + } + /Found leaked block of size/ { + bytes += $6 + blocks += 1 + next + } + /Found .* leaked blocks/ { + bytes += $8 + blocks += $2 + next + } + /Found block of size/ { + bytes += $5 + blocks += 1 + next + } + /Found .* blocks totaling/ { + bytes += $5 + blocks += $2 + next + } + mel_line > 2 { + gsub(/\(\)/, "") + new_line = $2 + stack_string = "/" new_line stack_string + next + } + /^Running: / { + bin_name = $2 + next + } + /execution completed/ { + runs += 1 + lbytes += bytes + minbytes = (minbytes < bytes) ? minbytes : bytes + maxbytes = (maxbytes > bytes) ? maxbytes : bytes + bytes = 0 + lblocks += blocks + minblocks = (minblocks < blocks) ? minblocks : blocks + maxblocks = (maxblocks > blocks) ? maxblocks : blocks + blocks = 0 + next + } + END { + print "# " lbytes " bytes " lblocks " blocks in " runs " runs " \ + minbytes " minbytes " maxbytes " maxbytes " minblocks " minblocks " \ + maxblocks " maxblocks " > "/dev/stderr" + }' 2> ${TMP_COUNT} + + stat_add +} + +######################## parse_logfile_valgrind ######################## +# local shell function to parse and process logs from valgrind +######################################################################## +parse_logfile_valgrind() +{ + ${AWK} ' + BEGIN { + in_mel = 0 + in_sum = 0 + bytes = 0 + lbytes = 0 + minbytes = 9999999 + maxbytes = 0 + blocks = 0 + lblocks = 0 + minblocks = 9999999 + maxblocks = 0 + runs = 0 + stack_string = "" + bin_name = "" + } + !/==[0-9]*==/ { + if ( $1 == "Running:" ) + bin_name = $2 + bin_nf = split(bin_name, bin_fields, "/") + bin_name = bin_fields[bin_nf] + next + } + /blocks are/ { + in_mel = 1 + stack_string = "" + next + } + /LEAK SUMMARY/ { + in_sum = 1 + next + } + /^==[0-9]*== *$/ { + if (in_mel) + print bin_name stack_string + if (in_sum) { + runs += 1 + lbytes += bytes + minbytes = (minbytes < bytes) ? minbytes : bytes + maxbytes = (maxbytes > bytes) ? maxbytes : bytes + bytes = 0 + lblocks += blocks + minblocks = (minblocks < blocks) ? minblocks : blocks + maxblocks = (maxblocks > blocks) ? maxblocks : blocks + blocks = 0 + } + in_sum = 0 + in_mel = 0 + next + } + in_mel == 1 { + new_line = $4 + if ( new_line == "(within") + new_line = "*" + stack_string = "/" new_line stack_string + } + in_sum == 1 { + for (i = 2; i <= NF; i++) { + if ($i == "bytes") { + str = $(i - 1) + gsub(",", "", str) + bytes += str + } + if ($i == "blocks.") { + str = $(i - 1) + gsub(",", "", str) + blocks += str + } + } + } + END { + print "# " lbytes " bytes " lblocks " blocks in " runs " runs " \ + minbytes " minbytes " maxbytes " maxbytes " minblocks " minblocks " \ + maxblocks " maxblocks " > "/dev/stderr" + }' 2> ${TMP_COUNT} + + stat_add +} + +############################# check_ignored ############################ +# local shell function to check all stacks if they are not ignored +######################################################################## +check_ignored() +{ + ${AWK} -F/ ' + BEGIN { + ignore = "'${IGNORED_STACKS}'" + # read in the ignore file + BUGNUM = "" + count = 0 + new = 0 + while ((getline line < ignore) > 0) { + if (line ~ "^#[0-9]+") { + BUGNUM = line + } else if (line ~ "^#") { + continue + } else if (line == "") { + continue + } else { + bugnum_array[count] = BUGNUM + # Create a regular expression for the ignored stack: + # replace * with % so we can later replace them with regular expressions + # without messing up everything (the regular expressions contain *) + gsub("\\*", "%", line) + # replace %% with .* + gsub("%%", ".*", line) + # replace % with [^/]* + gsub("%", "[^/]*", line) + # add ^ at the beginning + # add $ at the end + line_array[count] = "^" line "$" + count++ + } + } + } + { + match_found = 0 + # Look for matching ignored stack + for (i = 0; i < count; i++) { + if ($0 ~ line_array[i]) { + # found a match + match_found = 1 + bug_found = bugnum_array[i] + break + } + } + # Process result + if (match_found == 1 ) { + if (bug_found != "") { + print "IGNORED STACK (" bug_found "): " $0 + } else { + print "IGNORED STACK: " $0 + } + } else { + print "NEW STACK: " $0 + new = 1 + } + } + END { + exit new + }' + ret=$? + return $ret +} + +############################### parse_log ############################## +# local shell function to parse log file +######################################################################## +log_parse() +{ + ${PARSE_LOGFILE} < ${LOGFILE} > ${TMP_STACKS} + echo "${SCRIPTNAME}: Processing log ${LOGNAME}:" > ${TMP_SORTED} + cat ${TMP_STACKS} | sort -u | check_ignored >> ${TMP_SORTED} + ret=$? + echo >> ${TMP_SORTED} + + cat ${TMP_SORTED} | tee -a ${FOUNDLEAKS} + rm ${TMP_STACKS} ${TMP_SORTED} + + return ${ret} +} + +############################## cnt_total ############################### +# local shell function to count total leaked bytes +######################################################################## +cnt_total() +{ + echo "" + echo "TinderboxPrint:${OPT} Lk bytes: ${tbytes}" + echo "TinderboxPrint:${OPT} Lk blocks: ${tblocks}" + echo "TinderboxPrint:${OPT} # of runs: ${truns}" + echo "" +} + +############################### run_ocsp ############################### +# local shell function to run ocsp tests +######################################################################## +run_ocsp() +{ + stat_clear + + cd ${QADIR}/iopr + . ./ocsp_iopr.sh + ocsp_iopr_run + + stat_print "Ocspclnt" +} + +############################## run_chains ############################## +# local shell function to run PKIX certificate chains tests +######################################################################## +run_chains() +{ + stat_clear + + LOGNAME="chains" + LOGFILE=${LOGDIR}/chains.log + + . ${QADIR}/chains/chains.sh + + stat_print "Chains" +} + +############################## run_chains ############################## +# local shell function to run memory leak tests +# +# NSS_MEMLEAK_TESTS - list of tests to run, if not defined before, +# then is redefined to default list +######################################################################## +memleak_run_tests() +{ + nss_memleak_tests="ssl_server ssl_client chains ocsp" + NSS_MEMLEAK_TESTS="${NSS_MEMLEAK_TESTS:-$nss_memleak_tests}" + + for MEMLEAK_TEST in ${NSS_MEMLEAK_TESTS} + do + case "${MEMLEAK_TEST}" in + "ssl_server") + run_ciphers_server + ;; + "ssl_client") + run_ciphers_client + ;; + "chains") + run_chains + ;; + "ocsp") + run_ocsp + ;; + esac + done +} + +################################# main ################################# + +memleak_init +memleak_run_tests +cnt_total +memleak_cleanup + diff --git a/security/nss/tests/memleak/sslreq.dat b/security/nss/tests/memleak/sslreq.dat new file mode 100644 index 000000000..1db703d1a --- /dev/null +++ b/security/nss/tests/memleak/sslreq.dat @@ -0,0 +1,2 @@ +GET /stop HTTP/1.0
+
diff --git a/security/nss/tests/merge/merge.sh b/security/nss/tests/merge/merge.sh new file mode 100755 index 000000000..1929b12c8 --- /dev/null +++ b/security/nss/tests/merge/merge.sh @@ -0,0 +1,277 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/merge/merge.sh +# +# Script to test NSS merge +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## merge_init ############################## +# local shell function to initialize this script +######################################################################## +merge_init() +{ + SCRIPTNAME=merge.sh # sourced - $0 would point to all.sh + HAS_EXPLICIT_DB=0 + if [ ! -z "${NSS_DEFAULT_DB_TYPE}" ]; then + HAS_EXPLICIT_DB=1 + fi + + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ${QADIR}/cert + . ./cert.sh + fi + + if [ ! -d ${HOSTDIR}/SDR ]; then + cd ${QADIR}/sdr + . ./sdr.sh + fi + SCRIPTNAME=merge.sh + + html_head "Merge Tests" + + # need the SSL & SMIME directories from cert.sh + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" + } + grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { + Exit 8 "Fatal - SSL of cert.sh needs to pass first" + } + + #temporary files for SDR tests + VALUE1=$HOSTDIR/tests.v1.$$ + VALUE3=$HOSTDIR/tests.v3.$$ + + # local directories used in this test. + MERGEDIR=${HOSTDIR}/merge + R_MERGEDIR=../merge + D_MERGE="merge.$version" + # SDR not initialized in common/init + P_R_SDR=../SDR + D_SDR="SDR.$version" + mkdir -p ${MERGEDIR} + + PROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + PROFILE="multiaccess:${D_MERGE}" + P_R_SDR="multiaccess:${D_SDR}" + fi + + cd ${MERGEDIR} + + # clear out any existing databases, potentially from a previous run. + rm -f *.db + + # copy alicedir over as a seed database. + cp ${R_ALICEDIR}/* . + # copy the smime text samples + cp ${QADIR}/smime/*.txt . + + # create a set of conflicting names. + CONFLICT1DIR=conflict1 + CONFLICT2DIR=conflict2 + mkdir ${CONFLICT1DIR} + mkdir ${CONFLICT2DIR} + # in the upgrade mode (dbm->sql), make sure our test databases + # are dbm databases. + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then + save=${NSS_DEFAULT_DB_TYPE} + NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE + fi + + certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE} + certutil -N -d ${CONFLICT2DIR} -f ${R_PWFILE} + certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser41.cert -d ${CONFLICT1DIR} + # modify CONFLICTDIR potentially corrupting the database + certutil -A -n "Alice #1" -t C,, -i ${R_CADIR}/TestUser42.cert -d ${CONFLICT1DIR} -f ${R_PWFILE} + certutil -M -n "Alice #1" -t ,, -d ${CONFLICT1DIR} -f ${R_PWFILE} + certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser43.cert -d ${CONFLICT1DIR} + certutil -A -n Alice -t ,, -i ${R_CADIR}/TestUser44.cert -d ${CONFLICT2DIR} + certutil -A -n "Alice #1" -t ,, -i ${R_CADIR}/TestUser45.cert -d ${CONFLICT2DIR} + certutil -A -n "Alice #99" -t ,, -i ${R_CADIR}/TestUser46.cert -d ${CONFLICT2DIR} + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then + NSS_DEFAULT_DB_TYPE=${save}; export NSS_DEFAULT_DB_TYPE + fi + + # + # allow all the tests to run in standalone mode. + # in standalone mode, TEST_MODE is not set. + # if NSS_DEFAULT_DB_TYPE is dbm, then test merge with dbm + # if NSS_DEFAULT_DB_TYPE is sql, then test merge with sql + # if NSS_DEFAULT_DB_TYPE is not set, then test database upgrade merge + # from dbm databases (created above) into a new sql db. + if [ -z "${TEST_MODE}" ] && [ ${HAS_EXPLICIT_DB} -eq 0 ]; then + echo "*** Using Standalone Upgrade DB mode" + NSS_DEFAULT_DB_TYPE=sql; export NSS_DEFAULT_DB_TYPE + echo certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + ${BINDIR}/certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + TEST_MODE=UPGRADE_DB + + fi + +} + +# +# this allows us to run this test for both merge and upgrade-merge cases. +# merge_cmd takes the potential upgrade-id and the rest of the certutil +# arguments. +# +merge_cmd() +{ + MERGE_CMD=--merge + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then + MERGE_CMD="--upgrade-merge --upgrade-token-name OldDB --upgrade-id ${1}" + fi + shift + echo certutil ${MERGE_CMD} $* + ${PROFTOOL} ${BINDIR}/certutil ${MERGE_CMD} $* +} + + +merge_main() +{ + # first create a local sdr key and encrypt some data with it + # This will cause a colision with the SDR key in ../SDR. + echo "$SCRIPTNAME: Creating an SDR key & Encrypt" + echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}" + ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE} + html_msg $? 0 "Creating SDR Key" + + # Now merge in Dave + # Dave's cert is already in alicedir, but his key isn't. This will make + # sure we are updating the keys and CKA_ID's on the certificate properly. + MERGE_ID=dave + echo "$SCRIPTNAME: Merging in Key for Existing user" + merge_cmd dave --source-dir ${P_R_DAVEDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 0 "Merging Dave" + + # Merge in server + # contains a CRL and new user certs + MERGE_ID=server + echo "$SCRIPTNAME: Merging in new user " + merge_cmd server --source-dir ${P_R_SERVERDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 0 "Merging server" + + # Merge in ext_client + # contains a new certificate chain and additional trust flags + MERGE_ID=ext_client + echo "$SCRIPTNAME: Merging in new chain " + merge_cmd ext_client --source-dir ${P_R_EXT_CLIENTDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 0 "Merging ext_client" + + # Merge conflicting nicknames in conflict1dir + # contains several certificates with nicknames that conflict with the target + # database + MERGE_ID=conflict1 + echo "$SCRIPTNAME: Merging in conflicting nicknames 1" + merge_cmd conflict1 --source-dir ${CONFLICT1DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + + html_msg $? 0 "Merging conflicting nicknames 1" + + # Merge conflicting nicknames in conflict2dir + # contains several certificates with nicknames that conflict with the target + # database + MERGE_ID=conflict2 + echo "$SCRIPTNAME: Merging in conflicting nicknames 1" + merge_cmd conflict2 --source-dir ${CONFLICT2DIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 0 "Merging conflicting nicknames 2" + + # Make sure conflicted names were properly sorted out. + echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #4)" + certutil -L -n "Alice #4" -d ${PROFILE} + html_msg $? 0 "Verify nicknames were deconflicted (Alice #4)" + + # Make sure conflicted names were properly sorted out. + echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #100)" + certutil -L -n "Alice #100" -d ${PROFILE} + html_msg $? 0 "Verify nicknames were deconflicted (Alice #100)" + + # Merge in SDR + # contains a secret SDR key + MERGE_ID=SDR + echo "$SCRIPTNAME: Merging in SDR " + merge_cmd sdr --source-dir ${P_R_SDR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE} + html_msg $? 0 "Merging SDR" + + # insert a listing of the database into the log for diagonic purposes + ${BINDIR}/certutil -L -d ${PROFILE} + ${BINDIR}/crlutil -L -d ${PROFILE} + + # Make sure we can decrypt with our original SDR key generated above + echo "$SCRIPTNAME: Decrypt - With Original SDR Key" + echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}" + ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE} + html_msg $? 0 "Decrypt - Value 3" + + # Make sure we can decrypt with our the SDR key merged in from ../SDR + echo "$SCRIPTNAME: Decrypt - With Merged SDR Key" + echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}" + ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE} + html_msg $? 0 "Decrypt - Value 1" + + # Make sure we can sign with merge certificate + echo "$SCRIPTNAME: Signing with merged key ------------------" + echo "cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig" + ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig + html_msg $? 0 "Create Detached Signature Dave" "." + + echo "cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} " + ${PROFTOOL} ${BINDIR}/cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} + html_msg $? 0 "Verifying Dave's Detached Signature" + + # Make sure that trust objects were properly merged + echo "$SCRIPTNAME: verifying merged cert ------------------" + echo "certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}" + ${PROFTOOL} ${BINDIR}/certutil -V -n ExtendedSSLUser -u C -d ${PROFILE} + html_msg $? 0 "Verifying ExtendedSSL User Cert" + + # Make sure that the crl got properly copied in + echo "$SCRIPTNAME: verifying merged crl ------------------" + echo "crlutil -L -n TestCA -d ${PROFILE}" + ${PROFTOOL} ${BINDIR}/crlutil -L -n TestCA -d ${PROFILE} + html_msg $? 0 "Verifying TestCA CRL" + +} + +############################## smime_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +merge_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +merge_init +merge_main +echo "TEST_MODE=${TEST_MODE}" +echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}" +merge_cleanup + + diff --git a/security/nss/tests/mksymlinks b/security/nss/tests/mksymlinks new file mode 100755 index 000000000..aae3386ce --- /dev/null +++ b/security/nss/tests/mksymlinks @@ -0,0 +1,115 @@ +#! /bin/sh + +O_OPTIONS=OFF +. `dirname $0`/header + +if [ $O_DEBUG = ON ] ; then + Debug "NTDIST $NTDIST" + Debug "UXDIST $UXDIST" + Debug "TESTSCRIPTDIR $TESTSCRIPTDIR" +fi + +if [ -d "$NSS_VER_DIR" ] ; then + cd $NSS_VER_DIR +else + glob_usage "cant cd to $NSS_VER_DIR Exiting" +fi + +if [ -d "$NTDIST" ] ; then + cd $NTDIST + if [ ! -h WINNT5.0_DBG.OBJ -a ! -d WINNT5.0_DBG.OBJ ] ; then + ln -s WINNT4.0_DBG.OBJ WINNT5.0_DBG.OBJ + fi + if [ ! -h WINNT5.0_DBG.OBJD -a ! -d WINNT5.0_DBG.OBJD ] ; then + ln -s WINNT4.0_DBG.OBJD WINNT5.0_DBG.OBJD + fi + if [ ! -h WINNT5.0_OPT.OBJ -a ! -d WINNT5.0_OPT.OBJ ] ; then + ln -s WINNT4.0_OPT.OBJ WINNT5.0_OPT.OBJ + fi + if [ ! -h WINNT5.1_DBG.OBJ -a ! -d WINNT5.1_DBG.OBJ ] ; then + ln -s WINNT4.0_DBG.OBJ WINNT5.1_DBG.OBJ + fi + if [ ! -h WINNT5.1_DBG.OBJD -a ! -d WINNT5.1_DBG.OBJD ] ; then + ln -s WINNT4.0_DBG.OBJD WINNT5.1_DBG.OBJD + fi + if [ ! -h WINNT5.1_OPT.OBJ -a ! -d WINNT5.1_OPT.OBJ ] ; then + ln -s WINNT4.0_OPT.OBJ WINNT5.1_OPT.OBJ + fi + + if [ $O_DEBUG = ON ] ; then + tell + fi +else + if [ $O_DEBUG = ON ] ; then + Debug "WARNING!!! cant cd to $NTDIST " + fi +fi + +if [ -d "$UXDIST" ] +then + cd $UXDIST +else + glob_usage "Error!!! cant cd to $UXDIST " +fi + +ErrorFlag=0 + +#if [ ! -h OSF1V5.1_DBG.OBJ -a ! -d OSF1V5.1_DBG.OBJ ] ; then + #ln -s OSF1V4.0D_DBG.OBJ OSF1V5.1_DBG.OBJ || ErrorFlag=1 +#fi +#if [ ! -h OSF1V5.1_OPT.OBJ -a ! -d OSF1V5.1_OPT.OBJ ] ; then + #ln -s OSF1V4.0D_OPT.OBJ OSF1V5.1_OPT.OBJ || ErrorFlag=1 +#fi +#if [ ! -h OSF1V5.0_DBG.OBJ -a ! -d OSF1V5.0_DBG.OBJ ] ; then + #ln -s OSF1V4.0D_DBG.OBJ OSF1V5.0_DBG.OBJ || ErrorFlag=1 +#fi +#if [ ! -h OSF1V5.0_OPT.OBJ -a ! -d OSF1V5.0_OPT.OBJ ] ; then + #ln -s OSF1V4.0D_OPT.OBJ OSF1V5.0_OPT.OBJ || ErrorFlag=1 +#fi +if [ ! -h SunOS5.9_64_DBG.OBJ -a ! -d SunOS5.9_64_DBG.OBJ ] ; then + ln -s SunOS5.8_64_DBG.OBJ SunOS5.9_64_DBG.OBJ || ErrorFlag=1 +fi +if [ ! -h SunOS5.9_64_OPT.OBJ -a ! -d SunOS5.9_64_OPT.OBJ ] ; then + ln -s SunOS5.8_64_OPT.OBJ SunOS5.9_64_OPT.OBJ || ErrorFlag=1 +fi +if [ ! -h SunOS5.9_DBG.OBJ -a ! -d SunOS5.9_DBG.OBJ ] ; then + ln -s SunOS5.8_DBG.OBJ SunOS5.9_DBG.OBJ || ErrorFlag=1 +fi +if [ ! -h SunOS5.9_OPT.OBJ -a ! -d SunOS5.9_OPT.OBJ ] ; then + ln -s SunOS5.8_OPT.OBJ SunOS5.9_OPT.OBJ || ErrorFlag=1 +fi +#sonmi - still leaving the section in there so 3.3 and 3.2 will not break +#since 5.8 is the masterbuild it should never be executed +#additionally: only creat link if the slave build is present, but +#master is not +#if [ ! -h SunOS5.8_DBG.OBJ -a ! -d SunOS5.8_DBG.OBJ ] ; then + #if [ -d SunOS5.6_DBG.OBJ ] ; then + #ln -s SunOS5.6_DBG.OBJ SunOS5.8_DBG.OBJ || ErrorFlag=1 + #fi +#fi +#if [ ! -h SunOS5.8_OPT.OBJ -a ! -d SunOS5.8_OPT.OBJ ] ; then + #if [ -d SunOS5.6_OPT.OBJ ] ; then + #ln -s SunOS5.6_OPT.OBJ SunOS5.8_OPT.OBJ || ErrorFlag=1 + #fi +#fi +#if [ ! -h Linux2.4_x86_glibc_PTH_DBG.OBJ -a ! -d Linux2.4_x86_glibc_PTH_DBG.OBJ] +#then + #ln -s Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.4_x86_glibc_PTH_DBG.OBJ || ErrorFlag=1 +#fi +#if [ ! -h Linux2.4_x86_glibc_PTH_OPT.OBJ -a ! -d Linux2.4_x86_glibc_PTH_OPT.OBJ] +#then + #ln -s Linux2.2_x86_glibc_PTH_OPT.OBJ Linux2.4_x86_glibc_PTH_OPT.OBJ || ErrorFlag=1 +#fi + +if [ ! -h SunOS5.9_i86pc_DBG.OBJ -a ! -d SunOS5.9_i86pc_DBG.OBJ ] ; then + ln -s SunOS5.8_i86pc_DBG.OBJ SunOS5.9_i86pc_DBG.OBJ || ErrorFlag=1 +fi +if [ ! -h SunOS5.9_i86pc_OPT.OBJ -a ! -d SunOS5.9_i86pc_OPT.OBJ ] ; then + ln -s SunOS5.8_i86pc_OPT.OBJ SunOS5.9_i86pc_OPT.OBJ || ErrorFlag=1 +fi + +if [ $O_DEBUG = ON ] ; then + tell +fi + +exit $ErrorFlag #no cleanup here, no tempfiles diff --git a/security/nss/tests/mpi/mpi.sh b/security/nss/tests/mpi/mpi.sh new file mode 100644 index 000000000..5cda51615 --- /dev/null +++ b/security/nss/tests/mpi/mpi.sh @@ -0,0 +1,40 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +mpi_init() +{ + SCRIPTNAME="mpi.sh" + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then + cd ../common + . ./init.sh + fi + SCRIPTNAME="mpi.sh" + html_head "MPI tests" +} + +mpi_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +mpi_init +tests=($(mpi_tests list | awk '{print $1}')) +for test in "${tests[@]}" +do + OUT=$(mpi_tests $test 2>&1) + [ ! -z "$OUT" ] && echo "$OUT" + OUT=`echo $OUT | grep -i 'error\|Assertion failure'` + + if [ -n "$OUT" ] ; then + html_failed "mpi $test test" + else + html_passed "mpi $test test" + fi +done + +mpi_cleanup diff --git a/security/nss/tests/multinit/multinit.sh b/security/nss/tests/multinit/multinit.sh new file mode 100755 index 000000000..6ec605f0e --- /dev/null +++ b/security/nss/tests/multinit/multinit.sh @@ -0,0 +1,158 @@ +#! /bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/multinit/multinit.sh +# +# Script to test NSS multinit +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## multinit_init ############################## +# local shell function to initialize this script +######################################################################## +multinit_init() +{ + SCRIPTNAME=multinit.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=multinit.sh + + html_head "MULTI Tests" + + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" + } + + # set up our directories + MULTINITDIR=${HOSTDIR}/multinit + MULTINITDIR_1=${MULTINITDIR}/dir1 + MULTINITDIR_2=${MULTINITDIR}/dir2 + MULTINITDIR_3=${MULTINITDIR}/dir3 + R_MULINITDIR=../multinit + R_MULTINITDIR_1=${R_MULTINITDIR}/dir1 + R_MULTINITDIR_2=${R_MULTINITDIR}/dir2 + R_MULTINITDIR_3=${R_MULTINITDIR}/dir3 + # first create them all + mkdir -p ${MULTINITDIR} + mkdir -p ${MULTINITDIR_1} + mkdir -p ${MULTINITDIR_2} + mkdir -p ${MULTINITDIR_3} + # now copy them fro alice, bob, and dave + cd ${MULTINITDIR} + cp ${P_R_ALICEDIR}/* ${MULTINITDIR_1}/ + cp ${P_R_BOBDIR}/* ${MULTINITDIR_2}/ + cp ${P_R_DAVEDIR}/* ${MULTINITDIR_3}/ + # finally delete the RootCerts module to keep the certificate noice in the + # summary lines down + echo | modutil -delete RootCerts -dbdir ${MULTINITDIR_1} + echo | modutil -delete RootCerts -dbdir ${MULTINITDIR_2} + echo | modutil -delete RootCerts -dbdir ${MULTINITDIR_3} + MULTINIT_TESTS=${QADIR}/multinit/multinit.txt +} + + +############################## multinit_main ############################## +# local shell function to test basic signed and enveloped messages +# from 1 --> 2" +######################################################################## +multinit_main() +{ + html_head "Multi init interface testing" + exec < ${MULTINIT_TESTS} + while read order commands shutdown_type dirs readonly testname + do + if [ "$order" != "#" ]; then + read tag expected_result + + # handle the case where we expect different results based on + # the database type. + if [ "$tag" != "all" ]; then + read tag2 expected_result2 + if [ "$NSS_DEFAULT_DB_TYPE" == "$tag2" ]; then + expected_result=$expected_result2 + fi + fi + + # convert shutdown type to option flags + shutdown_command=""; + if [ "$shutdown_type" == "old" ]; then + shutdown_command="--oldStype" + fi + + # convert read only to option flags + ro_command=""; + case $readonly in + all) ro_command="--main_readonly --lib1_readonly --lib2_readonly";; + libs) ro_command="--lib1_readonly --lib2_readonly";; + main) ro_command="--main_readonly";; + lib1) ro_command="--lib1_readonly";; + lib2) ro_command="--lib2_readonly";; + none) ;; + *) ;; + esac + + # convert commands to option flags + main_command=`echo $commands | sed -e 's;,.*$;;'` + lib1_command=`echo $commands | sed -e 's;,.*,;+&+;' -e 's;^.*+,;;' -e 's;,+.*$;;'` + lib2_command=`echo $commands | sed -e 's;^.*,;;'` + + # convert db's to option flags + main_db=`echo $dirs | sed -e 's;,.*$;;'` + lib1_db=`echo $dirs | sed -e 's;,.*,;+&+;' -e 's;^.*+,;;' -e 's;,+.*$;;'` + lib2_db=`echo $dirs | sed -e 's;^.*,;;'` + + # show us the command we are executing + echo ${PROFILETOOL} ${BINDIR}/multinit --order $order --main_command $main_command --lib1_command $lib1_command --lib2_command $lib2_command $shutdown_command --main_db $main_db --lib1_db $lib1_db --lib2_db $lib2_db $ro_command --main_token_name "Main" --lib1_token_name "Lib1" --lib2_token_name "Lib2" --verbose --summary + + # execute the command an collect the result. Most of the user + # visible output goes to stderr, so it's not captured by the pipe + actual_result=`${PROFILETOOL} ${BINDIR}/multinit --order $order --main_command $main_command --lib1_command $lib1_command --lib2_command $lib2_command $shutdown_command --main_db $main_db --lib1_db $lib1_db --lib2_db $lib2_db $ro_command --main_token_name "Main" --lib1_token_name "Lib1" --lib2_token_name "Lib2" --verbose --summary | grep "^result=" | sed -e 's;^result=;;'` + + # show what we got and what we expected for diagnostic purposes + echo "actual = |$actual_result|" + echo "expected = |$expected_result|" + test "$actual_result" == "$expected_result" + html_msg $? 0 "$testname" + fi + done +} + +############################## multinit_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +multinit_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +multinit_init +multinit_main +multinit_cleanup diff --git a/security/nss/tests/multinit/multinit.txt b/security/nss/tests/multinit/multinit.txt new file mode 100644 index 000000000..d5296dc0e --- /dev/null +++ b/security/nss/tests/multinit/multinit.txt @@ -0,0 +1,79 @@ +# +# This file defines the tests for multiple initialization of NSS in +# different libraries. +# +# Test description lines control the parameters for the multinit test program. +# +# Init order: Upper case/digits indicate an init call, lower case indicate +# a shutdown call. +# M,m-Main 1,i-lib1, 2,z-lib2 +# Main calls the traditional NSS init calls (simulating the main application) +# lib1 and lib2 call NSS_InitContext(). +# +# All functions call NSS_ShutdownContext unless 'main shutdown type' is set to +# 'old', in which case main will call the traditional NSS_Shutdown(). +# +# Commands: comma separated list of commands to execute. These simulate +# executing commands from either a library or main. In each cycle, multinit +# will do one initialize or shutdown, then execute all the commands +# for any of the libraries or main that is currently initialized. The same +# command is executed in each cycle that it's library is initialized. +# +# Commands are given in order or 'main','lib1','lib2'. Valid commands are: +# none - don't execute any commands for this library (or main). +# list_certs - list all the visible certs in the system. +# list_slots - list all the slots in the system. +# key_slot - list the current default key slot. +# +# Main Shutdown Type - which kind of shutdown does main call. See Init order. +# +# Directories - which directory should each init open. Listed in order of: +# (main init directory),(lib1 init directory),(lib2 init directory). +# +# RO - Which databases to open up read only, valid values are: +# all - main, lib1, and lib2 +# none - open all directories R/W +# libs - lib1 & lib2 +# main, lib1, lib2 - their respective directories only. +# +# Test description lines are followed by their expected summary output. +# output lines are of the form: +# +# tag expected output. +# +# where tag is one of +# all - applies to all database types +# sql - expected output for sql databases +# dbm - expected output for dbm databases +# +# if you do not specify all, you must have one line each for sql and dbm +# +# main +# init main,lib1,lib2 shutdown main,lib1,lib2 Test Case name +# order commands type directories RO +# ------ ------------------------ --- ----------- ----- -------------- + 1M2zmi list_slots,list_certs,none new dir1,dir2,dir3 all Progressive init +all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCCMS<NSS Generic Crypto Services>ttS<Main>ttS<Lib1>ttC<Alice>uuuC<Bob>pupupuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCZS<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCNC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCI + 1M2zmi list_certs,none,none old dir1,dir2,dir3 all Progressive init - oldStyle +all 1MC<Alice>uuuC<Bob>pupupuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2C<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCZC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCNIE0xffffe09a + 12Mizm none,list_certs,none new dir1,dir2,dir3 all Sequenced init +all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2C<Bob>uuuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCMC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCIZN + 12Mizm none,list_certs,none old dir1,dir2,dir3 all Sequenced init - old Style +all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCC2C<Bob>uuuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCMC<Alice>uuuC<Bob>pupupuC<Dave>pupupuC<Eve>pppC<NSS Test CA>CTCCIZN + 1Mi2mz none,list_certs,list_slots new dir1,dir2,dir3 all Overlap shutdown +all 1C<Bob>uuuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCCMC<Alice>uuuC<Bob>pupupuC<Dave>pppC<Eve>pppC<NSS Test CA>CTCCI2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttNS<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttS<Lib1>ttZ + 1Mi2mz none,key_slot,none new dir1,dir2,dir3 all Keyslot test +all 1S<Lib1>ttMS<Main>ttI2NZ + M12miz none,key_slot,none new dir1,dir2,dir3 all Main init first +all M1S<Main>tt2S<Main>ttNS<Main>ttIZ + M12miz key_slot,none,none old dir1,dir2,dir3 all Main init first - old Style +all MS<Main>tt1S<Main>tt2S<Main>ttNIE0xffffe09aZE0xffffe09a + M12miz list_slots,none,none new dir1,dir1,dir2 all Loading the same directory twice +all MS<NSS Generic Crypto Services>ttS<Main>tt1S<NSS Generic Crypto Services>ttS<Main>tt2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>ttNIZ + M12miz list_slots,none,none new dir1,dir1,dir2 libs Loading the same directory twice - r/w then ro +all MS<NSS Generic Crypto Services>ttS<Main>tf1S<NSS Generic Crypto Services>ttS<Main>tf2S<NSS Generic Crypto Services>ttS<Lib2>ttS<Main>tfNIZ + M12miz list_slots,none,none new dir1,dir1,dir2 main Loading the same directory twice - ro then r/w +sql MS<NSS Generic Crypto Services>ttS<Main>tt1S<NSS Generic Crypto Services>ttS<Lib1>tfS<Main>tt2S<NSS Generic Crypto Services>ttS<Lib2>tfS<Lib1>tfS<Main>ttNIZ +dbm MS<NSS Generic Crypto Services>ttS<Main>tt1S<NSS Generic Crypto Services>ttS<Main>tt2S<NSS Generic Crypto Services>ttS<Lib2>tfS<Main>ttNIZ + M12miM1zim key_slot,none,none old dir1,dir2,dir3 all Properly detect shutdown of a closed handle +all MS<Main>tt1S<Main>tt2S<Main>ttNIE0xffffe09aMS<Main>tt1S<Main>ttZE0xffffe09aS<Main>ttIS<Main>ttN diff --git a/security/nss/tests/nssdir b/security/nss/tests/nssdir new file mode 100755 index 000000000..884c299f5 --- /dev/null +++ b/security/nss/tests/nssdir @@ -0,0 +1,28 @@ +if ( "$2" == "" ) then + setenv BUILDDATE `date +%m%d` +else + setenv BUILDDATE $2 +endif + +if ( "$1" == "" ) then + setenv NSSVER tip +else + setenv NSSVER $1 +endif + +if ( ! ${?QAYEAR} ) then + setenv QAYEAR `date +%Y` +else if ( "$QAYEAR" == "" ) then + setenv QAYEAR `date +%Y` + +endif + +setenv NSS_VER_DIR /share/builds/mccrel3/nss/nss$NSSVER +setenv NTDIST ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/blowfish_NT4.0_Win95/mozilla/dist +setenv UXDIST ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/dist +setenv TESTSCRIPTDIR ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/security/nss/tests +setenv RESULTDIR ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/tests_results/security + +cd ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8 +pwd +ls diff --git a/security/nss/tests/nsspath b/security/nss/tests/nsspath new file mode 100755 index 000000000..5d5ececc6 --- /dev/null +++ b/security/nss/tests/nsspath @@ -0,0 +1,12 @@ +#! /bin/tcsh + +set PWD=`pwd` +source /u/sonmi/bin/nssdir $* +set OBJDIR=`(cd mozilla/security/nss/tests/common; gmake objdir_name)` +setenv PATH `perl /u/sonmi/bin/path_uniq -s "${PATH}:${UXDIST}/${OBJDIR}/bin"` +if ( `uname -n` == "iws-perf" ) then + setenv LD_LIBRARY_PATH "${UXDIST}/${OBJDIR}/lib:/opt/nfast/toolkits/pkcs11" +else + setenv LD_LIBRARY_PATH "${UXDIST}/${OBJDIR}/lib" +endif +cd $PWD diff --git a/security/nss/tests/nssqa b/security/nss/tests/nssqa new file mode 100755 index 000000000..441128155 --- /dev/null +++ b/security/nss/tests/nssqa @@ -0,0 +1,286 @@ +#! /bin/sh + +######################################################################## +# +# /u/sonmi/bin/nssqa - /u/svbld/bin/init/nss/nssqa +# +# this script is supposed to automatically run QA for NSS on all required +# Unix and Windows (NT and 2000) platforms +# +# parameters +# ---------- +# nssversion (supported: 30b, 31, tip) +# builddate (default - today) +# +# options +# ------- +# -y answer all questions with y - use at your own risk...ignores warnings +# -s silent (only usefull with -y) +# -h, -? - you guessed right - displays this text +# -d debug +# -f <filename> - write the (error)output to filename +# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.nssqa +# +# 12/1/00 +# took out the (unused) local directory for releasebuild QA on NT +# cleaned up 32 - 64 bit issues +# took hardcoded machinenames out +######################################################################## + +O_OPTIONS=ON # accept options (see above for listing) +WIN_WAIT_FOREVER=ON # first we wait forever for a TESTDIR to appear, than + # we wait forever for the build to finish... + +TBX_EXIT=50 # in case we are running on a tinderbox build, any + # early exit needs to return an error +. `dirname $0`/header # utilities, shellfunctions etc, global to NSS QA + +if [ -z "$O_TBX" -o "$O_TBX" != "ON" ] ; then + is_running ${TMP}/nssqa + # checks if the file exists, if yes Exits, if not + # creates to implement a primitive locking mechanism +fi + +KILL_SELFSERV=OFF # cleanup will also kill the leftover selfserv processes + +################################ check_distdir ######################### +# local shell function to check if the DIST directory exists, if not there +# is no use to continue the test +######################################################################## +check_distdir() +{ + set_objdir + + if [ ! -d "$LOCALDIST_BIN" ] + then + Debug "Dist $DIST" + Warning "$LOCALDIST_BIN (the dist binaries dir) does not exist" + return 1 + fi + + if [ ! -d "$LOCALDIST" -a ! -h "$LOCALDIST" ] + then + Debug "Dist $DIST" + Warning "$LOCALDIST (the dist directory) does not exist" + return 1 + fi + + Debug "LOCALDIST_BIN $LOCALDIST_BIN" + Debug "Dist $DIST" + return 0 +} + +################################ run_all ############################### +# local shell function to start the all.sh after asking user and redirect +# the output apropriately +######################################################################## +run_all() +{ + check_distdir || return 1 + #kill_by_name selfserv + ask "Testing $OBJDIR continue with all.sh" "y" "n" || Exit + + Debug "running all.sh in `pwd`" + if [ $O_SILENT = ON ] + then + if [ $O_DEBUG = ON -a $O_FILE = ON ] + then + all.sh >>$FILENAME 2>>$FILENAME + else + all.sh >/dev/null 2>/dev/null + fi + else + all.sh + fi + Debug "Done with all.sh " + line +} + +all_sh() +{ + echo +} + + +########################### wait_for_build ############################# +# local shell function to wait until the build is finished +######################################################################## +wait_for_build() +{ + if [ $O_WIN = "ON" ] + then + WaitForever ${OSDIR}/SVbuild.InProgress.1 0 + #Wait for the build to finish Windows a lot longer + OS_TARGET=WINNT;export OS_TARGET;Debug "OS_TARGET set to $OS_TARGET" + QA_OS_NAME=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name | \ + sed -e "s/WINNT4.0.*/Windows-NT-4.0/" -e "s/WINNT5.0.*/Windows-2000/"` + Echo "WINDOWS-OS-LINE: $QA_OS_NAME" + else + Wait ${OSDIR}/SVbuild.InProgress.1 0 + #Wait for the build to finish... Unix a few hours + qa_stat_get_sysinfo + Echo "UNIX-OS-LINE: $QA_OS" + fi + find_nt_masterbuild +} + + +########################### map_os ############################# +# local shell function: From the operatingsystem figure out the name of +# the build ; needed to detemine if the build finished, passed and for +# the directory names +######################################################################## +map_os32() +{ + case `uname -s` in + SunOS) + S_REL=`uname -r | sed -e "s/^[^\.]*\.