#! /bin/bash # # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. ######################################################################## # # mozilla/security/nss/tests/cert/rcert.sh # # Certificate generating and handeling for NSS QA, can be included # multiple times from all.sh and the individual scripts # # needs to work on all Unix and Windows platforms # # included from (don't expect this to be up to date) # -------------------------------------------------- # all.sh # ssl.sh # smime.sh # tools.sh # # special strings # --------------- # FIXME ... known problems, search for this string # NOTE .... unexpected behavior # # FIXME - Netscape - NSS ######################################################################## ############################## cert_init ############################### # local shell function to initialize this script ######################################################################## cert_init() { SCRIPTNAME="cert.sh" if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for CLEANUP="${SCRIPTNAME}" # cleaning this script will do it fi if [ -z "${INIT_SOURCED}" ] ; then cd ../common . ./init.sh fi if [ -z "${IOPR_CERT_SOURCED}" ]; then . ../iopr/cert_iopr.sh fi SCRIPTNAME="cert.sh" CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` html_head "Certutil and Crlutil Tests" LIBDIR="${DIST}/${OBJDIR}/lib" ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi.* | head -1` if [ ! "${ROOTCERTSFILE}" ] ; then html_failed "Looking for root certs module." cert_log "ERROR: Root certs module not found." Exit 5 "Fatal - Root certs module not found." else html_passed "Looking for root certs module." fi if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then ROOTCERTSFILE=`cygpath -m ${ROOTCERTSFILE}` fi } cert_log() ###################### write the cert_status file { echo "$SCRIPTNAME $*" echo $* >>${CERT_LOG_FILE} } ######################################################################## # function wraps calls to pk12util, also: writes action and options # to stdout. # Params are the same as to pk12util. # Returns pk12util status # pk12u() { echo "${CU_ACTION} --------------------------" echo "pk12util $@" ${BINDIR}/pk12util $@ RET=$? return $RET } ################################ certu ################################# # local shell function to call certutil, also: writes action and options to # stdout, sets variable RET and writes results to the html file results ######################################################################## certu() { echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" EXPECTED=${RETEXPECTED-0} if [ -n "${CU_SUBJECT}" ]; then #the subject of the cert contains blanks, and the shell #will strip the quotes off the string, if called otherwise... echo "certutil -s \"${CU_SUBJECT}\" $*" ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $* RET=$? CU_SUBJECT="" else echo "certutil $*" ${PROFTOOL} ${BINDIR}/certutil $* RET=$? fi if [ "$RET" -ne "$EXPECTED" ]; then CERTFAILED=$RET html_failed "${CU_ACTION} ($RET=$EXPECTED) " cert_log "ERROR: ${CU_ACTION} failed $RET" else html_passed "${CU_ACTION}" fi return $RET } ################################ crlu ################################# # local shell function to call crlutil, also: writes action and options to # stdout, sets variable RET and writes results to the html file results ######################################################################## crlu() { echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" CRLUTIL="crlutil -q" echo "$CRLUTIL $*" ${PROFTOOL} ${BINDIR}/$CRLUTIL $* RET=$? if [ "$RET" -ne 0 ]; then CRLFAILED=$RET html_failed "${CU_ACTION} ($RET) " cert_log "ERROR: ${CU_ACTION} failed $RET" else html_passed "${CU_ACTION}" fi return $RET } ################################ ocspr ################################## # local shell function to call ocsresp, also: writes action and options to # stdout, sets variable RET and writes results to the html file results ######################################################################### ocspr() { echo "$SCRIPTNAME: ${OR_ACTION} --------------------------" OCSPRESP="ocspresp" echo "$OCSPRESP $*" ${PROFTOOL} ${BINDIR}/$OCSPRESP $* RET=$? if [ "$RET" -ne 0 ]; then OCSPFAILED=$RET html_failed "${OR_ACTION} ($RET) " cert_log "ERROR: ${OR_ACTION} failed $RET" else html_passed "${OR_ACTION}" fi return $RET } modu() { echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" MODUTIL="modutil" echo "$MODUTIL $*" # echo is used to press Enter expected by modutil echo | ${BINDIR}/$MODUTIL $* RET=$? if [ "$RET" -ne 0 ]; then MODFAILED=$RET html_failed "${CU_ACTION} ($RET) " cert_log "ERROR: ${CU_ACTION} failed $RET" else html_passed "${CU_ACTION}" fi return $RET } ############################# cert_init_cert ########################## # local shell function to initialize creation of client and server certs ######################################################################## cert_init_cert() { CERTDIR="$1" CERTNAME="$2" CERTSERIAL="$3" DOMAIN="$4" if [ ! -d "${CERTDIR}" ]; then mkdir -p "${CERTDIR}" else echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists" fi cd "${CERTDIR}" CERTDIR="." PROFILEDIR=`cd ${CERTDIR}; pwd` if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then PROFILEDIR=`cygpath -m ${PROFILEDIR}` fi if [ -n "${MULTIACCESS_DBM}" ]; then PROFILEDIR="multiaccess:${DOMAIN}" fi noise } ############################# hw_acc ################################# # local shell function to add hw accelerator modules to the db ######################################################################## hw_acc() { HW_ACC_RET=0 HW_ACC_ERR="" if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then echo "creating $CERTNAME s cert with hwaccelerator..." #case $ACCELERATOR in #rainbow) echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so " echo " -dbdir ${PROFILEDIR} 2>&1 " echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \ -dbdir ${PROFILEDIR} 2>&1 if [ "$?" -ne 0 ]; then echo "modutil -add rainbow failed in `pwd`" HW_ACC_RET=1 