#! /bin/bash # # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. ######################################################################## # # mozilla/security/nss/tests/iopr/cert_iopr.sh # # Certificate generating and handeling for NSS interoperability QA. This file # is included from cert.sh # # needs to work on all Unix and Windows platforms # # special strings # --------------- # FIXME ... known problems, search for this string # NOTE .... unexpected behavior ######################################################################## IOPR_CERT_SOURCED=1 ######################################################################## # function wraps calls to pk12util, also: writes action and options # to stdout. # Params are the same as to pk12util. # Returns pk12util status # pk12u() { echo "${CU_ACTION} --------------------------" echo "pk12util $@" ${BINDIR}/pk12util $@ RET=$? return $RET } ######################################################################## # Initializes nss db directory and files if they don't exists # Params: # $1 - directory location # createDBDir() { trgDir=$1 if [ -z "`ls $trgDir | grep db`" ]; then trgDir=`cd ${trgDir}; pwd` if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then trgDir=`cygpath -m ${trgDir}` fi CU_ACTION="Initializing DB at ${trgDir}" certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi CU_ACTION="Loading root cert module to Cert DB at ${trgDir}" modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi fi } ######################################################################## # takes care of downloading config, cert and crl files from remote # location. # Params: # $1 - name of the host file will be downloaded from # $2 - path to the file as it appeared in url # $3 - target directory the file will be saved at. # Returns tstclnt status. # download_file() { host=$1 filePath=$2 trgDir=$3 file=$trgDir/`basename $filePath` createDBDir $trgDir || return $RET # echo wget -O $file http://${host}${filePath} # wget -O $file http://${host}${filePath} # ret=$? req=$file.$$ echo "GET $filePath HTTP/1.0" > $req echo >> $req echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ -v -w ${R_PWFILE} -o ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ -v -w ${R_PWFILE} -o < $req > $file ret=$? rm -f $_tmp; return $ret } ######################################################################## # Uses pk12util, certutil of cerlutil to import files to an nss db located # at (the value of $1 parameter). Chooses a utility to use based on # a file extension. Initializing a db if it does not exists. # Params: # $1 - db location directory # $2 - file name to import # $3 - nick name an object in the file will be associated with # $4 - trust arguments # Returns status of import # importFile() { dir=$1\ file=$2 certName=$3 certTrust=$4 [ ! -d $dir ] && mkdir -p $dir; createDBDir $dir || return $RET case `basename $file | sed 's/^.*\.//'` in p12) CU_ACTION="Importing p12 $file to DB at $dir" pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr [ $? -ne 0 ] && return 1 CU_ACTION="Modifying trust for cert $certName at $dir" certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" return $? ;; crl) CU_ACTION="Importing crl $file to DB at $dir" crlu -d ${dir} -I -n TestCA -i $file return $? ;; crt | cert) CU_ACTION="Importing cert $certName with trust $certTrust to $dir" certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \ -i "$file" return $? ;; *) echo "Unknown file extension: $file:" return 1 ;; esac } ######################################################################### # Downloads and installs test certs and crl from a remote webserver. # Generates server cert for reverse testing if reverse test run is turned on. # Params: # $1 - host name to download files from. # $2 - directory at which CA cert will be installed and used for # signing a server cert. # $3 - path to a config file in webserver context. # $4 - ssl server db location # $5 - ssl client db location # $5 - ocsp client db location # # Returns 0 upon success, otherwise, failed command error code. # download_install_certs() { host=$1 caDir=$2 confPath=$3 sslServerDir=$4 sslClientDir=$5 ocspClientDir=$6 [ ! -d "$caDir" ] && mkdir -p $caDir; #======================================================= # Getting config file # download_file $host "$confPath/iopr_server.cfg" $caDir RET=$? if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then html_failed "Fail to download website config file(ws: $host)" return 1 fi . $caDir/iopr_server.cfg RET=$? if [ $RET -ne 0 ]; then html_failed "Fail to source config file(ws: $host)" return $RET fi #======================================================= # Getting CA file # #----------------- !!!WARNING!!! ----------------------- # Do NOT copy this scenario. CA should never accompany its # cert with the private key when deliver cert to a customer. #----------------- !!!WARNING!!! ----------------------- download_file $host $certDir/$caCertName.p12 $caDir RET=$? if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then html_failed "Fail to download $caCertName cert(ws: $host)" return 1 fi tmpFiles="$caDir/$caCertName.p12" importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C" RET=$? if [ $RET -ne 0 ]; then html_failed "Fail to import $caCertName cert to CA DB(ws: $host)" return $RET fi CU_ACTION="Exporting Root CA cert(ws: $host)" certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert if [ "$RET" -ne 0 ]; then Exit 7 "Fatal - failed to export $caCertName cert" fi #======================================================= # Check what tests we want to run # doSslTests=0; doOcspTests=0 # XXX remove "_new" from variables below [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1 [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1 if [ $doSslTests -eq 1 ]; then if [ "$reverseRunCGIScript" ]; then [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir; #======================================================= # Import CA cert to server DB # importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \ "TC,C,C" RET=$? if [ $RET -ne 0 ]; then html_failed "Fail to import server-client-CA cert to \ server DB(ws: $host)" return $RET fi #======================================================= # Creating server cert # CERTNAME=$HOSTADDR CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, \ L=Mountain View, ST=California, C=US" certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\ -o $sslServerDir/req 2>&1 tmpFiles="$tmpFiles $sslServerDir/req" # NOTE: # For possible time synchronization problems (bug 444308) we generate # certificates valid also some time in past (-w -1) CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)" certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \ -d "${caDir}" \ -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \ -f "${R_PWFILE}" 2>&1 importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",," RET=$? if [ $RET -ne 0 ]; then html_failed "Fail to import $CERTNAME cert to server\ DB(ws: $host)" return $RET fi tmpFiles="$tmpFiles $caDir/$CERTNAME.cert" #======================================================= # Download and import CA crl to server DB # download_file $host "$certDir/$caCrlName.crl" $sslServerDir RET=$? if [ $? -ne 0 ]; then html_failed "Fail to download $caCertName crl\ (ws: $host)" return $RET fi tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl" importFile $sslServerDir $sslServerDir/TestCA.crl RET=$? if [ $RET -ne 0 ]; then html_failed "Fail to import TestCA crt to server\ DB(ws: $host)" return $RET fi fi # if [ "$reverseRunCGIScript" ] [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir; #======================================================= # Import CA cert to ssl client DB # importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \ "TC,C,C" RET=$? if [ $RET -ne 0 ]; then html_failed "Fail to import server-client-CA cert to \ server DB(ws: $host)" return $RET fi fi if [ $doOcspTests -eq 1 ]; then [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir; #======================================================= # Import CA cert to ocsp client DB # importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \ "TC,C,C" RET=$? if [ $RET -ne 0 ]; then html_failed "Fail to import server-client-CA cert to \ server DB(ws: $host)" return $RET fi fi #======================================================= # Import client certs to client DB # for fileName in $downloadFiles; do certName=`echo $fileName | sed 's/\..*//'` if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then clientDir=$ocspClientDir elif [ $doSslTests -eq 1 ]; then clientDir=$sslClientDir else continue fi download_file $host "$certDir/$fileName" $clientDir RET=$? if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then html_failed "Fail to download $certName cert(ws: $host)" return $RET fi tmpFiles="$tmpFiles $clientDir/$fileName" importFile $clientDir $clientDir/$fileName $certName ",," RET=$? if [ $RET -ne 0 ]; then html_failed "Fail to import $certName cert to client DB\ (ws: $host)" return $RET fi done rm -f $tmpFiles return 0 } ######################################################################### # Initial point for downloading config, cert, crl files for multiple hosts # involved in interoperability testing. Called from nss/tests/cert/cert.sh # It will only proceed with downloading if environment variable # IOPR_HOSTADDR_LIST is set and has a value of host names separated by space. # # Returns 1 if interoperability testing is off, 0 otherwise. # cert_iopr_setup() { if [ "$IOPR" -ne 1 ]; then return 1 fi num=1 IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '` while [ "$IOPR_HOST_PARAM" ]; do IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443 IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'` [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr" echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\ $IOPR_CONF_PATH" download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \ ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \ ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \ ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} if [ $? -ne 0 ]; then echo "wsFlags=\"NOIOPR $wsParam\"" >> \ ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg fi num=`expr $num + 1` IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` done return 0 }