//g"` + if [ `uname -p` = "i386" ] ; then + MAPPED_OS=Solaris8_x86 + elif [ "$S_REL" -lt 8 ] ; then + MAPPED_OS=Solaris2.6 + else + MAPPED_OS=Solaris8_forte6 + fi + ;; + OSF1) + MAPPED_OS=OSF1V4.0 + ;; + Darwin) + MAPPED_OS=Darwin6.5 + ;; + AIX) + MAPPED_OS=AIX4.3 + ;; + Linux) + RH_MR=`cat /etc/redhat-release | sed \ + -e "s/Red Hat Linux release //" -e "s/ .*//g" \ + -e "s/\..*//g"` + + if [ "$RH_MR" = "6" ] ; then + MAPPED_OS=Linux2.2 + else + MAPPED_OS=Linux2.4 + LD_ASSUME_KERNEL="2.2.5" + export LD_ASSUME_KERNEL + fi + ;; + HP-UX) + MAPPED_OS=HPUX11.00 + ;; + *) + if [ "$os_name" = "Windows" ] + then + MAPPED_OS=NT4.0 + else + Exit "Sorry, operating system `uname -s` is not supported yet" + fi + ;; + esac + set_osdir + Debug "Mapped OS to $MAPPED_OS" +} + +############################# nssqa_main ############################### +# local shell function main controlling function of the nss qa +######################################################################## +nssqa_main() +{ + Debug "In function nssqa_main" + + if [ $O_WIN = "OFF" -a "$O_TBX" = "OFF" -a $O_LOCAL = "OFF" ] ; then + if [ ! -h ${NTDIST}/WINNT5.0_DBG.OBJ -o \ + ! -h ${UXDIST}/SunOS5.8_OPT.OBJ -o \ + ! -h ${UXDIST}/OSF1V5.0_DBG.OBJ ] ; then + # determine if all needed symbolic links are present, in case + # we build on one platform and QA on another + # create the symbolic links + #mksymlinks $* || + `dirname $0`/mksymlinks $NSSVER $BUILDDATE || + Warning "Can't make the neccessary symbolic links" + fi + fi + + if [ -d $TESTSCRIPTDIR ] #the directory mozilla/security/nss/tests, + then # where all.sh lives + cd $TESTSCRIPTDIR + else + Exit "cant cd to $TESTSCRIPTDIR Exiting" + fi + + Debug "Testing from `pwd`" + line + Debug "HOST: $HOST, DOMSUF: $DOMSUF" + + if [ "$O_TBX" = "OFF" ] ; then + map_os32 # From the operatingsystem figure out the name of the build + Debug Testing build for $MAPPED_OS in $OSDIR + wait_for_build + fi + run_all + BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT" + run_all + + # now for the 64 bit build! + map_os64 # From the operatingsystem figure out the name of the build + if [ -n "$IS_64" ] ; then #Wait for the 64 bit build to finish... + Debug "This is a $IS_64 platform" + USE_64=1;export USE_64;Debug "Use_64 set to $USE_64" + unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT" + + run_all + BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT" + run_all + elif [ "$O_WIN" = "ON" ] ; then + OS_TARGET=WIN95;export OS_TARGET + Debug "OS_TARGET set to $OS_TARGET" + #Echo "WINDOWS-OS-LINE: $os_name $os_full $OS_TARGET" + unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT" + #if [ "$TEST_LEVEL" = "0" ] ; then + #QA_OS_NAME=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name | \ + #sed -e "s/WINNT4.0.*/Windows-NT-4.0/" -e \ + #"s/WINNT5.0.*/Windows-2000/"` + #Echo "WINDOWS-OS-LINE: $QA_OS_NAME $OS_TARGET" + #fi + run_all + BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT" + run_all + else + Debug "This is a 32 bit platform" + fi +} + +TEST_LEVEL=0 + +while [ $TEST_LEVEL -lt 2 ] ; do + export TEST_LEVEL + unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT" + unset USE_64;export USE_64;Debug "USE_64 $USE_64" + bc $TEST_LEVEL + Debug "About to start nssqa_main" + if [ $O_FILE = ON -a "$O_WIN" != "ON" ] ; then + nssqa_main 2>>$FILENAME + else + nssqa_main + fi + if [ "$O_TBX" = "ON" ] ; then # do not do backward compatibility + TEST_LEVEL=3 # testing on tinderbox + else + TEST_LEVEL=`expr $TEST_LEVEL + 1 ` + fi +done + +if [ "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then +#FIXME - maybe it should be copied back to the networkdrive later (-ln) + if [ -n "${TMPFILES}" ] ; then #caused problems on tinderbox machines + Debug "rm -f ${TMPFILES}" + rm -f $TMPFILES 2>/dev/null + fi + Debug "running qa_stat" + . `dirname $0`/qa_stat +fi + + +qa_stat_get_sysinfo + +Exit "nssqa completed. Done `uname -n` $QA_OS_STRING" diff --git a/security/nss/tests/ocsp/ocsp.sh b/security/nss/tests/ocsp/ocsp.sh new file mode 100644 index 000000000..246e6e3d4 --- /dev/null +++ b/security/nss/tests/ocsp/ocsp.sh @@ -0,0 +1,54 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/ocsp/ocsp.sh +# +# Script to test NSS OCSP +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## ssl_init ################################ +# local shell function to initialize this script +######################################################################## +ocsp_init() +{ + SCRIPTNAME=ocsp.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ -z "${IOPR_OCSP_SOURCED}" ]; then + . ../iopr/ocsp_iopr.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=ocsp.sh + echo "$SCRIPTNAME: OCSP tests ===============================" + + REQF=${QADIR}/ssl/sslreq.dat + + cd ${CLIENTDIR} +} + +################## main ################################################# +ocsp_init +ocsp_iopr_run diff --git a/security/nss/tests/path_uniq b/security/nss/tests/path_uniq new file mode 100755 index 000000000..f29f60a00 --- /dev/null +++ b/security/nss/tests/path_uniq @@ -0,0 +1,107 @@ +#! /bin/perl + +######################################################################## +# +# /u/sonmi/bin/path_uniq +# +# this script makes components of a PATH like string unique cand prints +# it to stdout +# +# parameters +# ---------- +# PATH +# +# options +# ------- +# -d delimiter - default : +# -s shortens the path +# +# usefull enhancements: in the usage part, try to guess what was meant as +# a path and echo it to stdout to not break for PATHs with blanks +# +######################################################################## + +sub usage { + print STDERR "usage $0 [-s] [-d <delimiter>] PATH\n"; + print STDERR " this script makes components of the PATH unique, if you\n"; + print STDERR " pass in a searchpath A:B:C:A:B:E it will print A:B:C:E to\n"; + print STDERR " the stdout\n\n"; + print STDERR " -s will mercylessly cut components from the path, \n"; + print STDERR " use at your own risk\n\n"; + print STDERR " the parameters you gave were: \n"; + for ( $i = 0; $i <= $#ARGV; $i++ ) { + print STDERR " $ARGV[$i]\n"; + } + exit ; +} + + +$i = 0; +$j = 0; +$delimiter = ":"; +$searchpath = ""; +@pathcomponents; +$found=0; +$newpath=""; +$shorten=0; + +for ( $i=0; $i <= $#ARGV; $i++) { + if ( $ARGV[$i] eq '-d' ) { + $delimiter = $ARGV[++$i]; + } elsif ( $ARGV[$i] eq '-s' ) { + $shorten=1; + } else { + $searchpath = $ARGV[$i]; + } +} +if ( $searchpath eq "" ) { + usage; +} +#print STDERR "delimiter $delimiter\n"; +#print STDERR "shorten $shorten\n"; +#print STDERR "searchpath $searchpath\n"; + +@pathcomponents=split($delimiter, $searchpath); + +for ( $i = 0; $i <= $#pathcomponents; $i++ ) { + $found=0; + if ( $shorten == 1 ) { + if ( "\/tools\/ns-arch\/sparc_sun_solaris2\.4\/lib\/sparcworks\/SUNWspro/bin" eq $pathcomponents[$i] || + "\/h\/tortoise\/export\/share\/builds\/tools\/sparc_sun_solaris2\.5\.1\/perl5\.004\/bin" eq $pathcomponents[$i] || + "\/usr\/dist\/local\/exe" eq $pathcomponents[$i] || + "\/opt\/SUNWspro\/bin" eq $pathcomponents[$i] || + "\/opt\/SUNWwabi\/bin" eq $pathcomponents[$i] || + "\/u\/svbld\/bin" eq $pathcomponents[$i] || + "\/usr\/demos" eq $pathcomponents[$i] || + "\/usr\/audio\/bin" eq $pathcomponents[$i] || + "\/usr\/openwin\/demo" eq $pathcomponents[$i] || + "\/tools\/contrib\/bin" eq $pathcomponents[$i] || + "\/usr\/etc\/" eq $pathcomponents[$i] || + "\/usr\/demos\/bin" eq $pathcomponents[$i] ) { + + + #print "dumped: $pathcomponents[$i]\n"; + next; + } + #print "keep: $pathcomponents[$i]\n"; + } + for ( $j = 0; $j < $i; $j++ ) { + if ( $pathcomponents[$j] eq $pathcomponents[$i] ) { + #print "$i and $j match - $pathcomponents[$i] - $pathcomponents[$j]\n"; + $found=1; + last; + } + } + if ( $found == 0 ) { + #print "$pathcomponents[$i]:"; + if ($i == 0) { + $newpath = $pathcomponents[$i]; + } else { + $newpath=join($delimiter, $newpath,$pathcomponents[$i]); + } + } +} +print "$newpath\n"; +exit; + + diff --git a/security/nss/tests/perf/perf.sh b/security/nss/tests/perf/perf.sh new file mode 100755 index 000000000..b398a0e57 --- /dev/null +++ b/security/nss/tests/perf/perf.sh @@ -0,0 +1,61 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/perf/perf.sh +# +# script run from the nightly NSS QA to measure nss performance +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## perf_init ############################## +# local shell function to initialize this script +######################################################################## + +perf_init() +{ + SCRIPTNAME="perf.sh" + if [ -z "${INIT_SOURCED}" ] ; then + cd ../common + . ./init.sh + fi + SCRIPTNAME="perf.sh" + PERFDIR=${HOSTDIR}/perf + mkdir -p ${PERFDIR} +} + +perf_init +cd ${PERFDIR} +RSAPERF_OUT=`${BINDIR}/rsaperf -i 300 -s -n none` +RSAPERF_OUT=`echo $RSAPERF_OUT | sed \ + -e "s/^/RSAPERF: $OBJDIR /" \ + -e 's/microseconds/us/' \ + -e 's/milliseconds/ms/' \ + -e 's/seconds/s/' \ + -e 's/ minutes, and /_min_/'` + +echo "$RSAPERF_OUT" + + + +#FIXME +#export RSAPERF_OUT +# +#perl -e ' + +#@rsaperf=split(/ /, $ENV{RSAPERF_OUT}); + +#echo "${RSAPERF_OUT}" | read IT_NUM T1 T2 TOT_TIM TOT_TIM_U \ + #T3 T4 T5 AVRG_TIM AVRG_TIM_U + +#300 iterations in 8.881 seconds one operation every 29606 microseconds diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db b/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db Binary files differnew file mode 100644 index 000000000..02f36ae28 --- /dev/null +++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db b/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db Binary files differnew file mode 100644 index 000000000..1c015a4a2 --- /dev/null +++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db diff --git a/security/nss/tests/pkits/pkits.sh b/security/nss/tests/pkits/pkits.sh new file mode 100755 index 000000000..ecf007736 --- /dev/null +++ b/security/nss/tests/pkits/pkits.sh @@ -0,0 +1,1988 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/pkits/pkits.sh +# +# Script to test the NIST PKITS tests +# +# needs to work on all Unix and Windows platforms +# +# tests implemented: +# vfychain +# +# special NOTES +# --------------- +# NIST PKITS data needs to be downloaded from +# http://csrc.nist.gov/pki/testing/x509paths.html +# Environment variable PKITS_DATA needs to be set to the directory +# where this data is downloaded, or test data needs to be copied under +# the mozilla source tree in mozilla/PKITS_DATA +######################################################################## + +############################## pkits_init ############################## +# local shell function to initialize this script +######################################################################## +pkits_init() +{ + SCRIPTNAME=pkits.sh + + if [ -z "${CLEANUP}" ] ; then + CLEANUP="${SCRIPTNAME}" + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + + if [ -z "${PKITS_DATA}" ]; then + echo "${SCRIPTNAME}: PKITS data directory not defined, skipping." + exit 0 + fi + + if [ ! -d "${PKITS_DATA}" ]; then + echo "${SCRIPTNAME}: PKITS data directory ${PKITS_DATA} doesn't exist, skipping." + exit 0 + fi + + PKITSDIR=${HOSTDIR}/pkits + + COPYDIR=${PKITSDIR}/copydir + + mkdir -p ${PKITSDIR} + mkdir -p ${COPYDIR} + mkdir -p ${PKITSDIR}/html + + certs=${PKITS_DATA}/certs + crls=${PKITS_DATA}/crls + + cd ${PKITSDIR} + + PKITSdb=${PKITSDIR}/PKITSdb + PKITSbkp=${PKITSDIR}/PKITSbkp + + PKITS_LOG=${PKITSDIR}/pkits.log #getting its own logfile + pkits_log "Start of logfile $PKITS_LOG" + + if [ ! -d "${PKITSdb}" ]; then + mkdir -p ${PKITSdb} + else + pkits_log "$SCRIPTNAME: WARNING - ${PKITSdb} exists" + fi + + if [ ! -d "${PKITSbkp}" ]; then + mkdir -p ${PKITSbkp} + else + pkits_log "$SCRIPTNAME: WARNING - ${PKITSbkp} exists" + fi + + echo "HOSTDIR" $HOSTDIR + echo "PKITSDIR" $PKITSDIR + echo "PKITSdb" $PKITSdb + echo "PKITSbkp" $PKITSbkp + echo "PKITS_DATA" $PKITS_DATA + echo "certs" $certs + echo "crls" $crls + + echo nss > ${PKITSdb}/pw + ${BINDIR}/certutil -N -d ${PKITSdb} -f ${PKITSdb}/pw + + ${BINDIR}/certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \ + $certs/TrustAnchorRootCertificate.crt -d $PKITSdb + if [ -z "$NSS_NO_PKITS_CRLS" ]; then + ${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb} -f ${PKITSdb}/pw + else + html "<H3>NO CRLs are being used.</H3>" + pkits_log "NO CRLs are being used." + fi + + cp ${PKITSdb}/* ${PKITSbkp} + + KNOWN_BUG= +} + +############################### pkits_log ############################## +# write to pkits.log file +######################################################################## +pkits_log() +{ + echo "$SCRIPTNAME $*" + echo $* >> ${PKITS_LOG} +} + +restore_db() +{ + echo "Restore DB" + rm ${PKITSdb}/* + cp ${PKITSbkp}/* ${PKITSdb} +} + +log_banner() +{ + echo "" + echo "--------------------------------------------------------------------" + echo "Test case ${VFY_ACTION}" + echo "" +} + +start_table() +{ + html "<TABLE BORDER=1><TR><TH COLSPAN=3>$*</TH></TR>" + html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" + echo "" + echo "***************************************************************" + echo "$*" + echo "***************************************************************" +} + +break_table() +{ + html "</TABLE><P>" + start_table "$@" +} + +################################ pkits ################################# +# local shell function for positive testcases, calls vfychain, writes +# action and options to stdout, sets variable RET and writes results to +# the html file results +######################################################################## +pkits() +{ + echo "vfychain -d $PKITSdb -u 4 $*" + ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + CNT=`grep -c ERROR ${PKITSDIR}/cmdout.txt` + RET=`expr ${RET} + ${CNT}` + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -ne 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + else + html_passed "${VFY_ACTION}" + pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET" + fi + + return $RET +} + +################################ pkitsn ################################# +# local shell function for negative testcases, calls vfychain, writes +# action and options to stdout, sets variable RET and writes results to +# the html file results +######################################################################## +pkitsn() +{ + echo "vfychain -d $PKITSdb -u 4 $*" + ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + CNT=`grep -c ERROR ${PKITSDIR}/cmdout.txt` + RET=`expr ${RET} + ${CNT}` + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -eq 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + else + html_passed "${VFY_ACTION} ($RET) " + pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET" + fi + return $RET +} + +################################ crlImport ############################# +# local shell function to import a CRL, calls crlutil -I -i, writes +# action and options to stdout +######################################################################## +crlImport() +{ + if [ -z "$NSS_NO_PKITS_CRLS" ]; then + echo "crlutil -d $PKITSdb -I -f ${PKITSdb}/pw -i $crls/$*" + ${BINDIR}/crlutil -d ${PKITSdb} -I -f ${PKITSdb}/pw -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -ne 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + fi + fi +} + +################################ crlImportn ############################# +# local shell function to import an incorrect CRL, calls crlutil -I -i, +# writes action and options to stdout +######################################################################## +crlImportn() +{ + RET=0 + if [ -z "$NSS_NO_PKITS_CRLS" ]; then + echo "crlutil -d $PKITSdb -I -f ${PKITSdb}/pw -i $crls/$*" + ${BINDIR}/crlutil -d ${PKITSdb} -I -f ${PKITSdb}/pw -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -eq 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + else + html_passed "${VFY_ACTION} ($RET) " + pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET" + fi + fi + return $RET +} + +################################ certImport ############################# +# local shell function to import a Cert, calls certutil -A, writes +# action and options to stdout +######################################################################## +certImport() +{ + echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt" + ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -ne 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + fi +} + +################################ certImportn ############################# +# local shell function to import an incorrect Cert, calls certutil -A, +# writes action and options to stdout +######################################################################## +certImportn() +{ + RET=0 + if [ -z "$NSS_NO_PKITS_CRLS" ]; then + echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt" + ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1 + RET=$? + cat ${PKITSDIR}/cmdout.txt + + if [ "$RET" -eq 0 ]; then + html_failed "${VFY_ACTION} ($RET) " + pkits_log "ERROR: ${VFY_ACTION} failed $RET" + else + html_passed "${VFY_ACTION} ($RET) " + pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET" + fi + fi +} + +############################## pkits_tests_bySection ################### +# running the various PKITS tests +######################################################################## +pkits_SignatureVerification() +{ + start_table "NIST PKITS Section 4.1: Signature Verification" + + VFY_ACTION="Valid Signatures Test1"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/ValidCertificatePathTest1EE.crt $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Invalid CA Signature Test2"; log_banner + certImport BadSignedCACert + crlImport BadSignedCACRL.crl + pkitsn $certs/InvalidCASignatureTest2EE.crt \ + $certs/BadSignedCACert.crt + restore_db + + VFY_ACTION="Invalid EE Signature Test3"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/InvalidEESignatureTest3EE.crt $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid DSA Signatures Test4"; log_banner + certImport DSACACert + crlImport DSACACRL.crl + pkits $certs/ValidDSASignaturesTest4EE.crt $certs/DSACACert.crt + restore_db + + # NSS doesn't support DSA parameter inheritance anymore (see bug 671097) + # VFY_ACTION="Valid DSA Parameter Inheritance Test5"; log_banner + # certImport DSACACert + # crlImport DSACACRL.crl + # certImport DSAParametersInheritedCACert + # crlImport DSAParametersInheritedCACRL.crl + # pkits $certs/ValidDSAParameterInheritanceTest5EE.crt \ + # $certs/DSAParametersInheritedCACert.crt \ + # $certs/DSACACert.crt + # restore_db + + VFY_ACTION="Invalid DSA Signature Test6"; log_banner + certImport DSACACert + crlImport DSACACRL.crl + pkitsn $certs/InvalidDSASignatureTest6EE.crt $certs/DSACACert.crt + restore_db +} + +pkits_ValidityPeriods() +{ + break_table "NIST PKITS Section 4.2: Validity Periods" + + VFY_ACTION="Invalid CA notBefore Date Test1"; log_banner + certImport BadnotBeforeDateCACert + crlImportn BadnotBeforeDateCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidCAnotBeforeDateTest1EE.crt \ + $certs/BadnotBeforeDateCACert.crt + fi + restore_db + + VFY_ACTION="Invalid EE notBefore Date Test2"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/InvalidEEnotBeforeDateTest2EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid pre2000 UTC notBefore Date Test3"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/Validpre2000UTCnotBeforeDateTest3EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid GeneralizedTime notBefore Date Test4"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/ValidGeneralizedTimenotBeforeDateTest4EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Invalid CA notAfter Date Test5"; log_banner + certImport BadnotAfterDateCACert + crlImportn BadnotAfterDateCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidCAnotAfterDateTest5EE.crt \ + $certs/BadnotAfterDateCACert.crt + fi + restore_db + + VFY_ACTION="Invalid EE notAfter Date Test6"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/InvalidEEnotAfterDateTest6EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Invalid pre2000 UTC EE notAfter Date Test7"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/Invalidpre2000UTCEEnotAfterDateTest7EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="ValidGeneralizedTime notAfter Date Test8"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/ValidGeneralizedTimenotAfterDateTest8EE.crt \ + $certs/GoodCACert.crt + restore_db +} + +pkits_NameChaining() +{ + break_table "NIST PKITS Section 4.3: Verifying NameChaining" + + VFY_ACTION="Invalid Name Chaining EE Test1"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/InvalidNameChainingTest1EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Invalid Name Chaining Order Test2"; log_banner + certImport NameOrderingCACert + crlImport NameOrderCACRL.crl + pkitsn $certs/InvalidNameChainingOrderTest2EE.crt \ + $certs/NameOrderingCACert.crt + restore_db + +### bug 216123 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Valid Name Chaining Whitespace Test3"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/ValidNameChainingWhitespaceTest3EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid Name Chaining Whitespace Test4"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/ValidNameChainingWhitespaceTest4EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid Name Chaining Capitalization Test5"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/ValidNameChainingCapitalizationTest5EE.crt \ + $certs/GoodCACert.crt + restore_db +fi + + VFY_ACTION="Valid Name Chaining UIDs Test6"; log_banner + certImport UIDCACert + crlImport UIDCACRL.crl + pkits $certs/ValidNameUIDsTest6EE.crt $certs/UIDCACert.crt + restore_db + + VFY_ACTION="Valid RFC3280 Mandatory Attribute Types Test7"; log_banner + certImport RFC3280MandatoryAttributeTypesCACert + crlImport RFC3280MandatoryAttributeTypesCACRL.crl + pkits $certs/ValidRFC3280MandatoryAttributeTypesTest7EE.crt \ + $certs/RFC3280MandatoryAttributeTypesCACert.crt + restore_db + + VFY_ACTION="Valid RFC3280 Optional Attribute Types Test8"; log_banner + certImport RFC3280OptionalAttributeTypesCACert + crlImport RFC3280OptionalAttributeTypesCACRL.crl + pkits $certs/ValidRFC3280OptionalAttributeTypesTest8EE.crt \ + $certs/RFC3280OptionalAttributeTypesCACert.crt + restore_db + + VFY_ACTION="Valid UTF8String Encoded Names Test9"; log_banner + certImport UTF8StringEncodedNamesCACert + crlImport UTF8StringEncodedNamesCACRL.crl + pkits $certs/ValidUTF8StringEncodedNamesTest9EE.crt \ + $certs/UTF8StringEncodedNamesCACert.crt + restore_db + +### bug 216123 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Valid Rollover from PrintableString to UTF8String Test10"; log_banner + certImport RolloverfromPrintableStringtoUTF8StringCACert + crlImport RolloverfromPrintableStringtoUTF8StringCACRL.crl + pkits $certs/ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt \ + $certs/RolloverfromPrintableStringtoUTF8StringCACert.crt + restore_db + + VFY_ACTION="Valid UTF8String case Insensitive Match Test11"; log_banner + certImport UTF8StringCaseInsensitiveMatchCACert + crlImport UTF8StringCaseInsensitiveMatchCACRL.crl + pkits $certs/ValidUTF8StringCaseInsensitiveMatchTest11EE.crt \ + $certs/UTF8StringCaseInsensitiveMatchCACert.crt + restore_db +fi +} + +pkits_BasicCertRevocation() +{ + break_table "NIST PKITS Section 4.4: Basic Certificate Revocation Tests" + +### bug 414556 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Missing CRL Test1"; log_banner + pkitsn $certs/InvalidMissingCRLTest1EE.crt \ + $certs/NoCRLCACert.crt +fi + + VFY_ACTION="Invalid Revoked CA Test2"; log_banner + certImport RevokedsubCACert + crlImport RevokedsubCACRL.crl + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/InvalidRevokedCATest2EE.crt \ + $certs/RevokedsubCACert.crt $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Invalid Revoked EE Test3"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkitsn $certs/InvalidRevokedEETest3EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Invalid Bad CRL Signature Test4"; log_banner + certImport BadCRLSignatureCACert + crlImportn BadCRLSignatureCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidBadCRLSignatureTest4EE.crt \ + $certs/BadCRLSignatureCACert.crt + fi + restore_db + + VFY_ACTION="Invalid Bad CRL Issuer Name Test5"; log_banner + certImport BadCRLIssuerNameCACert + crlImportn BadCRLIssuerNameCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidBadCRLIssuerNameTest5EE.crt \ + $certs/BadCRLIssuerNameCACert.crt + fi + restore_db + +### bug 414556 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Invalid Wrong CRL Test6"; log_banner + certImport WrongCRLCACert + crlImport WrongCRLCACRL.crl + pkitsn $certs/InvalidWrongCRLTest6EE.crt \ + $certs/WrongCRLCACert.crt + restore_db +fi + + VFY_ACTION="Valid Two CRLs Test7"; log_banner + certImport TwoCRLsCACert + crlImport TwoCRLsCAGoodCRL.crl + crlImportn TwoCRLsCABadCRL.crl + pkits $certs/ValidTwoCRLsTest7EE.crt \ + $certs/TwoCRLsCACert.crt + restore_db + + VFY_ACTION="Invalid Unknown CRL Entry Extension Test8"; log_banner + certImport UnknownCRLEntryExtensionCACert + crlImportn UnknownCRLEntryExtensionCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidUnknownCRLEntryExtensionTest8EE.crt \ + $certs/UnknownCRLEntryExtensionCACert.crt + fi + restore_db + + VFY_ACTION="Invalid Unknown CRL Extension Test9"; log_banner + certImport UnknownCRLExtensionCACert + crlImportn UnknownCRLExtensionCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidUnknownCRLExtensionTest9EE.crt \ + $certs/UnknownCRLExtensionCACert.crt + fi + restore_db + + VFY_ACTION="Invalid Unknown CRL Extension Test10"; log_banner + certImport UnknownCRLExtensionCACert + crlImportn UnknownCRLExtensionCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidUnknownCRLExtensionTest10EE.crt \ + $certs/UnknownCRLExtensionCACert.crt + fi + restore_db + +### bug 414563 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Invalid Old CRL nextUpdate Test11"; log_banner + certImport OldCRLnextUpdateCACert + crlImport OldCRLnextUpdateCACRL.crl + pkitsn $certs/InvalidOldCRLnextUpdateTest11EE.crt \ + $certs/OldCRLnextUpdateCACert.crt + restore_db + + VFY_ACTION="Invalid pre2000 CRL nextUpdate Test12"; log_banner + certImport pre2000CRLnextUpdateCACert + crlImport pre2000CRLnextUpdateCACRL.crl + pkitsn $certs/Invalidpre2000CRLnextUpdateTest12EE.crt \ + $certs/pre2000CRLnextUpdateCACert.crt + restore_db +fi + + VFY_ACTION="Valid GeneralizedTime CRL nextUpdate Test13"; log_banner + certImport GeneralizedTimeCRLnextUpdateCACert + crlImport GeneralizedTimeCRLnextUpdateCACRL.crl + pkits $certs/ValidGeneralizedTimeCRLnextUpdateTest13EE.crt \ + $certs/GeneralizedTimeCRLnextUpdateCACert.crt + restore_db + + VFY_ACTION="Valid Negative Serial Number Test14"; log_banner + certImport NegativeSerialNumberCACert + crlImport NegativeSerialNumberCACRL.crl + pkits $certs/ValidNegativeSerialNumberTest14EE.crt \ + $certs/NegativeSerialNumberCACert.crt + restore_db + + VFY_ACTION="Invalid Negative Serial Number Test15"; log_banner + certImport NegativeSerialNumberCACert + crlImport NegativeSerialNumberCACRL.crl + pkitsn $certs/InvalidNegativeSerialNumberTest15EE.crt \ + $certs/NegativeSerialNumberCACert.crt + restore_db + + VFY_ACTION="Valid Long Serial Number Test16"; log_banner + certImport LongSerialNumberCACert + crlImport LongSerialNumberCACRL.crl + pkits $certs/ValidLongSerialNumberTest16EE.crt \ + $certs/LongSerialNumberCACert.crt + restore_db + + VFY_ACTION="Valid Long Serial Number Test17"; log_banner + certImport LongSerialNumberCACert + crlImport LongSerialNumberCACRL.crl + pkits $certs/ValidLongSerialNumberTest17EE.crt \ + $certs/LongSerialNumberCACert.crt + restore_db + + VFY_ACTION="Invalid Long Serial Number Test18"; log_banner + certImport LongSerialNumberCACert + crlImport LongSerialNumberCACRL.crl + pkitsn $certs/InvalidLongSerialNumberTest18EE.crt \ + $certs/LongSerialNumberCACert.crt + restore_db + +### bug 232737 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Valid Separate Certificate and CRL Keys Test19"; log_banner + certImport SeparateCertificateandCRLKeysCertificateSigningCACert + certImport SeparateCertificateandCRLKeysCRLSigningCert + crlImport SeparateCertificateandCRLKeysCRL.crl + pkits $certs/ValidSeparateCertificateandCRLKeysTest19EE.crt \ + $certs/SeparateCertificateandCRLKeysCRLSigningCert.crt + restore_db + + VFY_ACTION="Invalid Separate Certificate and CRL Keys Test20"; log_banner + certImport SeparateCertificateandCRLKeysCertificateSigningCACert + certImport SeparateCertificateandCRLKeysCRLSigningCert + crlImport SeparateCertificateandCRLKeysCRL.crl + pkits $certs/InvalidSeparateCertificateandCRLKeysTest20EE.crt \ + $certs/SeparateCertificateandCRLKeysCRLSigningCert.crt + restore_db + + VFY_ACTION="Invalid Separate Certificate and CRL Keys Test21"; log_banner + certImport SeparateCertificateandCRLKeysCA2CertificateSigningCACert + certImport SeparateCertificateandCRLKeysCA2CRLSigningCert + crlImport SeparateCertificateandCRLKeysCA2CRL.crl + pkits $certs/InvalidSeparateCertificateandCRLKeysTest21EE.crt \ + $certs/SeparateCertificateandCRLKeysCA2CRLSigningCert.crt + restore_db +fi +} + +pkits_PathVerificWithSelfIssuedCerts() +{ + break_table "NIST PKITS Section 4.5: Self-Issued Certificates" + +### bug 232737 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Valid Basic Self-Issued Old With New Test1"; log_banner + certImport BasicSelfIssuedNewKeyCACert + crlImport BasicSelfIssuedNewKeyCACRL.crl + pkits $certs/ValidBasicSelfIssuedOldWithNewTest1EE.crt \ + $certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt \ + $certs/BasicSelfIssuedNewKeyCACert.crt + restore_db + + VFY_ACTION="Invalid Basic Self-Issued Old With New Test2"; log_banner + certImport BasicSelfIssuedNewKeyCACert + crlImport BasicSelfIssuedNewKeyCACRL.crl + pkitsn $certs/InvalidBasicSelfIssuedOldWithNewTest2EE.crt \ + $certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt \ + $certs/BasicSelfIssuedNewKeyCACert.crt + restore_db +fi + +### bugs 321755 & 418769 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Valid Basic Self-Issued New With Old Test3"; log_banner + certImport BasicSelfIssuedOldKeyCACert + crlImport BasicSelfIssuedOldKeyCACRL.crl + pkits $certs/ValidBasicSelfIssuedNewWithOldTest3EE.crt \ + $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \ + $certs/BasicSelfIssuedOldKeyCACert.crt + restore_db + + VFY_ACTION="Valid Basic Self-Issued New With Old Test4"; log_banner + certImport BasicSelfIssuedOldKeyCACert + crlImport BasicSelfIssuedOldKeyCACRL.crl + pkits $certs/ValidBasicSelfIssuedNewWithOldTest4EE.crt \ + $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \ + $certs/BasicSelfIssuedOldKeyCACert.crt + restore_db + + VFY_ACTION="Invalid Basic Self-Issued New With Old Test5"; log_banner + certImport BasicSelfIssuedOldKeyCACert + crlImport BasicSelfIssuedOldKeyCACRL.crl + pkitsn $certs/InvalidBasicSelfIssuedNewWithOldTest5EE.crt \ + $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \ + $certs/BasicSelfIssuedOldKeyCACert.crt + restore_db + + VFY_ACTION="Valid Basic Self-Issued CRL Signing Key Test6"; log_banner + certImport BasicSelfIssuedCRLSigningKeyCACert + crlImport BasicSelfIssuedOldKeyCACRL.crl + pkits $certs/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt \ + $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \ + $certs/BasicSelfIssuedCRLSigningKeyCACert.crt + restore_db + + VFY_ACTION="Invalid Basic Self-Issued CRL Signing Key Test7"; log_banner + certImport BasicSelfIssuedCRLSigningKeyCACert + crlImport BasicSelfIssuedOldKeyCACRL.crl + pkitsn $certs/InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt \ + $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \ + $certs/BasicSelfIssuedCRLSigningKeyCACert.crt + restore_db + + VFY_ACTION="Invalid Basic Self-Issued CRL Signing Key Test8"; log_banner + certImport BasicSelfIssuedCRLSigningKeyCACert + crlImport BasicSelfIssuedOldKeyCACRL.crl + pkitsn $certs/InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt \ + $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \ + $certs/BasicSelfIssuedCRLSigningKeyCACert.crt + restore_db +fi +} + +pkits_BasicConstraints() +{ + break_table "NIST PKITS Section 4.6: Verifying Basic Constraints" + + VFY_ACTION="Invalid Missing basicConstraints Test1"; log_banner + certImport MissingbasicConstraintsCACert + crlImport MissingbasicConstraintsCACRL.crl + pkitsn $certs/InvalidMissingbasicConstraintsTest1EE.crt \ + $certs/MissingbasicConstraintsCACert.crt + restore_db + + VFY_ACTION="Invalid cA False Test2"; log_banner + certImport basicConstraintsCriticalcAFalseCACert + crlImport basicConstraintsCriticalcAFalseCACRL.crl + pkitsn $certs/InvalidcAFalseTest2EE.crt \ + $certs/basicConstraintsCriticalcAFalseCACert.crt + restore_db + + VFY_ACTION="Invalid cA False Test3"; log_banner + certImport basicConstraintsNotCriticalcAFalseCACert + crlImport basicConstraintsNotCriticalcAFalseCACRL.crl + pkitsn $certs/InvalidcAFalseTest3EE.crt \ + $certs/basicConstraintsNotCriticalcAFalseCACert.crt + restore_db + + VFY_ACTION="Valid basicConstraints Not Critical Test4"; log_banner + certImport basicConstraintsNotCriticalCACert + crlImport basicConstraintsNotCriticalCACRL.crl + pkits $certs/ValidbasicConstraintsNotCriticalTest4EE.crt \ + $certs/basicConstraintsNotCriticalCACert.crt + restore_db + + VFY_ACTION="Invalid pathLenConstraint Test5"; log_banner + certImport pathLenConstraint0CACert + crlImport pathLenConstraint0CACRL.crl + certImport pathLenConstraint0subCACert + crlImport pathLenConstraint0subCACRL.crl + pkitsn $certs/InvalidpathLenConstraintTest5EE.crt \ + $certs/pathLenConstraint0subCACert.crt \ + $certs/pathLenConstraint0CACert.crt + restore_db + + VFY_ACTION="Invalid pathLenConstraint Test6"; log_banner + certImport pathLenConstraint0CACert + crlImport pathLenConstraint0CACRL.crl + certImport pathLenConstraint0subCACert + crlImport pathLenConstraint0subCACRL.crl + pkitsn $certs/InvalidpathLenConstraintTest6EE.crt \ + $certs/pathLenConstraint0subCACert.crt \ + $certs/pathLenConstraint0CACert.crt + restore_db + + VFY_ACTION="Valid pathLenConstraint Test7"; log_banner + certImport pathLenConstraint0CACert + crlImport pathLenConstraint0CACRL.crl + pkits $certs/ValidpathLenConstraintTest7EE.crt \ + $certs/pathLenConstraint0CACert.crt + restore_db + + VFY_ACTION="Valid pathLenConstraint test8"; log_banner + certImport pathLenConstraint0CACert + crlImport pathLenConstraint0CACRL.crl + pkits $certs/ValidpathLenConstraintTest8EE.crt \ + $certs/pathLenConstraint0CACert.crt + restore_db + + VFY_ACTION="Invalid pathLenConstraint Test9"; log_banner + certImport pathLenConstraint6CACert + crlImport pathLenConstraint6CACRL.crl + certImport pathLenConstraint6subCA0Cert + crlImport pathLenConstraint6subCA0CRL.crl + certImport pathLenConstraint6subsubCA00Cert + crlImport pathLenConstraint6subsubCA00CRL.crl + pkitsn $certs/InvalidpathLenConstraintTest9EE.crt \ + $certs/pathLenConstraint6subsubCA00Cert.crt \ + $certs/pathLenConstraint6subCA0Cert.crt \ + $certs/pathLenConstraint6CACert.crt + restore_db + + VFY_ACTION="Invalid pathLenConstraint Test10"; log_banner + certImport pathLenConstraint6CACert + crlImport pathLenConstraint6CACRL.crl + certImport pathLenConstraint6subCA0Cert + crlImport pathLenConstraint6subCA0CRL.crl + certImport pathLenConstraint6subsubCA00Cert + crlImport pathLenConstraint6subsubCA00CRL.crl + pkitsn $certs/InvalidpathLenConstraintTest10EE.crt \ + $certs/pathLenConstraint6subsubCA00Cert.crt \ + $certs/pathLenConstraint6subCA0Cert.crt \ + $certs/pathLenConstraint6CACert.crt + restore_db + + VFY_ACTION="Invalid pathLenConstraint Test11"; log_banner + certImport pathLenConstraint6CACert + crlImport pathLenConstraint6CACRL.crl + certImport pathLenConstraint6subCA1Cert + crlImport pathLenConstraint6subCA1CRL.crl + certImport pathLenConstraint6subsubCA11Cert + crlImport pathLenConstraint6subsubCA11CRL.crl + certImport pathLenConstraint6subsubsubCA11XCert + crlImport pathLenConstraint6subsubsubCA11XCRL.crl + pkitsn $certs/InvalidpathLenConstraintTest11EE.crt \ + $certs/pathLenConstraint6subsubsubCA11XCert.crt \ + $certs/pathLenConstraint6subsubCA11Cert.crt \ + $certs/pathLenConstraint6subCA1Cert.crt \ + $certs/pathLenConstraint6CACert.crt + restore_db + + VFY_ACTION="Invalid pathLenConstraint test12"; log_banner + certImport pathLenConstraint6CACert + crlImport pathLenConstraint6CACRL.crl + certImport pathLenConstraint6subCA1Cert + crlImport pathLenConstraint6subCA1CRL.crl + certImport pathLenConstraint6subsubCA11Cert + crlImport pathLenConstraint6subsubCA11CRL.crl + certImport pathLenConstraint6subsubsubCA11XCert + crlImport pathLenConstraint6subsubsubCA11XCRL.crl + pkitsn $certs/InvalidpathLenConstraintTest12EE.crt \ + $certs/pathLenConstraint6subsubsubCA11XCert.crt \ + $certs/pathLenConstraint6subsubCA11Cert.crt \ + $certs/pathLenConstraint6subCA1Cert.crt \ + $certs/pathLenConstraint6CACert.crt + restore_db + + VFY_ACTION="Valid pathLenConstraint Test13"; log_banner + certImport pathLenConstraint6CACert + crlImport pathLenConstraint6CACRL.crl + certImport pathLenConstraint6subCA4Cert + crlImport pathLenConstraint6subCA4CRL.crl + certImport pathLenConstraint6subsubCA41Cert + crlImport pathLenConstraint6subsubCA41CRL.crl + certImport pathLenConstraint6subsubsubCA41XCert + crlImport pathLenConstraint6subsubsubCA41XCRL.crl + pkits $certs/ValidpathLenConstraintTest13EE.crt \ + $certs/pathLenConstraint6subsubsubCA41XCert.crt \ + $certs/pathLenConstraint6subsubCA41Cert.crt \ + $certs/pathLenConstraint6subCA4Cert.crt \ + $certs/pathLenConstraint6CACert.crt + restore_db + + VFY_ACTION="Valid pathLenConstraint Test14"; log_banner + certImport pathLenConstraint6CACert + crlImport pathLenConstraint6CACRL.crl + certImport pathLenConstraint6subCA4Cert + crlImport pathLenConstraint6subCA4CRL.crl + certImport pathLenConstraint6subsubCA41Cert + crlImport pathLenConstraint6subsubCA41CRL.crl + certImport pathLenConstraint6subsubsubCA41XCert + crlImport pathLenConstraint6subsubsubCA41XCRL.crl + pkits $certs/ValidpathLenConstraintTest14EE.crt \ + $certs/pathLenConstraint6subsubsubCA41XCert.crt \ + $certs/pathLenConstraint6subsubCA41Cert.crt \ + $certs/pathLenConstraint6subCA4Cert.crt \ + $certs/pathLenConstraint6CACert.crt + restore_db + +### bug 232737 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Valid Self-Issued pathLenConstraint Test15"; log_banner + certImport pathLenConstraint0CACert + crlImport pathLenConstraint0CACRL.crl + pkits $certs/ValidSelfIssuedpathLenConstraintTest15EE.crt \ + $certs/pathLenConstraint0SelfIssuedCACert.crt \ + $certs/pathLenConstraint0CACert.crt + restore_db +fi + + VFY_ACTION="Invalid Self-Issued pathLenConstraint Test16"; log_banner + certImport pathLenConstraint0CACert + crlImport pathLenConstraint0CACRL.crl + certImport pathLenConstraint0subCA2Cert + crlImport pathLenConstraint0subCA2CRL.crl + pkitsn $certs/InvalidSelfIssuedpathLenConstraintTest16EE.crt \ + $certs/pathLenConstraint0subCA2Cert.crt \ + $certs/pathLenConstraint0SelfIssuedCACert.crt \ + $certs/pathLenConstraint0CACert.crt + restore_db + +### bug 232737 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Valid Self-Issued pathLenConstraint Test17"; log_banner + certImport pathLenConstraint1CACert + crlImport pathLenConstraint1CACRL.crl + certImport pathLenConstraint1subCACert + crlImport pathLenConstraint1subCACRL.crl + pkits $certs/ValidSelfIssuedpathLenConstraintTest17EE.crt \ + $certs/pathLenConstraint1SelfIssuedsubCACert.crt \ + $certs/pathLenConstraint1subCACert.crt \ + $certs/pathLenConstraint1SelfIssuedCACert.crt \ + $certs/pathLenConstraint1CACert.crt + restore_db +fi +} + +pkits_KeyUsage() +{ + break_table "NIST PKITS Section 4.7: Key Usage" + + VFY_ACTION="Invalid keyUsage Critical keyCertSign False Test1"; log_banner + certImport keyUsageCriticalkeyCertSignFalseCACert + crlImport keyUsageCriticalkeyCertSignFalseCACRL.crl + pkitsn $certs/InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt \ + $certs/keyUsageCriticalkeyCertSignFalseCACert.crt + restore_db + + VFY_ACTION="Invalid keyUsage Not Critical keyCertSign False Test2"; log_banner + certImport keyUsageNotCriticalkeyCertSignFalseCACert + crlImport keyUsageNotCriticalkeyCertSignFalseCACRL.crl + pkitsn $certs/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt \ + $certs/keyUsageNotCriticalkeyCertSignFalseCACert.crt + restore_db + + VFY_ACTION="Valid keyUsage Not Critical Test3"; log_banner + certImport keyUsageNotCriticalCACert + crlImport keyUsageNotCriticalCACRL.crl + pkits $certs/ValidkeyUsageNotCriticalTest3EE.crt \ + $certs/keyUsageNotCriticalCACert.crt + restore_db + + VFY_ACTION="Invalid keyUsage Critical cRLSign False Test4"; log_banner + certImport keyUsageCriticalcRLSignFalseCACert + crlImportn keyUsageCriticalcRLSignFalseCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt \ + $certs/keyUsageCriticalcRLSignFalseCACert.crt + fi + restore_db + + VFY_ACTION="Invalid keyUsage Not Critical cRLSign False Test5"; log_banner + certImport keyUsageNotCriticalcRLSignFalseCACert + crlImportn keyUsageNotCriticalcRLSignFalseCACRL.crl + if [ $RET -eq 0 ] ; then + pkitsn $certs/InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt \ + $certs/keyUsageNotCriticalcRLSignFalseCACert.crt + fi + restore_db +} + +pkits_CertificatePolicies() +{ + break_table "NIST PKITS Section 4.8: Certificate Policies" + + VFY_ACTION="All Certificates Same Policy Test1"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/ValidCertificatePathTest1EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="All Certificates No Policies Test2"; log_banner + certImport NoPoliciesCACert + crlImport NoPoliciesCACRL.crl + pkits $certs/AllCertificatesNoPoliciesTest2EE.crt \ + $certs/NoPoliciesCACert.crt + restore_db + + VFY_ACTION="Different Policies Test3"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + certImport PoliciesP2subCACert + crlImport PoliciesP2subCACRL.crl + pkits $certs/DifferentPoliciesTest3EE.crt \ + $certs/PoliciesP2subCACert.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Different Policies Test4"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + certImport GoodsubCACert + crlImport GoodsubCACRL.crl + pkits $certs/DifferentPoliciesTest4EE.crt \ + $certs/GoodsubCACert.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Different Policies Test5"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + certImport PoliciesP2subCA2Cert + crlImport PoliciesP2subCA2CRL.crl + pkits $certs/DifferentPoliciesTest5EE.crt \ + $certs/PoliciesP2subCA2Cert.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Overlapping Policies Test6"; log_banner + certImport PoliciesP1234CACert + crlImport PoliciesP1234CACRL.crl + certImport PoliciesP1234subCAP123Cert + crlImport PoliciesP1234subCAP123CRL.crl + certImport PoliciesP1234subsubCAP123P12Cert + crlImport PoliciesP1234subsubCAP123P12CRL.crl + pkits $certs/OverlappingPoliciesTest6EE.crt \ + $certs/PoliciesP1234subsubCAP123P12Cert.crt \ + $certs/PoliciesP1234subCAP123Cert.crt \ + $certs/PoliciesP1234CACert.crt + restore_db + + VFY_ACTION="Different Policies Test7"; log_banner + certImport PoliciesP123CACert + crlImport PoliciesP123CACRL.crl + certImport PoliciesP123subCAP12Cert + crlImport PoliciesP123subCAP12CRL.crl + certImport PoliciesP123subsubCAP12P1Cert + crlImport PoliciesP123subsubCAP12P1CRL.crl + pkits $certs/DifferentPoliciesTest7EE.crt \ + $certs/PoliciesP123subsubCAP12P1Cert.crt \ + $certs/PoliciesP123subCAP12Cert.crt \ + $certs/PoliciesP123CACert.crt + restore_db + + VFY_ACTION="Different Policies Test8"; log_banner + certImport PoliciesP12CACert + crlImport PoliciesP12CACRL.crl + certImport PoliciesP12subCAP1Cert + crlImport PoliciesP12subCAP1CRL.crl + certImport PoliciesP12subsubCAP1P2Cert + crlImport PoliciesP12subsubCAP1P2CRL.crl + pkits $certs/DifferentPoliciesTest8EE.crt \ + $certs/PoliciesP123subsubCAP12P1Cert.crt \ + $certs/PoliciesP12subCAP1Cert.crt \ + $certs/PoliciesP12CACert.crt + restore_db + + VFY_ACTION="Different Policies Test9"; log_banner + certImport PoliciesP123CACert + crlImport PoliciesP123CACRL.crl + certImport PoliciesP123subCAP12Cert + crlImport PoliciesP123subCAP12CRL.crl + certImport PoliciesP123subsubCAP12P2Cert + crlImport PoliciesP123subsubCAP2P2CRL.crl + certImport PoliciesP123subsubsubCAP12P2P1Cert + crlImport PoliciesP123subsubsubCAP12P2P1CRL.crl + pkits $certs/DifferentPoliciesTest9EE.crt \ + $certs/PoliciesP123subsubsubCAP12P2P1Cert.crt \ + $certs/PoliciesP123subsubCAP12P1Cert.crt \ + $certs/PoliciesP12subCAP1Cert.crt \ + $certs/PoliciesP12CACert.crt + restore_db + + VFY_ACTION="All Certificates Same Policies Test10"; log_banner + certImport PoliciesP12CACert + crlImport PoliciesP12CACRL.crl + pkits $certs/AllCertificatesSamePoliciesTest10EE.crt \ + $certs/NoPoliciesCACert.crt + restore_db + + VFY_ACTION="All Certificates AnyPolicy Test11"; log_banner + certImport anyPolicyCACert + crlImport anyPolicyCACRL.crl + pkits $certs/AllCertificatesanyPolicyTest11EE.crt \ + $certs/anyPolicyCACert.crt + restore_db + + VFY_ACTION="Different Policies Test12"; log_banner + certImport PoliciesP3CACert + crlImport PoliciesP3CACRL.crl + pkits $certs/DifferentPoliciesTest12EE.crt \ + $certs/PoliciesP3CACert.crt + restore_db + + VFY_ACTION="All Certificates Same Policies Test13"; log_banner + certImport PoliciesP123CACert + crlImport PoliciesP123CACRL.crl + pkits $certs/AllCertificatesSamePoliciesTest13EE.crt \ + $certs/PoliciesP123CACert.crt + restore_db + + VFY_ACTION="AnyPolicy Test14"; log_banner + certImport anyPolicyCACert + crlImport anyPolicyCACRL.crl + pkits $certs/AnyPolicyTest14EE.crt \ + $certs/anyPolicyCACert.crt + restore_db + + VFY_ACTION="User Notice Qualifier Test15"; log_banner + pkits $certs/UserNoticeQualifierTest15EE.crt + + VFY_ACTION="User Notice Qualifier Test16"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/UserNoticeQualifierTest16EE.crt \ + $certs/GoodCACert.crt + + VFY_ACTION="User Notice Qualifier Test17"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/UserNoticeQualifierTest17EE.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="User Notice Qualifier Test18"; log_banner + certImport PoliciesP12CACert + crlImport PoliciesP12CACRL.crl + pkits $certs/UserNoticeQualifierTest18EE.crt \ + $certs/PoliciesP12CACert.crt + restore_db + + VFY_ACTION="User Notice Qualifier Test19"; log_banner + pkits $certs/UserNoticeQualifierTest19EE.crt + + VFY_ACTION="CPS Pointer Qualifier Test20"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + pkits $certs/CPSPointerQualifierTest20EE.crt \ + $certs/GoodCACert.crt + restore_db +} + +pkits_RequireExplicitPolicy() +{ + break_table "NIST PKITS Section 4.9: Require Explicit Policy" + + VFY_ACTION="Valid RequireExplicitPolicy Test1"; log_banner + certImportn requireExplicitPolicy10CACert + crlImportn requireExplicitPolicy10CACRL.crl + certImport requireExplicitPolicy10subCACert + crlImport requireExplicitPolicy10subCACRL.crl + certImport requireExplicitPolicy10subsubCACert + crlImport requireExplicitPolicy10subsubCACRL.crl + certImport requireExplicitPolicy10subsubsubCACert + crlImport requireExplicitPolicy10subsubsubCACRL.crl + pkits $certs/ValidrequireExplicitPolicyTest1EE.crt \ + $certs/requireExplicitPolicy10subsubsubCACert.crt \ + $certs/requireExplicitPolicy10subsubCACert.crt \ + $certs/requireExplicitPolicy10subCACert.crt \ + $certs/requireExplicitPolicy10CACert.crt + restore_db + + VFY_ACTION="Valid RequireExplicitPolicy Test2"; log_banner + certImportn requireExplicitPolicy5CACert + crlImportn requireExplicitPolicy5CACRL.crl + certImport requireExplicitPolicy5subCACert + crlImport requireExplicitPolicy5subCACRL.crl + certImport requireExplicitPolicy5subsubCACert + crlImport requireExplicitPolicy5subsubCACRL.crl + certImport requireExplicitPolicy5subsubsubCACert + crlImport requireExplicitPolicy5subsubsubCACRL.crl + pkits $certs/ValidrequireExplicitPolicyTest2EE.crt \ + $certs/requireExplicitPolicy5subsubsubCACert.crt \ + $certs/requireExplicitPolicy5subsubCACert.crt \ + $certs/requireExplicitPolicy5subCACert.crt \ + $certs/requireExplicitPolicy5CACert.crt + restore_db + + VFY_ACTION="Invalid RequireExplicitPolicy Test3"; log_banner + certImportn requireExplicitPolicy4CACert + crlImportn requireExplicitPolicy4CACRL.crl + certImport requireExplicitPolicy4subCACert + crlImport requireExplicitPolicy4subCACRL.crl + certImport requireExplicitPolicy4subsubCACert + crlImport requireExplicitPolicy4subsubCACRL.crl + certImport requireExplicitPolicy4subsubsubCACert + crlImport requireExplicitPolicy4subsubsubCACRL.crl + pkitsn $certs/InvalidrequireExplicitPolicyTest3EE.crt \ + $certs/requireExplicitPolicy4subsubsubCACert.crt \ + $certs/requireExplicitPolicy4subsubCACert.crt \ + $certs/requireExplicitPolicy4subCACert.crt \ + $certs/requireExplicitPolicy4CACert.crt + restore_db + + VFY_ACTION="Valid RequireExplicitPolicy Test4"; log_banner + certImportn requireExplicitPolicy0CACert + crlImportn requireExplicitPolicy0CACRL.crl + certImport requireExplicitPolicy0subCACert + crlImport requireExplicitPolicy0subCACRL.crl + certImport requireExplicitPolicy0subsubCACert + crlImport requireExplicitPolicy0subsubCACRL.crl + certImport requireExplicitPolicy0subsubsubCACert + crlImport requireExplicitPolicy0subsubsubCACRL.crl + pkits $certs/ValidrequireExplicitPolicyTest4EE.crt \ + $certs/requireExplicitPolicy0subsubsubCACert.crt \ + $certs/requireExplicitPolicy0subsubCACert.crt \ + $certs/requireExplicitPolicy0subCACert.crt \ + $certs/requireExplicitPolicy0CACert.crt + restore_db + + VFY_ACTION="Invalid RequireExplicitPolicy Test5"; log_banner + certImportn requireExplicitPolicy7CACert + crlImportn requireExplicitPolicy7CACRL.crl + certImportn requireExplicitPolicy7subCARE2Cert + crlImportn requireExplicitPolicy7subCARE2CRL.crl + certImportn requireExplicitPolicy7subsubCARE2RE4Cert + crlImportn requireExplicitPolicy7subsubCARE2RE4CRL.crl + certImport requireExplicitPolicy7subsubsubCARE2RE4Cert + crlImport requireExplicitPolicy7subsubsubCARE2RE4CRL.crl + pkitsn $certs/InvalidrequireExplicitPolicyTest5EE.crt \ + $certs/requireExplicitPolicy7subsubsubCARE2RE4Cert.crt \ + $certs/requireExplicitPolicy7subsubCARE2RE4Cert.crt \ + $certs/requireExplicitPolicy7subCARE2Cert.crt \ + $certs/requireExplicitPolicy7CACert.crt + restore_db + + VFY_ACTION="Valid Self-Issued RequireExplicitPolicy Test6"; log_banner + certImportn requireExplicitPolicy2CACert + crlImportn requireExplicitPolicy2CACRL.crl + pkits $certs/ValidSelfIssuedrequireExplicitPolicyTest6EE.crt \ + $certs/requireExplicitPolicy2SelfIssuedCACert.crt \ + $certs/requireExplicitPolicy2CACert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued RequireExplicitPolicy Test7"; log_banner + certImportn requireExplicitPolicy2CACert + crlImportn requireExplicitPolicy2CACRL.crl + certImport requireExplicitPolicy2subCACert + crlImport requireExplicitPolicy2subCACRL.crl + pkitsn $certs/InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt \ + $certs/requireExplicitPolicy2subCACert.crt \ + $certs/requireExplicitPolicy2SelfIssuedCACert.crt \ + $certs/requireExplicitPolicy2CACert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued RequireExplicitPolicy Test8"; log_banner + certImportn requireExplicitPolicy2CACert + crlImportn requireExplicitPolicy2CACRL.crl + certImport requireExplicitPolicy2subCACert + crlImport requireExplicitPolicy2subCACRL.crl + pkitsn $certs/InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt \ + $certs/requireExplicitPolicy2SelfIssuedsubCACert.crt \ + $certs/requireExplicitPolicy2subCACert.crt \ + $certs/requireExplicitPolicy2SelfIssuedCACert.crt \ + $certs/requireExplicitPolicy2CACert.crt + restore_db +} + +pkits_PolicyMappings() +{ + break_table "NIST PKITS Section 4.10: Policy Mappings" + + VFY_ACTION="Valid Policy Mapping Test1"; log_banner + certImportn Mapping1to2CACert + crlImportn Mapping1to2CACRL.crl + pkits $certs/ValidPolicyMappingTest1EE.crt \ + $certs/Mapping1to2CACert.crt + restore_db + + VFY_ACTION="Invalid Policy Mapping Test2"; log_banner + certImportn Mapping1to2CACert + crlImportn Mapping1to2CACRL.crl + pkitsn $certs/InvalidPolicyMappingTest2EE.crt \ + $certs/Mapping1to2CACert.crt + restore_db + + VFY_ACTION="Valid Policy Mapping Test3"; log_banner + certImportn P12Mapping1to3CACert + crlImportn P12Mapping1to3CACRL.crl + certImportn P12Mapping1to3subCACert + crlImportn P12Mapping1to3subCACRL.crl + certImportn P12Mapping1to3subsubCACert + crlImportn P12Mapping1to3subsubCACRL.crl + pkits $certs/ValidPolicyMappingTest3EE.crt \ + $certs/P12Mapping1to3subsubCACert.crt \ + $certs/P12Mapping1to3subCACert.crt \ + $certs/P12Mapping1to3CA.crt + restore_db + + VFY_ACTION="Invalid Policy Mapping Test4"; log_banner + certImportn P12Mapping1to3CACert + crlImportn P12Mapping1to3CACRL.crl + certImportn P12Mapping1to3subCACert + crlImportn P12Mapping1to3subCACRL.crl + certImportn P12Mapping1to3subsubCACert + crlImportn P12Mapping1to3subsubCACRL.crl + pkitsn $certs/InvalidPolicyMappingTest4EE.crt \ + $certs/P12Mapping1to3subsubCACert.crt \ + $certs/P12Mapping1to3subCACert.crt \ + $certs/P12Mapping1to3CA.crt + restore_db + + VFY_ACTION="Valid Policy Mapping Test5"; log_banner + certImportn P1Mapping1to234CACert + crlImportn P1Mapping1to234CACRL.crl + certImportn P1Mapping1to234subCACert + crlImportn P1Mapping1to234subCACRL.crl + pkits $certs/ValidPolicyMappingTest5EE.crt \ + $certs/P1Mapping1to234subCACert.crt \ + $certs/P1Mapping1to234CA.crt + restore_db + + VFY_ACTION="Valid Policy Mapping Test6"; log_banner + certImportn P1Mapping1to234CACert + crlImportn P1Mapping1to234CACRL.crl + certImportn P1Mapping1to234subCACert + crlImportn P1Mapping1to234subCACRL.crl + pkits $certs/ValidPolicyMappingTest6EE.crt \ + $certs/P1Mapping1to234subCACert.crt \ + $certs/P1Mapping1to234CA.crt + restore_db + + VFY_ACTION="Invalid Mapping from anyPolicy Test7"; log_banner + certImportn MappingFromanyPolicyCACert + crlImportn MappingFromanyPolicyCACRL.crl + pkitsn $certs/InvalidMappingFromanyPolicyTest7EE.crt \ + $certs/MappingFromanyPolicyCACert.crt + restore_db + + VFY_ACTION="Invalid Mapping to anyPolicy Test8"; log_banner + certImportn MappingToanyPolicyCACert + crlImportn MappingToanyPolicyCACRL.crl + pkitsn $certs/InvalidMappingToanyPolicyTest8EE.crt \ + $certs/MappingToanyPolicyCACert.crt + restore_db + + VFY_ACTION="Valid Policy Mapping Test9"; log_banner + certImport PanyPolicyMapping1to2CACert + crlImport PanyPolicyMapping1to2CACRL.crl + pkits $certs/ValidPolicyMappingTest9EE.crt \ + $certs/PanyPolicyMapping1to2CACert.crt + restore_db + + VFY_ACTION="Invalid Policy Mapping Test10"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + certImportn GoodsubCAPanyPolicyMapping1to2CACert + crlImportn GoodsubCAPanyPolicyMapping1to2CACRL.crl + pkitsn $certs/InvalidPolicyMappingTest10EE.crt \ + $certs/GoodsubCAPanyPolicyMapping1to2CACert.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid Policy Mapping Test11"; log_banner + certImport GoodCACert + crlImport GoodCACRL.crl + certImportn GoodsubCAPanyPolicyMapping1to2CACert + crlImportn GoodsubCAPanyPolicyMapping1to2CACRL.crl + pkits $certs/ValidPolicyMappingTest11EE.crt \ + $certs/GoodsubCAPanyPolicyMapping1to2CACert.crt \ + $certs/GoodCACert.crt + restore_db + + VFY_ACTION="Valid Policy Mapping Test12"; log_banner + certImportn P12Mapping1to3CACert + crlImportn P12Mapping1to3CACRL.crl + pkits $certs/ValidPolicyMappingTest12EE.crt \ + $certs/P12Mapping1to3CACert.crt + restore_db + + VFY_ACTION="Valid Policy Mapping Test13"; log_banner + certImportn P1anyPolicyMapping1to2CACert + crlImportn P1anyPolicyMapping1to2CACRL.crl + pkits $certs/ValidPolicyMappingTest13EE.crt \ + $certs/P1anyPolicyMapping1to2CACert.crt + restore_db + + VFY_ACTION="Valid Policy Mapping Test14"; log_banner + certImportn P1anyPolicyMapping1to2CACert + crlImportn P1anyPolicyMapping1to2CACRL.crl + pkits $certs/ValidPolicyMappingTest14EE.crt \ + $certs/P1anyPolicyMapping1to2CACert.crt + restore_db +} + + +pkits_InhibitPolicyMapping() +{ + break_table "NIST PKITS Section 4.11: Inhibit Policy Mapping" + + VFY_ACTION="Invalid inhibitPolicyMapping Test1"; log_banner + certImportn inhibitPolicyMapping0CACert + crlImportn inhibitPolicyMapping0CACRL.crl + certImportn inhibitPolicyMapping0subCACert + crlImportn inhibitPolicyMapping0subCACRL.crl + pkitsn $certs/InvalidinhibitPolicyMappingTest1EE.crt \ + $certs/inhibitPolicyMapping0CACert.crt \ + $certs/inhibitPolicyMapping0subCACert.crt + restore_db + + VFY_ACTION="Valid inhibitPolicyMapping Test2"; log_banner + certImportn inhibitPolicyMapping1P12CACert + crlImportn inhibitPolicyMapping1P12CACRL.crl + certImportn inhibitPolicyMapping1P12subCACert + crlImportn inhibitPolicyMapping1P12subCACRL.crl + pkits $certs/ValidinhibitPolicyMappingTest2EE.crt \ + $certs/inhibitPolicyMapping1P12CACert.crt \ + $certs/inhibitPolicyMapping1P12subCACert.crt + restore_db + + VFY_ACTION="Invalid inhibitPolicyMapping Test3"; log_banner + certImportn inhibitPolicyMapping1P12CACert + crlImportn inhibitPolicyMapping1P12CACRL.crl + certImportn inhibitPolicyMapping1P12subCACert + crlImportn inhibitPolicyMapping1P12subCACRL.crl + certImportn inhibitPolicyMapping1P12subsubCACert + crlImportn inhibitPolicyMapping1P12subsubCACRL.crl + pkitsn $certs/InvalidinhibitPolicyMappingTest3EE.crt \ + $certs/inhibitPolicyMapping1P12subsubCACert.crt \ + $certs/inhibitPolicyMapping1P12subCACert.crt \ + $certs/inhibitPolicyMapping1P12CACert.crt + restore_db + + VFY_ACTION="Valid inhibitPolicyMapping Test4"; log_banner + certImportn inhibitPolicyMapping1P12CACert + crlImportn inhibitPolicyMapping1P12CACRL.crl + certImportn inhibitPolicyMapping1P12subCACert + crlImportn inhibitPolicyMapping1P12subCACRL.crl + certImportn inhibitPolicyMapping1P12subsubCACert + crlImportn inhibitPolicyMapping1P12subsubCACRL.crl + pkits $certs/ValidinhibitPolicyMappingTest4EE.crt \ + $certs/inhibitPolicyMapping1P12CACert.crt \ + $certs/inhibitPolicyMapping1P12subCACert.crt + restore_db + + VFY_ACTION="Invalid inhibitPolicyMapping Test5"; log_banner + certImportn inhibitPolicyMapping5CACert + crlImportn inhibitPolicyMapping5CACRL.crl + certImportn inhibitPolicyMapping5subCACert + crlImportn inhibitPolicyMapping5subCACRL.crl + certImport inhibitPolicyMapping5subsubCACert + crlImport inhibitPolicyMapping5subsubCACRL.crl + pkitsn $certs/InvalidinhibitPolicyMappingTest5EE.crt \ + $certs/inhibitPolicyMapping5subsubCACert.crt \ + $certs/inhibitPolicyMapping5subCACert.crt \ + $certs/inhibitPolicyMapping5CACert.crt + restore_db + + VFY_ACTION="Invalid inhibitPolicyMapping Test6"; log_banner + certImportn inhibitPolicyMapping1P12CACert + crlImportn inhibitPolicyMapping1P12CACRL.crl + certImportn inhibitPolicyMapping1P12subCAIPM5Cert + crlImportn inhibitPolicyMapping1P12subCAIPM5CRL.crl + certImport inhibitPolicyMapping1P12subsubCAIPM5Cert + crlImportn inhibitPolicyMapping1P12subsubCAIPM5CRL.crl + pkitsn $certs/InvalidinhibitPolicyMappingTest6EE.crt \ + $certs/inhibitPolicyMapping1P12subsubCAIPM5Cert.crt \ + $certs/inhibitPolicyMapping1P12subCAIPM5Cert.crt \ + $certs/inhibitPolicyMapping1P12CACert.crt + restore_db + + VFY_ACTION="Valid Self-Issued inhibitPolicyMapping Test7"; log_banner + certImportn inhibitPolicyMapping1P1CACert + crlImportn inhibitPolicyMapping1P1CACRL.crl + certImportn inhibitPolicyMapping1P1subCACert + crlImportn inhibitPolicyMapping1P1subCACRL.crl + pkits $certs/ValidSelfIssuedinhibitPolicyMappingTest7EE.crt \ + $certs/inhibitPolicyMapping1P1subCACert.crt \ + $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \ + $certs/inhibitPolicyMapping1P1CACert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test8"; log_banner + certImportn inhibitPolicyMapping1P1CACert + crlImportn inhibitPolicyMapping1P1CACRL.crl + certImportn inhibitPolicyMapping1P1subCACert + crlImportn inhibitPolicyMapping1P1subCACRL.crl + certImport inhibitPolicyMapping1P1subsubCACert + crlImportn inhibitPolicyMapping1P1subsubCACRL.crl + pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt \ + $certs/inhibitPolicyMapping1P1subsubCACert.crt \ + $certs/inhibitPolicyMapping1P1subCACert.crt \ + $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \ + $certs/inhibitPolicyMapping1P1CACert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test9"; log_banner + certImportn inhibitPolicyMapping1P1CACert + crlImportn inhibitPolicyMapping1P1CACRL.crl + certImportn inhibitPolicyMapping1P1subCACert + crlImportn inhibitPolicyMapping1P1subCACRL.crl + certImportn inhibitPolicyMapping1P1subsubCACert + crlImportn inhibitPolicyMapping1P1subsubCACRL.crl + pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt \ + $certs/inhibitPolicyMapping1P1subsubCACert.crt \ + $certs/inhibitPolicyMapping1P1subCACert.crt \ + $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \ + $certs/inhibitPolicyMapping1P1CACert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test10"; log_banner + certImportn inhibitPolicyMapping1P1CACert + crlImportn inhibitPolicyMapping1P1CACRL.crl + certImportn inhibitPolicyMapping1P1subCACert + crlImportn inhibitPolicyMapping1P1subCACRL.crl + pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt \ + $certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt \ + $certs/inhibitPolicyMapping1P1subCACert.crt \ + $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \ + $certs/inhibitPolicyMapping1P1CACert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test11"; log_banner + certImportn inhibitPolicyMapping1P1CACert + crlImportn inhibitPolicyMapping1P1CACRL.crl + certImportn inhibitPolicyMapping1P1subCACert + crlImportn inhibitPolicyMapping1P1subCACRL.crl + pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt \ + $certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt \ + $certs/inhibitPolicyMapping1P1subCACert.crt \ + $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \ + $certs/inhibitPolicyMapping1P1CACert.crt + restore_db +} + + +pkits_InhibitAnyPolicy() +{ + break_table "NIST PKITS Section 4.12: Inhibit Any Policy" + + VFY_ACTION="Invalid inhibitAnyPolicy Test1"; log_banner + certImportn inhibitAnyPolicy0CACert + crlImportn inhibitAnyPolicy0CACRL.crl + pkitsn $certs/InvalidinhibitAnyPolicyTest1EE.crt \ + $certs/inhibitAnyPolicy0CACert.crt + restore_db + + VFY_ACTION="Valid inhibitAnyPolicy Test2"; log_banner + certImportn inhibitAnyPolicy0CACert + crlImportn inhibitAnyPolicy0CACRL.crl + pkits $certs/ValidinhibitAnyPolicyTest2EE.crt \ + $certs/inhibitAnyPolicy0CACert.crt + restore_db + + VFY_ACTION="inhibitAnyPolicy Test3"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA1Cert + crlImport inhibitAnyPolicy1subCA1CRL.crl + pkits $certs/inhibitAnyPolicyTest3EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1subCA1Cert.crt + restore_db + + VFY_ACTION="Invalid inhibitAnyPolicy Test4"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA1Cert + crlImport inhibitAnyPolicy1subCA1CRL.crl + pkitsn $certs/InvalidinhibitAnyPolicyTest4EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1subCA1Cert.crt + restore_db + + VFY_ACTION="Invalid inhibitAnyPolicy Test5"; log_banner + certImportn inhibitAnyPolicy5CACert + crlImportn inhibitAnyPolicy5CACRL.crl + certImportn inhibitAnyPolicy5subCACert + crlImportn inhibitAnyPolicy5subCACRL.crl + certImport inhibitAnyPolicy5subsubCACert + crlImport inhibitAnyPolicy5subsubCACRL.crl + pkitsn $certs/InvalidinhibitAnyPolicyTest5EE.crt \ + $certs/inhibitAnyPolicy5CACert.crt \ + $certs/inhibitAnyPolicy5subCACert.crt \ + $certs/inhibitAnyPolicy5subsubCACert.crt + restore_db + + VFY_ACTION="Invalid inhibitAnyPolicy Test6"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImportn inhibitAnyPolicy1subCAIAP5Cert + crlImportn inhibitAnyPolicy1subCAIAP5CRL.crl + pkitsn $certs/InvalidinhibitAnyPolicyTest5EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy5subCACert.crt \ + $certs/inhibitAnyPolicy5subsubCACert.crt + restore_db + + VFY_ACTION="Valid Self-Issued inhibitAnyPolicy Test7"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA2Cert + crlImport inhibitAnyPolicy1subCA2CRL.crl + pkits $certs/ValidSelfIssuedinhibitAnyPolicyTest7EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \ + $certs/inhibitAnyPolicy1subCA2Cert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued inhibitAnyPolicy Test8"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA2Cert + crlImport inhibitAnyPolicy1subCA2CRL.crl + certImport inhibitAnyPolicy1subsubCA2Cert + crlImport inhibitAnyPolicy1subsubCA2CRL.crl + pkitsn $certs/InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \ + $certs/inhibitAnyPolicy1subCA2Cert.crt \ + $certs/inhibitAnyPolicy1subsubCA2Cert.crt + restore_db + + VFY_ACTION="Valid Self-Issued inhibitAnyPolicy Test9"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA2Cert + crlImport inhibitAnyPolicy1subCA2CRL.crl + pkits $certs/ValidSelfIssuedinhibitAnyPolicyTest9EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \ + $certs/inhibitAnyPolicy1subCA2Cert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt + restore_db + + VFY_ACTION="Invalid Self-Issued inhibitAnyPolicy Test10"; log_banner + certImportn inhibitAnyPolicy1CACert + crlImportn inhibitAnyPolicy1CACRL.crl + certImport inhibitAnyPolicy1subCA2Cert + crlImport inhibitAnyPolicy1subCA2CRL.crl + pkitsn $certs/InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt \ + $certs/inhibitAnyPolicy1CACert.crt \ + $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \ + $certs/inhibitAnyPolicy1subCA2Cert.crt + restore_db +} + + +pkits_NameConstraints() +{ + break_table "NIST PKITS Section 4.13: Name Constraints" + + VFY_ACTION="Valid DN nameConstraints Test1"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkits $certs/ValidDNnameConstraintsTest1EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test2"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest2EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test3"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest3EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test4"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkits $certs/ValidDNnameConstraintsTest4EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test5"; log_banner + certImport nameConstraintsDN2CACert + crlImport nameConstraintsDN2CACRL.crl + pkits $certs/ValidDNnameConstraintsTest5EE.crt \ + $certs/nameConstraintsDN2CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test6"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + pkits $certs/ValidDNnameConstraintsTest6EE.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test7"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest7EE.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test8"; log_banner + certImport nameConstraintsDN4CACert + crlImport nameConstraintsDN4CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest8EE.crt \ + $certs/nameConstraintsDN4CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test9"; log_banner + certImport nameConstraintsDN4CACert + crlImport nameConstraintsDN4CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest9EE.crt \ + $certs/nameConstraintsDN4CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test10"; log_banner + certImport nameConstraintsDN5CACert + crlImport nameConstraintsDN5CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest10EE.crt \ + $certs/nameConstraintsDN5CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test11"; log_banner + certImport nameConstraintsDN5CACert + crlImport nameConstraintsDN5CACRL.crl + pkits $certs/ValidDNnameConstraintsTest11EE.crt \ + $certs/nameConstraintsDN5CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test12"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA1Cert + crlImport nameConstraintsDN1subCA1CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest12EE.crt \ + $certs/nameConstraintsDN1subCA1Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test13"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA2Cert + crlImport nameConstraintsDN1subCA2CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest13EE.crt \ + $certs/nameConstraintsDN1subCA2Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test14"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA2Cert + crlImport nameConstraintsDN1subCA2CRL.crl + pkits $certs/ValidDNnameConstraintsTest14EE.crt \ + $certs/nameConstraintsDN1subCA2Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test15"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + certImport nameConstraintsDN3subCA1Cert + crlImport nameConstraintsDN3subCA1CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest15EE.crt \ + $certs/nameConstraintsDN3subCA1Cert.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test16"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + certImport nameConstraintsDN3subCA1Cert + crlImport nameConstraintsDN3subCA1CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest16EE.crt \ + $certs/nameConstraintsDN3subCA1Cert.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Invalid DN nameConstraints Test17"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + certImport nameConstraintsDN3subCA2Cert + crlImport nameConstraintsDN3subCA2CRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest17EE.crt \ + $certs/nameConstraintsDN3subCA2Cert.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + + VFY_ACTION="Valid DN nameConstraints Test18"; log_banner + certImport nameConstraintsDN3CACert + crlImport nameConstraintsDN3CACRL.crl + certImport nameConstraintsDN3subCA2Cert + crlImport nameConstraintsDN3subCA2CRL.crl + pkits $certs/ValidDNnameConstraintsTest18EE.crt \ + $certs/nameConstraintsDN3subCA2Cert.crt \ + $certs/nameConstraintsDN3CACert.crt + restore_db + +### bug 232737 ### +if [ -n "${KNOWN_BUG}" ]; then + VFY_ACTION="Valid Self-Issued DN nameConstraints Test19"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkits $certs/ValidDNnameConstraintsTest19EE.crt \ + $certs/nameConstraintsDN1SelfIssuedCACert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db +fi + + VFY_ACTION="Invalid Self-Issued DN nameConstraints Test20"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + pkitsn $certs/InvalidDNnameConstraintsTest20EE.