HW_ACC_ERR="modutil -add rainbow" fi echo "modutil -add ncipher " echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so " echo " -dbdir ${PROFILEDIR} 2>&1 " echo | ${BINDIR}/modutil -add ncipher \ -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \ -dbdir ${PROFILEDIR} 2>&1 if [ "$?" -ne 0 ]; then echo "modutil -add ncipher failed in `pwd`" HW_ACC_RET=`expr $HW_ACC_RET + 2` HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher" fi if [ "$HW_ACC_RET" -ne 0 ]; then html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) " else html_passed "Adding HW accelerators to certDB for ${CERTNAME}" fi fi return $HW_ACC_RET } ############################# cert_create_cert ######################### # local shell function to create client certs # initialize DB, import # root cert # add cert to DB ######################################################################## cert_create_cert() { cert_init_cert "$1" "$2" "$3" "$4" CU_ACTION="Initializing ${CERTNAME}'s Cert DB" certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB" modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi hw_acc CU_ACTION="Import Root CA for $CERTNAME" certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${R_CADIR}/TestCA.ca.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Import DSA Root CA for $CERTNAME" certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Import EC Root CA for $CERTNAME" certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi cert_add_cert "$5" return $? } ############################# cert_add_cert ############################ # local shell function to add client certs to an existing CERT DB # generate request # sign request # import Cert # ######################################################################## cert_add_cert() { CU_ACTION="Generate Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Sign ${CERTNAME}'s Request" certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi cert_log "SUCCESS: $CERTNAME's Cert Created" # # Generate and add DSA cert # CU_ACTION="Generate DSA Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Sign ${CERTNAME}'s DSA Request" certu -C -c "TestCA-dsa" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" "$1" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Import $CERTNAME's DSA Cert" certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi cert_log "SUCCESS: $CERTNAME's DSA Cert Created" # Generate DSA certificate signed with RSA CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Sign ${CERTNAME}'s DSA Request with RSA" # Avoid conflicting serial numbers with TestCA issuer by keeping # this set far away. A smaller number risks colliding with the # extended ssl user certificates. NEWSERIAL=`expr ${CERTSERIAL} + 20000` certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" "$1" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Import $CERTNAME's mixed DSA Cert" certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created" # # Generate and add EC cert # CURVE="secp384r1" CU_ACTION="Generate EC Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Sign ${CERTNAME}'s EC Request" certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Import $CERTNAME's EC Cert" certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi cert_log "SUCCESS: $CERTNAME's EC Cert Created" # Generate EC certificate signed with RSA CU_ACTION="Generate mixed EC Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA" # Avoid conflicting serial numbers with TestCA issuer by keeping # this set far away. A smaller number risks colliding with the # extended ssl user certificates. NEWSERIAL=`expr ${CERTSERIAL} + 10000` certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Import $CERTNAME's mixed EC Cert" certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created" echo "Importing RSA-PSS server certificate" pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR} # Let's get the key ID of the imported private key. KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \ grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'` CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request" NEWSERIAL=`expr ${CERTSERIAL} + 30000` certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u" certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}-rsa-pss.cert" 2>&1 cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created" return 0 } ################################# cert_all_CA ################################ # local shell function to build the additional Temp. Certificate Authority (CA) # used for the "real life" ssl test with 2 different CA's in the # client and in the server's dir ########################################################################## cert_all_CA() { echo nss > ${PWFILE} echo > ${EMPTY_FILE} ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1" ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3" ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4" ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6" ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7" rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last # in the chain # # Create DSA version of TestCA ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US" cert_dsa_CA $CADIR TestCA-dsa -x "CTu,CTu,CTu" ${D_CA} "1" # # Create DSA versions of the intermediate CA certs ALL_CU_SUBJECT="CN=NSS Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_dsa_CA $SERVER_CADIR serverCA-dsa -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_dsa_CA $SERVER_CADIR chain-1-serverCA-dsa "-c serverCA-dsa" "u,u,u" ${D_SERVER_CA} "3" ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_dsa_CA $SERVER_CADIR chain-2-serverCA-dsa "-c chain-1-serverCA-dsa" "u,u,u" ${D_SERVER_CA} "4" ALL_CU_SUBJECT="CN=NSS Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_dsa_CA $CLIENT_CADIR clientCA-dsa -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_dsa_CA $CLIENT_CADIR chain-1-clientCA-dsa "-c clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "6" ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_dsa_CA $CLIENT_CADIR chain-2-clientCA-dsa "-c chain-1-clientCA-dsa" "u,u,u" ${D_CLIENT_CA} "7" rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert # dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last # in the chain # # Create RSA-PSS version of TestCA ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS), O=BOGUS NSS, L=Mountain View, ST=California, C=US" cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256 rm $CADIR/rsapssroot.cert ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US" cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1 rm $CADIR/rsapssroot.cert # # Create EC version of TestCA CA_CURVE="secp521r1" ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US" cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE} # # Create EC versions of the intermediate CA certs ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE} ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE} ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE} ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE} ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE} ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE} rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert # ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last # in the chain } ################################# cert_CA ################################ # local shell function to build the Temp. Certificate Authority (CA) # used for testing purposes, creating a CA Certificate and a root cert ########################################################################## cert_CA() { CUR_CADIR=$1 NICKNAME=$2 SIGNER=$3 TRUSTARG=$4 DOMAIN=$5 CERTSERIAL=$6 echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME ==========================" if [ ! -d "${CUR_CADIR}" ]; then mkdir -p "${CUR_CADIR}" fi cd ${CUR_CADIR} pwd LPROFILE=`pwd` if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then LPROFILE=`cygpath -m ${LPROFILE}` fi if [ -n "${MULTIACCESS_DBM}" ]; then LPROFILE="multiaccess:${DOMAIN}" fi if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB CU_ACTION="Creating CA Cert DB" certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1 if [ "$RET" -ne 0 ]; then Exit 5 "Fatal - failed to create CA $NICKNAME " fi CU_ACTION="Loading root cert module to CA Cert DB" modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi echo "$SCRIPTNAME: Certificate initialized ----------" fi ################# Creating CA Cert ###################################### # CU_ACTION="Creating CA Cert $NICKNAME " CU_SUBJECT=$ALL_CU_SUBJECT certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \ -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <&1 <&1 <&1 <&1 #CU_ACTION="Export Dave's Cert" #cd ${DAVEDIR} #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert ################# Importing Certificates for S/MIME tests ############### # echo "$SCRIPTNAME: Importing Certificates ==============================" CU_ACTION="Import Bob's cert into Alice's db" certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_BOBDIR}/Bob.cert 2>&1 CU_ACTION="Import Dave's cert into Alice's DB" certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_DAVEDIR}/Dave.cert 2>&1 CU_ACTION="Import Dave's cert into Bob's DB" certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ -i ${R_DAVEDIR}/Dave.cert 2>&1 CU_ACTION="Import Eve's cert into Alice's DB" certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_EVEDIR}/Eve.cert 2>&1 CU_ACTION="Import Eve's cert into Bob's DB" certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ -i ${R_EVEDIR}/Eve.cert 2>&1 echo "$SCRIPTNAME: Importing EC Certificates ==============================" CU_ACTION="Import Bob's EC cert into Alice's db" certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_BOBDIR}/Bob-ec.cert 2>&1 CU_ACTION="Import Dave's EC cert into Alice's DB" certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 CU_ACTION="Import Dave's EC cert into Bob's DB" certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 ## XXXX Do not import Eve's EC cert until we can make sure that ## the email addresses listed in the Subject Alt Name Extension ## inside Eve's ECC and non-ECC certs are different. # CU_ACTION="Import Eve's EC cert into Alice's DB" # certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ # -i ${R_EVEDIR}/Eve-ec.cert 2>&1 # CU_ACTION="Import Eve's EC cert into Bob's DB" # certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ # -i ${R_EVEDIR}/Eve-ec.cert 2>&1 if [ "$CERTFAILED" != 0 ] ; then cert_log "ERROR: SMIME failed $RET" else cert_log "SUCCESS: SMIME passed" fi } ############################## cert_extended_ssl ####################### # local shell function to create client + server certs for extended SSL test ######################################################################## cert_extended_ssl() { ################# Creating Certs for extended SSL test #################### # CERTFAILED=0 echo "$SCRIPTNAME: Creating Certificates, issued by the last ===============" echo " of a chain of CA's which are not in the same database============" echo "Server Cert" cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER} CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 CU_ACTION="Generate Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request (ext)" cp ${CERTDIR}/req ${SERVER_CADIR} certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)" certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1 # # Repeat the above for DSA certs # CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" cp ${CERTDIR}/req ${SERVER_CADIR} certu -C -c "chain-2-serverCA-dsa" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 CU_ACTION="Import Client DSA Root CA -t T,, for $CERTNAME (ext.)" certu -A -n "clientCA-dsa" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${CLIENT_CADIR}/clientCA-dsa.ca.cert" 2>&1 # # done with DSA certs # # Repeat again for mixed DSA certs # CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)" cp ${CERTDIR}/req ${SERVER_CADIR} certu -C -c "chain-2-serverCA" -m 