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid RFC822 nameConstraints Test21"; log_banner + certImport nameConstraintsRFC822CA1Cert + crlImport nameConstraintsRFC822CA1CRL.crl + pkits $certs/ValidRFC822nameConstraintsTest21EE.crt \ + $certs/nameConstraintsRFC822CA1Cert.crt + restore_db + + VFY_ACTION="Invalid RFC822 nameConstraints Test22"; log_banner + certImport nameConstraintsRFC822CA1Cert + crlImport nameConstraintsRFC822CA1CRL.crl + pkitsn $certs/InvalidRFC822nameConstraintsTest22EE.crt \ + $certs/nameConstraintsRFC822CA1Cert.crt + restore_db + + VFY_ACTION="Valid RFC822 nameConstraints Test23"; log_banner + certImport nameConstraintsRFC822CA2Cert + crlImport nameConstraintsRFC822CA2CRL.crl + pkits $certs/ValidRFC822nameConstraintsTest23EE.crt \ + $certs/nameConstraintsRFC822CA2Cert.crt + restore_db + + VFY_ACTION="Invalid RFC822 nameConstraints Test24"; log_banner + certImport nameConstraintsRFC822CA2Cert + crlImport nameConstraintsRFC822CA2CRL.crl + pkitsn $certs/InvalidRFC822nameConstraintsTest24EE.crt \ + $certs/nameConstraintsRFC822CA2Cert.crt + restore_db + + VFY_ACTION="Valid RFC822 nameConstraints Test25"; log_banner + certImport nameConstraintsRFC822CA3Cert + crlImport nameConstraintsRFC822CA3CRL.crl + pkits $certs/ValidRFC822nameConstraintsTest25EE.crt \ + $certs/nameConstraintsRFC822CA3Cert.crt + restore_db + + VFY_ACTION="Invalid RFC822 nameConstraints Test26"; log_banner + certImport nameConstraintsRFC822CA3Cert + crlImport nameConstraintsRFC822CA3CRL.crl + pkitsn $certs/InvalidRFC822nameConstraintsTest26EE.crt \ + $certs/nameConstraintsRFC822CA3Cert.crt + restore_db + + VFY_ACTION="Valid DN and RFC822 nameConstraints Test27"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA3Cert + crlImport nameConstraintsDN1subCA3CRL.crl + pkits $certs/ValidDNandRFC822nameConstraintsTest27EE.crt \ + $certs/nameConstraintsDN1subCA3Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN and RFC822 nameConstraints Test28"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA3Cert + crlImport nameConstraintsDN1subCA3CRL.crl + pkitsn $certs/InvalidDNandRFC822nameConstraintsTest28EE.crt \ + $certs/nameConstraintsDN1subCA3Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Invalid DN and RFC822 nameConstraints Test29"; log_banner + certImport nameConstraintsDN1CACert + crlImport nameConstraintsDN1CACRL.crl + certImport nameConstraintsDN1subCA3Cert + crlImport nameConstraintsDN1subCA3CRL.crl + pkitsn $certs/InvalidDNandRFC822nameConstraintsTest29EE.crt \ + $certs/nameConstraintsDN1subCA3Cert.crt \ + $certs/nameConstraintsDN1CACert.crt + restore_db + + VFY_ACTION="Valid DNS nameConstraints Test30"; log_banner + certImport nameConstraintsDNS1CACert + crlImport nameConstraintsDNS1CACRL.crl + pkits $certs/ValidDNSnameConstraintsTest30EE.crt \ + $certs/nameConstraintsDNS1CACert.crt + restore_db + + VFY_ACTION="Invalid DNS nameConstraints Test31"; log_banner + certImport nameConstraintsDNS1CACert + crlImport nameConstraintsDNS1CACRL.crl + pkitsn $certs/InvalidDNSnameConstraintsTest31EE.crt \ + $certs/nameConstraintsDNS1CACert.crt + restore_db + + VFY_ACTION="Valid DNS nameConstraints Test32"; log_banner + certImport nameConstraintsDNS2CACert + crlImport nameConstraintsDNS2CACRL.crl + pkits $certs/ValidDNSnameConstraintsTest32EE.crt \ + $certs/nameConstraintsDNS2CACert.crt + restore_db + + VFY_ACTION="Invalid DNS nameConstraints Test33"; log_banner + certImport nameConstraintsDNS2CACert + crlImport nameConstraintsDNS2CACRL.crl + pkitsn $certs/InvalidDNSnameConstraintsTest33EE.crt \ + $certs/nameConstraintsDNS2CACert.crt + restore_db + + VFY_ACTION="Valid URI nameConstraints Test34"; log_banner + certImport nameConstraintsURI1CACert + crlImport nameConstraintsURI1CACRL.crl + pkits $certs/ValidURInameConstraintsTest34EE.crt \ + $certs/nameConstraintsURI1CACert.crt + restore_db + + VFY_ACTION="Invalid URI nameConstraints Test35"; log_banner + certImport nameConstraintsURI1CACert + crlImport nameConstraintsURI1CACRL.crl + pkitsn $certs/InvalidURInameConstraintsTest35EE.crt \ + $certs/nameConstraintsURI1CACert.crt + restore_db + + VFY_ACTION="Valid URI nameConstraints Test36"; log_banner + certImport nameConstraintsURI2CACert + crlImport nameConstraintsURI2CACRL.crl + pkits $certs/ValidURInameConstraintsTest36EE.crt \ + $certs/nameConstraintsURI2CACert.crt + restore_db + + VFY_ACTION="Invalid URI nameConstraints Test37"; log_banner + certImport nameConstraintsURI2CACert + crlImport nameConstraintsURI2CACRL.crl + pkitsn $certs/InvalidURInameConstraintsTest37EE.crt \ + $certs/nameConstraintsURI2CACert.crt + restore_db + + VFY_ACTION="Invalid DNS nameConstraints Test38"; log_banner + certImport nameConstraintsDNS1CACert + crlImport nameConstraintsDNS1CACRL.crl + pkitsn $certs/InvalidDNSnameConstraintsTest38EE.crt \ + $certs/nameConstraintsDNS1CACert.crt + restore_db +} + +pkits_PvtCertExtensions() +{ + break_table "NIST PKITS Section 4.16: Private Certificate Extensions" + + VFY_ACTION="Valid Unknown Not Critical Certificate Extension Test1"; log_banner + pkits $certs/ValidUnknownNotCriticalCertificateExtensionTest1EE.crt + + VFY_ACTION="Invalid Unknown Critical Certificate Extension Test2"; log_banner + pkitsn $certs/InvalidUnknownCriticalCertificateExtensionTest2EE.crt +} + +############################## pkits_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +pkits_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + + +################################## main ################################ +pkits_init +pkits_SignatureVerification | tee -a $PKITS_LOG +pkits_ValidityPeriods | tee -a $PKITS_LOG +pkits_NameChaining | tee -a $PKITS_LOG +pkits_BasicCertRevocation | tee -a $PKITS_LOG +pkits_PathVerificWithSelfIssuedCerts | tee -a $PKITS_LOG +pkits_BasicConstraints | tee -a $PKITS_LOG +pkits_KeyUsage | tee -a $PKITS_LOG +if [ -n "$NSS_PKITS_POLICIES" ]; then + pkits_CertificatePolicies | tee -a $PKITS_LOG + pkits_RequireExplicitPolicy | tee -a $PKITS_LOG + pkits_PolicyMappings | tee -a $PKITS_LOG + pkits_InhibitPolicyMapping | tee -a $PKITS_LOG + pkits_InhibitAnyPolicy | tee -a $PKITS_LOG +fi +pkits_NameConstraints | tee -a $PKITS_LOG +pkits_PvtCertExtensions | tee -a $PKITS_LOG +pkits_cleanup + diff --git a/security/nss/tests/platformlist b/security/nss/tests/platformlist new file mode 100644 index 000000000..19bf821e9 --- /dev/null +++ b/security/nss/tests/platformlist @@ -0,0 +1,11 @@ +Darwin6.5 +HP-UX_B.11.00_32_bit +HP-UX_B.11.00_64 +RH_Linux_7.2_(Enigma) +RH_Linux_7.3_(Valhalla) +RH_Linux_Advanced_Server_2.1AS_(Pensacola) +SunOS_5.8_32_bit +SunOS_5.8_64_bit +Windows-2000 +Windows-XP + diff --git a/security/nss/tests/platformlist.tbx b/security/nss/tests/platformlist.tbx new file mode 100644 index 000000000..435284cff --- /dev/null +++ b/security/nss/tests/platformlist.tbx @@ -0,0 +1,14 @@ +AIX_3_32_bit AIX4.3_DBG.OBJ AIX4.3_OPT.OBJ +AIX_3_64_bit AIX4.3_DBG.OBJ AIX4.3_OPT.OBJ AIX4.3_64_DBG.OBJ AIX4.3_64_OPT.OBJ +HP-UX_B.11.00_32_bit HP-UXB.11.00_DBG.OBJ HP-UXB.11.00_OPT.OBJ +HP-UX_B.11.00_64_bit HP-UXB.11.00_DBG.OBJ HP-UXB.11.00_OPT.OBJ +OSF1_V4.0 OSF1V4.0D_DBG.OBJ OSF1V4.0D_OPT.OBJ +OSF1_V5.0 OSF1V5.0_DBG.OBJ OSF1V5.0_OPT.OBJ +RH_Linux_6.2_(Zoot) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ +RH_Linux_6.1_(Cartman) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ +RH_Linux_6.0_(Hedwig) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ +SunOS_5.6 SunOS5.6_DBG.OBJ SunOS5.6_OPT.OBJ +SunOS_5.8_32_bit +SunOS_5.8_64_bit +Windows-2000 WINNT5.0_DBG.OBJ WINNT5.0_OPT.OBJ WIN954.0_DBG.OBJ WIN954.0_OPT.OBJ +Windows-NT-4.0 WIN954.0_DBG.OBJ WIN954.0_OPT.OBJ WINNT4.0_DBG.OBJ WINNT4.0_OPT.OBJ diff --git a/security/nss/tests/qa_stage b/security/nss/tests/qa_stage new file mode 100755 index 000000000..f0960c845 --- /dev/null +++ b/security/nss/tests/qa_stage @@ -0,0 +1,336 @@ +#! /bin/sh +######################################################################## +# +# /u/sonmi/bin/qa_stage - /u/svbld/bin/init/nss/qa_stage +# +# this script is supposed to convert the tinderbox and daily QA files +# for use on mozilla.org +# +# parameters +# ---------- +# nssversion (supported: 30b, 31, tip) +# builddate (default - today) +# +######################################################################## + +if [ -z "$BUILDNUMBER" ] +then + BUILDNUMBER=1 +fi +if [ `uname` = "Linux" ] ; then + PATH=".:/u/sonmi/bin:/u/sonmi/bin/linux:/usr/bsd:/usr/ucb/:/bin:/usr/bin:/usr/ccs/bin:/usr/sbin:/usr/bin/X11:/usr/etc:/etc:/usr/demos:/usr/demos/bin:/usr/local/bin:/usr/local/X11/bin:/tools/ns/bin" + export PATH +fi + +Echo() +{ + if [ "$O_SILENT" = "OFF" ] ; then + echo $* + fi +} + +################################### qa_stage_init ########################## +# +######################################################################## +qa_stage_init() +{ + umask 000 + + eval_opts $* + + if [ -z "${QAYEAR}" ] ; then + QAYEAR=`date +%Y` + elif [ "$QAYEAR" = "" ] ; then + QAYEAR=`date +%Y` + fi + + Echo "Init..." + DAYBUILD=${QAYEAR}${BUILDDATE}.${BUILDNUMBER} + NSS_D0=/share/builds/mccrel3/nss + NSS_VER_DIR=${NSS_D0}/nss${NSSVER} + NTDIST=${NSS_VER_DIR}/builds/${DAYBUILD}/blowfish_NT4.0_Win95/mozilla/dist + UXDIST=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/dist + TESTSCRIPTDIR=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/security/nss/tests + RESULTDIR=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/tests_results/security + TBX_RESULTDIR=${NSS_D0}/nsstip/tinderbox/tests_results/security + + MOZ_D0=/pub/security/nss + MOZ_RESULTDIR=${MOZ_D0}/daily_qa/${DAYBUILD} + MOZ_TBX_RESULTDIR=${MOZ_D0}/tinderbox + + export BUILDDATE NSSVER QAYEAR NTDIST UXDIST TESTSCRIPTDIR RESULTDIR + + + IPLANET_TBX_URL="http://cindercone.red.iplanet.com${TBX_RESULTDIR}" + IPLANET_DQA_URL="http://cindercone.red.iplanet.com${RESULTDIR}" + + MOZ_TBX_URL="ftp://ftp.mozilla.org${MOZ_TBX_RESULTDIR}" + MOZ_DQA_URL="ftp://ftp.mozilla.org${MOZ_RESULTDIR}" + + export IPLANET_TBX_URL IPLANET_DQA_URL MOZ_TBX_URL MOZ_DQA_URL + STAGE_1=/u/sonmi/tmp/ftp_stage + + if [ ! -d $STAGE_1 ] ; then + Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit" + exit 1 + fi + cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit) + rm all.tar* 2>/dev/null + TBX_STAGE=$STAGE_1/tinderbox + DQA_STAGE=$STAGE_1/daily_qa/${DAYBUILD} + Echo "Staging area tbx: $TBX_STAGE" + Echo "Staging area daily QA (DQA): $DQA_STAGE" + Echo "Resultdir (sourcedir) for daily QA (RESULTDIR): $RESULTDIR" +} + +################################### qa_stage_dqa ########################## +# +######################################################################## +qa_stage_dqa() +{ + Echo "DQA:..." + Echo "Resultdir (sourcedir) for daily QA (RESULTDIR): $RESULTDIR" +#set -x + if [ ! -d $RESULTDIR ] ; then + Echo "Resultdir $RESULTDIR does not exist, can't push daily QA" + return + fi + cd $RESULTDIR || return + #for w in `find . -name "result*html"` + for w in `find . -name "result.html"` + do + if [ ! -d $DQA_STAGE/`dirname $w` ] ; then + mkdir -p $DQA_STAGE/`dirname $w` + fi + rm $DQA_STAGE/$w 2>/dev/null + cat $w | reformat_qa >$DQA_STAGE/$w + done + for w in `find . -name "output.log" -o -name "results.html"` + do +#echo $w + if [ ! -d $DQA_STAGE/`dirname $w` ] ; then + mkdir -p $DQA_STAGE/`dirname $w` + fi + cp $w $DQA_STAGE/$w + done +} + + +################################### qa_stage_tbx ########################## +# +######################################################################## +qa_stage_tbx() +{ + Echo "tbx: " + if [ ! -d $TBX_RESULTDIR ] ; then + Echo "TBX_RESULTDIR $TBX_RESULTDIR does not exist" + return + fi + cd $TBX_RESULTDIR || return + Echo "find from $TBX_FIND_FROM" + for w in `find $TBX_FIND_FROM -name "result.html"` + do + if [ ! -d "$TBX_STAGE/`dirname $w`" ] ; then + mkdir -p $TBX_STAGE/`dirname $w` + fi + rm $TBX_STAGE/$w 2>/dev/null + cat $w | reformat_qa >$TBX_STAGE/$w + done + for w in `find $TBX_FIND_FROM -name "output.log" -o -name "results.html"` + do + if [ ! -d $TBX_STAGE/`dirname $w` ] ; then + mkdir -p $TBX_STAGE/`dirname $w` + fi + cp $w $TBX_STAGE/$w + done +} + +match_tbxdirs() +{ + YY=`date +%Y` + DD=`date +%d` + MM=`date +%m` + HH=`date +%H` + + TBX_FIND_FROM="*-$YY$MM$DD-$HH.*" + i=$1 + while [ $i -gt 0 ] ; do + i=`expr $i - 1` + HH=`expr $HH - 1` + if [ $HH -lt 0 ] ; then + HH=23 + DD=`expr $DD - 1` + if [ $DD -eq 0 ] ; then + MM=`expr $MM - 1` + case $MM in + 0) + YY=`expr $YY - 1` + MM=12 + DD=31 + ;; + [13578]|10|12) + DD=31 + ;; + 2) + DD=28 + ;; + [469]|11) + DD=30 + ;; + esac + fi + fi + case $MM in + [123456789]) + MM=0$MM + ;; + esac + case $DD in + [123456789]) + DD=0$DD + ;; + esac + case $HH in + [0123456789]) + HH=0$HH + ;; + esac + TBX_FIND_FROM="$TBX_FIND_FROM *-$YY$MM$DD-$HH.*" + done +} + +################################### eval_opts ########################## +# global shell function, evapuates options and parameters, sets flags +# variables and defaults +######################################################################## +eval_opts() +{ + DO_TBX=OFF + DO_DQA=OFF + DO_CLEAN=OFF + O_SILENT=OFF + O_INCREMENTAL=OFF + O_MAIL=OFF + BUILDDATE=`date +%m%d` + NSSVER=tip + + TBX_FIND_FROM="." + + while [ -n "$1" ] + do + case $1 in + -d) + DO_DQA=ON + ;; + -m) + O_MAIL=ON + shift + MAILINGLIST=$1 + if [ -z "$MAILINGLIST" ] + then + echo "Error: -m requires a mailinglist to follow, for example sonmi@iplanet.com" + exit + fi + ;; + -ti) + DO_TBX=ON + match_tbxdirs 2 + O_INCREMENTAL=ON + ;; + -t) + DO_TBX=ON + ;; + -c) + DO_CLEAN=ON + ;; + -s) + O_SILENT=ON + ;; + + tip|3[0-9]*) + NSSVER=$1 + ;; + [01][0-9][0-3][0-9]) + BUILDDATE=$1 + ;; + esac + shift + done +} + +qa_stage_init $* + +if [ "$DO_CLEAN" = "ON" ] ; then + Echo "Cleaning old stuff" + if [ ! -d $STAGE_1 ] ; then + Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit" + exit 1 + fi + cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit) + if [ -n "$TBX_STAGE" -a -d "$TBX_STAGE" ] ; then + rm -rf $TBX_STAGE/* + else + Echo "nothing here to clean..." + fi +fi +if [ "$DO_DQA" = "ON" ] ; then + qa_stage_dqa + if [ "$O_MAIL" = "ON" -a -f "$DQA_STAGE/result.html" ] ; then + cat $DQA_STAGE/result.html | /usr/sbin/sendmail $MAILINGLIST + fi +fi +if [ "$DO_TBX" = "ON" ] ; then + qa_stage_tbx +fi +if [ ! -d $STAGE_1 ] ; then + Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit" + exit 1 +fi +cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit) +Echo "tar..." +if [ "$O_SILENT" = "ON" ] ; then + TARPARAM=cf +else + TARPARAM=cvf +fi + + +if [ "$DO_DQA" = "ON" -a "$DO_TBX" = "ON" ] ; then + Echo "tar $TARPARAM all.tar daily_qa tinderbox" + tar $TARPARAM all.tar daily_qa tinderbox +elif [ "$DO_DQA" = "ON" ] ; then + Echo "tar $TARPARAM all.tar daily_qa" + tar $TARPARAM all.tar daily_qa +else + Echo "tar $TARPARAM all.tar tinderbox" + tar $TARPARAM all.tar tinderbox +fi +gzip all.tar +# ssh-agent > /u/sonmi/.ssh/ssh-agent.info +# setenv like it says in that file +# ssh-add + +SSH_AUTH_SOCK=`grep SSH_AUTH_SOCK /u/sonmi/.ssh/ssh-agent.info | sed -e 's/setenv SSH_AUTH_SOCK //' -e 's/;//'` +SSH_AGENT_PID=`grep SSH_AGENT_PID /u/sonmi/.ssh/ssh-agent.info | sed -e 's/setenv SSH_AGENT_PID //' -e 's/;//'` +export SSH_AUTH_SOCK SSH_AGENT_PID +if [ "$O_SILENT" = "OFF" ] ; then + set -x + scp all.tar.gz sonmi@stage.mozilla.org:/home/ftp/pub/security/nss + ssh -l sonmi stage.mozilla.org '/home/sonmi/bin/nssqa_stage ' +else + scp all.tar.gz sonmi@stage.mozilla.org:/home/ftp/pub/security/nss >/dev/null 2>/dev/null + ssh -l sonmi stage.mozilla.org '/home/sonmi/bin/nssqa_stage ' >/dev/null 2>/dev/null +fi + +#" rlogin huey " +#" sftp sonmi@stage.mozilla.org" +#" cd /home/ftp/pub/security/nss" +#" lcd tmp/ftp_stage" +#" put all.tar.gz" +#" quit " +#" ssh -l sonmi stage.mozilla.org" +#" cd /home/ftp/pub/security/nss" +#" gunzip all.tar.gz" +#" tar xvf all.tar" +#" rm all.tar" + diff --git a/security/nss/tests/qa_stat b/security/nss/tests/qa_stat new file mode 100755 index 000000000..ddf8dd8d2 --- /dev/null +++ b/security/nss/tests/qa_stat @@ -0,0 +1,938 @@ +#! /bin/sh +######################################################################## +# +# /u/sonmi/bin/qa_stat - /u/svbld/bin/init/nss/qa_stat +# +# this script is supposed to automatically run QA for NSS on all required +# Unix platforms +# +# parameters +# ---------- +# nssversion (supported: 30b, 31, tip) +# builddate (default - today) +# +# options +# ------- +# -y answer all questions with y - use at your own risk...ignores warnings +# -s silent (only usefull with -y) +# -h, -? - you guessed right - displays this text +# -d debug +# -f <filename> - write the (error)output to filename +# -m <mailinglist> - send filename to mailinglist (csl) only useful +# with -f +# -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.qa_stat +# +######################################################################## + +O_OPTIONS=ON + +TBX_EXIT=49 # in case we are running on a tinderbox build, any + # early exit needs to return an error +if [ -z "$O_TBX" -o "$O_TBX" = "OFF" ] ; then + if [ -z "$O_LOCAL" -o "$O_LOCAL" = "OFF" ] ; then + . `dirname $0`/header + fi +fi +Debug "Sourced header O_TBX=$O_TBX O_LOCAL=$O_LOCAL" +TBX_EXIT=48 +EARLY_EXIT=TRUE + +URL="cindercone.red.iplanet.com" + +DOCDIR=/u/sonmi/doc + +HTML_ERRORCOLOR=\"#FF0000\" +HTML_ERRORMSG=Failed + +HTML_MISSINGCOLOR=\"#FFFFCC\" +HTML_MISSINGMSG=Missing + +HTML_INCOMPLETECOLOR=$HTML_MISSINGCOLOR +HTML_INCOMPLETEMSG=Incomplete + +HTML_PASSEDCOLOR=\"#66FF99\" +HTML_PASSEDMSG=Passed + +# this file is used to deal with hanging rsh - a new shell is started +# for each rsh, and a function is called after it is finished - they +# communicate with this file + +RSH_FILE=$TMP/rsh.$$ +echo >$RSH_FILE +TMPFILES="$TMPFILES $WARNINGLIST $RSH_FILE " +RSH_WAIT_TIME=80 #maximum time allowed for the 2 rsh to finish... +#TOTAL_TESTS=106 +TOTAL_TESTS=252 #tip +#TOTAL_TESTS=244 #3.4 +#TOTAL_TESTS=123 #3.3.2 +BCT_TOTAL_TESTS=122 #3.2.2 +#TOTAL_TESTS=133 #tip + +Debug "NTDIST $NTDIST" +Debug "UXDIST $UXDIST" +Debug "TESTSCRIPTDIR $TESTSCRIPTDIR" +Debug "RESULTDIR $RESULTDIR" + +############################### watch_rsh ############################## +# local shell function, deals with a hanging rsh (kills it...) +# this function is started as a backgroundprocess before the rsh is started, +# and writes info to the RSH_FILE, after the rsh is finished it writes finish +# info to the same file (this time called as a function, forground). +# the backgroundprocess stays around for RSH_WAIT_TIME, if then the finish +# information is not there attempts to kill the rsh +# +# watch_rsh start qa_computername & +# watch_rsh stop qa_computername +# +######################################################################## +watch_rsh() +{ + case $1 in + start) + echo "$2 started" >>$RSH_FILE + sleep $RSH_WAIT_TIME + O_ALWAYS_YES=ON # may modify global flags because this is a + # forked off bg process - kill_by_name otherwise + # will ask the user if it really should be killed + grep "$2 finished" $RSH_FILE >/dev/null || kill_by_name "rsh $2" + exit + ;; + stop) + echo "$2 finished" >>$RSH_FILE + ;; + esac +} + +############################### find_qa_systems ######################## +# local shell function, tries to determine the QA operating system +# works remotely, and for Windows machines +######################################################################## +find_qa_systems() +{ +for QA_SYS in `ls $RESULTDIR | grep '\.1$' | sed -e "s/\..*//" | sort -u` +do + NO_RSH="FALSE" + QA_OS="" + QA_RHVER="" + IS_64="" + IS_WIN="" + + grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa >/dev/null && NO_RSH=TRUE + + if [ "$NO_RSH" = "TRUE" ] + then + + QA_OS=`grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \ + -e "s/.*-OS-LINE: /${QA_SYS}/"` + QA_OS_STRING=`echo $QA_OS | sed -e "s/^[_ ]//" -e "s/ /_/g"` + echo $QA_OS_STRING >>$PLATFORMLIST + if [ "$O_SILENT" != ON ] ; then + echo $QA_OS + fi + + #grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \ + #-e "s/.*-OS-LINE: /${QA_SYS}_/" >>$PLATFORMLIST + #if [ "$O_SILENT" != ON ] ; then + #grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \ + #-e "s/.*-OS-LINE:/${QA_SYS}/" + #fi + else + REM_SYSNAME=$QA_SYS + watch_rsh start $REM_SYSNAME & + qa_stat_get_sysinfo $QA_SYS + watch_rsh stop $REM_SYSNAME + echo $QA_OS_STRING >>$PLATFORMLIST + # use later for missing list + fi +done + +} + +################################### qa_stat_init ########################## +# local shell function, sets the name of the resultfile to: +# <filename> if option -f <filename> +# $RESULTDIR/result if write permission +# (mozilla/tests_results/security/result) +# $HOME/resultNSS${NSSVER}-${BUILDDATE} if no write permission in $RESULTDIR +######################################################################## +qa_stat_init() +{ + if [ $O_FILE = ON -a $O_CRON = OFF ] # if -f was specified write there + then + RFILE=$FILENAME + else + RFILE=${RESULTDIR}/result.$$ + if [ ! -w $RESULTDIR ] + then + RFILE=$HOME/resultNSS${NSSVER}-${BUILDDATE}.$$ + Debug "Using alternate resultfile $RFILE" + #elif [ $O_CRON = ON ] + #then + ##find ${RESULTDIR} -exec chmod a+rw {} \; #FIXME - umask + ##doesn't seem to work - this is a tmp workaround + fi + + if [ ! -x $RESULTDIR -o ! -r $RESULTDIR -o ! -w $RESULTDIR ] + then + glob_usage "$RESULTDIR does not have the right permissions `ls -l $RESULTDIR`" + fi + if [ -d $RESULTDIR ] + then + cd $RESULTDIR + else + glob_usage "$RESULTDIR does not exist" + fi + fi + + ERRORLIST=${RFILE}.E + PLATFORMLIST=${RFILE}.P + PERFLIST=${RFILE}.PE + TMP_HTML_FILE=${RFILE}.html + HTML_FILE=${RESULTDIR}/result.html + WARNINGLIST=${RFILE}.W + BCMISSINGLIST=${RFILE}.BCM + BCERRORLIST=${RFILE}.BCE + TMPFILE=${RFILE}.T + ML_FILE=${RFILE}.ML + + TMPFILES="$TMPFILES $TMPFILE" + TMPFILES="$TMPFILES $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \ + $BCMISSINGLIST $BCERRORLIST $ML_FILE" #FIXME uncomment + + FILENAME=$RFILE #we might want to mail it...later switch to html file + O_FILE="ON" + + rm $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \ + $BCMISSINGLIST $BCERRORLIST $TMP_HTML_FILE 2>/dev/null + touch $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \ + $BCMISSINGLIST $BCERRORLIST $TMP_HTML_FILE 2>/dev/null + + if [ $O_WIN = "ON" -a "$O_TBX" = "ON" ] ; then + HTML_PATH="http://${URL}${UX_D0}/nss${NSSVER}/tinderbox/tests_results/security/`basename $RESULTDIR`" + else + HTML_PATH="http://${URL}${RESULTDIR}" + fi + HREF_TMP_HTML_FILE="${HTML_PATH}/`basename $HTML_FILE`" + + write_qa_header_html >$TMP_HTML_FILE +} + +################################# html_footer ######################### +# local shell function, writes end of the html body +####################################################################### +write_qa_header_html() +{ +echo 'Subject: QA Report ' $NSSVER $BUILDDATE ' +From: sonmi@iplanet.com +Reply-To: sonmi@iplanet.com +Content-Type: text/html; charset=us-ascii +<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> +<html> +<head> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> + <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; U; SunOS 5.8 sun4u) [N +etscape]"> +</head> +<body> +<br> + +<br> +<h2> +<a href="http://tinderbox.mozilla.org/showbuilds.cgi?tree=NSS">Tinderbox</a +><br> +<a href="http://cindercone.red.iplanet.com/share/builds/mccrel3/nss/nsstip/tinderbox/tests_results/security/">Tinderbox QA result</a><br> +<a href="ftp://ftp.mozilla.org/pub/security/nss/daily_qa">Mozilla Daily NSS QA result</a></h2> + + + +<br> +<center> +<h1> +<a NAME="Top"></a><b><font size=+2>QA Results</font></b></h1></center> + + +<table BORDER WIDTH="100%" NOSAVE > +<tr> +<td> <b><font size=+1>Build-OS and version</font></b></td> +<td><b><font size=+1>QA-OS</font></b></td> +<td><b><font size=+1>Systemname</font></b></td> +<td><b><font size=+1>P/F</font></b></td> +<td><b><font size=+1>result</font></b></td> +<td><b><font size=+1>output</font></b></td> +<td><b><font size=+1>errors</font></b></td> +<td><b><font size=+1>QA time / #</font></b></td> +</tr> +' +} + +################################# html_footer ######################### +# local shell function, writes end of the html body +####################################################################### +html_footer() +{ + echo '</body>' + echo '</html>' +} + +################################# setQAsysvars ######################### +# local shell function, sets system specific variables +######################################################################## +setQAsysvars() +{ + if [ "$MACHINE" != "0" ] + then + MACHINE=`echo $MACHINE | sed -e 's/^bct.//g'` + TESTDATE=`ls -ld $MACHINE | awk '{ print $6, $7, $8 }'` + TESTNUMBER=`echo $MACHINE | sed -e 's/.*\.//'` + SYSNAME=`echo $MACHINE | sed -e 's/\..*//'` + Debug "SYSNAME= $SYSNAME" + + if [ "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then + QA_SYS_OS=$QA_OS + else + QA_SYS_OS=`grep $SYSNAME $PLATFORMLIST | + sed -e 's/
//' | \ + sort | uniq | sed -e "s/$SYSNAME//" \ + -e "s/^_//" | sort | uniq` + fi + Debug "QA_SYS_OS= $QA_SYS_OS" + fi + BUILD_SYS=`echo $BUILDPLATFORM | sed -e 's/\.OBJ//' -e 's/_DBG/ Debug/' \ + -e 's/_OPT/ Optimized/' -e 's/_64/ 64bit/' -e 's/_glibc_PTH//' \ + -e 's/_/ /'` + Debug "BUILD_SYS=$BUILD_SYS" + if [ -f "${RESULTDIR}/${MACHINE}/results.html" ] ; then + RESULT="${HTML_PATH}/${MACHINE}/results.html" + else + RESULT="0" + fi + if [ -f "${RESULTDIR}/bct/${MACHINE}/results.html" ] ; then + BCB_RESULT="${HTML_PATH}/bct/${MACHINE}/results.html" + else + BCB_RESULT="0" + fi + + if [ -f "${RESULTDIR}/${MACHINE}/output.log" ] ; then + LOG="${HTML_PATH}/${MACHINE}/output.log" + else + LOG="0" + fi + if [ -f "${RESULTDIR}/bct/${MACHINE}/output.log" ] ; then + BCB_LOG="${HTML_PATH}/bct/${MACHINE}/output.log" + else + BCB_LOG="0" + fi +} + +################################# html_line() ######################### +# local shell function, writes a line in the html table +######################################################################## +html_line() +{ + echo '<tr NOSAVE>' + echo '<td NOSAVE>'$BUILD_SYS'</td>' + echo '' + if [ "$QA_SYS_OS" != "0" ] ; then + echo '<td NOSAVE>'$QA_SYS_OS'</td>' + else + echo '<td></td>' + fi + echo '' + if [ "$SYSNAME" != "0" ] ; then + echo '<td>'$SYSNAME'</td>' + else + echo '<td></td>' + fi + #echo '<td>'$SYSNAME $TESTNUMBER $TESTDATE'</td>' + echo '' + # hopefully we never run more different tests on a tinderbox build... + # on win some shells can not handle exit codes greater then 52 (64???) + # so for very early exits the codes are set 50-45, for failures later + # in the process the higher the number, the more failures + if [ "$O_TBX" = "ON" -a "$TBX_EXIT" -gt 45 ] ; then + TBX_EXIT=0 + fi + if [ "$1" = "failed" ] + then + TBX_EXIT=`expr $TBX_EXIT + 1` + echo '<td BGCOLOR='$HTML_ERRORCOLOR' NOSAVE><b>'$HTML_ERRORMSG'</b></td>' + elif [ "$1" = "passed" ] + then + echo '<td BGCOLOR='$HTML_PASSEDCOLOR' NOSAVE>'$HTML_PASSEDMSG'</td>' + elif [ "$1" = "incomplete" ] + then + TBX_EXIT=`expr $TBX_EXIT + 1` + echo '<td BGCOLOR='$HTML_INCOMPLETECOLOR' NOSAVE>'$HTML_INCOMPLETEMSG'</td>' + else + TBX_EXIT=`expr $TBX_EXIT + 1` + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + fi + if [ "$CURRENT_TABLE" != "BC" ] ; then + if [ "$RESULT" = "0" ] ; then + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + else + echo '<td> <a href="'$RESULT'">result</a> </td>' + fi + if [ "$LOG" = "0" ] ; then + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + else + echo '<td> <a href="'$LOG'">log</a> </td>' + fi + if [ "$1" = "failed" ] ; then + echo '<td> <a href="'${HREF_TMP_HTML_FILE}'#errorlist">error</a> </td>' + else + echo '<td></td>' + fi + else + #<td><b><font size=+1>errors</font></b></td> + #<td><b><font size=+1>P/F</font></b></td> + #<td><b><font size=+1>P/F</font></b></td> + + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>old dlls</font></b></td>' + #echo '<td><b><font size=+1>old executables</font></b></td>' + #if [ "$RESULT" != "0" -a "$LOG" != "0" ] ; then + #echo '<td><a href="'$RESULT'">result</a>, <a href="'$LOG'">log</td>' + #elif [ "$RESULT" = "0" -a "$LOG" != "0" ] ; then + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$LOG'">log</a></td>' + #elif [ "$RESULT" != "0" -a "$LOG" = "0" ] ; then + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$RESULT'">result</a></td>' + #else + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + #fi + #if [ "$BCB_RESULT" != "0" -a "$BCB_LOG" != "0" ] ; then + #echo '<td><a href="'$BCB_RESULT'">result</a>, <a href="'$BCB_LOG'"> log</td>' + #elif [ "$BCB_RESULT" = "0" -a "$BCB_LOG" != "0" ] ; then + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$BCB_LOG'">log</a></td>' + #elif [ "$BCB_RESULT" != "0" -a "$BCB_LOG" = "0" ] ; then + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$BCB_RESULT'">result</a></td>' + #else + #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + #fi + if [ "$BCB_RESULT" = "0" ] ; then + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + else + echo '<td> <a href="'$BCB_RESULT'">result</a> </td>' + fi + if [ "$BCB_LOG" = "0" ] ; then + echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>' + else + echo '<td> <a href="'$BCB_LOG'">log</a> </td>' + fi + fi + echo '<td>'$TESTDATE $TESTNUMBER'</td>' + echo '</tr>' +} + +################################# qa_errorlist ######################### +# local shell function, finds problems in the previously run QA +# linux:the gnu grep, on Linux can output 10 lines above and 3 lines below +# the errormessage +######################################################################## +qa_errorlist() +{ + grep "bgcolor=red" ${MACHINES_TO_CHECK}*/results.html | + sed -e 's/.results.html:<TR><TD>/ /' -e 's/<[^>]*>/ /g' + grep 'cache hits; .* cache misses, .* cache not reusable' \ + ${MACHINES_TO_CHECK}*/output.log | + grep strsclnt | + grep -v '0 cache hits; 0 cache misses, 0 cache not reusable' | + grep -v ' cache hits; 1 cache misses, 0 cache not reusable' + for logfile in ${MACHINES_TO_CHECK}*/output.log; do + grep -vi "write to SSL socket" $logfile | + grep -vi "HDX PR_Read returned error" | + grep -vi "no error" | + grep -vi "12285" | + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP error + #grep -vi "5938" | needed for -v option + #grep -vi "HDX PR_Read hit EOF" | + grep -vi "write to SSL socket" $logfile | + grep -vi "peer cannot verify" | + grep -vi "error" | + grep -vi "fatal" | + grep -vi "TCP Connection aborted" | + grep -vi "TCP connection reset" | + grep $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i failed + done + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "segmentation violation" \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "memory fault" \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "bus error" \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "core dumped" \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP fatal \ + ${MACHINES_TO_CHECK}*/output.log + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i\ + "PKCS12 decode not verified" ${MACHINES_TO_CHECK}*/output.log + + if [ -n "${MACHINES_TO_CHECK}" ] ; then + find ${MACHINES_TO_CHECK}* -name core -print 2>/dev/null | + grep -v bct + else + find . -name core -print 2>/dev/null | + grep -v bct + fi +} + +tbx_missing_platforms () +{ + QA_MISSING="QA report missing" + MACHINE="0" + + if [ "$QA_OS_STRING" = "WINNT4.0" ] ; then + QA_OS_STRING="Windows-NT-4.0" + fi + for BUILDPLATFORM in `grep $QA_OS_STRING $TESTSCRIPTDIR/platformlist.tbx` + do + if [ "$BUILDPLATFORM" != "$QA_OS_STRING" ] ; then + Debug "BUILDPLATFORM = $BUILDPLATFORM QA_OS_STRING = $QA_OS_STRING" + grep $BUILDPLATFORM ${MACHINES_TO_CHECK}*/results.html \ + >/dev/null || { + setQAsysvars + html_line missing >>$TMP_HTML_FILE + } + fi + done +} + +############################ platform _list ########################### +# local shell function, generate pass/fail information for each Platform +######################################################################## +platformlist() +{ + grep Platform ${MACHINES_TO_CHECK}*/results.html | + sed -e 's/.results.html:<H4>Platform: /---/' \ + -e 's/<BR>//' >$TMPFILE + # this is done a little complicated to avoid starting a subshell in + # a while read that gets the input from a pipeline, and variables set + #in or underneath this function get unset after done... + for MB in `cat $TMPFILE` ; do + MACHINE=`echo $MB | sed -e "s/---.*//"` + BUILDPLATFORM=`echo $MB | sed -e "s/.*---//"` + grep "${MACHINE}[^0-9]" $ERRORLIST >/dev/null + ret=$? + setQAsysvars + if [ $ret -eq 0 ] + then + echo "Failed $MACHINE $BUILDPLATFORM" >>$RFILE + html_line failed >>$TMP_HTML_FILE + else + echo "Passed $MACHINE $BUILDPLATFORM" >>$RFILE + html_line passed >>$TMP_HTML_FILE + fi + done +} + +############################ missing_platforms ########################### +# local shell function, finds out if we ran on all required platforms +######################################################################## +missing_platforms() +{ + QA_MISSING="QA report missing" + MACHINE="0" + SYSNAME="0" + QA_SYS_OS="0" + + for BUILDPLATFORM in `cat $TESTSCRIPTDIR/platformlist` + do + grep $BUILDPLATFORM $PLATFORMLIST > /dev/null || { + setQAsysvars + html_line missing >>$TMP_HTML_FILE + } + done +} + +############################ incomplete_results ########################### +# local shell function, finds out if all qa runs were complete +######################################################################## +incomplete_results () +{ + + for w in `ls ${MACHINES_TO_CHECK}*/results.html` + do + grep bgcolor=red $w || { + PASSED_LINES="" + PASSED_LINES=`grep bgcolor=lightGreen $w | wc -l` + if [ -n "$PASSED_LINES" -a "$PASSED_LINES" -lt "$TOTAL_TESTS" ] ; then + BUILDPLATFORM=`grep Platform $w | sed -e 's/<H4>Platform:/ /' -e 's/<BR>//'` + MACHINE=`echo $w | sed -e "s/.results.html//"` + #MACHINE=`echo $w | sed -e "s/\.[0-9]*.results.html//"` + setQAsysvars + html_line incomplete >>$TMP_HTML_FILE + elif [ "$PASSED_LINES" -gt "$TOTAL_TESTS" ] ; then + echo "WARNING - more tests than expected on $w ($PASSED_LINES)" >>$WARNINGLIST + fi + } + done +} + +qa_stat_table() +{ + echo ' ' + echo '<br> ' + echo '<center>' + echo '<h1>' + echo '<a NAME="'$1'"></a>'$1'</h1></center>' + echo ' ' + echo '<table BORDER WIDTH="100%" NOSAVE >' + echo '<tr NOSAVE>' +} + +############################### psaperf ######################## +# local shell function, copies results of the daily performance test +# into a table in the QA report +######################################################################## +rsaperf() +{ + grep RSAPERF */output.log | grep -v "_DBG" > $PERFLIST + + qa_stat_table "Performance list" + + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1># of iterations</font></b></td>' + echo '<td><b><font size=+1>average for one op</font></b></td>' + echo '<td><b><font size=+1>Total</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + cat $PERFLIST | + while read MACHINE BUILDPLATFORM no_iter t1 t2 total total_unit t3 \ + t4 t5 average average_unit + do + #caution subshell, variables local to this loop + BUILD_SYS=`echo $BUILDPLATFORM | sed -e 's/\.OBJ//' \ + -e 's/_DBG/ Debug/' \ + -e 's/_OPT/ Optimized/' -e 's/_64/ 64bit/' -e 's/_glibc_PTH//' \ + -e 's/_/ /'` + TESTNUMBER=`echo $MACHINE | sed -e 's/[^\.]*\.//' -e 's/\/.*//'` + MACHINE=`echo $MACHINE | sed -e 's/\..*//'` + TESTDATE=`ls -ld ${MACHINE}.${TESTNUMBER} | awk '{ print $6, $7, $8 }'` + echo '<tr>' + echo '<td>'$BUILD_SYS'</td>' + echo '' + echo '<td>'$MACHINE'</td>' + echo '' + echo '<td>'$no_iter'</td>' + echo '' + echo '<td>'$average' '$average_unit'</td>' + echo '' + echo '<td>'$total' '$total_unit'</td>' + echo '' + echo '<td>'$TESTDATE $TESTNUMBER'</td>' + echo '' + echo '</tr>' + done + echo '</table>' +} + +############################### qa_stat_cleanup ######################## +# local shell function, finishes html file, sets variables for global Exit +######################################################################## +qa_stat_cleanup() +{ + + html_footer >>$TMP_HTML_FILE + + O_DEBUG=OFF + + EARLY_EXIT=FALSE + cp $TMP_HTML_FILE $HTML_FILE + FILENAME=$HTML_FILE #we might want to mail it... + Exit +} + + +############################### bc_test ######################## +# local shell function, evaluates the results of the backward u +# compatibility tests +######################################################################## +bc_header() +{ +CURRENT_TABLE="BC" #so html_line can determine which fields to write + + qa_stat_table "Backward Compatibility Test" + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>QA-OS</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1>P/F</font></b></td>' + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>backward comp. test</font></b></td>' + echo '<td><b><font size=+1>result</font></b></td>' + echo '<td><b><font size=+1>output</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + +} + +old_bc_test() +{ +CURRENT_TABLE="BC" #so html_line can determine which fields to write + + qa_stat_table "Backward Compatibility Test" + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>QA-OS</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1>P/F</font></b></td>' + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>backward comp. test</font></b></td>' + echo '<td><b><font size=+1>result</font></b></td>' + echo '<td><b><font size=+1>output</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + + for w in `ls */results.html` + do + TMP_RESULT="`dirname $w`/results.tmp" + TMP_BC_RESULT="`dirname bct/$w`/results.tmp" + rm $TMP_RESULT $TMP_BC_RESULT 2>/dev/null + cat $w | sed -e 's/<[^>]*>//g' -e 's/ /_/g' \ + -e 's/signtool_-[vw]/signtool_-vw/' | + grep '_[PF]a[si][sl]ed' >$TMP_RESULT + cat bct/$w | sed -e 's/<[^>]*>//g' -e 's/ /_/g' \ + -e 's/signtool_-[vw]/signtool_-vw/' | + grep '_[PF]a[si][sl]ed' >$TMP_BC_RESULT + diff $TMP_RESULT $TMP_BC_RESULT 2>>$BCMISSINGLIST | + grep -v "Create_objsign_cert_.signtool_-G.*Passed" | + grep -v "porting_Alice.s_email_cert" | + grep -v "^[0-9,cad]*$" | grep -v "^---$" | grep -v "^---.$" | + grep -v "Can.t_run_pk12util_tests_for_NSS_3.2" >/dev/null && ( + echo "$w differs" >> $BCMISSINGLIST + echo "=========================================" + echo "diff $w bct/$w" + echo "=========================================" + diff $TMP_RESULT $TMP_BC_RESULT 2>&1 | + grep -v "Create_objsign_cert_.signtool_-G.*Passed" | + grep -v "porting_Alice.s_email_cert" | + grep -v "Can.t_run_pk12util_tests_for_NSS_3.2" + ) 2>&1 >>$BCERRORLIST + + #diff -b $w bct/$w 2>>$BCMISSINGLIST | + #grep -v "Create objsign cert .signtool -G.*Passed" | + #grep -v "Listing signed files in jar .signtool -v.*Passed" | + #grep -v "Listing signed files in jar .signtool -w.*Passed" | + #grep -v "backward compatibility" | + #grep -v "Can.t run pk12util tests for NSS 3.2" | + #grep -v "porting Alice.s email cert " | + #grep -v "^---$" | grep -v "^[<> ] $" | + #grep -v "^---.$" | grep -v "^[<> ] .$" | + #grep -v '< </BODY></HTML>' | + #grep -v "^[0-9,cad]*$" 2>>$BCMISSINGLIST >/dev/null && ( + #echo "$w differs" >> $BCMISSINGLIST + #echo "=========================================" + #echo "diff $w bct/$w" + #echo "=========================================" + #diff -b $w bct/$w 2>&1 | + #grep -v "Listing signed files in jar .signtool -v.*Passed" | + #grep -v "Listing signed files in jar .signtool -w.*Passed" | + #grep -v "backward compatibility" | + #grep -v "Can.t run pk12util tests for NSS 3.2" | + #grep -v "porting Alice.s email cert " | + #grep -v "^---$" | grep -v "^[<> ] $" | + #grep -v "^---.$" | grep -v "^[<> ] .$" | + #grep -v '< </BODY></HTML>' | + #grep -v "^[0-9,cad]*$" \ + #) 2>&1 >>$BCERRORLIST + rm $TMP_RESULT $TMP_BC_RESULT 2>/dev/null + done + rm $ERRORLIST + cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \ + -e "s/.results.html.*/\/results.html/" | + sort -u > $ERRORLIST + + platformlist + echo '</table>' >>$TMP_HTML_FILE + + head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/" +} + +bc_test() +{ +CURRENT_TABLE="BC" #so html_line can determine which fields to write + + qa_stat_table "Backward Compatibility Test" + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>QA-OS</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1>P/F</font></b></td>' + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>backward comp. test</font></b></td>' + echo '<td><b><font size=+1>result</font></b></td>' + echo '<td><b><font size=+1>output</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + +set -x + for w in `ls */results.html` + do + BCT_DIR=`dirname "bct/$w"` + BCT_RESULT="bct/$w" + BCT_LOG="$BCT_DIR/output.log" + grep "bgcolor=red" $BCT_RESULT | + sed -e 's/.results.html:<TR><TD>/ /' -e 's/<[^>]*>/ /g' + grep 'cache hits; .* cache misses, .* cache not reusable' \ + $BCT_LOG | + grep -v selfserv | + grep -v '0 cache hits; 1 cache misses, 0 cache not reusable' | + grep -v '0 cache hits; 0 cache misses, 0 cache not reusable' | + grep -v ' cache hits; 1 cache misses, 0 cache not reusable' + grep -vi "write to SSL socket" $BCT_LOG | + grep -vi "HDX PR_Read returned error" | + grep -vi "no error" | + grep -vi "12285" | + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP error + grep -vi "write to SSL socket" $BCT_LOG | + grep -vi "peer cannot verify" | + grep -vi "TCP Connection aborted" | + grep -vi "error" | + grep -vi "fatal" | + grep -vi "TCP connection reset" | + grep $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i failed $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "segmentation violation" $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "memory fault" $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "bus error" $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "core dumped" $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP fatal $BCT_LOG + grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i "PKCS12 decode not verified" $BCT_LOG + find ${BTC_DIR} -name core -print + + done 2>&1 >>$BCERRORLIST + rm $ERRORLIST + cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \ + -e "s/.results.html.*/\/results.html/" | + sort -u > $ERRORLIST + + platformlist + echo '</table>' >>$TMP_HTML_FILE + + head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/" +} + + +############################### bc_test ######################## +# local shell function, evaluates the results of the backward u +# compatibility tests +# move the whole function to old to tests a new solution +######################################################################## +bc_test_old() +{ +CURRENT_TABLE="BC" #so html_line can determine which fields to write + + qa_stat_table "Backward Compatibility Test" + echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>' + echo '<td><b><font size=+1>QA-OS</font></b></td>' + echo '<td><b><font size=+1>Systemname</font></b></td>' + echo '<td><b><font size=+1>P/F</font></b></td>' + #echo '<td><b><font size=+1>All Current</font></b></td>' + #echo '<td><b><font size=+1>backward comp. test</font></b></td>' + echo '<td><b><font size=+1>result</font></b></td>' + echo '<td><b><font size=+1>output</font></b></td>' + echo '<td><b><font size=+1>QA time / #</font></b></td>' + echo '</tr>' + + for w in `ls */results.html` + do + diff -b $w bct/$w 2>>$BCMISSINGLIST | + grep -v "Create objsign cert .signtool -G.*Passed" | + grep -v "Listing signed files in jar .signtool -v.*Passed" | + grep -v "Listing signed files in jar .signtool -w.*Passed" | + grep -v "backward compatibility" | + grep -v "Can.t run pk12util tests for NSS 3.2" | + grep -v "porting Alice.s email cert " | + grep -v "^---$" | grep -v "^[<> ] $" | + grep -v "^---.$" | grep -v "^[<> ] .$" | + grep -v '< </BODY></HTML>' | + grep -v "^[0-9,cad]*$" 2>>$BCMISSINGLIST >/dev/null && ( + echo "$w differs" >> $BCMISSINGLIST + echo "=========================================" + echo "diff $w bct/$w" + echo "=========================================" + diff -b $w bct/$w 2>&1 | + grep -v "Listing signed files in jar .signtool -v.*Passed" | + grep -v "Listing signed files in jar .signtool -w.*Passed" | + grep -v "backward compatibility" | + grep -v "Can.t run pk12util tests for NSS 3.2" | + grep -v "porting Alice.s email cert " | + grep -v "^---$" | grep -v "^[<> ] $" | + grep -v "^---.$" | grep -v "^[<> ] .$" | + grep -v '< </BODY></HTML>' | + grep -v "^[0-9,cad]*$" \ + ) 2>&1 >>$BCERRORLIST + done + rm $ERRORLIST + cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \ + -e "s/.results.html.*/\/results.html/" | + sort -u > $ERRORLIST + + platformlist + echo '</table>' >>$TMP_HTML_FILE + + head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/" + +} + +############################### tbx_main ######################## +# local shell function, tinderbox variation of the qa status script +######################################################################## +tbx_main() +{ + TBX_EXIT=47 + qa_stat_get_sysinfo # find out the OS we are running and all required tests + # on this OS + + MACHINES_TO_CHECK=$HOST #`uname -n` only search the local tests for errors + qa_errorlist > $ERRORLIST # + platformlist + #tbx_missing_platforms #temp. taken out until we find a better way to + #determine if all necessary QA ran - right now we run different + #tinderboxes on one machine + incomplete_results + echo '</table>' >>$TMP_HTML_FILE + echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE + cat $ERRORLIST | sed -e "s/^/<br>/" >>$TMP_HTML_FILE + +} + +############################### qa_stat_main ######################## +# local shell function, main flow of the qa status script +######################################################################## +qa_stat_main() +{ + find_qa_systems 2>/dev/null + MACHINES_TO_CHECK="" # check all founf qa runs + qa_errorlist > $ERRORLIST + platformlist + missing_platforms + incomplete_results + echo '</table>' >>$TMP_HTML_FILE + echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE + cat $ERRORLIST | sed -e "s/^/<br>/" >>$TMP_HTML_FILE + cat $WARNINGLIST 2>/dev/null | sed -e "s/^/<br>/" >>$TMP_HTML_FILE 2>/dev/null + rsaperf >>$TMP_HTML_FILE + bc_header >>$TMP_HTML_FILE + MACHINES_TO_CHECK="bct/" + TOTAL_TESTS=$BCT_TOTAL_TESTS + BEFORE_CONTEXT_GREP="" #WORKAROUND - errors in one outputlog within the first + AFTER_CONTEXT_GREP="" # or last lines will show up in the next/previos file + qa_errorlist > $ERRORLIST + platformlist + missing_platforms + incomplete_results + echo '</table>' >>$TMP_HTML_FILE + echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE + cat $ERRORLIST | sed -e "s/^/<br>/" >>$TMP_HTML_FILE + cat $WARNINGLIST 2>/dev/null | sed -e "s/^/<br>/" >>$TMP_HTML_FILE 2>/dev/null + #bc_test >>$TMP_HTML_FILE +} + +CURRENT_TABLE="Standard" +qa_stat_init + +if [ "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then + tbx_main +else + qa_stat_main +fi + +qa_stat_cleanup diff --git a/security/nss/tests/qaclean b/security/nss/tests/qaclean new file mode 100755 index 000000000..14c71f390 --- /dev/null +++ b/security/nss/tests/qaclean @@ -0,0 +1,144 @@ +#! /bin/sh + +######################################################################## +# +# /u/sonmi/bin/qaclean +# +# is supposed to clean up after a "hanging" QA +# +# 1) see if there is a lockfile +# if yes: +# 1a) kill the process of the lockfile and if possible it's children +# 1b) rm the lockfile +# 2) kill selfservers +# 3) clean up old tmp files +# +######################################################################## + +if [ -z "$TMP" ] +then + if [ -z "$TEMP" ] + then + TMP="/tmp" + else + TMP=$TEMP + fi +fi +if [ ! -w "$TMP" ] +then + echo "Can't write to tmp directory $TMP - exiting" + echo "Can't write to tmp directory $TMP - exiting" >&2 + exit 1 +fi + +########################### Ps ######################################### +# platform specific ps +######################################################################## +Ps() +{ + if [ `uname -s` = "SunOS" ] + then + /usr/5bin/ps -e + else + ps -e + fi +} + +Kill() +{ + if [ "$1" = "$$" ] + then + return + fi + echo "Killing PID $1" + kill $1 + sleep 1 + kill -9 $1 2>/dev/null +} + +########################### kill_by_name ################################ +# like killall, only without permissionproblems, kills the process whose +# name is given as parameter +######################################################################## +kill_by_name() +{ + echo "Killing all $1" + + for PID in `Ps | grep "$1" | grep -v grep | \ + sed -e "s/^[ ]*//g" -e "s/[ ].*//"` + do + Kill $PID + done +} + +kill_the_rest() +{ +i=0 +while [ $i -lt $1 ] +do + kill_by_name nssqa + kill_by_name selfserv + kill_by_name strsclnt + kill_by_name all.sh + kill_by_name sdr.sh + kill_by_name ssl.sh + kill_by_name smime.sh + i=`expr $i + 1` +done +} + +nt_warning() +{ +os_name=`uname -s` +case $os_name in + CYGWIN*|WIN*|Win*) + echo + echo + echo + echo "Another Windows problem... If you have not already done so" + echo "after this script completes, please reboot, and log in as" + echo "user svbld again" + echo + echo + echo + ;; +esac +} + +nt_warning +case $1 in + -all) + for w in tommy booboo kentuckyderby galileo shame axilla columbus \ + smarch charm hp64 biggayal orville kwyjibo hbombaix raven \ + jordan hornet phaedrus louie box dbldog huey washer dryer \ + shabadoo trex bummer compaqtor jellyfish sjsu + do + echo $w + ping $w && rsh $w '/u/sonmi/bin/qaclean' + done + + ;; + ?*) + rsh $1 '/u/sonmi/bin/qaclean' + exit + ;; +esac + +uname -a +echo + +if [ -f ${TMP}/nssqa.* ] +then + echo "nssqa seems to be running ${TMP}/nssqa.*" + #cat ${TMP}/nssqa.* + NSSQA_PID=`ls ${TMP}/nssqa.* | sed -e 's/[^.]*\.//'` + Kill $NSSQA_PID + rm ${TMP}/nssqa.* +fi + +kill_the_rest 3 +ls -l ${TMP}/nsstmp.* +rm ${TMP}/nsstmp.* 2>/dev/null +rm ${TMP}/certutilout.* 2>/dev/null +rm ${TMP}/Pk12* +nt_warning diff --git a/security/nss/tests/remote/Makefile b/security/nss/tests/remote/Makefile new file mode 100644 index 000000000..6c6e5bd55 --- /dev/null +++ b/security/nss/tests/remote/Makefile @@ -0,0 +1,153 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +TESTPACKAGE="nss-$(OS_TARGET)$(CPU_TAG).tgz" +RTSH=$(DIST)/../../runtests.sh +PCFG=$(DIST)/platform.cfg + + +#Hint: In order to test the Makefiles without running the tests, use: +# make NSS_CYCLES="standard" NSS_TESTS="dummy" + +ifeq ($(OS_TARGET),Android) +TEST_SHELL?=$$HOME/bin/sh +ANDROID_PORT?="2222" +#Define the subset of tests that is known to work on Android +NSS_CYCLES?="standard pkix upgradedb sharedb" +NSS_TESTS?="cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits chains" +NSS_SSL_TESTS?="crl normal_normal iopr" +NSS_SSL_RUN?="cov auth stress" +else +TEST_SHELL?="/bin/sh" +endif + +# Create a package for test execution on a separate system. +package_for_testing: + echo "export OBJDIR=$(OBJDIR_NAME)" > $(PCFG) + echo "export OS_ARCH=$(OS_ARCH)" >> $(PCFG) + echo "export OS_TARGET=$(OS_TARGET)" >> $(PCFG) + echo "export DLL_PREFIX=$(DLL_PREFIX)" >> $(PCFG) + echo "export DLL_SUFFIX=$(DLL_SUFFIX)" >> $(PCFG) + echo 'echo "set HOST and DOMSUF if your system is not registered in DNS"' > $(RTSH) + cat $(PCFG) >> $(RTSH) + echo 'export NSS_TESTS=$(NSS_TESTS)' >> $(RTSH) + echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(RTSH) + echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)' >> $(RTSH) + echo 'export NSS_CYCLES=$(NSS_CYCLES)' >> $(RTSH) + echo 'export USE_64=$(USE_64)' >> $(RTSH) + echo 'export BUILD_OPT=$(BUILD_OPT)' >> $(RTSH) + echo 'export PKITS_DATA=$(PKITS_DATA)' >> $(RTSH) + echo 'export NSS_DISABLE_ECC=$(NSS_DISABLE_ECC)' >> $(RTSH) + echo 'export NSPR_LOG_MODULES=$(NSPR_LOG_MODULES)' >> $(RTSH) +ifeq ($(OS_TARGET),Android) + # Android doesn't support FIPS tests, because + # dladdr does not return a full path for implicitly loaded libraries + echo "export NSS_TEST_DISABLE_FIPS=1" >> $(DIST)/platform.cfg +endif +ifeq ($(CROSS_COMPILE),1) +# execute signing on test system + echo 'export DIST=$${HOME}/nsstest/dist/' >> $(RTSH) + echo 'export NSPR_LIB_DIR=$${DIST}/$${OBJDIR}/lib/' >> $(RTSH) + echo 'echo "signing"' >> $(RTSH) +# work around a bug in Android ash that has a corrupted work directory after login + echo 'cd $${HOME}/nsstest' >> $(RTSH) + echo 'cd nss/cmd/shlibsign' >> $(RTSH) + echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}freebl3.$${DLL_SUFFIX}' >> $(RTSH) + echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}softokn3.$${DLL_SUFFIX}' >> $(RTSH) + echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}nssdbm3.$${DLL_SUFFIX}' >> $(RTSH) +ifneq ($(OS_TARGET),Android) +# Android's ash doesn't support "export -n" yet + echo 'export -n DIST' >> $(RTSH) + echo 'export -n NSPR_LIB_DIR' >> $(RTSH) +endif + echo 'cd ../../../' >> $(RTSH) +endif + echo 'rm -rf tests_results' >> $(RTSH) + echo 'echo "running tests"' >> $(RTSH) + echo 'cd nss/tests' >> $(RTSH) + # We require progress indication on stdout while running the tests (to avoid timeouts). + set -o pipefail + echo '$(TEST_SHELL) ./all.sh | tee ../../logfile 2>&1 |grep ": #"' >> $(RTSH) + RETVAL=$? + echo 'cd ../../' >> $(RTSH) + # dump test summary from end of logfile + echo 'echo "=========="; tail -100 logfile' >> $(RTSH) + echo 'tar czf tests_results.tgz tests_results' >> $(RTSH) + echo 'echo "created tests_results.tgz"' >> $(RTSH) + echo 'echo "results are in directory: "`ls -1d tests_results/security/*.1`' >> $(RTSH) + echo 'echo exit status: $${RETVAL}' >> $(RTSH) + echo 'exit $${RETVAL}' >> $(RTSH) + rm -f $(TESTPACKAGE) + (cd $(DIST)/../.. ; tar czhf dist/$(TESTPACKAGE) runtests.sh dist/$(OBJDIR_NAME) dist/public nss/tests nss/cmd/bltest/tests nss/cmd/pk11gcmtest/tests nss/cmd/shlibsign; echo "created "`pwd`"/dist/$(TESTPACKAGE)" ) + +android_run_tests: + ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR) 'pwd; cd; pwd; cd nsstest; export PATH=$$HOME/bin:$$PATH ; $(TEST_SHELL) runtests.sh' + +android_install: + rm -f $(DIST)/android.sftp + echo '-mkdir nsstest' > $(DIST)/android.sftp + echo '-rm nsstest/$(TESTPACKAGE)' >> $(DIST)/android.sftp + echo 'progress' >> $(DIST)/android.sftp + echo 'put $(DIST)/../$(TESTPACKAGE) nsstest' >> $(DIST)/android.sftp + sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(DIST)/android.sftp $(ANDROID_ADDR) + ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR) 'cd nsstest ; $$HOME/bin/rm -rf logfile runtests.sh dist security tests_results tests_results.tgz; $$HOME/bin/tar xzf $(TESTPACKAGE)' + +WORKDIR="$(DIST)/../../" +RESULTSPACKAGE=tests_results.tgz +android_get_result: + rm -f $(WORKDIR)/result.sftp $(WORKDIR)/$(RESULTSPACKAGE) + echo "progress" > $(WORKDIR)/result.sftp + echo 'get nsstest/$(RESULTSPACKAGE) $(WORKDIR)' >> $(WORKDIR)/result.sftp + sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(WORKDIR)/result.sftp $(ANDROID_ADDR) + (cd $(WORKDIR); tar xzf $(RESULTSPACKAGE); rm -f result.sftp $(RESULTSPACKAGE) ) + +# Android testing assumes having built with: OS_TARGET=Android CROSS_COMPILE=1 +# Connectivity tested with Android app: SSHDroid +# Provide appropriate ANDROID_ADDR variable, e.g.: +# make test_android ANDROID_ADDR=root@192.168.4.5 +# See also: https://wiki.mozilla.org/NSS:Android + +test_android: package_for_testing android_install android_run_tests android_get_result diff --git a/security/nss/tests/remote/manifest.mn b/security/nss/tests/remote/manifest.mn new file mode 100644 index 000000000..049f1617c --- /dev/null +++ b/security/nss/tests/remote/manifest.mn @@ -0,0 +1,6 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +CORE_DEPTH = ../.. +DEPTH = ../.. diff --git a/security/nss/tests/run_niscc.sh b/security/nss/tests/run_niscc.sh new file mode 100755 index 000000000..def3fd07e --- /dev/null +++ b/security/nss/tests/run_niscc.sh @@ -0,0 +1,982 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# +# PRIOR TO RUNNING THIS SCRIPT +# you should adjust MAIL_COMMAND and QA_LIST +# +# External dependencies: +# - install the NISCC test files, e.g. at /niscc (readonly OK) +# - libfaketimeMT because the test certificates have expired +# - build environment for building NSS +# - gdb to analyze core files +# - a command line mail tool (e.g. mailx) +# - openssl to combine input PEM files into pkcs#12 +# - curl for obtaining version information from the web +# + +################################################################################ +# Print script usage +################################################################################ +usage() +{ + cat << EOF +Usage: $0 [options] + +Test NSS library against NISCC SMIME and TLS testcases. + +Options: + -h, --help print this help message and exit + -v, --verbose enable extra verbose output + --niscc-home DIR use NISCC testcases from directory DIR (default /niscc) + --host HOST use host HOST (default '127.0.0.1') + --threads X set thread number to X (max. 10, default 10) + --out DIR set DIR as output directory (default '/out') + --mail ADDRESS send mail with test result to ADDRESS + --nss DIR set NSS directory to DIR (default '~/niscc-hg/nss') + --nss-hack DIR set hacked NSS directory to DIR (default '~/niscc-hg/nss_hack') + --log-store store all the logs (only summary by default) + --no-build-test don't pull and build tested NSS + --no-build-hack don't pull and build hacked NSS + --test-system test system installed NSS + --date DATE use DATE in log archive name and outgoing email + --libfaketime path.so use faketime library with LD_PRELOAD=path.so + --smallset test only a very small subset + +All options are optional. +All options (and possibly more) can be also set through environment variables. +Commandline options have higher priority than environment variables. +For more information please refer to the source code of this script. + +For a successfull run the script NEEDS the core file pattern to be 'core.*', +e.g. 'core.%t'. You can check the current pattern in +'/proc/sys/kernel/core_pattern'. Otherwise the test will be unable to detect +any failures and will pass every time. + +It is recommended to use hacked and tested binaries in a location, where their +absolute path is max. 80 characters. If their path is longer and a core file is +generated, its properties may be incomplete. + +Return value of the script indicates how many failures it experienced. + +EOF + exit $1 +} + +################################################################################ +# Process command-line arguments +################################################################################ +process_args() +{ + HELP="false" + args=`getopt -u -l "niscc-home:,host:,threads:,out:,verbose,mail:,nss:,nss-hack:,log-store,no-build-test,no-build-hack,help,test-system,date:,libfaketime:,smallset" -- "hv" $*` + [ "$?" != "0" ] && usage 1 + set -- $args + for i; do + case "$i" in + -v|--verbose) + shift + VERBOSE="-v" + ;; + --niscc-home) + shift + NISCC_HOME="$1" + shift + ;; + --host) + shift + HOST="$1" + shift + ;; + --threads) + shift + THREADS="$1" + shift + ;; + --out) + shift + TEST_OUTPUT="$1" + shift + ;; + --mail) + shift + USE_MAIL="true" + QA_LIST="$1" + shift + ;; + --nss) + shift + LOCALDIST="$1" + shift + ;; + --nss-hack) + shift + NSS_HACK="$1" + shift + ;; + --log-store) + shift + LOG_STORE="true" + ;; + --no-build-test) + shift + NO_BUILD_TEST="true" + ;; + --no-build-hack) + shift + NO_BUILD_HACK="true" + ;; + -h|--help) + shift + HELP="true" + ;; + --test-system) + shift + TEST_SYSTEM="true" + ;; + --date) + shift + DATE="$1" + shift + ;; + --libfaketime) + shift + FAKETIMELIB="$1" + shift + ;; + --smallset) + shift + SMALLSET="true" + ;; + --) + ;; + *) + ;; + esac + done + [ $HELP = "true" ] && usage 0 +} + +################################################################################ +# Create and set needed and useful environment variables +################################################################################ +create_environment() +{ + # Base location of NISCC testcases + export NISCC_HOME=${NISCC_HOME:-/niscc} + + # Base location of NSS + export HG=${HG:-"$HOME/niscc-hg"} + + # NSS being tested + export LOCALDIST=${LOCALDIST:-"${HG}/nss"} + + # Hacked NSS - built with "NISCC_TEST=1" + export NSS_HACK=${NSS_HACK:-"${HG}/nss_hack"} + + # Hostname of the testmachine + export HOST=${HOST:-127.0.0.1} + + # Whether to store logfiles + export LOG_STORE=${LOG_STORE:-"false"} + + # Whether to mail the summary + export USE_MAIL=${USE_MAIL:-"false"} + + # How to mail summary + export MAIL_COMMAND=${MAIL_COMMAND:-"mailx -S smtp=smtp://your.smtp.server:25 -r your+niscc@email.address"} + + # List of mail addresses where to send summary + export QA_LIST=${QA_LIST:-"result@recipient.address"} + + # Whether to use 64b build + export USE_64=${USE_64:-1} + + # Directory where to write all the output data (around 650MiB for each run) + export TEST_OUTPUT=${TEST_OUTPUT:-"$HOME/out"} + + # How many threads to use in selfserv and strsclnt (max. 10) + export THREADS=${THREADS:-10} + + # If true, do not build tthe tested version of NSS + export NO_BUILD_TEST=${NO_BUILD_TEST:-"false"} + + # If true, do not build the special NSS version for NISCC + export NO_BUILD_HACK=${NO_BUILD_HACK:-"false"} + + # If true, do not rebuild client and server directories + export NO_SETUP=${NO_SETUP:-"false"} + + # Location of NISCC SSL/TLS testcases + export TEST=${TEST:-"${NISCC_HOME}/NISCC_SSL_testcases"} + + # If true, then be extra verbose + export VERBOSE=${VERBOSE:-""} + + # If true, test the system installed NSS + export TEST_SYSTEM=${TEST_SYSTEM:-"false"} + [ "$TEST_SYSTEM" = "true" ] && export NO_BUILD_TEST="true" + + [ ! -z "$VERBOSE" ] && set -xv + + # Real date for naming of archives (system date must be 2002-11-18 .. 2007-11-18 due to certificate validity + DATE=${DATE:-`date`} + export DATE=`date -d "$DATE" +%Y%m%d` + + FAKETIMELIB=${FAKETIMELIB:-""} + export DATE=`date -d "$DATE" +%Y%m%d` + + # Whether to test only a very small subset + export SMALLSET=${SMALLSET:-"false"} + + # Create output dir if it doesn't exist + mkdir -p ${TEST_OUTPUT} +} + +################################################################################ +# Do a HG pull of NSS +################################################################################ +hg_pull() +{ + # Tested NSS - by default using HG default tip + if [ "$NO_BUILD_TEST" = "false" ]; then + echo "cloning NSS sources to be tested from HG" + [ ! -d "$LOCALDIST" ] && mkdir -p "$LOCALDIST" + cd "$LOCALDIST" + [ ! -d "$LOCALDIST/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr + cd nspr; hg pull; hg update -C -r default; cd .. + [ ! -d "$LOCALDIST/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss + cd nss; hg pull; hg update -C -r default; cd .. + #find . -exec touch {} \; + fi + + # Hacked NSS - by default using some RTM version. + # Do not use HEAD for hacked NSS - it needs to be stable and bug-free + if [ "$NO_BUILD_HACK" = "false" ]; then + echo "cloning NSS sources for a hacked build from HG" + [ ! -d "$NSS_HACK" ] && mkdir -p "$NSS_HACK" + cd "$NSS_HACK" + NSPR_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/nsprpub/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'` + NSS_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'` + [ ! -d "$NSS_HACK/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr + cd nspr; hg pull; hg update -C -r "$NSPR_TAG"; cd .. + [ ! -d "$NSS_HACK/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss + cd nss; hg pull; hg update -C -r "$NSS_TAG"; cd .. + #find . -exec touch {} \; + fi +} + +################################################################################ +# Build NSS after setting make variable NISCC_TEST +################################################################################ +build_NSS() +{ + # Tested NSS + if [ "$NO_BUILD_TEST" = "false" ]; then + echo "building NSS to be tested" + cd "$LOCALDIST" + unset NISCC_TEST + cd nss + gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLog + gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLog + fi + + # Hacked NSS + if [ "$NO_BUILD_HACK" = "false" ]; then + echo "building hacked NSS" + cd "$NSS_HACK" + export NISCC_TEST=1 + cd nss + gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLogHack + gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLogHack + fi + + unset NISCC_TEST +} + +################################################################################ +# Set build dir, bin and lib directories +################################################################################ +init() +{ + # Enable useful core files to be generated in case of crash + ulimit -c unlimited + + # Pattern of core files, they should be created in current directory + echo "core_pattern $(cat /proc/sys/kernel/core_pattern)" > "$TEST_OUTPUT/nisccLog00" + + # gmake is needed in the path for this suite to run + echo "PATH $PATH" >> "$TEST_OUTPUT/nisccLog00" + + # Find out hacked NSS version + DISTTYPE=`cd "$NSS_HACK/nss/tests/common"; gmake objdir_name` + echo "NSS_HACK DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00" + export HACKBIN="$NSS_HACK/dist/$DISTTYPE/bin" + export HACKLIB="$NSS_HACK/dist/$DISTTYPE/lib" + + if [ "$TEST_SYSTEM" = "false" ]; then + # Find out nss version + DISTTYPE=`cd "$LOCALDIST/nss/tests/common"; gmake objdir_name` + echo "NSS DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00" + export TESTBIN="$LOCALDIST/dist/$DISTTYPE/bin" + export TESTLIB="$LOCALDIST/dist/$DISTTYPE/lib" + export TESTTOOLS="$TESTBIN" + else + # Using system installed NSS + echo "USING SYSTEM NSS" >> "$TEST_OUTPUT/nisccLog00" + export TESTBIN="/usr/bin" + if [ `uname -m` = "x86_64" ]; then + export TESTLIB="/usr/lib64" + export TESTTOOLS="/usr/lib64/nss/unsupported-tools" + else + export TESTLIB="/usr/lib" + export TESTTOOLS="/usr/lib/nss/unsupported-tools" + fi + fi + + # Verify NISCC_TEST was set in the proper library + if strings "$HACKLIB/libssl3.so" | grep NISCC_TEST > /dev/null 2>&1; then + echo "$HACKLIB/libssl3.so contains NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00" + else + echo "$HACKLIB/libssl3.so does NOT contain NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00" + fi + + if strings "$TESTLIB/libssl3.so" | grep NISCC_TEST > /dev/null 2>&1; then + echo "$TESTLIB/libssl3.so contains NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00" + else + echo "$TESTLIB/libssl3.so does NOT contain NISCC_TEST" >> "$TEST_OUTPUT/nisccLog00" + fi +} + +################################################################################ +# Setup simple client and server directory +################################################################################ +ssl_setup_dirs_simple() +{ + [ "$NO_SETUP" = "true" ] && return + + echo "Setting up working directories for SSL simple tests" + + CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client" + SERVER="$TEST_OUTPUT/niscc_ssl/simple_server" + + # Generate .p12 files + openssl pkcs12 -export -inkey "$TEST/client_key.pem" -in "$TEST/client_crt.pem" -out "$TEST_OUTPUT/client_crt.p12" -passout pass:testtest1 -name "client_crt" + openssl pkcs12 -export -inkey "$TEST/server_key.pem" -in "$TEST/server_crt.pem" -out "$TEST_OUTPUT/server_crt.p12" -passout pass:testtest1 -name "server_crt" + + # Setup simple client directory + rm -rf "$CLIENT" + mkdir -p "$CLIENT" + echo test > "$CLIENT/password-is-test.txt" + export LD_LIBRARY_PATH="$TESTLIB" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$CLIENT" -f "$CLIENT/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$CLIENT" -n rootca -i "$TEST/rootca.crt" -t "C,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/client_crt.p12" -d "$CLIENT" -k "$CLIENT/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -L -d "$CLIENT" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + + # File containg message used for terminating the server + echo "GET /stop HTTP/1.0" > "$CLIENT/stop.txt" + echo "" >> "$CLIENT/stop.txt" + + # Setup simple server directory + rm -rf "$SERVER" + mkdir -p "$SERVER" + echo test > "$SERVER/password-is-test.txt" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$SERVER" -f "$SERVER/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SERVER" -n rootca -i "$TEST/rootca.crt" -t "TC,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/server_crt.p12" -d "$SERVER" -k "$SERVER/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -L -d "$SERVER" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + + unset LD_LIBRARY_PATH +} + +################################################################################ +# Setup resigned client and server directory +################################################################################ +ssl_setup_dirs_resigned() +{ + [ "$NO_SETUP" = "true" ] && return + + echo "Setting up working directories for SSL resigned tests" + + CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client" + SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server" + + # Setup resigned client directory + rm -rf "$CLIENT" + mkdir -p "$CLIENT" + echo test > "$CLIENT/password-is-test.txt" + export LD_LIBRARY_PATH="$TESTLIB" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$CLIENT" -f "$CLIENT/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$CLIENT" -n rootca -i "$TEST/rootca.crt" -t "C,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/client_crt.p12" -d "$CLIENT" -k "$CLIENT/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -L -d "$CLIENT" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + + echo "GET /stop HTTP/1.0" > "$CLIENT/stop.txt" + echo "" >> "$CLIENT/stop.txt" + + # Setup resigned server directory + rm -rf "$SERVER" + mkdir -p "$SERVER" + echo test > "$SERVER/password-is-test.txt" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$SERVER" -f "$SERVER/password-is-test.txt" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SERVER" -n rootca -i "$TEST/rootca.crt" -t "TC,C," >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i "$TEST_OUTPUT/server_crt.p12" -d "$SERVER" -k "$SERVER/password-is-test.txt" -W testtest1 >> "$TEST_OUTPUT/nisccLog00" 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -L -d "$SERVER" >> "$TEST_OUTPUT/nisccLog00" 2>&1 + + unset LD_LIBRARY_PATH +} + +################################################################################ +# NISCC SMIME tests +################################################################################ +niscc_smime() +{ + cd "$TEST_OUTPUT" + DATA="$NISCC_HOME/NISCC_SMIME_testcases" + + [ ! -d niscc_smime ] && mkdir -p niscc_smime + + export SMIME_CERT_DB_DIR=envDB + export NSS_STRICT_SHUTDOWN=1 + export NSS_DISABLE_ARENA_FREE_LIST=1 + export LD_LIBRARY_PATH="$TESTLIB" + + # Generate .p12 files + openssl pkcs12 -export -inkey "$DATA/Client.key" -in "$DATA/Client.crt" -out Client.p12 -passout pass:testtest1 &>/dev/null + openssl pkcs12 -export -inkey "$DATA/CA.key" -in "$DATA/CA.crt" -out CA.p12 -passout pass:testtest1 &>/dev/null + + # Generate envDB if needed + if [ ! -d "$SMIME_CERT_DB_DIR" ]; then + mkdir -p "$SMIME_CERT_DB_DIR" + echo testtest1 > password-is-testtest1.txt + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "./$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt > /dev/null 2>&1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt -i "$DATA/CA.crt" -n CA -t "TC,C," + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt -i "$DATA/Client.crt" -n Client -t "TC,C," + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i ./CA.p12 -d "$SMIME_CERT_DB_DIR" -k password-is-testtest1.txt -W testtest1 + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/pk12util" -i ./Client.p12 -d "$SMIME_CERT_DB_DIR" -k password-is-testtest1.txt -W testtest1 + fi + + # if p7m-ed-m-files.txt does not exist, then generate it. + [ -f "$DATA/p7m-ed-m-files.txt" ] && sed "s|^|$DATA/|" "$DATA/p7m-ed-m-files.txt" > p7m-ed-m-files.txt + export P7M_ED_M_FILES=p7m-ed-m-files.txt + if [ "$SMALLSET" = "true" ]; then + [ ! -f "$P7M_ED_M_FILES" ] && find "$DATA"/p7m-ed-m-0* -type f -print | head -10 >> "$P7M_ED_M_FILES" + else + [ ! -f "$P7M_ED_M_FILES" ] && find "$DATA"/p7m-ed-m-0* -type f -print >> "$P7M_ED_M_FILES" + fi + + # Test "p7m-ed-m*" testcases + echo "Testing SMIME enveloped data testcases" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/cmsutil" $VERBOSE -D -d "$SMIME_CERT_DB_DIR" -p testtest1 -b -i "$P7M_ED_M_FILES" > niscc_smime/p7m-ed-m-results.txt 2>&1 + + export SMIME_CERT_DB_DIR=sigDB + # Generate sigDB if needed + if [ ! -d "$SMIME_CERT_DB_DIR" ]; then + mkdir -p "$SMIME_CERT_DB_DIR" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -N -d "$SMIME_CERT_DB_DIR" -f password-is-testtest1.txt + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -i "$DATA/CA.crt" -n CA -t "TC,C," + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/certutil" -A -d "$SMIME_CERT_DB_DIR" -i "$DATA/Client.crt" -n Client -t "TC,C," + fi + + # if p7m-sd-dt-files.txt does not exist, then generate it. + [ -f "$DATA/p7m-sd-dt-files.txt" ] && sed "s|^|$DATA/|" "$DATA/p7m-sd-dt-files.txt" > p7m-sd-dt-files.txt + export P7M_SD_DT_FILES=p7m-sd-dt-files.txt + if [ "$SMALLSET" = "true" ]; then + [ ! -f "$P7M_SD_DT_FILES" ] && find "$DATA"/p7m-sd-dt-[cm]-* -type f -print | head -10 >> "$P7M_SD_DT_FILES" + else + [ ! -f "$P7M_SD_DT_FILES" ] && find "$DATA"/p7m-sd-dt-[cm]-* -type f -print >> "$P7M_SD_DT_FILES" + fi + + [ ! -f detached.txt ] && touch detached.txt + + # Test "p7m-sd-dt*" testcases + echo "Testing SMIME detached signed data testcases" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/cmsutil" $VERBOSE -D -d "$SMIME_CERT_DB_DIR" -c detached.txt -b -i "$P7M_SD_DT_FILES" > niscc_smime/p7m-sd-dt-results.txt 2>&1 + + # if p7m-sd-op-files.txt does not exist, then generate it. + [ -f "$DATA/p7m-sd-op-files.txt" ] && sed "s|^|$DATA/|" "$DATA/p7m-sd-op-files.txt" > p7m-sd-op-files.txt + export P7M_SD_OP_FILES=p7m-sd-op-files.txt + if [ "$SMALLSET" = "true" ]; then + [ ! -f "$P7M_SD_OP_FILES" ] && find "$DATA"/p7m-sd-op-[cm]-* -type f -print | head -10 >> "$P7M_SD_OP_FILES" + else + [ ! -f "$P7M_SD_OP_FILES" ] && find "$DATA"/p7m-sd-op-[cm]-* -type f -print >> "$P7M_SD_OP_FILES" + fi + + # Test "p7m-sd-op*" testcases + echo "Testing SMIME opaque signed data testcases" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTBIN}/cmsutil" $VERBOSE -D -d "$SMIME_CERT_DB_DIR" -b -i "$P7M_SD_OP_FILES" > niscc_smime/p7m-sd-op-results.txt 2>&1 + + unset LD_LIBRARY_PATH +} + +################################################################################ +# Set env variables for NISCC SSL tests +################################################################################ +niscc_ssl_init() +{ + export NSS_STRICT_SHUTDOWN=1 + export NSS_DISABLE_ARENA_FREE_LIST=1 + cd "$TEST_OUTPUT" +} + +force_crash() +{ + echo "int main(int argc, char *argv[]) { int *i; i = (int*)(void*)1; *i = 1; }" > "$TEST_OUTPUT/crashme.c" + gcc -g -o "$TEST_OUTPUT/crashme" "$TEST_OUTPUT/crashme.c" + "$TEST_OUTPUT/crashme" +} + +################################################################################ +# Do simple client auth tests +# Use an altered client against the server +################################################################################ +ssl_simple_client_auth() +{ + echo "Testing SSL simple client auth testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/simple_server" + export PORT=8443 + export START_AT=1 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=10 + else + export STOP_AT=106160 + fi + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -rr -t $THREADS -w test > "$TEST_OUTPUT/nisccLog01" 2>&1 & + + export NISCC_TEST="$TEST/simple_client" + export LD_LIBRARY_PATH="$HACKLIB" + + for START in `seq $START_AT $THREADS $STOP_AT`; do + START_AT=$START \ + STOP_AT=$(($START+$THREADS)) \ + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/strsclnt" $VERBOSE -d "$CLIENT" -n client_crt -p $PORT -t $THREADS -c $THREADS -o -N -w test $HOST >> "$TEST_OUTPUT/nisccLog02" 2>&1 + done + + unset NISCC_TEST + echo "starting tstclnt to shutdown simple client selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog02" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do simple server auth tests +# Use an altered server against the client +################################################################################ +ssl_simple_server_auth() +{ + echo "Testing SSL simple server auth testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/simple_server" + export PORT=8444 + export START_AT=00000001 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=00000010 + else + export STOP_AT=00106167 + fi + export LD_LIBRARY_PATH="$HACKLIB" + export NISCC_TEST="$TEST/simple_server" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog03" 2>&1 & + + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + for START in `seq $START_AT $THREADS $STOP_AT`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog04" 2>&1 + done + + echo "starting tstclnt to shutdown simple server selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog04" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do simple rootCA tests +# Use an altered server against the client +################################################################################ +ssl_simple_rootca() +{ + echo "Testing SSL simple rootCA testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/simple_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/simple_server" + export PORT=8445 + export START_AT=1 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=10 + else + export STOP_AT=106190 + fi + export LD_LIBRARY_PATH="$HACKLIB" + export NISCC_TEST="$TEST/simple_rootca" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog05" 2>&1 & + + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + for START in `seq $START_AT $THREADS $STOP_AT`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog06" 2>&1 + done + + echo "starting tstclnt to shutdown simple rootca selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog06" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do resigned client auth tests +# Use an altered client against the server +################################################################################ +ssl_resigned_client_auth() +{ + echo "Testing SSL resigned client auth testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server" + export PORT=8446 + export START_AT=0 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=9 + else + export STOP_AT=99981 + fi + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -rr -t $THREADS -w test > "$TEST_OUTPUT/nisccLog07" 2>&1 & + + export NISCC_TEST="$TEST/resigned_client" + export LD_LIBRARY_PATH="$HACKLIB" + + for START in `seq $START_AT $THREADS $STOP_AT`; do + START_AT=$START \ + STOP_AT=$(($START+$THREADS)) \ + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/strsclnt" $VERBOSE -d "$CLIENT" -n client_crt -p $PORT -t $THREADS -c $THREADS -o -N -w test $HOST >> "$TEST_OUTPUT/nisccLog08" 2>&1 + done + + unset NISCC_TEST + echo "starting tstclnt to shutdown resigned client selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog08" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do resigned server auth tests +# Use an altered server against the client +################################################################################ +ssl_resigned_server_auth() +{ + echo "Testing SSL resigned server auth testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server" + export PORT=8447 + export START_AT=0 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=9 + else + export STOP_AT=100068 + fi + export LD_LIBRARY_PATH="$HACKLIB" + export NISCC_TEST="$TEST/resigned_server" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog09" 2>&1 & + + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + for START in `seq $START_AT $THREADS $STOP_AT`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog10" 2>&1 + done + + echo "starting tstclnt to shutdown resigned server selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog10" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Do resigned rootCA tests +# Use an altered server against the client +################################################################################ +ssl_resigned_rootca() +{ + echo "Testing SSL resigned rootCA testcases" + export CLIENT="$TEST_OUTPUT/niscc_ssl/resigned_client" + export SERVER="$TEST_OUTPUT/niscc_ssl/resigned_server" + export PORT=8448 + export START_AT=0 + if [ "$SMALLSET" = "true" ]; then + export STOP_AT=9 + else + export STOP_AT=99959 + fi + export LD_LIBRARY_PATH="$HACKLIB" + export NISCC_TEST="$TEST/resigned_rootca" + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${HACKBIN}/selfserv" $VERBOSE -p $PORT -d "$SERVER" -n server_crt -t $THREADS -w test > "$TEST_OUTPUT/nisccLog11" 2>&1 & + + unset NISCC_TEST + export LD_LIBRARY_PATH="$TESTLIB" + for START in `seq $START_AT $THREADS $STOP_AT`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/strsclnt" $VERBOSE -d "$CLIENT" -p $PORT -t $THREADS -c $THREADS -o -N $HOST >> "$TEST_OUTPUT/nisccLog12" 2>&1 + done + + echo "starting tstclnt to shutdown resigned rootca selfserv process" + for i in `seq 5`; do + LD_PRELOAD=${FAKETIMELIB} NO_FAKE_STAT=1 FAKETIME="@2004-03-29 14:14:14" \ + "${TESTTOOLS}/tstclnt" -h $HOST -p $PORT -d "$CLIENT" -n client_crt -o -f -w test < "$CLIENT/stop.txt" >> "$TEST_OUTPUT/nisccLog12" 2>&1 + done + + unset LD_LIBRARY_PATH + + sleep 1 +} + +################################################################################ +# Email the test logfile, and if core found, notify of failure +################################################################################ +mail_testLog() +{ + pushd "$TEST_OUTPUT" + + # remove mozilla nss build false positives and core stored in previous runs + find . -name "core*" -print | grep -v coreconf | grep -v core_watch | grep -v archive >> crashLog + export SIZE=`cat crashLog | wc -l` + + [ "$USE_MAIL" = "false" ] && return + + # mail text + MT=mailText + rm -f $MT + + if [ "$SIZE" -ne 1 ]; then + echo "### FAILED ###" >> $MT + echo "### Exactly one crash is expected." >> $MT + echo "### Zero means: crash detection is broken, fix the script!" >> $MT + echo "### > 1 means: robustness test failure, fix the bug! (check the logs)" >> $MT + cat crashLog >> nisccLogSummary + SUBJ="FAILED: NISCC TESTS (check file: crashLog)" + else + echo ":) PASSED :)" >> $MT + SUBJ="PASSED: NISCC tests" + fi + + echo "Date used during test run: $DATE" >> $MT + + echo "Count of lines in files:" >> $MT + wc -l crashLog nisccBuildLog nisccBuildLogHack nisccLog[0-9]* p7m-* |grep -vw total >> $MT + NUM=`cat nisccLog0[123456789] nisccLog1[12] | egrep -ic "success/passed"` + echo "Number of times the SSL tests reported success/passed (low expected): $NUM" >> $MT + NUM=`cat nisccLog0[123456789] nisccLog1[12] | egrep -ic "problem|failed|error"` + echo "Number of times the SSL tests reported problem/failed/error (high expected): $NUM" >> $MT + NUM=`cat niscc_smime/p7m*results.txt | egrep -ic "success/passed"` + echo "Number of times the S/MIME tests reported success/passed (low expected): $NUM" >> $MT + NUM=`cat niscc_smime/p7m*results.txt | egrep -ic "problem|failed|error"` + echo "Number of times the S/MIME tests reported problem/failed/error (high expected): $NUM" >> $MT + echo "==== tail of nisccBuildLog ====" >> $MT + tail -20 nisccBuildLog >> $MT + echo "===============================" >> $MT + echo "==== tail of nisccBuildLogHack ====" >> $MT + tail -20 nisccBuildLogHack >> $MT + echo "===================================" >> $MT + + #NUM=`` + #echo "Number of : $NUM" >> $MT + + cat $MT | $MAIL_COMMAND -s "$SUBJ" $QA_LIST + + popd +} + +################################################################################ +# Summarize all logs +################################################################################ +log_summary() +{ + echo "Summarizing all logs" + # Move old logs + [ -f "$TEST_OUTPUT/nisccLogSummary" ] && mv nisccLogSummary nisccLogSummary.old + [ -f "$TEST_OUTPUT/crashLog" ] && mv crashLog crashLog.old + + for a in $TEST_OUTPUT/nisccLog[0-9]*; do + echo ================================== "$a" + grep -v using "$a" | sort | uniq -c | sort -b -n +0 -1 + done > $TEST_OUTPUT/nisccLogSummary + + for a in $TEST_OUTPUT/niscc_smime/p7m-*-results.txt; do + echo ================================== "$a" + grep -v using "$a" | sort | uniq -c | sort -b -n +0 -1 + done >> $TEST_OUTPUT/nisccLogSummary +} + +################################################################################ +# Process core files +################################################################################ +core_process() +{ + echo "Processing core files" + cd "$TEST_OUTPUT" + + for CORE in `cat crashLog`; do + FILE=`file "$CORE" | sed "s/.* from '//" | sed "s/'.*//"` + BINARY=`strings "$CORE" | grep "^${FILE}" | tail -1` + gdb "$BINARY" "$CORE" << EOF_GDB > "$CORE.details" +where +quit +EOF_GDB + done +} + +################################################################################ +# Move the old log files to save them, delete extra log files +################################################################################ +move_files() +{ + echo "Moving and deleting log files" + cd "$TEST_OUTPUT" + + rm -rf TRASH + mkdir TRASH + + if [ "$LOG_STORE" = "true" ]; then + BRANCH=`echo $LOCALDIST | sed "s:.*/\(security.*\)/builds/.*:\1:"` + if [ "$BRANCH" = "$LOCALDIST" ]; then + ARCHIVE="$TEST_OUTPUT/archive" + else + ARCHIVE="$TEST_OUTPUT/archive/$BRANCH" + fi + + # Check for archive directory + if [ ! -d "$ARCHIVE" ]; then + mkdir -p "$ARCHIVE" + fi + + # Determine next log storage point + slot=`ls -1 "$ARCHIVE" | grep $DATE | wc -l` + slot=`expr $slot + 1` + location="$ARCHIVE/$DATE.$slot" + mkdir -p "$location" + + # Archive the logs + mv nisccBuildLog "$location" 2> /dev/null + mv nisccBuildLogHack "$location" 2> /dev/null + mv nisccLogSummary "$location" + mv nisccLog* "$location" + mv niscc_smime/p7m-ed-m-results.txt "$location" + mv niscc_smime/p7m-sd-dt-results.txt "$location" + mv niscc_smime/p7m-sd-op-results.txt "$location" + + # Archive any core files produced + for core in `cat "$TEST_OUTPUT/crashLog"`; do + mv "$core" "$location" + mv "$core.details" "$location" + done + mv crashLog "$location" + else + # Logs not stored => summaries, crashlog and corefiles not moved, other logs deleted + mv nisccLog00 nisccLog01 nisccLog02 nisccLog03 nisccLog04 nisccLog05 nisccLog06 nisccLog07 nisccLog08 nisccLog09 nisccLog10 nisccLog11 nisccLog12 TRASH/ + mv niscc_smime/p7m-ed-m-results.txt niscc_smime/p7m-sd-dt-results.txt niscc_smime/p7m-sd-op-results.txt TRASH/ + fi + mv envDB sigDB niscc_smime niscc_ssl TRASH/ + mv CA.p12 Client.p12 client_crt.p12 server_crt.p12 TRASH/ + mv p7m-ed-m-files.txt p7m-sd-dt-files.txt p7m-sd-op-files.txt password-is-testtest1.txt detached.txt TRASH/ + mv crashme.c crashme TRASH/ +} + +################################################################################ +# Main +################################################################################ +process_args $* +create_environment +hg_pull +build_NSS +init +niscc_smime +niscc_ssl_init +force_crash +ssl_setup_dirs_simple + ssl_simple_client_auth + ssl_simple_server_auth + ssl_simple_rootca +ssl_setup_dirs_resigned + ssl_resigned_client_auth + ssl_resigned_server_auth + ssl_resigned_rootca +# no idea what these commented-out lines are supposed to be! +#ssl_setup_dirs_update +# ssl_update_server_auth der +# ssl_update_client_auth der +# ssl_update_server_auth resigned-der +# ssl_update_client_auth resigned-der +log_summary +mail_testLog +core_process +move_files +exit $SIZE diff --git a/security/nss/tests/sdr/sdr.sh b/security/nss/tests/sdr/sdr.sh new file mode 100755 index 000000000..f846e9247 --- /dev/null +++ b/security/nss/tests/sdr/sdr.sh @@ -0,0 +1,111 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/sdr/sdr.sh +# +# Script to start test basic functionallity of NSS sdr +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## sdr_init ################################ +# local shell function to initialize this script +######################################################################## +sdr_init() +{ + SCRIPTNAME=sdr.sh + if [ -z "${CLEANUP}" ] ; then + CLEANUP="${SCRIPTNAME}" + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + SCRIPTNAME=sdr.sh + + #temporary files + VALUE1=$HOSTDIR/tests.v1.$$ + VALUE2=$HOSTDIR/tests.v2.$$ + VALUE3=$HOSTDIR/tests.v3.$$ + + T1="Test1" + T2="The quick brown fox jumped over the lazy dog" + T3="1234567" + + SDRDIR=${HOSTDIR}/SDR + D_SDR="SDR.$version" + if [ ! -d ${SDRDIR} ]; then + mkdir -p ${SDRDIR} + fi + + PROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + PROFILE="multiaccess:${D_SDR}" + fi + + cd ${SDRDIR} + html_head "SDR Tests" +} + +############################## sdr_main ################################ +# local shell function to test NSS SDR +######################################################################## +sdr_main() +{ + echo "$SCRIPTNAME: Creating an SDR key/SDR Encrypt - Value 1" + echo "sdrtest -d ${PROFILE} -o ${VALUE1} -t \"${T1}\"" + ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE1} -t "${T1}" + html_msg $? 0 "Creating SDR Key/Encrypt - Value 1" + + echo "$SCRIPTNAME: SDR Encrypt - Value 2" + echo "sdrtest -d ${PROFILE} -o ${VALUE2} -t \"${T2}\"" + ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE2} -t "${T2}" + html_msg $? 0 "Encrypt - Value 2" + + echo "$SCRIPTNAME: SDR Encrypt - Value 3" + echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t \"${T3}\"" + ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t "${T3}" + html_msg $? 0 "Encrypt - Value 3" + + echo "$SCRIPTNAME: SDR Decrypt - Value 1" + echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t \"${T1}\"" + ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t "${T1}" + html_msg $? 0 "Decrypt - Value 1" + + echo "$SCRIPTNAME: SDR Decrypt - Value 2" + echo "sdrtest -d ${PROFILE} -i ${VALUE2} -t \"${T2}\"" + ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE2} -t "${T2}" + html_msg $? 0 "Decrypt - Value 2" + + echo "$SCRIPTNAME: SDR Decrypt - Value 3" + echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t \"${T3}\"" + ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t "${T3}" + html_msg $? 0 "Decrypt - Value 3" +} + +############################## sdr_cleanup ############################# +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +sdr_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +sdr_init +sdr_main +sdr_cleanup diff --git a/security/nss/tests/set_environment b/security/nss/tests/set_environment new file mode 100644 index 000000000..5a3515cca --- /dev/null +++ b/security/nss/tests/set_environment @@ -0,0 +1,234 @@ +#! /bin/sh + +######################################################################## +# +# /u/sonmi/bin/set_environment +# +# sourced from the header if running from cron to get the full environment +# to run nssqa - also used to unify all nssqa environments +# +# This is derived from the .cshrc file for the svbld account. +# +######################################################################## + +if [ -z "$HOME" ] +then + HOME=/u/svbld +fi +if [ -z "$QASCRIPT_DIR" ] +then + QASCRIPT_DIR=`dirname $0` +fi + +os_name=`uname -s` +if [ "$os_name" != "Windows_95" -a \ + "$os_name" != "Windows_NT" -a \ + "$os_name" != "WINNT" -a \ + "$os_name" != "Windows" -a \ + "$os_name" != "Windows_98" -a \ + "$os_name" != "CYGWIN_NT-4.0" -a \ + "$os_name" != "CYGWIN_NT-5.0" -a \ + "$os_name" != "CYGWIN_95-4.0" -a \ + "$os_name" != "CYGWIN_98-4.10" ] +then + PATH=.:$HOME/bin:/tools/ns/bin:/bin:/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/dist/local/exe:/usr/bin/X11:/usr/audio/bin:/u/sonmi/bin:$PATH + JAVA_HOME="D:/i386/jdk1.2.2" + JAVA_HOME14="R:/jdk/1.4.0/WINNT" +fi + +CVSROOT=:pserver:svbld@redcvs.red.iplanet.com:/m/src + +os_name=`uname -s` +os_version=`uname -r` +#os_p=`uname -p` +os_full="" + +if [ -f /u/svbld/bin/nsarch ] +then + os_full=`/u/svbld/bin/nsarch -f` #FIXME +fi + +MANPATH=/usr/share/man:/usr/openwin/man:/usr/local/man + +RMAIL=rmail +BEFORE_CONTEXT_GREP="" +AFTER_CONTEXT_GREP="" + +export CVSROOT HOME os_name os_version os_full MANPATH + + +if [ "$os_name" = "HP-UX" ] +then + PATH=$PATH:/usr/local/bin:/opt/aCC/bin:/usr/local/bin/audio:/tools/ns/bin:/etc:/usr/contrib/bin:/usr/contrib/bin/X11:/usr/local/hpux/bin:/nfs/iapp1/hphome/bin:/etc:/u/svbld/bin/HP/perl/bin + JAVA_HOME="/share/builds/components/cms_jdk/HP-UX/1.2.2.04" + JAVA_HOME14=$JAVA_HOME +# JAVA_HOME="/share/builds/components/cms_jdk/HP-UX/1.3.0.00" +elif [ "$os_name" = "SunOS" ] +then + NATIVE_FLAG="-native" + XAPPLRESDIR=/usr/openwin/lib/app-defaults:/usr/local/lib/X11/app-defaults + OPENWINHOME=/usr/openwin + LD_LIBRARY_PATH=$OPENWINHOME/lib + if [ "$os_full" = "SOLARISx86 2.8" -o "$os_full" = "SOLARISx86 2.9" ] + then + #PATH=/usr/ucb:/opt/usr/local/bin:$PATH + JAVA_HOME="/usr/java1.2" + JAVA_HOME14=/share/builds/components/jdk/1.4.0/SunOS_x86 + PATH=".:/usr/dist/share/forte_dev_i386,v6.2/SUNWspro/bin:/opt/usr/local/perl5/bin:/opt/SUNWspro/bin:/opt/usr/local/bin:/bin:/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/dist/local/exe:/usr/ccs/bin:/usr/ucb/bin:/usr/ucb:/opt/SUNWwabi/bin:/usr/local/bin:/tools/ns/bin:/etc:/tools/contrib/bin" + else + PATH=/usr/ucb:$PATH + JAVA_HOME="/share/builds/components/jdk/1.2.2/SunOS" + JAVA_HOME14=/share/builds/components/jdk/1.4.0/SunOS64 + PATH=/tools/ns/bin:$PATH:/opt/SUNWspro/bin:/usr/bin/X11:/usr/openwin/bin:/usr/openwin/demo + + if [ "$os_version" = "5.8" -o "$os_version" = "5.7" -o \ + "$os_version" = "5.9" ] + then + PATH=$PATH:/usr/dist/pkgs/forte_dev,v6.2/SUNWspro/bin:/tools/ns/workshop/bin + else + PATH=$PATH:/usr/dist/share/devpro,v5.0/5.x-sparc/bin:/tools/ns/workshop/bin + fi + PATH=$PATH:/usr/ccs/bin:/usr/ucb/bin:/opt/SUNWwabi/bin:/usr/local/bin:/tools/ns/bin:/etc:/tools/contrib/bin + fi + export XAPPLRESDIR OPENWINHOME LD_LIBRARY_PATH + +elif [ "$os_name" = "IRIX" ] +then + PATH=$PATH:/tools/ns/bin:/usr/local/bin:/etc:/usr/bsd + MANPATH=/tools/ns/man:/usr/local/man + JAVA_HOME="/share/builds/components/jdk/1.2.2/IRIX" + JAVA_HOME14=$JAVA_HOME +elif [ "$os_name" = "IRIX64" ] +then + PATH=$PATH:/tools/ns/bin:/usr/local/bin:/etc:/usr/bsd + MANPATH=/tools/ns/man:/usr/local/man + JAVA_HOME="/share/builds/components/jdk/1.2.2/IRIX" + JAVA_HOME14=$JAVA_HOME +elif [ "$os_name" = "Linux" ] +then + PATH=/lib:/usr/lib:/bin:/sbin:/usr/bin:/usr/sbin:$PATH + RMAIL=sendmail + #the gnu grep, on Linux can output 10 lines above and 3 lines below + #the errormessage + BEFORE_CONTEXT_GREP="--before-context=10" + AFTER_CONTEXT_GREP="--after-context=3" + JAVA_HOME="/share/builds/components/jdk/1.2.2/Linux" + JAVA_HOME14=/share/builds/components/jdk/1.4.0/Linux +elif [ "$os_name" = "AIX" ] +then + PATH=$PATH:/tools/contrib/bin:/usr/local/bin + TERM=vt100 + export TERM + JAVA_HOME="/share/builds/components/cms_jdk/AIX/1.3.0" + JAVA_HOME14=$JAVA_HOME +elif [ "$os_name" = "OSF1" ] +then + PATH=$PATH:/usr/local/bin + JAVA_HOME="/share/builds/components/jdk/1.2.2/OSF1" + JAVA_HOME14=$JAVA_HOME +fi + +if [ "$os_name" = "IRIX" ] +then + PATH=/tools/ns-arch/soft/perl-5.004_04/run/default/mips_sgi_irix5.3/bin:$PATH +elif [ "$os_name" = "IRIX64" ] +then + PATH=/tools/ns-arch/soft/perl-5.004_04/run/default/mips_sgi_irix5.3/bin:$PATH +fi + +O_CYGNUS=OFF +O_MKS=OFF +O_WIN=OFF + +if [ "$os_name" = "CYGWIN_NT-4.0" -o \ + "$os_name" = "CYGWIN_NT-5.0" -o \ + "$os_name" = "CYGWIN_95-4.0" -o \ + "$os_name" = "CYGWIN_98-4.10" ] +then + #FIXME net use, mount the neccessary pnetwork drives and partitiones first + #FIXME - take MKS out of the PATH + os_full=$os_name + os_name="Windows" + O_CYGNUS=ON + O_WIN=ON + PATH="`dirname $0`:.:/cygdrive/c/cygwin/bin:/cygdrive/z/nstools/bin:/cygdrive/z/nstools/perl5:/cygdrive/z/bin:/cygdrive/c/WINNT/System32:/cygdrive/c/WINNT" + RM=/cygdrive/c/cygwin/bin/rm.exe #FIXME - in case we cant cporrect + #these with the PATH alone + PATH=`perl $QASCRIPT_DIR/path_uniq "$PATH"` + RSH=/cygdrive/c/winnt/system32/rsh +elif [ "$os_name" = "Windows_95" -o \ + "$os_name" = "Windows_NT" -o \ + "$os_name" = "WINNT" -o \ + "$os_name" = "Windows" -o \ + "$os_name" = "Windows_98" ] +then + #FIXME net use, mount the neccessary pnetwork drives and partitiones first + PATH=`echo $SHELL | sed -e "s/.[kK][sS][Hh].[Ee][Xx][Ee]//g" \ + -e "s/.[sS][Hh].[Ee][Xx][Ee]//g"` + MOZTOOLS_IN_PATH=NO + if [ -n "$MOZ_TOOLS" -a -d "$MOZ_TOOLS" ] ; then + MOZ_TOOLS=`ls -d "$MOZ_TOOLS" | sed -e 's/\\\/\//g'` + #echo "MOZ_TOOLS reformated to $MOZ_TOOLS" + if [ -d "$MOZ_TOOLS" ] ; then #still exist after reformating? + MOZTOOLS_IN_PATH=OK + fi + fi + if [ -n "$MOZTOOLS_IN_PATH" -a "$MOZTOOLS_IN_PATH" = "OK" ] ; then + #echo "Use MOZTOOLS in PATH" + PATH="$MOZ_TOOLS/bin;$MOZ_TOOLS/perl5;$PATH" + elif [ -d Z:/nstools/bin ] ; then + PATH="Z:/nstools/bin;Z:/nstools/perl5;$PATH" + elif [ -d C:/nstools/bin ] ; then + PATH="C:/nstools/bin;C:/nstools/perl5;$PATH" + elif [ -d D:/nstools/bin ] ; then + PATH="D:/nstools/bin;D:/nstools/perl5;$PATH" + elif [ -d D:/i386/nstools/bin ] ; then + PATH="D:/i386/nstools/bin;D:/i386/nstools/perl5;$PATH" + else + echo "FATAL: Can't find nstools" + exit + fi + + if [ "$os_name" = "Windows_NT" -o \ + "$os_name" = "WINNT" ] + then + PATH="${PATH};C:/WINNT/System32;C:/WINNT;.;" + fi + PATH="`dirname $0`;$PATH" + + PATH=`perl $QASCRIPT_DIR/path_uniq -d ';' "$PATH"` + echo $PATH + os_full=$os_name + os_name="Windows" + O_MKS=ON + O_WIN=ON + if [ -z $RSH ] ; then + RSH=c:/winnt/system32/rsh + fi + +else + EDITOR=vi + EMACSLOADPATH=/u/svbld/emacs + PYTHONPATH=.:/tools/ns/lib/python1.4 + PAGER=less + XMCD_LIBDIR=/usr/local/lib/xmcd + DISPLAY=:0.0 + PATH=`perl $QASCRIPT_DIR/path_uniq "$PATH"` + RSH=rsh +fi + +BASEPATH=$PATH # in case we we set and reset DIST directories the PATH + # needs to change accordingly +export PATH EDITOR EMACSLOADPATH PYTHONPATH PAGER XMCD_LIBDIR DISPLAY MANPATH os_full os_name BASEPATH RSH O_WIN + +umask 022 + +system=`uname -n` # name of this system. + +JAVAC=$JAVA_HOME/bin/javac +JAVA=$JAVA_HOME/bin/java +JAVAC14=$JAVA_HOME14/bin/javac +JAVA14=$JAVA_HOME14/bin/java +#JAVA=$JAVA_HOME/jre/bin/java +export JAVAC JAVA JAVA_HOME JAVAC14 JAVA_HOME14 JAVA14 + diff --git a/security/nss/tests/smime/alice.txt b/security/nss/tests/smime/alice.txt new file mode 100644 index 000000000..0378db464 --- /dev/null +++ b/security/nss/tests/smime/alice.txt @@ -0,0 +1,6 @@ +Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT) +From: alice@bogus.com +Subject: message Alice --> Bob +To: bob@bogus.com + +This is a test message from Alice to Bob. diff --git a/security/nss/tests/smime/bob.txt b/security/nss/tests/smime/bob.txt new file mode 100644 index 000000000..330b2c94d --- /dev/null +++ b/security/nss/tests/smime/bob.txt @@ -0,0 +1,6 @@ +Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT) +From: bob@bogus.com +Subject: message Bob --> Alice +To: alice@bogus.com + +This is a test message from Bob to Alice. diff --git a/security/nss/tests/smime/smime.sh b/security/nss/tests/smime/smime.sh new file mode 100755 index 000000000..2360100de --- /dev/null +++ b/security/nss/tests/smime/smime.sh @@ -0,0 +1,259 @@ +#! /bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/smime/smime.sh +# +# Script to test NSS smime +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## smime_init ############################## +# local shell function to initialize this script +######################################################################## +smime_init() +{ + SCRIPTNAME=smime.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=smime.sh + + if [ -z "$NSS_DISABLE_ECC" ] ; then + html_head "S/MIME Tests with ECC" + else + html_head "S/MIME Tests" + fi + + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" + } + + SMIMEDIR=${HOSTDIR}/smime + R_SMIMEDIR=../smime + mkdir -p ${SMIMEDIR} + cd ${SMIMEDIR} + cp ${QADIR}/smime/alice.txt ${SMIMEDIR} +} + +smime_sign() +{ + HASH_CMD="-H ${HASH}" + SIG=sig.${HASH} + + echo "$SCRIPTNAME: Signing Detached Message {$HASH} ------------------" + echo "cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}" + ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG} + html_msg $? 0 "Create Detached Signature Alice (${HASH})" "." + + echo "cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} " + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} + html_msg $? 0 "Verifying Alice's Detached Signature (${HASH})" "." + + echo "$SCRIPTNAME: Signing Attached Message (${HASH}) ------------------" + echo "cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}" + ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG} + html_msg $? 0 "Create Attached Signature Alice (${HASH})" "." + + echo "cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH} + html_msg $? 0 "Decode Alice's Attached Signature (${HASH})" "." + + echo "diff alice.txt alice.data.${HASH}" + diff alice.txt alice.data.${HASH} + html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "." + +# Test ECDSA signing for all hash algorithms. + if [ -z "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------" + echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}" + ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG} + html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "." + + echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} " + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} + html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "." + + echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------" + echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}" + ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG} + html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "." + + echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH} + html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "." + + echo "diff alice.txt alice-ec.data.${HASH}" + diff alice.txt alice-ec.data.${HASH} + html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "." + fi + +} + + + +smime_p7() +{ + echo "$SCRIPTNAME: p7 util Data Tests ------------------------------" + echo "p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice_p7.env" + ${PROFTOOL} ${BINDIR}/p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice.env + html_msg $? 0 "Creating envelope for user Alice" "." + + echo "p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data" + ${PROFTOOL} ${BINDIR}/p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data -p nss + html_msg $? 0 "Verifying file delivered to user Alice" "." + + sed -e '3,8p' -n alice_p7.data > alice_p7.data.sed + + echo "diff alice.txt alice_p7.data.sed" + diff alice.txt alice_p7.data.sed + html_msg $? 0 "Compare Decoded Enveloped Data and Original" "." + + echo "p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e" + ${PROFTOOL} ${BINDIR}/p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e + html_msg $? 0 "Signing file for user Alice" "." + + echo "p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig" + ${PROFTOOL} ${BINDIR}/p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig + html_msg $? 0 "Verifying file delivered to user Alice" "." +} + +############################## smime_main ############################## +# local shell function to test basic signed and enveloped messages +# from 1 --> 2" +######################################################################## +smime_main() +{ + + HASH=SHA1 + smime_sign + HASH=SHA256 + smime_sign + HASH=SHA384 + smime_sign + HASH=SHA512 + smime_sign + + echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------" + echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\" + echo " -o alice.env" + ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env + html_msg $? 0 "Create Enveloped Data Alice" "." + + echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1 + html_msg $? 0 "Decode Enveloped Data Alice" "." + + echo "diff alice.txt alice.data1" + diff alice.txt alice.data1 + html_msg $? 0 "Compare Decoded Enveloped Data and Original" "." + + # multiple recip + echo "$SCRIPTNAME: Testing multiple recipients ------------------------------" + echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\" + echo " -r bob@bogus.com,dave@bogus.com" + ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \ + -r bob@bogus.com,dave@bogus.com + ret=$? + html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "." + if [ $ret != 0 ] ; then + echo "certutil -L -d ${P_R_ALICEDIR}" + ${BINDIR}/certutil -L -d ${P_R_ALICEDIR} + echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com" + ${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com + fi + + echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------" + echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\" + echo " -r eve@bogus.net" + ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \ + -r eve@bogus.net + ret=$? + html_msg $ret 0 "Encrypt to a Multiple Email cert" "." + + echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2 + html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "." + + echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3 + html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Dave" "." + + echo "cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4 + html_msg $? 0 "Decrypt with a Multiple Email cert" "." + + diff alice.txt alice.data2 + html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Bob" "." + + diff alice.txt alice.data3 + html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Dave" "." + + diff alice.txt alice.data4 + html_msg $? 0 "Compare Decoded with Multiple Email cert" "." + + echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------" + echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\" + echo " -d ${P_R_ALICEDIR} > co.der" + ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der + html_msg $? 0 "Create Certs-Only Alice" "." + + echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i co.der -d ${P_R_BOBDIR} + html_msg $? 0 "Verify Certs-Only by CA" "." + + echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------" + echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\" + echo " -r \"bob@bogus.com\" > alice.enc" + ${PROFTOOL} ${BINDIR}/cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \ + -r "bob@bogus.com" > alice.enc + html_msg $? 0 "Create Encrypted-Data" "." + + echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\" + echo " -o alice.data2" + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2 + html_msg $? 0 "Decode Encrypted-Data" "." + + diff alice.txt alice.data2 + html_msg $? 0 "Compare Decoded and Original Data" "." +} + +############################## smime_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +smime_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +smime_init +smime_main +smime_p7 +smime_cleanup + diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh new file mode 100755 index 000000000..b34c9c097 --- /dev/null +++ b/security/nss/tests/ssl/ssl.sh @@ -0,0 +1,1199 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/ssl/ssl.sh +# +# Script to test NSS SSL +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## ssl_init ################################ +# local shell function to initialize this script +######################################################################## +ssl_init() +{ + SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ -z "${IOPR_SSL_SOURCED}" ]; then + . ../iopr/ssl_iopr.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=ssl.sh + echo "$SCRIPTNAME: SSL tests ===============================" + + grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { + html_head "SSL Test failure" + Exit 8 "Fatal - cert.sh needs to pass first" + } + + if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then + grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || { + html_head "SSL Test failure" + Exit 8 "Fatal - SSL of cert.sh needs to pass first" + } + fi + + PORT=${PORT-8443} + NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} + nss_ssl_run="stapling signed_cert_timestamps cov auth stress" + NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} + + # Test case files + SSLCOV=${QADIR}/ssl/sslcov.txt + SSLAUTH=${QADIR}/ssl/sslauth.txt + SSLSTRESS=${QADIR}/ssl/sslstress.txt + SSLPOLICY=${QADIR}/ssl/sslpolicy.txt + REQUEST_FILE=${QADIR}/ssl/sslreq.dat + + #temparary files + SERVEROUTFILE=${TMP}/tests_server.$$ + SERVERPID=${TMP}/tests_pid.$$ + + R_SERVERPID=../tests_pid.