202 -v 60 -d "${P_SERVER_CADIR}" \ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 # CU_ACTION="Import Client mixed DSA Root CA -t T,, for $CERTNAME (ext.)" # certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \ # -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \ # 2>&1 # # Repeat the above for EC certs # EC_CURVE="secp256r1" CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" cp ${CERTDIR}/req ${SERVER_CADIR} certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)" certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1 # # done with EC certs # # Repeat again for mixed EC certs # EC_CURVE="secp256r1" CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)" cp ${CERTDIR}/req ${SERVER_CADIR} certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \ -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 # CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)" # certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \ # -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \ # 2>&1 # Check that a repeated import with a different nickname doesn't change the # nickname of the existing cert (bug 1458518). # We want to search for the results using grep, to avoid subset matches, # we'll use one of the longer nicknames for testing. # (Because "grep -w hostname" matches "grep -w hostname-dsamixed") MYDBPASS="-d ${PROFILEDIR} -f ${R_PWFILE}" TESTNAME="Ensure there's exactly one match for ${CERTNAME}-dsamixed" cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}" CU_ACTION="Repeated import of $CERTNAME's mixed DSA Cert with different nickname" certu -A -n "${CERTNAME}-repeated-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-dsamixed" cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}" TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-dsamixed" cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-dsamixed" 0 0 "${TESTNAME}" echo "Importing all the server's own CA chain into the servers DB" for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; do N=`basename $CA | sed -e "s/.ca.cert//"` if [ $N = "serverCA" -o $N = "serverCA-ec" -o $N = "serverCA-dsa" ] ; then T="-t C,C,C" else T="-t u,u,u" fi CU_ACTION="Import $N CA $T for $CERTNAME (ext.) " certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${CA}" 2>&1 done #============ echo "Client Cert" cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT} CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 CU_ACTION="Generate Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \ -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request (ext)" cp ${CERTDIR}/req ${CLIENT_CADIR} certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)" certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1 # # Repeat the above for DSA certs # CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" cp ${CERTDIR}/req ${CLIENT_CADIR} certu -C -c "chain-2-clientCA-dsa" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 # # done with DSA certs # # # Repeat the above for mixed DSA certs # CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)" cp ${CERTDIR}/req ${CLIENT_CADIR} certu -C -c "chain-2-clientCA" -m 302 -v 60 -d "${P_CLIENT_CADIR}" \ -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 # CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" # certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ # -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 # # done with mixed DSA certs # # # Repeat the above for EC certs # CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" cp ${CERTDIR}/req ${CLIENT_CADIR} certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 # # done with EC certs # # # Repeat the above for mixed EC certs # CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)" cp ${CERTDIR}/req ${CLIENT_CADIR} certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \ -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 # CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" # certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ # -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 # # done with mixed EC certs # echo "Importing all the client's own CA chain into the servers DB" for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; do N=`basename $CA | sed -e "s/.ca.cert//"` if [ $N = "clientCA" -o $N = "clientCA-ec" -o $N = "clientCA-dsa" ] ; then T="-t T,C,C" else T="-t u,u,u" fi CU_ACTION="Import $N CA $T for $CERTNAME (ext.)" certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${CA}" 2>&1 done if [ "$CERTFAILED" != 0 ] ; then cert_log "ERROR: EXT failed $RET" else cert_log "SUCCESS: EXT passed" fi } ############################## cert_ssl ################################ # local shell function to create client + server certs for SSL test ######################################################################## cert_ssl() { ################# Creating Certs for SSL test ########################### # CERTFAILED=0 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT} echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" echo " ${HOSTADDR} ------------------------------------" cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER} echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" echo " ${HOSTADDR}-sni --------------------------------" CERTSERIAL=101 CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}" cert_add_cert CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC" certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC" certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC" certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" # cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER} # echo "************* Copying CA files to ${SERVERDIR}" # cp ${CADIR}/*.db . # hw_acc # CU_ACTION="Creating ${CERTNAME}'s Server Cert" # CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" # certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \ # -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 if [ "$CERTFAILED" != 0 ] ; then cert_log "ERROR: SSL failed $RET" else cert_log "SUCCESS: SSL passed" fi echo "$SCRIPTNAME: Creating database for OCSP stapling tests ===============" echo "cp -r ${SERVERDIR} ${STAPLINGDIR}" cp -r ${R_SERVERDIR} ${R_STAPLINGDIR} pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR} pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR} echo "$SCRIPTNAME: Creating database for strsclnt no login tests ===============" echo "cp -r ${CLIENTDIR} ${NOLOGINDIR}" cp -r ${R_CLIENTDIR} ${R_NOLOGINDIR} # change the password to empty certu -W -d "${R_NOLOGINDIR}" -f "${R_PWFILE}" -@ "${R_EMPTY_FILE}" 2>&1 } ############################## cert_stresscerts ################################ # local shell function to create client certs for SSL stresstest ######################################################################## cert_stresscerts() { ############### Creating Certs for SSL stress test ####################### # CERTDIR="$CLIENTDIR" cd "${CERTDIR}" PROFILEDIR=`cd ${CERTDIR}; pwd` if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then PROFILEDIR=`cygpath -m ${PROFILEDIR}` fi if [ -n "${MULTIACCESS_DBM}" ]; then PROFILEDIR="multiaccess:${D_CLIENT}" fi CERTFAILED=0 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" CONTINUE=$GLOB_MAX_CERT CERTSERIAL=10 while [ $CONTINUE -ge $GLOB_MIN_CERT ] do CERTNAME="TestUser$CONTINUE" # cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL cert_add_cert CERTSERIAL=`expr $CERTSERIAL + 1 ` CONTINUE=`expr $CONTINUE - 1 ` done if [ "$CERTFAILED" != 0 ] ; then cert_log "ERROR: StressCert failed $RET" else cert_log "SUCCESS: StressCert passed" fi } ############################## cert_fips ##################################### # local shell function to create certificates for FIPS tests ############################################################################## cert_fips() { CERTFAILED=0 echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates ==============" cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}" CU_ACTION="Initializing ${CERTNAME}'s Cert DB" certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------" CU_ACTION="Enable FIPS mode on database for ${CERTNAME}" echo "modutil -dbdir ${PROFILEDIR} -fips true " ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <&1 CU_ACTION="Attempt to generate a key with exponent of 3 (too small)" certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" CU_ACTION="Attempt to generate a key with exponent of 17 (too small)" certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" RETEXPECTED=0 CU_ACTION="Generate Certificate for ${CERTNAME}" CU_SUBJECT="CN=${CERTNAME}, E=fips@example.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: FIPS passed" fi } ########################## cert_rsa_exponent ################################# # local shell function to verify small rsa exponent can be used (only # run if FIPS has not been turned on in the build). ############################################################################## cert_rsa_exponent_nonfips() { echo "$SCRIPTNAME: Verify that small RSA exponents still work ==============" CU_ACTION="Attempt to generate a key with exponent of 3" certu -G -k rsa -g 2048 -y 3 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" CU_ACTION="Attempt to generate a key with exponent of 17" certu -G -k rsa -g 2048 -y 17 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" } ############################## cert_eccurves ########################### # local shell function to create server certs for all EC curves ######################################################################## cert_eccurves() { ################# Creating Certs for EC curves test ######################## # echo "$SCRIPTNAME: Creating Server CA Issued Certificate for " echo " EC Curves Test Certificates ------------------------------------" cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES} CU_ACTION="Initializing EC Curve's Cert DB" certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Loading root cert module to EC Curve's Cert DB" modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 CU_ACTION="Import EC Root CA for $CERTNAME" certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 CURVE_LIST="nistp256 nistp384 nistp521" CERTSERIAL=2000 for CURVE in ${CURVE_LIST} do CERTFAILED=0 CERTNAME="Curve-${CURVE}" CERTSERIAL=`expr $CERTSERIAL + 1 ` CU_ACTION="Generate EC Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 if [ $RET -eq 0 ] ; then CU_ACTION="Sign ${CERTNAME}'s EC Request" certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 fi if [ $RET -eq 0 ] ; then CU_ACTION="Import $CERTNAME's EC Cert" certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 fi done } ########################### cert_extensions_test ############################# # local shell function to test cert extensions generation ############################################################################## cert_extensions_test() { COUNT=`expr ${COUNT} + 1` CERTNAME=TestExt${COUNT} CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" echo echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE} echo "certutil options:" cat ${TARG_FILE} ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE} RET=$? if [ "${RET}" -ne 0 ]; then CERTFAILED=1 html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate" cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed" return 1 fi echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME} EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}` RET=$? echo "${EXTLIST}" if [ "${RET}" -ne 0 ]; then CERTFAILED=1 html_failed "${TESTNAME} (${COUNT}) - List Certificate" cert_log "ERROR: ${TESTNAME} - List Certificate failed" return 1 fi for FL in `echo ${FILTERLIST} | tr \| ' '`; do FL="`echo ${FL} | tr _ ' '`" EXPSTAT=0 if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then EXPSTAT=1 FL=`echo ${FL} | tr -d '!'` fi echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1 RET=$? if [ "${RET}" -ne "${EXPSTAT}" ]; then CERTFAILED=1 html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}" cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed" return 1 fi done html_passed "${TESTNAME} (${COUNT})" return 0 } ############################## cert_extensions ############################### # local shell function to run cert extensions tests ############################################################################## cert_extensions() { CERTNAME=TestExt cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS} TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args COUNT=0 while read ARG OPT FILTERLIST; do if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then continue fi if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then TESTNAME="${FILTERLIST}" continue fi if [ X"${ARG}" = "X=" ]; then cert_extensions_test rm -f ${TARG_FILE} else echo ${ARG} >> ${TARG_FILE} fi done < ${QADIR}/cert/certext.txt } cert_make_with_param() { DIRPASS="$1" CERTNAME="$2" MAKE="$3" SUBJ="$4" EXTRA="$5" EXPECT="$6" TESTNAME="$7" echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} RET=$? if [ "${RET}" -ne "${EXPECT}" ]; then # if we expected failure to create, then delete unexpected certificate if [ "${EXPECT}" -ne 0 ]; then ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} fi CERTFAILED=1 html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}" cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed" return 1 fi html_passed "${TESTNAME} (${COUNT})" return 0 } cert_check_nickname_exists() { MYDIRPASS="$1" MYCERTNAME="$2" EXPECT="$3" EXPECTCOUNT="$4" MYTESTNAME="$5" echo certutil ${MYDIRPASS} -L ${BINDIR}/certutil ${MYDIRPASS} -L RET=$? if [ "${RET}" -ne "${EXPECT}" ]; then CERTFAILED=1 html_failed "${MYTESTNAME} - list" cert_log "ERROR: ${MYTESTNAME} - list" return 1 fi LISTCOUNT=`${BINDIR}/certutil ${MYDIRPASS} -L | grep -wc ${MYCERTNAME}` if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then CERTFAILED=1 html_failed "${MYTESTNAME} - list and count" cert_log "ERROR: ${MYTESTNAME} - list and count failed" return 1 fi html_passed "${MYTESTNAME}" return 0 } cert_list_and_count_dns() { DIRPASS="$1" CERTNAME="$2" EXPECT="$3" EXPECTCOUNT="$4" TESTNAME="$5" echo certutil ${DIRPASS} -L ${CERTNAME} ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} RET=$? if [ "${RET}" -ne "${EXPECT}" ]; then CERTFAILED=1 html_failed "${TESTNAME} (${COUNT}) - list and count" cert_log "ERROR: ${TESTNAME} - list and count failed" return 1 fi LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS` if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then CERTFAILED=1 html_failed "${TESTNAME} (${COUNT}) - list and count" cert_log "ERROR: ${TESTNAME} - list and count failed" return 1 fi html_passed "${TESTNAME} (${COUNT})" return 0 } cert_dump_ext_to_file() { DIRPASS="$1" CERTNAME="$2" OID="$3" OUTFILE="$4" EXPECT="$5" TESTNAME="$6" echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} echo "writing output to ${OUTFILE}" ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE} RET=$? if [ "${RET}" -ne "${EXPECT}" ]; then CERTFAILED=1 html_failed "${TESTNAME} (${COUNT}) - dump to file" cert_log "ERROR: ${TESTNAME} - dump to file failed" return 1 fi html_passed "${TESTNAME} (${COUNT})" return 0 } cert_delete() { DIRPASS="$1" CERTNAME="$2" EXPECT="$3" TESTNAME="$4" echo certutil ${DIRPASS} -D ${CERTNAME} ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} RET=$? if [ "${RET}" -ne "${EXPECT}" ]; then CERTFAILED=1 html_failed "${TESTNAME} (${COUNT}) - delete cert" cert_log "ERROR: ${TESTNAME} - delete cert failed" return 1 fi html_passed "${TESTNAME} (${COUNT})" return 0 } cert_inc_count() { COUNT=`expr ${COUNT} + 1` } ############################## cert_crl_ssl ############################ # test adding subject-alt-name, dumping, and adding generic extension ######################################################################## cert_san_and_generic_extensions() { EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}" CERTNAME="-n WithSAN" MAKE="-S -t ,, -x -z ${R_NOISE_FILE}" SUBJ="CN=example.com" TESTNAME="san-and-generic-extensions" cert_inc_count cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ "--extSAN example.com" 255 \ "create cert with invalid SAN parameter" cert_inc_count cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ "--extSAN example.com,dns:www.example.com" 255 \ "create cert with invalid SAN parameter" TN="create cert with valid SAN parameter" cert_inc_count cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ "--extSAN dns:example.com,dns:www.example.com" 0 \ "${TN}" cert_inc_count cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \ "${TN}" cert_inc_count cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \ "dump extension 2.5.29.17 to file ${EXTDUMP}" cert_inc_count cert_delete "${DIR}" "${CERTNAME}" 0 \ "${TN}" cert_inc_count cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ "expect failure to list cert, because we deleted it" cert_inc_count cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ "--extGeneric ${EXTDUMP}" 255 \ "create cert with invalid generic ext parameter" cert_inc_count cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ "--extGeneric not-critical:${EXTDUMP}" 255 \ "create cert with invalid generic ext parameter" cert_inc_count cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \ "create cert with invalid generic ext parameter" TN="create cert with valid generic ext parameter" cert_inc_count cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \ "${TN}" cert_inc_count cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \ "${TN}" cert_inc_count cert_delete "${DIR}" "${CERTNAME}" 0 \ "${TN}" cert_inc_count cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ "expect failure to list cert, because we deleted it" } ############################## cert_crl_ssl ############################ # local shell function to generate certs and crls for SSL tests ######################################################################## cert_crl_ssl() { ################# Creating Certs ################################### # CERTFAILED=0 