$$ + + TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}" + + fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't + #fileout=1 + #verbose="-v" #FIXME - see where this is usefull + + USER_NICKNAME=TestUser + NORM_EXT="" + + EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D" + EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027" + EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA" + + NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B" + NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz" + + if [ -z "$NSS_DISABLE_ECC" ] ; then + ECC_STRING=" - with ECC" + # List of cipher suites to test, including ECC cipher suites. + CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}" + else + ECC_STRING="" + # List of cipher suites to test, excluding ECC cipher suites. + CIPHER_SUITES="-c ${NON_EC_SUITES}" + fi + + if [ "${OS_ARCH}" != "WINNT" ]; then + ulimit -n 1000 # make sure we have enough file descriptors + fi + + cd ${CLIENTDIR} +} + +########################### is_selfserv_alive ########################## +# local shell function to exit with a fatal error if selfserver is not +# running +######################################################################## +is_selfserv_alive() +{ + if [ ! -f "${SERVERPID}" ]; then + echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist" + sleep 5 + if [ ! -f "${SERVERPID}" ]; then + Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist" + fi + fi + + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_SERVERPID} + else + PID=`cat ${SERVERPID}` + fi + + echo "kill -0 ${PID} >/dev/null 2>/dev/null" + kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" + + echo "selfserv with PID ${PID} found at `date`" +} + +########################### wait_for_selfserv ########################## +# local shell function to wait until selfserver is running and initialized +######################################################################## +wait_for_selfserv() +{ + #verbose="-v" + echo "trying to connect to selfserv at `date`" + echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" + echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" + ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} + if [ $? -ne 0 ]; then + sleep 5 + echo "retrying to connect to selfserv at `date`" + echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" + echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" + ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} + if [ $? -ne 0 ]; then + html_failed "Waiting for Server" + fi + fi + is_selfserv_alive +} + +########################### kill_selfserv ############################## +# local shell function to kill the selfserver after the tests are done +######################################################################## +kill_selfserv() +{ + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_SERVERPID} + else + PID=`cat ${SERVERPID}` + fi + + echo "trying to kill selfserv with PID ${PID} at `date`" + + if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then + echo "${KILL} ${PID}" + ${KILL} ${PID} + else + echo "${KILL} -USR1 ${PID}" + ${KILL} -USR1 ${PID} + fi + wait ${PID} + if [ ${fileout} -eq 1 ]; then + cat ${SERVEROUTFILE} + fi + + # On Linux selfserv needs up to 30 seconds to fully die and free + # the port. Wait until the port is free. (Bug 129701) + if [ "${OS_ARCH}" = "Linux" ]; then + echo "selfserv -b -p ${PORT} 2>/dev/null;" + until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do + echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;" + sleep 1 + done + fi + + echo "selfserv with PID ${PID} killed at `date`" + + rm ${SERVERPID} + html_detect_core "kill_selfserv core detection step" +} + +########################### start_selfserv ############################# +# local shell function to start the selfserver with the parameters required +# for this test and log information (parameters, start time) +# also: wait until the server is up and running +######################################################################## +start_selfserv() +{ + if [ -n "$testname" ] ; then + echo "$SCRIPTNAME: $testname ----" + fi + sparam=`echo $sparam | sed -e 's;_; ;g'` + if [ -z "$NSS_DISABLE_ECC" ] && \ + [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then + ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec" + else + ECC_OPTIONS="" + fi + echo "selfserv starting at `date`" + echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" + echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" + echo " -V ssl3:tls1.2 $verbose -H 1 &" + if [ ${fileout} -eq 1 ]; then + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \ + > ${SERVEROUTFILE} 2>&1 & + RET=$? + else + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ + ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 & + RET=$? + fi + + # The PID $! returned by the MKS or Cygwin shell is not the PID of + # the real background process, but rather the PID of a helper + # process (sh.exe). MKS's kill command has a bug: invoking kill + # on the helper process does not terminate the real background + # process. Our workaround has been to have selfserv save its PID + # in the ${SERVERPID} file and "kill" that PID instead. But this + # doesn't work under Cygwin; its kill command doesn't recognize + # the PID of the real background process, but it does work on the + # PID of the helper process. So we save the value of $! in the + # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID} + # file under Cygwin. (In fact, this should work in any shell + # other than the MKS shell.) + SHELL_SERVERPID=$! + wait_for_selfserv + + if [ "${OS_ARCH}" = "WINNT" ] && \ + [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then + PID=${SHELL_SERVERPID} + else + PID=`cat ${SERVERPID}` + fi + + echo "selfserv with PID ${PID} started at `date`" +} + +############################## ssl_cov ################################# +# local shell function to perform SSL Cipher Coverage tests +######################################################################## +ssl_cov() +{ + #verbose="-v" + html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" + + testname="" + sparam="$CIPHER_SUITES" + + start_selfserv # Launch the server + + VMIN="ssl3" + VMAX="tls1.1" + + exec < ${SSLCOV} + while read ectype testmax param testname + do + echo "${testname}" | grep "EXPORT" > /dev/null + EXP=$? + + if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then + echo "$SCRIPTNAME: running $testname ----------------------------" + VMAX="ssl3" + if [ "$testmax" = "TLS10" ]; then + VMAX="tls1.0" + fi + if [ "$testmax" = "TLS11" ]; then + VMAX="tls1.1" + fi + if [ "$testmax" = "TLS12" ]; then + VMAX="tls1.2" + fi + + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + html_msg $ret 0 "${testname}" \ + "produced a returncode of $ret, expected is 0" + fi + done + + kill_selfserv + html "</TABLE><BR>" +} + +############################## ssl_auth ################################ +# local shell function to perform SSL Client Authentication tests +######################################################################## +ssl_auth() +{ + #verbose="-v" + html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" + + exec < ${SSLAUTH} + while read ectype value sparam cparam testname + do + [ -z "$ectype" ] && continue + echo "${testname}" | grep "don't require client auth" > /dev/null + CAUTH=$? + + if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "`echo $ectype | cut -b 1`" != "#" ]; then + cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + if [ "$ectype" = "SNI" ]; then + cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` + sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` + fi + start_selfserv + + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + #workaround for bug #402058 + [ $ret -ne 0 ] && ret=1 + [ $value -ne 0 ] && value=1 + + html_msg $ret $value "${testname}" \ + "produced a returncode of $ret, expected is $value" + kill_selfserv + fi + done + + html "</TABLE><BR>" +} + +ssl_stapling_sub() +{ + #verbose="-v" + testname=$1 + SO=$2 + value=$3 + + if [ "$NORM_EXT" = "Extended Test" ] ; then + # these tests use the ext_client directory for tstclnt, + # which doesn't contain the required "TestCA" for server cert + # verification, I don't know if it would be OK to add it... + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + return 0 + fi + if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + return 0 + fi + + SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} + SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}" + + SAVE_P_R_SERVERDIR=${P_R_SERVERDIR} + P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/ + + echo "${testname}" + + start_selfserv + + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + # hopefully no workaround for bug #402058 needed here? + # (see commands in ssl_auth + + html_msg $ret $value "${testname}" \ + "produced a returncode of $ret, expected is $value" + kill_selfserv + + SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} + P_R_SERVERDIR=${SAVE_P_R_SERVERDIR} +} + +ssl_stapling_stress() +{ + testname="Stress OCSP stapling, server uses random status" + SO="-A TestCA -T random" + value=0 + + if [ "$NORM_EXT" = "Extended Test" ] ; then + # these tests use the ext_client directory for tstclnt, + # which doesn't contain the required "TestCA" for server cert + # verification, I don't know if it would be OK to add it... + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + return 0 + fi + if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + return 0 + fi + + SAVE_SERVER_OPTIONS=${SERVER_OPTIONS} + SERVER_OPTIONS="${SERVER_OPTIONS} ${SO}" + + SAVE_P_R_SERVERDIR=${P_R_SERVERDIR} + P_R_SERVERDIR=${P_R_SERVERDIR}/../stapling/ + + echo "${testname}" + start_selfserv + + echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\" + echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}" + echo "strsclnt started at `date`" + ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ + -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR} + ret=$? + + echo "strsclnt completed at `date`" + html_msg $ret $value \ + "${testname}" \ + "produced a returncode of $ret, expected is $value." + kill_selfserv + + SERVER_OPTIONS=${SAVE_SERVER_OPTIONS} + P_R_SERVERDIR=${SAVE_P_R_SERVERDIR} +} + +############################ ssl_stapling ############################## +# local shell function to perform SSL Cert Status (OCSP Stapling) tests +######################################################################## +ssl_stapling() +{ + html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" + + # tstclnt Exit code: + # 0: have fresh and valid revocation data, status good + # 1: cert failed to verify, prior to revocation checking + # 2: missing, old or invalid revocation data + # 3: have fresh and valid revocation data, status revoked + + # selfserv modes + # good, revoked, unkown: Include locally signed response. Requires: -A + # failure: Include OCSP failure status, such as "try later" (unsigned) + # badsig: use a good status but with an invalid signature + # corrupted: stapled cert status is an invalid block of data + + ssl_stapling_sub "OCSP stapling, signed response, good status" "-A TestCA -T good" 0 + ssl_stapling_sub "OCSP stapling, signed response, revoked status" "-A TestCA -T revoked" 3 + ssl_stapling_sub "OCSP stapling, signed response, unknown status" "-A TestCA -T unknown" 2 + ssl_stapling_sub "OCSP stapling, unsigned failure response" "-A TestCA -T failure" 2 + ssl_stapling_sub "OCSP stapling, good status, bad signature" "-A TestCA -T badsig" 2 + ssl_stapling_sub "OCSP stapling, invalid cert status data" "-A TestCA -T corrupted" 2 + ssl_stapling_sub "Valid cert, Server doesn't staple" "" 2 + + ssl_stapling_stress + + html "</TABLE><BR>" +} + +############################ ssl_signed_cert_timestamps ################# +# local shell function to perform SSL Signed Certificate Timestamp tests +######################################################################### +ssl_signed_cert_timestamps() +{ + #verbose="-v" + html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" + + testname="ssl_signed_cert_timestamps" + value=0 + + if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + return 0 + fi + + echo "${testname}" + + start_selfserv + + # Since we don't have server-side support, this test only covers advertising the + # extension in the client hello. + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -U -V tls1.0:tls1.2 < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + html_msg $ret $value "${testname}" \ + "produced a returncode of $ret, expected is $value" + kill_selfserv + html "</TABLE><BR>" +} + + +############################## ssl_stress ############################## +# local shell function to perform SSL stress test +######################################################################## +ssl_stress() +{ + html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" + + exec < ${SSLSTRESS} + while read ectype value sparam cparam testname + do + if [ -z "$ectype" ]; then + # silently ignore blank lines + continue + fi + + echo "${testname}" | grep "client auth" > /dev/null + CAUTH=$? + + if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then + echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" + elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then + echo "$SCRIPTNAME: skipping $testname (non-FIPS only)" + elif [ "`echo $ectype | cut -b 1`" != "#" ]; then + cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + if [ "$ectype" = "SNI" ]; then + cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` + sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" ` + fi + + start_selfserv + + if [ "`uname -n`" = "sjsu" ] ; then + echo "debugging disapering selfserv... ps -ef | grep selfserv" + ps -ef | grep selfserv + fi + + echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\" + echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}" + echo "strsclnt started at `date`" + ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \ + -V ssl3:tls1.2 $verbose ${HOSTADDR} + ret=$? + echo "strsclnt completed at `date`" + html_msg $ret $value \ + "${testname}" \ + "produced a returncode of $ret, expected is $value. " + if [ "`uname -n`" = "sjsu" ] ; then + echo "debugging disapering selfserv... ps -ef | grep selfserv" + ps -ef | grep selfserv + fi + kill_selfserv + fi + done + + html "</TABLE><BR>" +} + +############################ ssl_crl_ssl ############################### +# local shell function to perform SSL test with/out revoked certs tests +######################################################################## +ssl_crl_ssl() +{ + #verbose="-v" + html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING" + + # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it. + # Cert number $UNREVOKED_CERT_GRP_1 was not revoked + CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN + CRL_GROUP_RANGE=$CRL_GRP_1_RANGE + UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1 + + exec < ${SSLAUTH} + while read ectype value sparam cparam testname + do + [ "$ectype" = "" ] && continue + if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" = "SNI" ]; then + continue + elif [ "`echo $ectype | cut -b 1`" != "#" ]; then + servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` + pwd=`echo $cparam | grep nss` + user=`echo $cparam | grep TestUser` + _cparam=$cparam + case $servarg in + 1) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=254 + fi + ;; + 2) rev_modvalue=254 ;; + 3) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=1 + fi + ;; + 4) rev_modvalue=1 ;; + esac + TEMP_NUM=0 + while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ] + do + CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}` + TEMP_NUM=`expr $TEMP_NUM + 1` + USER_NICKNAME="TestUser${CURR_SER_NUM}" + cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + start_selfserv + + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then + modvalue=$rev_modvalue + testAddMsg="revoked" + else + testAddMsg="not revoked" + modvalue=$value + fi + + html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + kill_selfserv + done + fi + done + + html "</TABLE><BR>" +} + +############################## ssl_cov ################################# +# local shell function to perform SSL Policy tests +######################################################################## +ssl_policy() +{ + #verbose="-v" + html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" + + testname="" + sparam="$CIPHER_SUITES" + + if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then + return; + fi + + echo "Saving pkcs11.txt" + cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav + + start_selfserv # Launch the server + + VMIN="ssl3" + VMAX="tls1.2" + + exec < ${SSLPOLICY} + while read value ectype testmax param policy testname + do + VMIN="ssl3" + + if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "`echo $value | cut -b 1`" != "#" ] ; then + echo "$SCRIPTNAME: running $testname ----------------------------" + VMAX="ssl3" + if [ "$testmax" = "TLS10" ]; then + VMAX="tls1.0" + fi + if [ "$testmax" = "TLS11" ]; then + VMAX="tls1.1" + fi + if [ "$testmax" = "TLS12" ]; then + VMAX="tls1.2" + fi + + # load the policy + policy=`echo ${policy} | sed -e 's;_; ;g'` + + cat > ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++ +library= +name=NSS Internal PKCS #11 Module +parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) +++EOF++ + echo "config=${policy}" >> ${P_R_CLIENTDIR}/pkcs11.txt + echo "" >> ${P_R_CLIENTDIR}/pkcs11.txt + echo "library=${DIST}/${OBJDIR}/lib/libnssckbi.so" >> ${P_R_CLIENTDIR}/pkcs11.txt >> ${P_R_CLIENTDIR}/pkcs11.txt + cat >> ${P_R_CLIENTDIR}/pkcs11.txt << ++EOF++ +name=RootCerts +NSS=trustOrder=100 +++EOF++ + + echo "******************************Testing with: " + cat ${P_R_CLIENTDIR}/pkcs11.txt + echo "******************************" + + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + + #workaround for bug #402058 + [ $ret -ne 0 ] && ret=1 + [ ${value} -ne 0 ] && value=1 + + html_msg $ret ${value} "${testname}" \ + "produced a returncode of $ret, expected is ${value}" + fi + done + cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt + + kill_selfserv + html "</TABLE><BR>" +} +############################# is_revoked ############################### +# local shell function to check if certificate is revoked +######################################################################## +is_revoked() { + certNum=$1 + currLoadedGrp=$2 + + found=0 + ownerGrp=1 + while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ] + do + currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}` + currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}` + currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1` + if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then + found=1 + else + ownerGrp=`expr $ownerGrp + 1` + fi + done + if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then + return 1 + fi + if [ $found -eq 0 ]; then + return 1 + fi + unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}` + if [ $certNum -eq $unrevokedGrpCert ]; then + return 1 + fi + return 0 +} + +########################### load_group_crl ############################# +# local shell function to load CRL +######################################################################## +load_group_crl() { + #verbose="-v" + group=$1 + ectype=$2 + + OUTFILE_TMP=${TMP}/$HOST.tmp.$$ + grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}` + grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}` + grpEnd=`expr $grpBegin + $grpRange - 1` + + if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then + ret=1 + return 1; + fi + + # Add -ec suffix for ECC + if [ "$ectype" = "ECC" ] ; then + ecsuffix="-ec" + eccomment="ECC " + else + ecsuffix="" + eccomment="" + fi + + if [ "$RELOAD_CRL" != "" ]; then + if [ $group -eq 1 ]; then + echo "==================== Resetting to group 1 crl ===================" + kill_selfserv + start_selfserv + is_selfserv_alive + fi + echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd =============" + + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" + echo "Request:" + echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" + echo "" + echo "RELOAD time $i" + + REQF=${R_CLIENTDIR}.crlreq + cat > ${REQF} <<_EOF_REQUEST_ +GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} + +_EOF_REQUEST_ + + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \ + -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ + >${OUTFILE_TMP} 2>&1 < ${REQF} + + cat ${OUTFILE_TMP} + grep "CRL ReCache Error" ${OUTFILE_TMP} + if [ $? -eq 0 ]; then + ret=1 + return 1 + fi + else + echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv =====" + + kill_selfserv + CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd" + crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \ + -p ../tests.pw.928 + ret=$? + if [ "$ret" -eq 0 ]; then + html_passed "${CU_ACTION}" + return 1 + fi + start_selfserv + fi + is_selfserv_alive + ret=$? + echo "================= CRL Reloaded =============" +} + + +########################### ssl_crl_cache ############################## +# local shell function to perform SSL test for crl cache functionality +# with/out revoked certs +######################################################################## +ssl_crl_cache() +{ + #verbose="-v" + html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING" + SSLAUTH_TMP=${TMP}/authin.tl.tmp + SERV_ARG=-r_-r + rm -f ${SSLAUTH_TMP} + echo ${SSLAUTH_TMP} + + grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} + echo $? + while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ] + do + sparam=$SERV_ARG + start_selfserv + exec < ${SSLAUTH_TMP} + while read ectype value sparam cparam testname + do + [ "$ectype" = "" ] && continue + if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" = "SNI" ]; then + continue + else + servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` + pwd=`echo $cparam | grep nss` + user=`echo $cparam | grep TestUser` + _cparam=$cparam + case $servarg in + 1) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=254 + fi + ;; + 2) rev_modvalue=254 ;; + + 3) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=1 + fi + ;; + 4) rev_modvalue=1 ;; + esac + TEMP_NUM=0 + LOADED_GRP=1 + while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] + do + while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] + do + CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` + TEMP_NUM=`expr $TEMP_NUM + 1` + USER_NICKNAME="TestUser${CURR_SER_NUM}" + cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + + echo "Server Args: $SERV_ARG" + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + is_revoked ${CURR_SER_NUM} ${LOADED_GRP} + isRevoked=$? + if [ $isRevoked -eq 0 ]; then + modvalue=$rev_modvalue + testAddMsg="revoked" + else + modvalue=$value + testAddMsg="not revoked" + fi + + is_selfserv_alive + ss_status=$? + if [ "$ss_status" -ne 0 ]; then + html_msg $ret $modvalue \ + "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue. " \ + "selfserv is not alive!" + else + html_msg $ret $modvalue \ + "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + fi + done + LOADED_GRP=`expr $LOADED_GRP + 1` + TEMP_NUM=0 + if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then + load_group_crl $LOADED_GRP $ectype + html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \ + "produced a returncode of $ret, expected is 0" + fi + done + # Restart selfserv to roll back to two initial group 1 crls + # TestCA CRL and TestCA-ec CRL + kill_selfserv + start_selfserv + fi + done + kill_selfserv + SERV_ARG="${SERV_ARG}_-r" + rm -f ${SSLAUTH_TMP} + grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP} + done + TEMPFILES=${SSLAUTH_TMP} + html "</TABLE><BR>" +} + + +############################## ssl_cleanup ############################# +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +ssl_cleanup() +{ + rm $SERVERPID 2>/dev/null + cd ${QADIR} + . common/cleanup.sh +} + +############################## ssl_run ################################# +# local shell function to run coverage, authentication and stress tests +######################################################################## +ssl_run() +{ + for SSL_RUN in ${NSS_SSL_RUN} + do + case "${SSL_RUN}" in + "stapling") + if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then + ssl_stapling + fi + ;; + "signed_cert_timestamps") + ssl_signed_cert_timestamps + ;; + "cov") + ssl_cov + ;; + "auth") + ssl_auth + ;; + "stress") + ssl_stress + ;; + esac + done +} + +############################ ssl_run_all ############################### +# local shell function to run both standard and extended ssl tests +######################################################################## +ssl_run_all() +{ + ORIG_SERVERDIR=$SERVERDIR + ORIG_CLIENTDIR=$CLIENTDIR + ORIG_R_SERVERDIR=$R_SERVERDIR + ORIG_R_CLIENTDIR=$R_CLIENTDIR + ORIG_P_R_SERVERDIR=$P_R_SERVERDIR + ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR + + USER_NICKNAME=TestUser + NORM_EXT="" + cd ${CLIENTDIR} + + ssl_run + + SERVERDIR=$EXT_SERVERDIR + CLIENTDIR=$EXT_CLIENTDIR + R_SERVERDIR=$R_EXT_SERVERDIR + R_CLIENTDIR=$R_EXT_CLIENTDIR + P_R_SERVERDIR=$P_R_EXT_SERVERDIR + P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR + + USER_NICKNAME=ExtendedSSLUser + NORM_EXT="Extended Test" + cd ${CLIENTDIR} + + ssl_run + + # the next round of ssl tests will only run if these vars are reset + SERVERDIR=$ORIG_SERVERDIR + CLIENTDIR=$ORIG_CLIENTDIR + R_SERVERDIR=$ORIG_R_SERVERDIR + R_CLIENTDIR=$ORIG_R_CLIENTDIR + P_R_SERVERDIR=$ORIG_P_R_SERVERDIR + P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR + + USER_NICKNAME=TestUser + NORM_EXT= + cd ${QADIR}/ssl +} + +############################ ssl_set_fips ############################## +# local shell function to set FIPS mode on/off +######################################################################## +ssl_set_fips() +{ + CLTSRV=$1 + ONOFF=$2 + + if [ ${CLTSRV} = "server" ]; then + DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}" + else + DBDIRS="${CLIENTDIR} ${EXT_CLIENTDIR}" + fi + + if [ "${ONOFF}" = "on" ]; then + FIPSMODE=true + RET_EXP=0 + else + FIPSMODE=false + RET_EXP=1 + fi + + html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}" + + for DBDIR in ${DBDIRS} + do + EXT_OPT= + echo ${DBDIR} | grep ext > /dev/null + if [ $? -eq 0 ]; then + EXT_OPT="extended " + fi + + echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}" + + echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force" + ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 + RET=$? + html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \ + "produced a returncode of ${RET}, expected is 0" + + echo "modutil -dbdir ${DBDIR} -list" + DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1` + RET=$? + html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \ + "produced a returncode of ${RET}, expected is 0" + + echo "${DBLIST}" | grep "FIPS PKCS #11" + RET=$? + html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \ + "produced a returncode of ${RET}, expected is ${RET_EXP}" + done + + html "</TABLE><BR>" +} + +############################ ssl_set_fips ############################## +# local shell function to run all tests set in NSS_SSL_TESTS variable +######################################################################## +ssl_run_tests() +{ + for SSL_TEST in ${NSS_SSL_TESTS} + do + case "${SSL_TEST}" in + "policy") + if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + ssl_policy + fi + ;; + "crl") + ssl_crl_ssl + ssl_crl_cache + ;; + "iopr") + ssl_iopr_run + ;; + *) + SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1` + CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2` + + case "${SERVER_MODE}" in + "normal") + SERVER_OPTIONS= + ;; + "fips") + SERVER_OPTIONS= + ssl_set_fips server on + ;; + *) + echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}" + continue + ;; + esac + + case "${CLIENT_MODE}" in + "normal") + CLIENT_OPTIONS= + ;; + "fips") + SERVER_OPTIONS= + ssl_set_fips client on + ;; + *) + echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}" + continue + ;; + esac + + ssl_run_all + + if [ "${SERVER_MODE}" = "fips" ]; then + ssl_set_fips server off + fi + + if [ "${CLIENT_MODE}" = "fips" ]; then + ssl_set_fips client off + fi + ;; + esac + done +} + +################################# main ################################# + +ssl_init +ssl_run_tests +ssl_cleanup + diff --git a/security/nss/tests/ssl/ssl_dist_stress.sh b/security/nss/tests/ssl/ssl_dist_stress.sh new file mode 100755 index 000000000..a67dfcbac --- /dev/null +++ b/security/nss/tests/ssl/ssl_dist_stress.sh @@ -0,0 +1,313 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/ssl/ssl_dist_stress.sh +# +# Script to test NSS SSL - distributed stresstest - this script needs to +# source the regular ssl.sh (for shellfunctions, certs and variables +# initialisation) +# create certs +# start server +# start itself via rsh on different systems to connect back to the server +# +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +############################## ssl_ds_init ############################# +# local shell function to initialize this script +######################################################################## +ssl_ds_init() +{ + if [ -z "$GLOB_MIN_CERT" ] ; then + GLOB_MIN_CERT=0 + fi + if [ -z "$GLOB_MAX_CERT" ] ; then + GLOB_MAX_CERT=200 + fi + IP_PARAM="" + CD_QADIR_SSL="" + + + if [ -n "$1" ] ; then + ssl_ds_eval_opts $* + fi + SCRIPTNAME=ssl_dist_stress.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + ssl_init # let some other script do the hard work (initialize, generate certs, ... + + SCRIPTNAME=ssl_dist_stress.sh + echo "$SCRIPTNAME: SSL distributed stress tests ===============================" + +} + +######################### ssl_ds_usage ################################# +# local shell function to explain the usage +######################################################################## +ssl_ds_usage() +{ + echo "Usage: `basename $1`" + echo " -host hostname " + echo " ...host who runs the server, for distributed stress test" + echo " -stress " + echo " ...runs the server sider of the distributed stress test" + echo " -dir unixdirectory " + echo " ...lets the server side of the distributed stress test" + echo " know where to find the scritp to start on the remote side" + echo " -certnum start-end" + echo " ... provides the range of certs for distributed stress test" + echo " for example -certnum 10-20 will connect 10 times" + echo " no blanks in the range string (not 10 - 20)" + echo " valid range ${GLOB_MIN_CERT}-${GLOB_MAX_CERT}" + echo " -? ...prints this text" + exit 1 #does not need to be Exit, very early in script +} + +######################### ssl_ds_eval_opts ############################# +# local shell function to deal with options and parameters +######################################################################## +ssl_ds_eval_opts() +{ + #use $0 not $SCRIPTNAM<E, too early, SCRIPTNAME not yet set + + while [ -n "$1" ] + do + case $1 in + -host) + BUILD_OPT=1 + export BUILD_OPT + DO_REM_ST="TRUE" + shift + SERVERHOST=$1 + HOST=$1 + if [ -z $SERVERHOST ] ; then + echo "$0 `uname -n`: -host requires hostname" + ssl_ds_usage + fi + echo "$0 `uname -n`: host $HOST ($1)" + ;; + -certn*) + shift + rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*-[0-9][0-9]*/OK/'` + MIN_CERT=`echo $1 | sed -e 's/-[0-9][0-9]*//' -e 's/^00*//'` + MAX_CERT=`echo $1 | sed -e 's/[0-9][0-9]*-//' -e 's/^00*//'` + if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o \ + -z "$MIN_CERT" -o -z "$MAX_CERT" -o \ + "$MIN_CERT" -gt "$MAX_CERT" -o \ + "$MIN_CERT" -lt "$GLOB_MIN_CERT" -o \ + "$MAX_CERT" -gt "$GLOB_MAX_CERT" ] ; then + echo "$0 `uname -n`: -certn range not valid" + ssl_ds_usage + fi + echo "$0 `uname -n`: will use certs from $MIN_CERT to $MAX_CERT" + ;; + -server|-stress|-dist*st*) + BUILD_OPT=1 + export BUILD_OPT + DO_DIST_ST="TRUE" + ;; + -dir|-unixdir|-uxdir|-qadir) + shift + UX_DIR=$1 + #FIXME - we need a default unixdir + if [ -z "$UX_DIR" ] ; then # -o ! -d "$UX_DIR" ] ; then can't do, Win doesn't know... + echo "$0 `uname -n`: -dir requires directoryname " + ssl_ds_usage + fi + CD_QADIR_SSL="cd $UX_DIR" + ;; + -ip*) + shift + IP_ADDRESS=$1 + if [ -z "$IP_ADDRESS" ] ; then + echo "$0 `uname -n`: -ip requires ip-address " + ssl_ds_usage + fi + USE_IP=TRUE + IP_PARAM="-ip $IP_ADDRESS" + ;; + -h|-help|"-?"|*) + ssl_ds_usage + ;; + esac + shift + done +} + +############################## ssl_ds_rem_stress ####################### +# local shell function to perform the client part of the SSL stress test +######################################################################## + +ssl_ds_rem_stress() +{ + testname="SSL remote part of Stress test (`uname -n`)" + echo "$SCRIPTNAME `uname -n`: $testname" + + #cp -r "${CLIENTDIR}" /tmp/ssl_ds.$$ #FIXME + #cd /tmp/ssl_ds.$$ + #verbose="-v" + + cd ${CLIENTDIR} + + CONTINUE=$MAX_CERT + while [ $CONTINUE -ge $MIN_CERT ] + do + echo "strsclnt -D -p ${PORT} -d ${P_R_CLIENTDIR} -w nss -c 1 $verbose " + echo " -n TestUser$CONTINUE ${HOSTADDR} #`uname -n`" + ${BINDIR}/strsclnt -D -p ${PORT} -d . -w nss -c 1 $verbose \ + -n "TestUser$CONTINUE" ${HOSTADDR} & + #${HOSTADDR} & + CONTINUE=`expr $CONTINUE - 1 ` + #sleep 4 #give process time to start up + done + + html_msg 0 0 "${testname}" #FIXME +} + +######################### ssl_ds_dist_stress ########################### +# local shell function to perform the server part of the new, distributed +# SSL stress test +######################################################################## + +ssl_ds_dist_stress() +{ + max_clientlist=" + box-200 + washer-200 + dryer-200 + hornet-50 + shabadoo-50 + y2sun2-10 + galileo-10 + shame-10 + axilla-10 + columbus-10 + smarch-10 + nugget-10 + charm-10 + hp64-10 + biggayal-10 + orville-10 + kwyjibo-10 + hbombaix-10 + raven-10 + jordan-10 + phaedrus-10 + louie-10 + trex-10 + compaqtor-10" + + #clientlist=" huey-2 dewey-2 hornet-2 shabadoo-2" #FIXME ADJUST + clientlist=" box-200 washer-200 huey-200 dewey-200 hornet-200 shabadoo-200 louie-200" + #clientlist=" box-2 huey-2 " + #clientlist="washer-200 huey-200 dewey-200 hornet-200 " + + html_head "SSL Distributed Stress Test" + + testname="SSL distributed Stress test" + + echo cd "${CLIENTDIR}" + cd "${CLIENTDIR}" + if [ -z "CD_QADIR_SSL" ] ; then + CD_QADIR_SSL="cd $QADIR/ssl" + else + cp -r $HOSTDIR $HOSTDIR/../../../../../booboo_Solaris8/mozilla/tests_results/security + fi + + #sparam=" -t 128 -D -r " + sparam=" -t 16 -D -r -r -y " + start_selfserv + + for c in $clientlist + do + client=`echo $c | sed -e "s/-.*//"` + number=`echo $c | sed -e "s/.