CERTSERIAL=${CRL_GRP_1_BEGIN} cd $CADIR PROFILEDIR=`cd ${CLIENTDIR}; pwd` if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then PROFILEDIR=`cygpath -m ${PROFILEDIR}` fi CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1` echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ===" CU_ACTION="Creating client test certs" while [ $CERTSERIAL -le $CRL_GRPS_END ] do CERTNAME="TestUser$CERTSERIAL" cert_add_cert CERTSERIAL=`expr $CERTSERIAL + 1 ` done #################### CRL Creation ############################## CRL_GEN_RES=0 echo "$SCRIPTNAME: Creating CA CRL =====================================" CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1` CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END} CRL_FILE=${CRL_FILE_GRP_1} CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority" CRL_GRP_END_=`expr ${CRL_GRP_END} - 1` crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \ -o ${CRL_FILE_GRP_1}_or < file ############################# Modification ################################## echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============" sleep 2 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` CU_ACTION="Modify CRL by adding one more cert" crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \ -i ${CRL_FILE_GRP_1}_or <&1 # finally make sure we can use the old key with the new password CU_ACTION="Generate Certificate for ${CERTNAME} with new password" CU_SUBJECT="CN=${CERTNAME}, E=password@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1 if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: PASSWORD passed" fi CU_ACTION="Verify Certificate for ${CERTNAME} with new password" certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 } ############################### # test if we can distrust a certificate. # # we create 3 new certs: # 1 leaf signed by the trusted root. # 1 intermediate signed by the trusted root. # 1 leaf signed by the intermediate. # # we mark the first leaf and the intermediate as explicitly untrusted. # we then try to verify the two leaf certs for our possible usages. # All verification should fail. # cert_test_distrust() { echo "$SCRIPTNAME: Creating Distrusted Certificate" cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST} CU_ACTION="Mark CERT as unstrusted" certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1 echo "$SCRIPTNAME: Creating Distrusted Intermediate" CERTNAME="DistrustedCA" ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1 CU_ACTION="Import Distrusted Intermediate" certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1 # now create the last leaf signed by our distrusted CA # since it's not signed by TestCA it requires more steps. CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA" CERTNAME="LeafChainedToDistrustedCA" CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" cp ${CERTDIR}/req ${CADIR} certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import $CERTNAME's Cert -t u,u,u" certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 RETEXPECTED=255 CU_ACTION="Verify ${CERTNAME} Cert for SSL Server" certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for SSL Client" certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for Email signer" certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for Email recipient" certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder" certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for Object Signer" certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CERTNAME="Distrusted" CU_ACTION="Verify ${CERTNAME} Cert for SSL Server" certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for SSL Client" certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for Email signer" certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for Email recipient" certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder" certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Verify ${CERTNAME} Cert for Object Signer" certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 RETEXPECTED=0 } cert_test_ocspresp() { echo "$SCRIPTNAME: OCSP response creation selftest" OR_ACTION="perform selftest" RETEXPECTED=0 ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1 } cert_test_implicit_db_init() { echo "$SCRIPTNAME: test implicit database init" CU_ACTION="Add cert with trust flags to db with implicit init" mkdir ${IMPLICIT_INIT_DIR} certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert" } cert_test_token_uri() { echo "$SCRIPTNAME: specify token with PKCS#11 URI" CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'` BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'` CU_ACTION="List keys in NSS Certificate DB" certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI} # This token shouldn't have any keys CU_ACTION="List keys in NSS Builtin Objects" RETEXPECTED=255 certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI} RETEXPECTED=0 } check_sign_algo() { certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ sed -n '/^ *Data:/,/^$/{ /^ Signature Algorithm/,/^ *Salt length/s/^ //p }' > ${TMP}/signalgo.txt diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt RET=$? if [ "$RET" -ne 0 ]; then CERTFAILED=$RET html_failed "${CU_ACTION} ($RET) " cert_log "ERROR: ${CU_ACTION} failed $RET" else html_passed "${CU_ACTION}" fi } cert_test_rsapss() { TEMPFILES="$TEMPFILES ${TMP}/signalgo.exp ${TMP}/signalgo.txt" cert_init_cert "${RSAPSSDIR}" "RSA-PSS Test Cert" 1000 "${D_RSAPSS}" CU_ACTION="Initialize Cert DB" certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 CU_ACTION="Import RSA CA Cert" certu -A -n "TestCA" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${R_CADIR}/TestCA.ca.cert" 2>&1 CU_ACTION="Import RSA-PSS CA Cert" certu -A -n "TestCA-rsa-pss" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${R_CADIR}/TestCA-rsa-pss.ca.cert" 2>&1 CU_ACTION="Verify RSA-PSS CA Cert" certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}" CU_ACTION="Import RSA-PSS CA Cert (SHA1)" certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)" certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1 RETEXPECTED=255 certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 RETEXPECTED=0 CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)" certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1 RETEXPECTED=255 certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 RETEXPECTED=0 CERTSERIAL=200 # Subject certificate: RSA # Issuer certificate: RSA # Signature: RSA-PSS (explicit, with --pss-sign) CERTNAME="TestUser-rsa-pss1" CU_ACTION="Generate Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" cat > ${TMP}/signalgo.exp <&1 CU_ACTION="Sign ${CERTNAME}'s Request" certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" cat > ${TMP}/signalgo.exp <&1 CU_ACTION="Sign ${CERTNAME}'s Request" certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" cat > ${TMP}/signalgo.exp <&1 CU_ACTION="Sign ${CERTNAME}'s Request" certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" cat > ${TMP}/signalgo.exp <&1 CU_ACTION="Sign ${CERTNAME}'s Request" certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" cat > ${TMP}/signalgo.exp <&1 CU_ACTION="Sign ${CERTNAME}'s Request" # Sign without --pss-sign nor -Z option certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" cat > ${TMP}/signalgo.exp <&1 CU_ACTION="Sign ${CERTNAME}'s Request" RETEXPECTED=255 certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 RETEXPECTED=0 CERTSERIAL=`expr $CERTSERIAL + 1` # Subject certificate: RSA-PSS # Issuer certificate: RSA-PSS # Signature: RSA-PSS (with compatible hash algorithm) CERTNAME="TestUser-rsa-pss8" CU_ACTION="Generate Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" cat > ${TMP}/signalgo.exp <&1 CU_ACTION="Sign ${CERTNAME}'s Request" certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" cat > ${TMP}/signalgo.exp <&1 CU_ACTION="Sign ${CERTNAME}'s Request" # Sign without --pss-sign nor -Z option certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" cat > ${TMP}/signalgo.exp <&1 CU_ACTION="Sign ${CERTNAME}'s Request" RETEXPECTED=255 certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 RETEXPECTED=0 } cert_test_orphan_key_delete() { CU_ACTION="Create orphan key in serverdir" certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR} # Let's get the key ID of the first orphan key. # The output of certutil -K (list keys) isn't well formatted. # The initial part may or may not contain white space, which # makes the use of awk to filter the column unreliable. # To fix that, we remove the initial field using sed, then select the # column that contains the key ID. ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \ sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'` CU_ACTION="Delete orphan key" certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR} # Ensure that the key is removed certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN} RET=$? if [ "$RET" -eq 0 ]; then html_failed "Deleting orphan key ($RET)" cert_log "ERROR: Deleting orphan key failed $RET" fi } cert_test_orphan_key_reuse() { CU_ACTION="Create orphan key in serverdir" certu -G -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR} # Let's get the key ID of the first orphan key. # The output of certutil -K (list keys) isn't well formatted. # The initial part may or may not contain white space, which # makes the use of awk to filter the column unreliable. # To fix that, we remove the initial field using sed, then select the # column that contains the key ID. ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \ sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'` CU_ACTION="Create cert request for orphan key" certu -R -f "${R_PWFILE}" -k ${ORPHAN} -s "CN=orphan" -d ${PROFILEDIR} \ -o ${SERVERDIR}/orphan.req # Ensure that creating the request really works by listing it, and check # if listing was successful. ${BINDIR}/pp -t certificate-request -i ${SERVERDIR}/orphan.req RET=$? if [ "$RET" -ne 0 ]; then html_failed "Listing cert request for orphan key ($RET)" cert_log "ERROR: Listing cert request for orphan key failed $RET" fi } cert_test_rsapss_policy() { CERTSERIAL=`expr $CERTSERIAL + 1` CERTNAME="TestUser-rsa-pss-policy" # Subject certificate: RSA-PSS # Issuer certificate: RSA # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1) CU_ACTION="Generate Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 CU_ACTION="Import $CERTNAME's Cert" certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${CERTNAME}.cert" 2>&1 CU_ACTION="Verify $CERTNAME's Cert" certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}" CU_ACTION="Verify $CERTNAME's Cert with Policy" cp ${PROFILEDIR}/pkcs11.txt pkcs11.txt.orig cat >> ${PROFILEDIR}/pkcs11.txt << ++EOF++ library= name=Policy config="disallow=SHA1" ++EOF++ RETEXPECTED=255 certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}" RETEXPECTED=0 cp pkcs11.txt.orig ${PROFILEDIR}/pkcs11.txt } ############################## cert_cleanup ############################ # local shell function to finish this script (no exit since it might be # sourced) ######################################################################## cert_cleanup() { cert_log "$SCRIPTNAME: finished $SCRIPTNAME" html "
" cd ${QADIR} . common/cleanup.sh } ################## main ################################################# cert_init cert_all_CA cert_test_implicit_db_init cert_extended_ssl cert_ssl cert_test_orphan_key_delete cert_test_orphan_key_reuse cert_smime_client IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED` if [ $IS_FIPS_DISABLED -ne 0 ]; then cert_rsa_exponent_nonfips else cert_fips fi cert_eccurves cert_extensions cert_san_and_generic_extensions cert_test_password cert_test_distrust cert_test_ocspresp cert_test_rsapss if [ "${TEST_MODE}" = "SHARED_DB" ] ; then cert_test_rsapss_policy fi cert_test_token_uri if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then cert_crl_ssl else echo "$SCRIPTNAME: Skipping CRL Tests" fi if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then cert_stresscerts fi cert_iopr_setup cert_cleanup