*-//"` + CLIENT_OK="TRUE" + echo $client + ping $client >/dev/null || CLIENT_OK="FALSE" + if [ "$CLIENT_OK" = "FALSE" ] ; then + echo "$SCRIPTNAME `uname -n`: $client can't be reached - skipping" + else + get_certrange $number + echo "$SCRIPTNAME `uname -n`: $RSH $client -l svbld \\ " + echo " \" $CD_QADIR_SSL ;ssl_dist_stress.sh \\" + echo " -host $HOST -certnum $CERTRANGE $IP_PARAM \" " + $RSH $client -l svbld \ + " $CD_QADIR_SSL;ssl_dist_stress.sh -host $HOST -certnum $CERTRANGE $IP_PARAM " & + fi + done + + echo cd "${CLIENTDIR}" + cd "${CLIENTDIR}" + + sleep 500 # give the clients time to finish #FIXME ADJUST + + echo "GET /stop HTTP/1.0\n\n" > stdin.txt #check to make sure it has /r/n + echo "tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 " + echo " -w nss -f < stdin.txt" + ${BINDIR}/tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 \ + -w nss -f < stdin.txt + + html_msg 0 0 "${testname}" + html "</TABLE><BR>" +} + +############################ get_certrange ############################# +# local shell function to find the range of certs that the next remote +# client is supposed to use (only for server side of the dist stress test +######################################################################## +get_certrange() +{ + rangeOK=`echo $1 | sed -e 's/[0-9][0-9]*/OK/'` + if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o $1 = "OK" ] ; then + range=10 + echo "$SCRIPTNAME `uname -n`: $1 is not a valid number of certs " + echo " defaulting to 10 for $client" + else + range=$1 + if [ $range -gt $GLOB_MAX_CERT ] ; then + range=$GLOB_MAX_CERT + fi + fi + if [ -z "$FROM_CERT" ] ; then # start new on top of the cert stack + FROM_CERT=$GLOB_MAX_CERT + elif [ `expr $FROM_CERT - $range + 1 ` -lt 0 ] ; then + FROM_CERT=$GLOB_MAX_CERT # dont let it fall below 0 on the TO_CERT + + fi + TO_CERT=`expr $FROM_CERT - $range + 1 ` + if [ $TO_CERT -lt 0 ] ; then # it's not that I'm bad in math, I just + TO_CERT=0 # don't trust expr... + fi + CERTRANGE="${TO_CERT}-${FROM_CERT}" + FROM_CERT=`expr ${TO_CERT} - 1 ` #start the next client one below +} + + +################## main ################################################# + +DO_DIST_ST="TRUE" +. ./ssl.sh +ssl_ds_init $* +if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then + ssl_ds_rem_stress + exit 0 #no cleanup on purpose +elif [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then + ssl_ds_dist_stress +fi +ssl_cleanup diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt new file mode 100644 index 000000000..82d1ddea4 --- /dev/null +++ b/security/nss/tests/ssl/sslauth.txt @@ -0,0 +1,76 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file defines the tests for client auth. +# +# expected +# Enable return server client Test Case name +# ECC value params params +# ------- ------ ------ ------ --------------- + noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth (client does not provide auth) + noECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth (bad password) + noECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth (client auth) + noECC 254 -r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth (client does not provide auth) + noECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth (bad password) + noECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser_ TLS Require client auth (client auth) + noECC 0 -r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) + noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) + noECC 0 -r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) + noECC 254 -r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) + noECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) + noECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth) + noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Require client auth on 2nd hs (client auth) + noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth) + noECC 0 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) +# +# Use EC cert for client authentication +# + ECC 0 -r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password) + ECC 0 -r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth) + ECC 254 -r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password) + ECC 0 -r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth) + ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password) + ECC 0 -r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth) + ECC 254 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password) + ECC 0 -r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth) + ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -V_ssl3:tls1.2_-w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -V_ssl3:tls1.2_-w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth) + ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth) + ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) +# +# SNI Tests +# + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions + SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI + SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI + SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS + SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS + SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt new file mode 100644 index 000000000..1eb7f47de --- /dev/null +++ b/security/nss/tests/ssl/sslcov.txt @@ -0,0 +1,143 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables test coverage of the various SSL ciphers +# +# Enable Enable Cipher Test Name +# EC TLS +# + noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5 + noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA + noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA + noECC SSL3 i SSL3_RSA_WITH_NULL_MD5 + noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA + noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA + noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA + noECC SSL3 z SSL3_RSA_WITH_NULL_SHA + noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 + noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384 +# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA +# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA +# + noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5 + noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA + noECC TLS10 i TLS_RSA_WITH_NULL_MD5 + noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA + noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA + noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA + noECC TLS10 z TLS_RSA_WITH_NULL_SHA +# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA +# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA +# +# + noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5 + noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA + noECC TLS11 i TLS11_RSA_WITH_NULL_MD5 + noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA + noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA + noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA + noECC TLS11 z TLS11_RSA_WITH_NULL_SHA +# + noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5 + noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA + noECC TLS12 i TLS12_RSA_WITH_NULL_MD5 + noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA + noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA + noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA + noECC TLS12 z TLS12_RSA_WITH_NULL_SHA + noECC TLS12 :0016 TLS12_DHE_RSA_WITH_3DES_EDE_CBC_SHA + noECC TLS12 :0032 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA + noECC TLS12 :0033 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA + noECC TLS12 :0038 TLS12_DHE_DSS_WITH_AES_256_CBC_SHA + noECC TLS12 :0039 TLS12_DHE_RSA_WITH_AES_256_CBC_SHA + noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256 + noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256 + noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256 + noECC TLS12 :0040 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA256 + noECC TLS12 :0067 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA256 + noECC TLS12 :006A TLS12_DHE_DSS_WITH_AES_256_CBC_SHA256 + noECC TLS12 :006B TLS12_DHE_RSA_WITH_AES_256_CBC_SHA256 + noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 + noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256 + noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256 + noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +# +# ECC ciphers (TLS) +# + ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA + ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA + ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA + ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA + ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA + ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA + ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA + ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +# + ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA + ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA + ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA + ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA + ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA + ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA + ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA + ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA + ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA + ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA + ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA +# + ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA + ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA + ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA + ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA + ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA + ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA + ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA + ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA + ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA + ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA + ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + ECC TLS12 :C024 TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + ECC TLS12 :C028 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + ECC TLS12 :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 diff --git a/security/nss/tests/ssl/sslpolicy.txt b/security/nss/tests/ssl/sslpolicy.txt new file mode 100644 index 000000000..82c15d2af --- /dev/null +++ b/security/nss/tests/ssl/sslpolicy.txt @@ -0,0 +1,174 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file enables policy testing +# +# The policy string is set to the config= line in the pkcs11.txt +# it currently has 2 keywords: +# +# disallow= turn off the use of this algorithm by policy. +# allow= allow this algorithm to by used if selected by policy. +# +# The syntax is disallow=algorithm{/uses}:algorithm{/uses} +# where {} signifies an optional element +# +# valid algorithms are: +# ECC curves: +# PRIME192V1 +# PRIME192V2 +# PRIME192V3 +# PRIME239V1 +# PRIME239V2 +# PRIME239V3 +# PRIME256V1 +# SECP112R1 +# SECP112R2 +# SECP128R1 +# SECP128R2 +# SECP160K1 +# SECP160R1 +# SECP160R2 +# SECP192K1 +# SECP192R1 +# SECP224K1 +# SECP256K1 +# SECP256R1 +# SECP384R1 +# SECP521R1 +# C2PNB163V1 +# C2PNB163V2 +# C2PNB163V3 +# C2PNB176V1 +# C2TNB191V1 +# C2TNB191V2 +# C2TNB191V3 +# C2ONB191V4 +# C2ONB191V5 +# C2PNB208W1 +# C2TNB239V1 +# C2TNB239V2 +# C2TNB239V3 +# C2ONB239V4 +# C2ONB239V5 +# C2PNB272W1 +# C2PNB304W1 +# C2TNB359V1 +# C2PNB368W1 +# C2TNB431R1 +# SECT113R1 +# SECT131R1 +# SECT131R1 +# SECT131R2 +# SECT163K1 +# SECT163R1 +# SECT163R2 +# SECT193R1 +# SECT193R2 +# SECT233K1 +# SECT233R1 +# SECT239K1 +# SECT283K1 +# SECT283R1 +# SECT409K1 +# SECT409R1 +# SECT571K1 +# SECT571R1 +# Hashes: +# MD2 +# MD4 +# MD5 +# SHA1 +# SHA224 +# SHA256 +# SHA384 +# SHA512 +# MACs: +# HMAC-SHA1 +# HMAC-SHA224 +# HMAC-SHA256 +# HMAC-SHA384 +# HMAC-SHA512 +# HMAC-MD5 +# Ciphers: +# AES128-CBC +# AES192-CBC +# AES256-CBC +# AES128-GCM +# AES192-GCM +# AES256-GCM +# CAMELLIA128-CBC +# CAMELLIA192-CBC +# CAMELLIA256-CBC +# SEED-CBC +# DES-EDE3-CBC +# DES-40-CBC +# DES-CBC +# NULL-CIPHER +# RC2 +# RC4 +# IDEA +# Key exchange +# RSA +# RSA-EXPORT +# DHE-RSA +# DHE-DSS +# DH-RSA +# DH-DSS +# ECDHE-ECDSA +# ECDHE-RSA +# ECDH-ECDSA +# ECDH-RSA +# SSL Versions +# SSL2.0 +# SSL3.0 +# TLS1.0 +# TLS1.1 +# TLS1.2 +# DTLS1.1 +# DTLS1.2 +# Include all of the above: +# ALL +#----------------------------------------------- +# Uses are: +# ssl +# ssl-key-exchange +# key-exchange (includes ssl-key-exchange) +# cert-signature +# signature (includes cert-signature) +# all (includes all of the above) +#----------------------------------------------- +# In addition there are the following options: +# min-rsa +# min-dh +# min-dsa +# they have the following syntax: +# allow=min-rsa=512:min-dh=1024 +# +# Exp Enable Enable Cipher Config Policy Test Name +# Ret EC TLS +# turn on single cipher + 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy + 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy + 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly + 1 noECC SSL3 d disallow=all Disallow All Explicitly. +# turn off signature only + 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly. + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly. +# turn off single cipher + 1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly. +# turn off H-Mac + 1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly + 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly. +# turn off key exchange + 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly. + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly. +# turn off version + 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly. diff --git a/security/nss/tests/ssl/sslreq.dat b/security/nss/tests/ssl/sslreq.dat new file mode 100644 index 000000000..2f7ad7736 --- /dev/null +++ b/security/nss/tests/ssl/sslreq.dat @@ -0,0 +1,2 @@ +GET / HTTP/1.0
+
diff --git a/security/nss/tests/ssl/sslreq.txt b/security/nss/tests/ssl/sslreq.txt new file mode 100644 index 000000000..c1da607c0 --- /dev/null +++ b/security/nss/tests/ssl/sslreq.txt @@ -0,0 +1,2 @@ +GET / HTTP/1.0 + diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt new file mode 100644 index 000000000..e9defc502 --- /dev/null +++ b/security/nss/tests/ssl/sslstress.txt @@ -0,0 +1,87 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This file defines the stress tests for SSL/TLS. +# +# expected +# Enable return server client Test Case name +# ECC value params params +# ------- ------ ------ ------ --------------- + noECC 0 _ -c_1000_-C_c_-V_ssl3:ssl3 Stress SSL3 RC4 128 with MD5 + noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 + noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) + noECC 0 -u -V_ssl3:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) + noECC 0 -z -V_ssl3:tls1.2_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) + noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) + noECC 0 -u_-z -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) + SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) + +# +# add client auth versions here... +# + noECC 0 -r_-r -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) + noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) + noECC 0 -r_-r_-u -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) + noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) + noECC 0 -r_-r_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) + noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) + noECC 0 -r_-r_-u_-z -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) + SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) + SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) + +# +# ############################ ECC ciphers ############################ +# + ECC 0 -c_:C009 -V_ssl3:tls1.2_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C023 -V_ssl3:tls1.2_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse) + ECC 0 -c_:C02B -V_ssl3:tls1.2_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse) + ECC 0 -c_:C004 -V_ssl3:tls1.2_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C00E -V_ssl3:tls1.2_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C013 -V_ssl3:tls1.2_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA + ECC 0 -c_:C027 -V_ssl3:tls1.2_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256 + ECC 0 -c_:C02F -V_ssl3:tls1.2_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM + ECC 0 -c_:C004_-u -V_ssl3:tls1.2_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket) + ECC 0 -c_:C009_-u -V_ssl3:tls1.2_-c_100_-C_:C009_-u Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (session ticket) +# +# add client auth versions here... +# + ECC 0 -r_-r_-c_:C009 -V_ssl3:tls1.2_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth) + ECC 0 -r_-r_-c_:C004 -V_ssl3:tls1.2_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C00E -V_ssl3:tls1.2_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C013 -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth) + ECC 0 -r_-r_-c_:C013_-u -V_ssl3:tls1.2_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth) + +# +# ############################ DHE ciphers ############################ +# + noECC 0 -c_:0016 -V_ssl3:tls1.2_-c_100_-C_:0016_-N Stress TLS DHE_RSA_WITH_3DES_EDE_CBC_SHA (no reuse) + noECC 0 -c_:0033 -V_ssl3:tls1.2_-c_1000_-C_:0033 Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA + + + noECC 0 -c_:0039 -V_ssl3:tls1.2_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse) + noECC 0 -c_:0040 -V_ssl3:tls1.2_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse) + +# noECC 0 -c_:0038_-u -V_ssl3:tls1.2_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket) +# use the above session ticket test, once session tickets with DHE_DSS are working + noECC 0 -c_:0038 -V_ssl3:tls1.2_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse) + +# noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 +# use the above reuse test, once the session cache with DHE_DSS is working + noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse + + noECC 0 -c_:006B -V_ssl3:tls1.2_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse) + noECC 0 -c_:009E -V_ssl3:tls1.2_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse) + noECC 0 -c_:009F -V_ssl3:tls1.2_-c_100_-C_:009F_-N Stress TLS DHE_RSA_WITH_AES_256_GCM_SHA384 (no reuse) +# +# add client auth versions here... +# + noECC 0 -r_-r_-c_:0032 -V_ssl3:tls1.2_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth) + noECC 0 -r_-r_-c_:0067 -V_ssl3:tls1.2_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth) + +# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth) +# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth) +# use the above session ticket test, once session tickets with DHE_DSS are working + noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth) + noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (no reuse, client auth) diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh new file mode 100755 index 000000000..9768c5ed9 --- /dev/null +++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh @@ -0,0 +1,159 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# tests/ssl_gtests/ssl_gtests.sh +# +# Script to drive the ssl gtest unit tests +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +# +######################################################################## + +# Generate input to certutil +certscript() { + while [ $# -gt 0 ]; do + case $1 in + sign) echo 0 ;; + kex) echo 2 ;; + ca) echo 5;echo 6 ;; + esac; shift + done; + echo 9 + echo n + echo ${ca:-n} + echo + echo n +} + +# $1: name +# $2: type +# $3+: usages: sign or kex +make_cert() { + name=$1 + type=$2 + case $type in + dsa) type_args='-g 1024' ;; + rsa) type_args='-g 1024' ;; + rsa2048) type_args='-g 2048';type=rsa ;; + rsapss) type_args='-g 1024 --pss';type=rsa ;; + p256) type_args='-q nistp256';type=ec ;; + p384) type_args='-q secp384r1';type=ec ;; + p521) type_args='-q secp521r1';type=ec ;; + rsa_ca) type_args='-g 1024';trust='CT,CT,CT';ca=y;type=rsa ;; + rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;; + ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;; + esac + shift 2 + counter=$(($counter + 1)) + certscript $@ | ${BINDIR}/certutil -S \ + -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \ + -n $name -s "CN=$name" -t ${trust:-,,} ${sign:--x} -m $counter \ + -w -2 -v 120 -k $type $type_args -Z SHA256 -1 -2 + html_msg $? 0 "create certificate: $@" +} + +ssl_gtest_certs() { + mkdir -p "${SSLGTESTDIR}" + cd "${SSLGTESTDIR}" + + PROFILEDIR=`pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + PROFILEDIR=`cygpath -m "${PROFILEDIR}"` + fi + + ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1 + html_msg $? 0 "create ssl_gtest database" + + counter=0 + make_cert client rsa sign + make_cert rsa rsa sign kex + make_cert rsa2048 rsa2048 sign kex + make_cert rsa_sign rsa sign + make_cert rsa_pss rsapss sign + make_cert rsa_decrypt rsa kex + make_cert ecdsa256 p256 sign + make_cert ecdsa384 p384 sign + make_cert ecdsa521 p521 sign + make_cert ecdh_ecdsa p256 kex + make_cert rsa_ca rsa_ca ca + make_cert rsa_chain rsa_chain sign + make_cert ecdh_rsa ecdh_rsa kex + make_cert dsa dsa sign +} + +############################## ssl_gtest_init ########################## +# local shell function to initialize this script +######################################################################## +ssl_gtest_init() +{ + SCRIPTNAME=ssl_gtest.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + + SCRIPTNAME=ssl_gtest.sh + html_head SSL Gtests + + if [ ! -d "${SSLGTESTDIR}" ]; then + ssl_gtest_certs + fi + + cd "${SSLGTESTDIR}" +} + +########################## ssl_gtest_start ######################### +# Local function to actually start the test +#################################################################### +ssl_gtest_start() +{ + if [ ! -f ${BINDIR}/ssl_gtest ]; then + html_unknown "Skipping ssl_gtest (not built)" + return + fi + + SSLGTESTREPORT="${SSLGTESTDIR}/report.xml" + PARSED_REPORT="${SSLGTESTDIR}/report.parsed" + echo "executing ssl_gtest" + ${BINDIR}/ssl_gtest -d "${SSLGTESTDIR}" --gtest_output=xml:"${SSLGTESTREPORT}" \ + --gtest_filter="${GTESTFILTER-*}" + html_msg $? 0 "ssl_gtest run successfully" + echo "executing sed to parse the xml report" + sed -f ${COMMON}/parsegtestreport.sed "${SSLGTESTREPORT}" > "${PARSED_REPORT}" + echo "processing the parsed report" + cat "${PARSED_REPORT}" | while read result name; do + if [ "$result" = "notrun" ]; then + echo "$name" SKIPPED + elif [ "$result" = "run" ]; then + html_passed_ignore_core "$name" + else + html_failed_ignore_core "$name" + fi + done +} + +ssl_gtest_cleanup() +{ + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# +cd "$(dirname "$0")" +ssl_gtest_init +ssl_gtest_start +ssl_gtest_cleanup diff --git a/security/nss/tests/tools/sign.html b/security/nss/tests/tools/sign.html new file mode 100644 index 000000000..1ec9f7b79 --- /dev/null +++ b/security/nss/tests/tools/sign.html @@ -0,0 +1,8 @@ +<html> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> +<body> +Sign this javascriptless page. +</body> +</html> diff --git a/security/nss/tests/tools/signjs.html b/security/nss/tests/tools/signjs.html new file mode 100644 index 000000000..ba22925bd --- /dev/null +++ b/security/nss/tests/tools/signjs.html @@ -0,0 +1,11 @@ +<html> +<!-- This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> +<body> +<script language="JavaScript"> +document.write("<h3>Sign this javascript</h3>"); +</script> +Here's some plain content. +</body> +</html> diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh new file mode 100644 index 000000000..26abf3e4e --- /dev/null +++ b/security/nss/tests/tools/tools.sh @@ -0,0 +1,498 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/tools/tools.sh +# +# Script to test basic functionality of NSS tools +# +# needs to work on all Unix and Windows platforms +# +# tests implemented: +# pk12util +# signtool +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## + + export pkcs12v2pbeWithSha1And128BitRc4=\ +"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC4" + + export pkcs12v2pbeWithSha1And40BitRc4=\ +"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC4" + + export pkcs12v2pbeWithSha1AndTripleDESCBC=\ +"PKCS #12 V2 PBE With SHA-1 and Triple DES-CBC" + + export pkcs12v2pbeWithSha1And128BitRc2Cbc=\ +"PKCS #12 V2 PBE With SHA-1 and 128 Bit RC2 CBC" + + export pkcs12v2pbeWithSha1And40BitRc2Cbc=\ +"PKCS #12 V2 PBE With SHA-1 and 40 Bit RC2 CBC" + + export pkcs12v2pbeWithMd2AndDESCBC=\ +"PKCS #5 Password Based Encryption with MD2 and DES-CBC" + + export pkcs12v2pbeWithMd5AndDESCBC=\ +"PKCS #5 Password Based Encryption with MD5 and DES-CBC" + + export pkcs12v2pbeWithSha1AndDESCBC=\ +"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC" + + export pkcs5pbeWithMD2AndDEScbc=\ +"PKCS #5 Password Based Encryption with MD2 and DES-CBC" + + export pkcs5pbeWithMD5AndDEScbc=\ +"PKCS #5 Password Based Encryption with MD5 and DES-CBC" + + export pkcs5pbeWithSha1AndDEScbc=\ +"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC" + +############################## tools_init ############################## +# local shell function to initialize this script +######################################################################## +tools_init() +{ + SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh + + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + + if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then + cd ../common + . ./init.sh + fi + if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here + cd ../cert + . ./cert.sh + fi + SCRIPTNAME=tools.sh + + if [ -z "$NSS_DISABLE_ECC" ] ; then + html_head "Tools Tests with ECC" + else + html_head "Tools Tests" + fi + + grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { + Exit 15 "Fatal - S/MIME of cert.sh needs to pass first" + } + + TOOLSDIR=${HOSTDIR}/tools + COPYDIR=${TOOLSDIR}/copydir + SIGNDIR=${TOOLSDIR}/signdir + + R_TOOLSDIR=../tools + R_COPYDIR=../tools/copydir + R_SIGNDIR=../tools/signdir + P_R_COPYDIR=${R_COPYDIR} + P_R_SIGNDIR=${R_SIGNDIR} + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_COPYDIR="multiaccess:Tools.$version" + P_R_SIGNDIR="multiaccess:Tools.sign.$version" + fi + + mkdir -p ${TOOLSDIR} + mkdir -p ${COPYDIR} + mkdir -p ${SIGNDIR} + cp ${ALICEDIR}/* ${SIGNDIR}/ + mkdir -p ${TOOLSDIR}/html + cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html + + cd ${TOOLSDIR} +} + +########################## list_p12_file ############################### +# List the key and cert in the specified p12 file +######################################################################## +list_p12_file() +{ + echo "$SCRIPTNAME: Listing Alice's pk12 file" + echo "pk12util -l ${1} -w ${R_PWFILE}" + + ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Listing ${1} (pk12util -l)" + check_tmpfile +} + +######################################################################## +# Import the key and cert from the specified p12 file +######################################################################## +import_p12_file() +{ + echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file" + echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" + + ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Importing ${1} (pk12util -i)" + check_tmpfile +} + +######################################################################## +# Export the key and cert to a p12 file using default ciphers +######################################################################## +export_with_default_ciphers() +{ + echo "$SCRIPTNAME: Exporting Alice's key & cert with [default:default] (pk12util -o)" + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE}" + ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Exporting Alices's key & cert with [default:default] (pk12util -o)" + check_tmpfile + return $ret +} + +######################################################################## +# Exports key/cert to a p12 file, the key encryption cipher is specified +# and the cert encryption cipher is blank for default. +######################################################################## +export_with_key_cipher() +{ + # $1 key encryption cipher + echo "$SCRIPTNAME: Exporting with [${1}:default]" + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1}" + ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} -c "${1}" 2>&1 + ret=$? + html_msg $ret 0 "Exporting with [${1}:default] (pk12util -o)" + check_tmpfile + return $ret +} + +######################################################################## +# Exports key/cert to a p12 file, the key encryption cipher is left +# empty for default and the cert encryption cipher is specified. +######################################################################## +export_with_cert_cipher() +{ + # $1 certificate encryption cipher + echo "$SCRIPTNAME: Exporting with [default:${1}]" + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -C ${1}" + ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} -C "${1}" 2>&1 + ret=$? + html_msg $ret 0 "Exporting with [default:${1}] (pk12util -o)" + check_tmpfile + return $ret +} + +######################################################################## +# Exports key/cert to a p12 file, both the key encryption cipher and +# the cert encryption cipher are specified. +######################################################################## +export_with_both_key_and_cert_cipher() +{ + # $1 key encryption cipher or "" + # $2 certificate encryption cipher or "" + + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c ${1} -C ${2}" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -c "${1}" -C "${2}" 2>&1 + ret=$? + html_msg $ret 0 "Exporting with [${1}:${2}] (pk12util -o)" + check_tmpfile + return $ret +} + +######################################################################## +# Exports key and cert to a p12 file, both the key encryption cipher +# and the cert encryption cipher are specified. The key and cert are +# imported and the p12 file is listed +######################################################################## +export_list_import() +{ + # $1 key encryption cipher + # $2 certificate encryption cipher + + if [ "${1}" != "DEFAULT" -a "${2}" != "DEFAULT" ]; then + export_with_both_key_and_cert_cipher "${1}" "${2}" + elif [ "${1}" != "DEFAULT" -a "${2}" = "DEFAULT" ]; then + export_with_key_cipher "${1}" + elif [ "${1}" = "DEFAULT" -a "${2}" != "DEFAULT" ]; then + export_with_cert_cipher "${2}" + else + export_with_default_ciphers + fi + + list_p12_file Alice.p12 + import_p12_file Alice.p12 +} + +######################################################################## +# Export using the pkcs5pbe ciphers for key and certificate encryption. +# List the contents of and import from the p12 file. +######################################################################## +tools_p12_export_list_import_all_pkcs5pbe_ciphers() +{ + # specify each on key and cert cipher + for key_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \ + "${pkcs5pbeWithMD5AndDEScbc}" \ + "${pkcs5pbeWithSha1AndDEScbc}"\ + "DEFAULT"; do + for cert_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \ + "${pkcs5pbeWithMD5AndDEScbc}" \ + "${pkcs5pbeWithSha1AndDEScbc}" \ + "DEFAULT"\ + "null"; do + export_list_import "${key_cipher}" "${cert_cipher}" + done + done +} + +######################################################################## +# Export using the pkcs5v2 ciphers for key and certificate encryption. +# List the contents of and import from the p12 file. +######################################################################## +tools_p12_export_list_import_all_pkcs5v2_ciphers() +{ + # These should pass + for key_cipher in\ + RC2-CBC \ + DES-EDE3-CBC \ + AES-128-CBC \ + AES-192-CBC \ + AES-256-CBC \ + CAMELLIA-128-CBC \ + CAMELLIA-192-CBC \ + CAMELLIA-256-CBC; do + +#--------------------------------------------------------------- +# Bug 452464 - pk12util -o fails when -C option specifies AES or +# Camellia ciphers +# FIXME Restore these to the list +# AES-128-CBC, \ +# AES-192-CBC, \ +# AES-256-CBC, \ +# CAMELLIA-128-CBC, \ +# CAMELLIA-192-CBC, \ +# CAMELLIA-256-CBC, \ +# when 452464 is fixed +#--------------------------------------------------------------- + for cert_cipher in \ + RC2-CBC \ + DES-EDE3-CBC \ + null; do + export_list_import ${key_cipher} ${cert_cipher} + done + done +} + +######################################################################## +# Export using the pkcs12v2pbe ciphers for key and certificate encryption. +# List the contents of and import from the p12 file. +######################################################################## +tools_p12_export_list_import_all_pkcs12v2pbe_ciphers() +{ +#--------------------------------------------------------------- +# Bug 452471 - pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers +# FIXME - Restore these to the list +# "${pkcs12v2pbeWithSha1And128BitRc4}" \ +# "${pkcs12v2pbeWithSha1And40BitRc4}" \ +# "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \ +# "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \ +# "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \ +# "${pkcs12v2pbeWithMd2AndDESCBC}" \ +# "${pkcs12v2pbeWithMd5AndDESCBC}" \ +# "${pkcs12v2pbeWithSha1AndDESCBC}" \ +# "DEFAULT"; do +# when 452471 is fixed +#--------------------------------------------------------------- +# for key_cipher in \ + key_cipher="DEFAULT" + for cert_cipher in "${pkcs12v2pbeWithSha1And128BitRc4}" \ + "${pkcs12v2pbeWithSha1And40BitRc4}" \ + "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \ + "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \ + "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \ + "${pkcs12v2pbeWithMd2AndDESCBC}" \ + "${pkcs12v2pbeWithMd5AndDESCBC}" \ + "${pkcs12v2pbeWithSha1AndDESCBC}" \ + "DEFAULT"\ + "null"; do + export_list_import "${key_cipher}" "${key_cipher}" + done + #done +} + +######################################################################### +# Export with no encryption on key should fail but on cert should pass +######################################################################### +tools_p12_export_with_null_ciphers() +{ + # use null as the key encryption algorithm default for the cert one + # should fail + + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -c null" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -c null 2>&1 + ret=$? + html_msg $ret 30 "Exporting with [null:default] (pk12util -o)" + check_tmpfile + + # use default as the key encryption algorithm null for the cert one + # should pass + + echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\" + echo " -k ${R_PWFILE} -w ${R_PWFILE} -C null" + ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \ + -k ${R_PWFILE} -w ${R_PWFILE} \ + -C null 2>&1 + ret=$? + html_msg $ret 0 "Exporting with [default:null] (pk12util -o)" + check_tmpfile + +} + +######################################################################### +# Exports using the default key and certificate encryption ciphers. +# Imports from and lists the contents of the p12 file. +# Repeats the test with ECC if enabled. +######################################################################## +tools_p12_export_list_import_with_default_ciphers() +{ + echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers" + + export_list_import "DEFAULT" "DEFAULT" + + if [ -z "$NSS_DISABLE_ECC" ] ; then + echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------" + echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" + echo " -w ${R_PWFILE}" + ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ + -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)" + check_tmpfile + + echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------" + echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" + ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)" + check_tmpfile + + echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------" + echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}" + ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)" + check_tmpfile + fi +} + +############################## tools_p12 ############################### +# local shell function to test basic functionality of pk12util +######################################################################## +tools_p12() +{ + tools_p12_export_list_import_with_default_ciphers + tools_p12_export_list_import_all_pkcs5v2_ciphers + tools_p12_export_list_import_all_pkcs5pbe_ciphers + tools_p12_export_list_import_all_pkcs12v2pbe_ciphers + tools_p12_export_with_null_ciphers +} + +############################## tools_sign ############################## +# local shell function pk12util uses a hardcoded tmp file, if this exists +# and is owned by another user we don't get reasonable errormessages +######################################################################## +check_tmpfile() +{ + if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then + echo "Error: pk12util temp file exists. Please remove this file and" + echo " rerun the test (/tmp/Pk12uTemp) " + fi +} + +############################## tools_sign ############################## +# local shell function to test basic functionality of signtool +######################################################################## +tools_sign() +{ + echo "$SCRIPTNAME: Create objsign cert -------------------------------" + echo "signtool -G \"objectsigner\" -d ${P_R_SIGNDIR} -p \"nss\"" + ${BINDIR}/signtool -G "objsigner" -d ${P_R_SIGNDIR} -p "nss" 2>&1 <<SIGNSCRIPT +y +TEST +MOZ +NSS +NY +US +liz +liz@moz.org +SIGNSCRIPT + html_msg $? 0 "Create objsign cert (signtool -G)" + + echo "$SCRIPTNAME: Signing a jar of files ----------------------------" + echo "signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\" + echo " ${R_TOOLSDIR}/html" + ${BINDIR}/signtool -Z nojs.jar -d ${P_R_SIGNDIR} -p "nss" -k objsigner \ + ${R_TOOLSDIR}/html + html_msg $? 0 "Signing a jar of files (signtool -Z)" + + echo "$SCRIPTNAME: Listing signed files in jar ----------------------" + echo "signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner" + ${BINDIR}/signtool -v nojs.jar -d ${P_R_SIGNDIR} -p nss -k objsigner + html_msg $? 0 "Listing signed files in jar (signtool -v)" + + echo "$SCRIPTNAME: Show who signed jar ------------------------------" + echo "signtool -w nojs.jar -d ${P_R_SIGNDIR}" + ${BINDIR}/signtool -w nojs.jar -d ${P_R_SIGNDIR} + html_msg $? 0 "Show who signed jar (signtool -w)" + + echo "$SCRIPTNAME: Signing a xpi of files ----------------------------" + echo "signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p \"nss\" -k objsigner \\" + echo " ${R_TOOLSDIR}/html" + ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_SIGNDIR} -p "nss" -k objsigner \ + ${R_TOOLSDIR}/html + html_msg $? 0 "Signing a xpi of files (signtool -Z -X)" + + echo "$SCRIPTNAME: Listing signed files in xpi ----------------------" + echo "signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner" + ${BINDIR}/signtool -v nojs.xpi -d ${P_R_SIGNDIR} -p nss -k objsigner + html_msg $? 0 "Listing signed files in xpi (signtool -v)" + + echo "$SCRIPTNAME: Show who signed xpi ------------------------------" + echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}" + ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR} + html_msg $? 0 "Show who signed xpi (signtool -w)" + +} + +############################## tools_cleanup ########################### +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +tools_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +################## main ################################################# + +tools_init +tools_p12 +tools_sign +tools_cleanup + + |