Diffstat (limited to '')
-rw-r--r-- | security/nss/tests/iopr/cert_iopr.sh | 405 | ||||
-rw-r--r-- | security/nss/tests/iopr/ocsp_iopr.sh | 231 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/apache_unix.cfg | 47 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/cert_gen.sh | 367 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/cipher.list | 98 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/client.cgi | 526 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/config | 17 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/iis_windows.cfg | 33 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/iopr_server.cfg | 67 | ||||
-rw-r--r-- | security/nss/tests/iopr/server_scr/sslreq.dat | 2 | ||||
-rw-r--r-- | security/nss/tests/iopr/ssl_iopr.sh | 643 |
11 files changed, 2436 insertions, 0 deletions
diff --git a/security/nss/tests/iopr/cert_iopr.sh b/security/nss/tests/iopr/cert_iopr.sh
new file mode 100644
index 0000000000..b162a2d81c
--- /dev/null
+++ b/security/nss/tests/iopr/cert_iopr.sh
@@ -0,0 +1,405 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/iopr/cert_iopr.sh +# +# Certificate generating and handeling for NSS interoperability QA. This file +# is included from cert.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## + +IOPR_CERT_SOURCED=1 + +######################################################################## +# function wraps calls to pk12util, also: writes action and options +# to stdout. +# Params are the same as to pk12util. +# Returns pk12util status +# +pk12u() +{ + echo "${CU_ACTION} --------------------------" + + echo "pk12util $@" + ${BINDIR}/pk12util $@ + RET=$? + + return $RET +} + +######################################################################## +# Initializes nss db directory and files if they don't exists +# Params: +# $1 - directory location +# +createDBDir() { + trgDir=$1 + + if [ -z "`ls $trgDir | grep db`" ]; then + trgDir=`cd ${trgDir}; pwd` + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then + trgDir=`cygpath -m ${trgDir}` + fi + + CU_ACTION="Initializing DB at ${trgDir}" + certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Loading root cert module to Cert DB at ${trgDir}" + modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + fi +} +######################################################################## +# takes care of downloading config, cert and crl files from remote +# location. 
+# Params: +# $1 - name of the host file will be downloaded from +# $2 - path to the file as it appeared in url +# $3 - target directory the file will be saved at. +# Returns tstclnt status. +# +download_file() { + host=$1 + filePath=$2 + trgDir=$3 + + file=$trgDir/`basename $filePath` + + createDBDir $trgDir || return $RET + +# echo wget -O $file http://${host}${filePath} +# wget -O $file http://${host}${filePath} +# ret=$? + + req=$file.$$ + echo "GET $filePath HTTP/1.0" > $req + echo >> $req + + echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ + -v -w ${R_PWFILE} -o + ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ + -v -w ${R_PWFILE} -o < $req > $file + ret=$? + rm -f $_tmp; + return $ret +} + +######################################################################## +# Uses pk12util, certutil of cerlutil to import files to an nss db located +# at <dir>(the value of $1 parameter). Chooses a utility to use based on +# a file extension. Initializing a db if it does not exists. +# Params: +# $1 - db location directory +# $2 - file name to import +# $3 - nick name an object in the file will be associated with +# $4 - trust arguments +# Returns status of import +# +importFile() { + dir=$1\ + file=$2 + certName=$3 + certTrust=$4 + + [ ! -d $dir ] && mkdir -p $dir; + + createDBDir $dir || return $RET + + case `basename $file | sed 's/^.*\.//'` in + p12) + CU_ACTION="Importing p12 $file to DB at $dir" + pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr + [ $? -ne 0 ] && return 1 + CU_ACTION="Modifying trust for cert $certName at $dir" + certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" + return $? + ;; + + crl) + CU_ACTION="Importing crl $file to DB at $dir" + crlu -d ${dir} -I -n TestCA -i $file + return $? + ;; + + crt | cert) + CU_ACTION="Importing cert $certName with trust $certTrust to $dir" + certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \ + -i "$file" + return $? 
+ ;; + + *) + echo "Unknown file extension: $file:" + return 1 + ;; + esac +} + + +######################################################################### +# Downloads and installs test certs and crl from a remote webserver. +# Generates server cert for reverse testing if reverse test run is turned on. +# Params: +# $1 - host name to download files from. +# $2 - directory at which CA cert will be installed and used for +# signing a server cert. +# $3 - path to a config file in webserver context. +# $4 - ssl server db location +# $5 - ssl client db location +# $5 - ocsp client db location +# +# Returns 0 upon success, otherwise, failed command error code. +# +download_install_certs() { + host=$1 + caDir=$2 + confPath=$3 + sslServerDir=$4 + sslClientDir=$5 + ocspClientDir=$6 + + [ ! -d "$caDir" ] && mkdir -p $caDir; + + #======================================================= + # Getting config file + # + download_file $host "$confPath/iopr_server.cfg" $caDir + RET=$? + if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then + html_failed "Fail to download website config file(ws: $host)" + return 1 + fi + + . $caDir/iopr_server.cfg + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to source config file(ws: $host)" + return $RET + fi + + #======================================================= + # Getting CA file + # + + #----------------- !!!WARNING!!! ----------------------- + # Do NOT copy this scenario. CA should never accompany its + # cert with the private key when deliver cert to a customer. + #----------------- !!!WARNING!!! ----------------------- + + download_file $host $certDir/$caCertName.p12 $caDir + RET=$? + if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then + html_failed "Fail to download $caCertName cert(ws: $host)" + return 1 + fi + tmpFiles="$caDir/$caCertName.p12" + + importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C" + RET=$? 
+ if [ $RET -ne 0 ]; then + html_failed "Fail to import $caCertName cert to CA DB(ws: $host)" + return $RET + fi + + CU_ACTION="Exporting Root CA cert(ws: $host)" + certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export $caCertName cert" + fi + + #======================================================= + # Check what tests we want to run + # + doSslTests=0; doOcspTests=0 + # XXX remove "_new" from variables below + [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1 + [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1 + + if [ $doSslTests -eq 1 ]; then + if [ "$reverseRunCGIScript" ]; then + [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir; + #======================================================= + # Import CA cert to server DB + # + importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \ + "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import server-client-CA cert to \ + server DB(ws: $host)" + return $RET + fi + + #======================================================= + # Creating server cert + # + CERTNAME=$HOSTADDR + + CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, \ + L=Mountain View, ST=California, C=US" + certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\ + -o $sslServerDir/req 2>&1 + tmpFiles="$tmpFiles $sslServerDir/req" + + # NOTE: + # For possible time synchronization problems (bug 444308) we generate + # certificates valid also some time in past (-w -1) + + CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)" + certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \ + -d "${caDir}" \ + -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \ + -f "${R_PWFILE}" 2>&1 + + importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",," + RET=$? 
+ if [ $RET -ne 0 ]; then + html_failed "Fail to import $CERTNAME cert to server\ + DB(ws: $host)" + return $RET + fi + tmpFiles="$tmpFiles $caDir/$CERTNAME.cert" + + #======================================================= + # Download and import CA crl to server DB + # + download_file $host "$certDir/$caCrlName.crl" $sslServerDir + RET=$? + if [ $? -ne 0 ]; then + html_failed "Fail to download $caCertName crl\ + (ws: $host)" + return $RET + fi + tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl" + + importFile $sslServerDir $sslServerDir/TestCA.crl + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import TestCA crt to server\ + DB(ws: $host)" + return $RET + fi + fi # if [ "$reverseRunCGIScript" ] + + [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir; + #======================================================= + # Import CA cert to ssl client DB + # + importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \ + "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import server-client-CA cert to \ + server DB(ws: $host)" + return $RET + fi + fi + + if [ $doOcspTests -eq 1 ]; then + [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir; + #======================================================= + # Import CA cert to ocsp client DB + # + importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \ + "TC,C,C" + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import server-client-CA cert to \ + server DB(ws: $host)" + return $RET + fi + fi + + #======================================================= + # Import client certs to client DB + # + for fileName in $downloadFiles; do + certName=`echo $fileName | sed 's/\..*//'` + + if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then + clientDir=$ocspClientDir + elif [ $doSslTests -eq 1 ]; then + clientDir=$sslClientDir + else + continue + fi + + download_file $host "$certDir/$fileName" $clientDir + RET=$? + if [ $RET -ne 0 -o ! 
-f $clientDir/$fileName ]; then + html_failed "Fail to download $certName cert(ws: $host)" + return $RET + fi + tmpFiles="$tmpFiles $clientDir/$fileName" + + importFile $clientDir $clientDir/$fileName $certName ",," + RET=$? + if [ $RET -ne 0 ]; then + html_failed "Fail to import $certName cert to client DB\ + (ws: $host)" + return $RET + fi + done + + rm -f $tmpFiles + + return 0 +} + + +######################################################################### +# Initial point for downloading config, cert, crl files for multiple hosts +# involved in interoperability testing. Called from nss/tests/cert/cert.sh +# It will only proceed with downloading if environment variable +# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space. +# +# Returns 1 if interoperability testing is off, 0 otherwise. +# +cert_iopr_setup() { + + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443 + IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'` + [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr" + + echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\ + $IOPR_CONF_PATH" + + download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \ + ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} + if [ $? -ne 0 ]; then + echo "wsFlags=\"NOIOPR $wsParam\"" >> \ + ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + fi + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + done + + return 0 +} diff --git a/security/nss/tests/iopr/ocsp_iopr.sh b/security/nss/tests/iopr/ocsp_iopr.sh new file mode 100644 index 0000000000..dcc6e1ffbd --- /dev/null 
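Review bot: In download_install_certs the CRL download is effectively unchecked: after `download_file $host "$certDir/$caCrlName.crl" $sslServerDir` the code stores `RET=$?` but then tests `if [ $? -ne 0 ]`, i.e. the status of the assignment, which is always 0, so a failed download falls straight through to `importFile`; it should read `if [ $RET -ne 0 ]` like the neighbouring checks, and the import should name the file it just fetched (`$sslServerDir/$caCrlName.crl`) rather than the hard-coded `TestCA.crl`. In download_file the request file `$req` (created as `$file.$$` inside the DB directory) is never deleted because the cleanup line is `rm -f $_tmp;` with a variable nothing assigns — `rm -f $req` is what was meant. download_file also runs tstclnt with `-o`, which makes it accept a server certificate that fails validation, and the fetched iopr_server.cfg is then sourced with `. $caDir/iopr_server.cfg`, so anything answering on `$IOPR_DOWNLOAD_PORT` can execute shell in the test run; that is probably acceptable for a closed interop lab, but the header comment should state that trust assumption explicitly instead of leaving it to be discovered. Minor: `dir=$1\` in importFile has a stray trailing backslash that splices the next line onto it; it only works because `dir=$1 file=$2` happens to be two valid assignments.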
+++ b/security/nss/tests/iopr/ocsp_iopr.sh 
@@ -0,0 +1,231 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/iopr/ocsp_iopr.sh +# +# NSS SSL interoperability QA. This file is included from ssl.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## +IOPR_OCSP_SOURCED=1 + +######################################################################## +# The funtion works with variables defined in interoperability +# configuration file that gets downloaded from a webserver. +# The function sets test parameters defind for a particular type +# of testing. +# +# No return value +# +setTestParam() { + type=$1 + testParam=`eval 'echo $'${type}Param` + testDescription=`eval 'echo $'${type}Descr` + testProto=`eval 'echo $'${type}Proto` + testPort=`eval 'echo $'${type}Port` + testResponder=`eval 'echo $'${type}ResponderCert` + testValidCertNames=`eval 'echo $'${type}ValidCertNames` + testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames` + testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames` +} + +######################################################################## +# The funtion checks status of a cert using ocspclnt. +# Params: +# dbDir - nss cert db location +# cert - cert in question +# respUrl - responder url is available +# defRespCert - trusted responder cert +# +# Return values: +# 0 - test passed, 1 - otherwise. 
+# +ocsp_get_cert_status() { + dbDir=$1 + cert=$2 + respUrl=$3 + defRespCert=$4 + + if [ -n "$respUrl" -o -n "$defRespCert" ]; then + if [ -z "$respUrl" -o -z "$defRespCert" ]; then + html_failed "Incorrect test params" + return 1 + fi + clntParam="-l $respUrl -t $defRespCert" + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + outFile=$dbDir/ocsptest.out.$$ + echo "ocspclnt -d $dbDir -S $cert $clntParam" + ${BINDIR}/ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1 + ret=$? + echo "ocspclnt output:" + cat $outFile + [ -z "`grep succeeded $outFile`" ] && ret=1 + + rm -f $outFile + return $ret + fi + + OCSP_ATTR="-d $dbDir -S $cert $clntParam" + ${RUN_COMMAND_DBG} ${BINDIR}/ocspclnt ${OCSP_ATTR} +} + +######################################################################## +# The funtion checks status of a cert using ocspclnt. +# Params: +# testType - type of the test based on type of used responder +# servName - FQDM of the responder server +# dbDir - nss cert db location +# +# No return value +# +ocsp_iopr() { + testType=$1 + servName=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOCOV`" != "" ]; then + echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \ + "Test Type: $testDescription" + fi + + if [ -n "$testResponder" ]; then + responderUrl="$testProto://$servName:$testPort" + else + responderUrl="" + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + for certName in $testValidCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 0 "Getting status of a valid cert ($certName)" \ + "produced a returncode of $ret, expected is 0." + done + + for certName in $testRevokedCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 
1 "Getting status of a unvalid cert ($certName)" \ + "produced a returncode of $ret, expected is 1." + done + + for certName in $testStatUnknownCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 1 "Getting status of a cert with unknown status " \ + "($certName) produced a returncode of $ret, expected is 1." + done + else + for certName in $testValidCertNames $testRevokedCertNames \ + $testStatUnknownCertName; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + done + fi +} + +##################################################################### +# Initial point for running ocsp test againt multiple hosts involved in +# interoperability testing. Called from nss/tests/ocsp/ocsp.sh +# It will only proceed with test run for a specific host if environment variable +# IOPR_HOSTADDR_LIST was set, had the host name in the list +# and all needed file were successfully downloaded and installed for the host. +# +# Returns 1 if interoperability testing is off, 0 otherwise. +# +ocsp_iopr_run() { + NO_ECC_CERTS=1 # disable ECC for interoperability tests + + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + cd ${CLIENTDIR} + + if [ -n "${MEMLEAK_DBG}" ]; then + html_head "Memory leak checking - IOPR" + fi + + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443 + + . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + RES=$? 
+ + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + + if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then + continue + fi + + #======================================================= + # Check what server is configured to run ssl tests + # + [ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue; + + # Testing directories defined by webserver. + if [ -n "${MEMLEAK_DBG}" ]; then + LOGNAME=iopr-${IOPR_HOSTADDR} + LOGFILE=${LOGDIR}/${LOGNAME}.log + fi + + # Testing directories defined by webserver. + echo "Testing ocsp interoperability. + Client: local(tstclnt). + Responder: remote($IOPR_HOSTADDR)" + + for ocspTestType in ${supportedTests_new}; do + if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then + continue + fi + if [ -n "${MEMLEAK_DBG}" ]; then + ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} 2>> ${LOGFILE} + else + ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} + fi + done + + if [ -n "${MEMLEAK_DBG}" ]; then + log_parse + ret=$? + html_msg ${ret} 0 "${LOGNAME}" \ + "produced a returncode of $ret, expected is 0" + fi + + echo "================================================" + echo "Done testing ocsp interoperability with $IOPR_HOSTADDR" + done + + if [ -n "${MEMLEAK_DBG}" ]; then + html "</TABLE><BR>" + fi + + NO_ECC_CERTS=0 + return 0 +} + diff --git a/security/nss/tests/iopr/server_scr/apache_unix.cfg b/security/nss/tests/iopr/server_scr/apache_unix.cfg new file mode 100644 index 0000000000..3992bf52d7 --- /dev/null +++ b/security/nss/tests/iopr/server_scr/apache_unix.cfg 
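Review bot: ocsp_get_cert_status never resets `clntParam`, so once one test type has supplied a responder URL and a trusted-responder cert, a later test type in the same run that passes empty `respUrl`/`defRespCert` (the `responderUrl=""` branch in ocsp_iopr) silently reuses the previous `-l`/`-t` arguments and is not testing what its description says; add `clntParam=""` as the first statement of the function. The memory-leak branch of ocsp_iopr iterates `$testStatUnknownCertName` (singular) while setTestParam fills `testStatUnknownCertNames`, so the unknown-status certs are skipped there. Separately, the pass criterion for revoked and unknown certs is just "ocspclnt did not print succeeded", which is also what an unreachable responder or a bad command line produces, so those two loops pass even when no OCSP exchange happened; if ocspclnt's output distinguishes a revoked answer from a transport failure (I cannot tell from this hunk) it would be worth matching on that instead.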
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# Apache OPENSSL configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "openssl";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "$certDir/cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed openssl binary
+#
+$opensslb = "/usr/local/bin/openssl";
+
+
+#
+# General location of apache server
+#
+$apacheHttpd="/var/httpd-ssl";
+
+#
+# HTTP Request file
+#
+$reqFile = "$apacheHttpd/cgi-bin/sslreq.dat";
+
+#
+# OpenSSL certificate directory
+#
+$certDir = "$apacheHttpd/cert";
+
+#
+# CA certificate file
+#
+$caCertFile = "$certDir/serverCA.crt";
diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh
new file mode 100644
index 0000000000..6611a0f416
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
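Review bot: `$cipherTableFile = "$certDir/cipher.list";` is evaluated before `$certDir` is assigned further down the file, so if this config is read top to bottom by the Perl CGI (`do`/`require`, as the `$var = ...;` syntax suggests) `$certDir` interpolates as empty and the cipher table path becomes `/cipher.list`. Move the `$apacheHttpd` and `$certDir` assignments above it, or define `$cipherTableFile` after `$certDir`; `$caCertFile` on the last line already follows the correct order. I cannot see the consumer in this hunk, so if it re-evaluates the file after defaults are set this is moot — but the ordering is still misleading to the next editor.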
@@ -0,0 +1,367 @@ +#!/bin/bash + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +###################################################################################### +# Server and client certs and crl generator functions. Generated files placed in a <dir> +# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory. +# This functions is used for manual webserver configuration and it is not a part of +# nss test run. +# To create certs use the following command: +# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req] +# Where: +# dir - directory where to place created files +# cert name - name of created server cert(FQDN) +# cert req - cert request to be used for cert generation. +# +repAndExec() { + echo + if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then + shift + echo certutil -s "$CU_SUBJECT" $@ + certutil -s "$CU_SUBJECT" $@ + RET=$? + else + echo $@ + $@ + RET=$? 
+ fi + + return $RET +} + +setExtData() { + extData=$1 + + fldNum=0 + extData=`echo $extData | sed 's/,/ /g'` + for extDT in $extData; do + if [ $fldNum -eq 0 ]; then + eval extType=$extDT + fldNum=1 + continue + fi + eval data${fldNum}=$extDT + fldNum=`expr $fldNum + 1` + done +} + +signCert() { + dir=$1 + crtDir=$2 + crtName=$3 + crtSN=$4 + req=$5 + cuAddParam=$6 + extList=$7 + + if [ -z "$certSigner" ]; then + certSigner=TestCA + fi + + extCmdLine="" + extCmdFile=$dir/extInFile; rm -f $extCmdFile + touch $extCmdFile + extList=`echo $extList | sed 's/;/ /g'` + for ext in $extList; do + setExtData $ext + [ -z "$extType" ] && echo "incorrect extention format" && return 1 + case $extType in + ocspDR) + extCmdLine="$extCmdLine -6" + cat <<EOF >> $extCmdFile +5 +9 +y +EOF + break + exit 1 + ;; + AIA) + extCmdLine="$extCmdLine -9" + cat <<EOF >> $extCmdFile +2 +7 +$data1 +0 +n +n +EOF + break + ;; + *) + echo "Unsupported extension type: $extType" + break + ;; + esac + done + echo "cmdLine: $extCmdLine" + echo "cmdFile: "`cat $extCmdFile` + repAndExec \ + certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \ + -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1 + return $RET +} + +createSignedCert() { + dir=$1 + certDir=$2 + certName=$3 + certSN=$4 + certSubj=$5 + keyType=$6 + extList=$7 + + echo Creating cert $certName-$keyType with SN=$certSN + + CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + repAndExec \ + certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \ + -k $keyType -o $dir/req 2>&1 + [ "$RET" -ne 0 ] && return $RET + + signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList + ret=$? 
+ [ "$ret" -ne 0 ] && return $ret + + rm -f $dir/req + + repAndExec \ + certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \ + -i "$dir/${certName}-$keyType.crt" 2>&1 + [ "$RET" -ne 0 ] && return $RET + + cp "$dir/${certName}-$keyType.crt" $certDir + + repAndExec \ + pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \ + -k ${PW_FILE} -W iopr + [ "$RET" -ne 0 ] && return $RET + return 0 +} + +generateAndExportSSLCerts() { + dir=$1 + certDir=$2 + serverName=$3 + servCertReq=$4 + + if [ "$servCertReq" -a -f $servCertReq ]; then + grep REQUEST $servCertReq >/dev/null 2>&1 + signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a` + ret=$? + [ "$ret" -ne 0 ] && return $ret + fi + + certName=$serverName + createSignedCert $dir $certDir $certName 500 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + createSignedCert $dir $certDir $certName 501 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser510 + createSignedCert $dir $certDir $certName 510 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser511 + createSignedCert $dir $certDir $certName 511 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser512 + createSignedCert $dir $certDir $certName 512 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=TestUser513 + createSignedCert $dir $certDir $certName 513 "$certSubj" dsa + ret=$? + [ "$ret" -ne 0 ] && return $ret +} + +generateAndExportOCSPCerts() { + dir=$1 + certDir=$2 + + certName=ocspTrustedResponder + createSignedCert $dir $certDir $certName 525 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDesignatedResponder + createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspTRTestUser514 + createSignedCert $dir $certDir $certName 514 "$certSubj" rsa + ret=$? 
+ [ "$ret" -ne 0 ] && return $ret + + certName=ocspTRTestUser516 + createSignedCert $dir $certDir $certName 516 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCATestUser518 + createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCATestUser520 + createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRTestUser522 + createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRTestUser524 + createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + generateAndExportCACert $dir "" TestCA-unknown + [ $? -ne 0 ] && return $ret + + certSigner=TestCA-unknown + + certName=ocspTRUnkownIssuerCert + createSignedCert $dir $certDir $certName 531 "$certSubj" rsa + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspRCAUnkownIssuerCert + createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2561 + ret=$? + [ "$ret" -ne 0 ] && return $ret + + certName=ocspDRUnkownIssuerCert + createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \ + AIA,http://dochinups.red.iplanet.com:2562 + ret=$? 
+ [ "$ret" -ne 0 ] && return $ret + + certSigner="" + + return 0 +} + +generateAndExportCACert() { + dir=$1 + certDirL=$2 + caName=$3 + + certName=TestCA + [ "$caName" ] && certName=$caName + CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + repAndExec \ + certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \ + -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF +5 +6 +9 +n +y +-1 +n +EOF + + if [ "$certDirL" ]; then + repAndExec \ + certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt + [ "$RET" -ne 0 ] && return $RET + + repAndExec \ + pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr + [ "$RET" -ne 0 ] && return $RET + fi +} + + +generateCerts() { + certDir=$1 + serverName=$2 + reuseCACert=$3 + servCertReq=$4 + + [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1 + [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1 + + mkdir -p $certDir + [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1 + + + dir=/tmp/db.$$ + if [ -z "$reuseCACert" ]; then + if [ -d "$dir" ]; then + rm -f $dir + fi + + PW_FILE=$dir/nss.pwd + NOISE_FILE=$dir/nss.noise + + mkdir -p $dir + [ $? 
-ne 0 ] && echo "Can not create dir: $dir" && exit 1 + + echo nss > $PW_FILE + date >> ${NOISE_FILE} 2>&1 + + repAndExec \ + certutil -d $dir -N -f $PW_FILE + [ "$RET" -ne 0 ] && return $RET + + generateAndExportCACert $dir $certDir + [ "$RET" -ne 0 ] && return $RET + else + dir=$reuseCACert + PW_FILE=$dir/nss.pwd + NOISE_FILE=$dir/nss.noise + hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu` + [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \ + return $RET; + fi + + generateAndExportSSLCerts $dir $certDir $serverName $servCertReq + [ "$RET" -ne 0 ] && return $RET + + generateAndExportOCSPCerts $dir $certDir + [ "$RET" -ne 0 ] && return $RET + + crlUpdate=`date +%Y%m%d%H%M%SZ` + crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'` + repAndExec \ + crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI +update=$crlUpdate +nextupdate=$crlNextUpdate +addcert 509-511 $crlUpdate +addcert 516 $crlUpdate +addcert 520 $crlUpdate +addcert 524 $crlUpdate +EOF_CRLINI + [ "$RET" -ne 0 ] && return $RET + + rm -rf $dir + return 0 +} + + +if [ -z "$1" -o -z "$2" ]; then + echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]" + exit 1 +fi +generateCerts $1 $2 "$3" $4 +exit $? diff --git a/security/nss/tests/iopr/server_scr/cipher.list b/security/nss/tests/iopr/server_scr/cipher.list new file mode 100644 index 0000000000..668084c37a --- /dev/null +++ b/security/nss/tests/iopr/server_scr/cipher.list 
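Review bot: In signCert each `case` arm ends with `break`, which leaves the `for ext in $extList` loop after the first extension, so a cert requested with several `;`-separated extensions only gets the first one and the `exit 1` after the `break` in the `ocspDR` arm is unreachable; drop the `break` from the `ocspDR` and `AIA` arms and make the default arm `return 1` so an unknown extension is an error rather than silently ignored. generateCerts builds its scratch database under the predictable path `dir=/tmp/db.$$` and writes the CA private key plus its password (`echo nss > $PW_FILE`) there; use `dir=$(mktemp -d)` so another local user cannot pre-create or symlink that path, and note the preceding `rm -f $dir` cannot remove a directory anyway (`rm -rf` was intended). The AIA extensions hard-code `http://dochinups.red.iplanet.com:2561` and `:2562` into the issued certificates; those responder URLs should come from a parameter or the config, otherwise the generated OCSP test certs only work against that one host.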
@@ -0,0 +1,98 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+nss openssl iis
+
+#
+# SSL v3.0 cipher suites.
+#
+SSL3_RSA_WITH_NULL_MD5 NULL-MD5 i
+SSL3_RSA_WITH_NULL_SHA NULL-SHA z
+SSL3_RSA_WITH_RC4_128_MD5 RC4-MD5 c
+SSL3_RSA_WITH_RC4_128_SHA RC4-SHA n
+SSL3_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+SSL3_RSA_WITH_DES_CBC_SHA DES-CBC-SHA e
+SSL3_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA d
+
+SSL3_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+SSL3_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA s
+SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA q
+SSL3_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+SSL3_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+SSL3_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+SSL3_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+SSL3_FORTEZZA_KEA_WITH_NULL_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_RC4_128_SHA Not_implemented.
+
+#
+# Next four added to have ciphers below for SSL3 protocol
+#
+SSL3_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+SSL3_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+#
+#TLS v1.0 cipher suites.
+#
+TLS_RSA_WITH_NULL_MD5 NULL-MD5
+TLS_RSA_WITH_NULL_SHA NULL-SHA
+TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
+TLS_RSA_WITH_RC4_128_SHA RC4-SHA
+TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
+TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
+TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
+
+TLS_DH_DSS_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_DES_CBC_SHA Not_implemented.
+TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not_implemented.
+TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA
+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA
+TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA
+
+TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
+TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
+TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
+
+#
+#AES ciphersuites from RFC3268, extending TLS v1.0
+#
+
+TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
+TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
+
+TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
+TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
+TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA
+TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA
+
+TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
+TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
+TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
+
+TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
+TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
+
+#
+#Additional cipher suites
+#
+#Note: these ciphers can also be used in SSL v3.
+#
+TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
+
+#
+# FIPS cipher list
+#
+TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+TLS_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA Not_implemented
+SSL3_RSA_FIPS_WITH_DES_CBC_SHA Not_implemented
diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi
new file mode 100644
index 0000000000..581ad06d1e
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/client.cgi
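Review bot: The placeholder token is spelled inconsistently — `Not_implemented.` with a trailing period in the SSL3/TLS DH and FORTEZZA sections and `Not_implemented` without it in the FIPS block — so any parser that recognizes the marker by exact string match will treat one of the two groups as a real OpenSSL cipher name; pick one spelling throughout. The OpenSSL column for `SSL3_DHE_DSS_WITH_DES_CBC_SHA` and `TLS_DHE_DSS_WITH_DES_CBC_SHA` reads `EDH-DSS-CBC-SHA`, which looks like a typo for `EDH-DSS-DES-CBC-SHA` (the 3DES entry directly below uses the `EDH-DSS-DES-CBC3-SHA` form); worth checking against `openssl ciphers -v` before this table is used to drive the interop run.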
@@ -0,0 +1,526 @@
+#!/usr/bin/perl
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#--------------------------------------------------------------
+# cgi script that parses request argument to appropriate
+# open ssl or tstclntw options and starts ssl client.
+#
+
+use CGI qw/:standard/;
+
+use subs qw(debug);
+
+#--------------------------------------------------------------
+# Prints out an error string and exits the script with an
+# exitStatus.
+# Param:
+# str : an error string
+# exitStat: an exit status of the program
+#
+sub svr_error {
+ my ($str, $exitStat) = @_;
+
+ if (!defined $str || $str eq "") {
+ $str = $ERR;
+ }
+ print "SERVER ERROR: $str\n";
+ if ($exitStat) {
+ print end_html if ($osDataArr{wservRun});
+ exit $exitStat;
+ }
+}
+
+#--------------------------------------------------------------
+# Prints out a debug message
+# Params:
+# str: debug message
+# inVal: additional value to print(optional)
+#
+sub debug {
+ my ($str, $inVal) = @_;
+
+ print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1);
+}
+
+
+#--------------------------------------------------------------
+# Initializes execution context depending on a webserver the
+# script is running under.
+#
+sub init {
+ %osDataArr = (
+ loadSupportedCipthersFn => \&osSpecific,
+ cipherIsSupportedFn => \&verifyCipherSupport,
+ cipherListFn => \&convertCipher,
+ buildCipherTableFn => \&buildCipherTable,
+ execCmdFn => \&osSpecific,
+ );
+
+ $scriptName = $ENV{'SCRIPT_NAME'};
+ if (!defined $scriptName) {
+ $DEBUG=1;
+ debug "Debug is ON";
+ }
+ $DEBUG=1;
+
+ $svrSoft = $ENV{'SERVER_SOFTWARE'};
+ if (defined $svrSoft) {
+ $_ = $svrSoft;
+ /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS");
+ /.*Apache.*/ && ($osDataArr{wserv} = "Apache");
+ $osDataArr{wservRun} = 1;
+ } else {
+ $osDataArr{wserv} = "Apache";
+ $osDataArr{wservRun} = 0;
+ }
+}
+
+#--------------------------------------------------------------
+# Function-spigot to handle errors is OS specific functions are
+# not implemented for a particular OS.
+# Returns:
+# always returns 0(failure)
+#
+sub osSpecific {
+ $ERR = "This function should be swapped to os specific function.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Sets os specific execution context values.
+# Returns:
+# 1 upon success, or 0 upon failure(if OS was not recognized)
+#
+sub setFunctRefs {
+
+ debug("Entering setFunctRefs function", $osDataArr{wserv});
+
+ if ($osDataArr{wserv} eq "Apache") {
+ $osDataArr{osConfigFile} = "apache_unix.cfg";
+ $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL';
+ $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix;
+ $osDataArr{execCmdFn} = \&execClientCmd_Unix;
+ } elsif ($osDataArr{wserv} eq "IIS") {
+ $osDataArr{osConfigFile} = "iis_windows.cfg";
+ $osDataArr{suppCiphersCmd} = '$tstclntwb';
+ $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile';
+ $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win;
+ $osDataArr{execCmdFn} = \&execClientCmd_Win;
+ } else {
+ $ERR = "Unknown Web Server type.";
+ return 0;
+ }
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Parses data from HTTP request. Will print a form if request
+# does not contain sufficient number of parameters.
+# Returns:
+# 1 if request has sufficient number of parameters
+# 0 if not.
+sub getReqData {
+ my $debug = param('debug');
+ $in_host = param('host');
+ $in_port = param('port');
+ $in_cert = param('cert');
+ $in_cipher = param('cipher');
+
+ if (!$osDataArr{wservRun}) {
+ $in_host="goa1";
+ $in_port="443";
+ $in_cert="TestUser511";
+ $in_cipher = "SSL3_RSA_WITH_NULL_SHA";
+ }
+
+ debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher");
+
+ if (defined $debug && $debug == "debug on") {
+ $DEBUG = 1;
+ }
+
+ if (!defined $in_host || $in_host eq "" ||
+ !defined $in_port || $in_port eq "" ||
+ !defined $in_cert || $in_cert eq "") {
+ if ($osDataArr{wservRun}) {
+ print h1('Command description form:'),
+ start_form(-method=>"get"),
+ "Host: ",textfield('host'),p,
+ "Port: ",textfield('port'),p,
+ "Cert: ",textfield('cert'),p,
+ "Cipher: ",textfield('cipher'),p,
+ checkbox_group(-name=>'debug',
+ -values=>['debug on ']),
+ submit,
+ end_form,
+ hr;
+ } else {
+ print "Printing html form to get client arguments\n";
+ }
+ $ERR = "the following parameters are required: host, port, cert";
+ return 0;
+ } else {
+ print "<pre>" if ($osDataArr{wservRun});
+ return 1;
+ }
+}
+
+
+#--------------------------------------------------------------
+# Building cipher conversion table from file based on the OS.
+# Params:
+# tfile: cipher conversion file.
+# sysName: system name
+# tblPrt: returned pointer to a table.
+sub buildCipherTable {
+ my ($tfile, $sysName, $tblPrt) = @_;
+ my @retArr = @$tblPrt;
+ my %table, %rtable;
+ my $strCount = 0;
+
+ debug("Entering getReqData function", "$tfile:$sysName:$tblPrt");
+
+ ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/);
+ if (!open(TFILE, "$tfile")) {
+ $ERR = "Missing cipher conversion table file.";
+ return 0;
+ }
+ foreach (<TFILE>) {
+ chop;
+ /^#.*/ && next;
+ /^\s*$/ && next;
+ if ($strCount++ == 0) {
+ my @sysArr = split /\s+/;
+ $colCount = 0;
+ for (;$colCount <= $#sysArr;$colCount++) {
+ last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/);
+ }
+ next;
+ }
+ my @ciphArr = split /\s+/, $_;
+ $table{$ciphArr[0]} = $ciphArr[$colCount];
+ $rtable{$ciphArr[$colCount]} = $ciphArr[0];
+ }
+ close(TFILE);
+ $cipherTablePtr[0] = \%table;
+ $cipherTablePtr[1] = \%rtable;
+ return 1
+}
+
+#--------------------------------------------------------------
+# Client configuration function. Loads client configuration file.
+# Initiates cipher table. Loads cipher list supported by ssl client.
+#
+sub configClient {
+
+ debug "Entering configClient function";
+
+ my $res = &setFunctRefs();
+ return $res if (!$res);
+
+ open(CFILE, $osDataArr{'osConfigFile'}) ||
+ ($ERR = "Missing configuration file." && return 0);
+ foreach (<CFILE>) {
+ /^#.*/ && next;
+ chop;
+ eval $_;
+ }
+ close(CFILE);
+
+ local @cipherTablePtr = ();
+ $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0;
+ $osDataArr{cipherTable} = $cipherTablePtr[0];
+ $osDataArr{rcipherTable} = $cipherTablePtr[1];
+
+ local $suppCiphersTablePrt;
+ &{$osDataArr{'loadSupportedCipthersFn'}} || return 0;
+ $osDataArr{suppCiphersTable} = $suppCiphersTablePrt;
+}
+
+#--------------------------------------------------------------
+# Verifies that a particular cipher is supported.
+# Params:
+# checkCipher: cipher name
+# Returns:
+# 1 - cipher is supported(also echos the cipher).
+# 0 - not supported.
+#
+sub verifyCipherSupport {
+ my ($checkCipher) = @_;
+ my @suppCiphersTable = @{$osDataArr{suppCiphersTable}};
+
+ debug("Entering verifyCipherSupport", $checkCipher);
+ foreach (@suppCiphersTable) {
+ return 1 if ($checkCipher eq $_);
+ }
+ $ERR = "cipher is not supported.";
+ return 0;
+}
+
+#--------------------------------------------------------------
+# Converts long(?name of the type?) cipher name to
+# openssl/tstclntw cipher name.
+# Returns:
+# 0 if cipher was not listed. 1 upon success.
+#
+sub convertCipher {
+ my ($cipher) = @_;
+ my @retList;
+ my $resStr;
+ my %cipherTable = %{$osDataArr{cipherTable}};
+
+ debug("Entering convertCipher", $cipher);
+ if (defined $cipher) {
+ my $cphr = $cipherTable{$cipher};
+ if (!defined $cphr) {
+ $ERR = "cipher is not listed.";
+ return 0;
+ }
+ &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0;
+ $ciphers = "$cphr";
+ return 1;
+ }
+ return 0;
+}
+
+#################################################################
+# UNIX Apache Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Unix {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Unix function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ @arr = <OUT>;
+ chop $arr[0];
+ @suppCiphersTable = split /:/, $arr[0];
+ debug("Supported ciphers", $arr[0]);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Unix {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Unix";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-".$arr[0];
+ $proto =~ tr /SLT/slt/;
+ $proto = "-tls1" if ($proto eq "-tls");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-cipher $ciphers";
+ debug("Return from cipher conversion", "$ciphers");
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/:no ciphers available/) {
+ $haveErrors++;
+ svr_error "no cipthers available\n";
+ next;
+ }
+ if (/verify error:/) {
+ $haveErrors++;
+ svr_error "unable to do verification\n";
+ next;
+ }
+ if (/alert certificate revoked:/) {
+ $haveErrors++;
+ svr_error "attempt to connect with revoked sertificate\n";
+ next;
+ }
+ if (/(error|ERROR)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ /verify return:1/ && ($haveVerify = 1);
+ }
+ if ($haveVerify == 0) {
+ svr_error "no 'verify return:1' found in server log\n";
+ $haveErrors++;
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Unix";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Unix";
+ return 1;
+}
+
+#################################################################
+# Windows IIS Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Win {
+ my @arr, @suppCiphersTable;
+
+ debug "Entering getSupportedCipherList_Win function";
+
+ eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+ if (!open (OUT, "$sLisrCmd|")) {
+ $ERR="Can not run command to verify supported cipher list.";
+ return 0;
+ }
+ my $startCipherList = 0;
+ foreach (<OUT>) {
+ chop;
+ if ($startCipherList) {
+ /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1;
+ next;
+ }
+ /.*from list below.*/ && ($startCipherList = 1);
+ }
+ debug("Supported ciphers", join ':', @suppCiphersTable);
+ $suppCiphersTablePrt = \@suppCiphersTable;
+ close(OUT);
+ return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Win {
+ my $proto;
+ local $ciphers;
+
+ debug "Entering execClientCmd_Win";
+ if (defined $in_cipher && $in_cipher ne "") {
+ my @arr = split /_/, $in_cipher, 2;
+ $proto = "-2 -3 -T";
+
+ $proto =~ s/-T// if ($arr[0] eq "TLS");
+ $proto =~ s/-3// if ($arr[0] eq "SSL3");
+ $proto =~ s/-2// if ($arr[0] eq "SSL2");
+ return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+ $ciphers = "-c $ciphers";
+ debug("Return from cipher conversion", $ciphers);
+ }
+
+ eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+ debug("Executing command", $command);
+ if (!open CMD_OUT, "$command 2>&1 |") {
+ $ERR = "can not launch client";
+ return 0;
+ }
+
+ my @cmdOutArr = <CMD_OUT>;
+
+ foreach (@cmdOutArr) {
+ print $_;
+ }
+
+ my $haveVerify = 0;
+ my $haveErrors = 0;
+ foreach (@cmdOutArr) {
+ chop;
+ if (/unknown option/) {
+ $haveErrors++;
+ svr_error "unknown option\n";
+ next;
+ }
+ if (/Error performing handshake/) {
+ $haveErrors++;
+ svr_error "Error performing handshake\n";
+ next;
+ }
+ if (/Error creating credentials/) {
+ $haveErrors++;
+ svr_error "Error creating credentials\n";
+ next;
+ }
+ if (/Error .* authenticating server credentials!/) {
+ $haveErrors++;
+ svr_error "Error authenticating server 
credentials\n";
+ next;
+ }
+ if (/(error|ERROR|Error)/) {
+ $haveErrors++;
+ svr_error "found errors in server log\n";
+ next;
+ }
+ }
+
+ if ($haveErrors > 0) {
+ $ERR = "Have $haveErrors server errors";
+ debug "Exiting execClientCmd_Win";
+ return 0;
+ }
+ debug "Exiting execClientCmd_Win";
+ return 1;
+}
+
+#################################################################
+# Main line of execution
+#----------------------------------------------------------------
+&init;
+
+if ($osDataArr{wservRun}) {
+ print header('text/html').
+ start_html('iopr client');
+}
+
+print "SCRIPT=OK\n";
+
+if (!&getReqData) {
+ svr_error($ERR, 1);
+}
+
+if (!&configClient) {
+ svr_error($ERR, 1);
+}
+
+&{$osDataArr{'execCmdFn'}} || svr_error;
+
+if ($osDataArr{wservRun}) {
+ print "</pre>";
+ print end_html;
+}
diff --git a/security/nss/tests/iopr/server_scr/config b/security/nss/tests/iopr/server_scr/config
new file mode 100644
index 0000000000..9e65b926c8
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/config
@@ -0,0 +1,17 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+userCertNames="TestUser510 TestUser511"
+userRevokedCertNames="TestUser510"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+supportedTests="SslSingleHs"
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsPort=443
+SslSingleHsUrl=/
+SslSingleHsParam=NOAUTH:NOCOV:NOCRL
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 / NOAUTH:NOCOV:NOCRL"
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 /"
diff --git a/security/nss/tests/iopr/server_scr/iis_windows.cfg b/security/nss/tests/iopr/server_scr/iis_windows.cfg
new file mode 100644
index 0000000000..76499b8b61
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iis_windows.cfg
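Review bot: `execClientCmd_Unix` and `execClientCmd_Win` build the client command by `eval`-interpolating the request parameters `$in_host`, `$in_port` and `$in_cert` into `$osDataArr{clientRunCmd}` and then run the result through a piped `open`, so the shell parses whatever the HTTP client sent, while `getReqData` only checks that the three values are non-empty. Because the CGI is reachable by anything that can reach the web server, `getReqData` should reject values outside a tight allow-list before returning 1, e.g. `return 0 unless $in_host =~ /^[A-Za-z0-9.-]+$/ && $in_port =~ /^\d+$/ && $in_cert =~ /^[A-Za-z0-9._-]+$/;` with `$ERR` set to name the rejected parameter (`$in_cipher` is already constrained by the table lookup in `convertCipher`), and the list form of `open` would keep the shell out of the path entirely. Separately, `($ERR = "No system name supplied" && return 0)` in `buildCipherTable` and the matching expression in `configClient` parse as `$ERR = ("..." && return 0)`, so the function returns before `$ERR` is assigned and `svr_error` prints an empty message; write the assignment and the `return` as two statements. Also, `$debug == "debug on"` in `getReqData` is a numeric comparison of two strings that both evaluate to 0, so it is true for any defined value; `eq` is the intended operator.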
@@ -0,0 +1,33 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# IIS windows configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "iis";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed tstclntb binary
+#
+$tstclntwb = "./tstclntw.exe";
+
+#
+# HTTP Request file
+#
+$reqFile = "sslreq.dat";
+
+
diff --git a/security/nss/tests/iopr/server_scr/iopr_server.cfg b/security/nss/tests/iopr/server_scr/iopr_server.cfg
new file mode 100644
index 0000000000..2b196e0154
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iopr_server.cfg
@@ -0,0 +1,67 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+
+#old values
+userCertNames="TestUser510-rsa TestUser512-rsa"
+userRevokedCertNames="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+supportedTests="SslSingleHs SslSecondHs"
+#supportedTests="SslSecondHs"
+
+
+downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
+# Keep a space at the end of
+SslClntValidCertName="TestUser512-rsa"
+SslClntRevokedCertName="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+
+supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
+
+#
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsDescr="ssl with single handshake without client cert auth"
+SslSingleHsPort=443
+SslSingleHsUrl=/iopr_test/test_pg.html
+SslSingleHsParam=NOAUTH
+
+#
+# SslSecondHs: ssl with secondary hs when accessing direcory
+# that requires cert verification
+SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
+SslSecondHsPort=443
+SslSecondHsUrl=/iopr_test_2hs/test_pg.html
+SslSecondHsParam=NOCOV
+
+#
+# OcspTrustedResponder - trusted responder key is used to sign OCSP response
+#
+OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
+OcspTrustedResponderProto=http
+OcspTrustedResponderPort=2560
+OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
+OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
+OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
+OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
+
+#
+# OcspResponderCA - CA key is used to sign OCSP response
+#
+OcspResponderCADescr="CA key is used to sign OCSP response"
+OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
+OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
+OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
+
+#
+# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
+#
+OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
+OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
+OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
+OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
diff --git a/security/nss/tests/iopr/server_scr/sslreq.dat b/security/nss/tests/iopr/server_scr/sslreq.dat
new file mode 100644
index 0000000000..2f7ad7736e
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/iopr/ssl_iopr.sh b/security/nss/tests/iopr/ssl_iopr.sh
new file mode 100644
index 0000000000..0f9742662d
--- /dev/null
+++ b/security/nss/tests/iopr/ssl_iopr.sh
@@ -0,0 +1,643 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/ssl_iopr.sh
+#
+# NSS SSL interoperability QA. This file is included from ssl.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+# FIXME ... known problems, search for this string
+# NOTE .... unexpected behavior
+########################################################################
+IOPR_SSL_SOURCED=1
+
+########################################################################
+# The functions works with variables defined in interoperability
+# configuration file that was downloaded from a webserver.
+# It tries to find unrevoked cert based on value of variable
+# "SslClntValidCertName" defined in the configuration file.
+# Params NONE.
+# Returns 0 if found, 1 otherwise.
+#
+setValidCert() {
+ testUser=$SslClntValidCertName
+ [ -z "$testUser" ] && return 1
+ return 0
+}
+
+########################################################################
+# The funtions works with variables defined in interoperability
+# configuration file that was downloaded from a webserver.
+# The function sets port, url, param and description test parameters
+# that was defind for a particular type of testing.
+# Params:
+# $1 - supported types of testing. Currently have maximum
+# of two: forward and reverse. But more can be defined.
+# No return value
+#
+setTestParam() {
+ type=$1
+ sslPort=`eval 'echo $'${type}Port`
+ sslUrl=`eval 'echo $'${type}Url`
+ testParam=`eval 'echo $'${type}Param`
+ testDescription=`eval 'echo $'${type}Descr`
+ [ -z "$sslPort" ] && sslPort=443
+ [ -z "$sslUrl" ] && sslUrl="/iopr_test/test_pg.html"
+ [ "$sslUrl" = "/" ] && sslUrl="/test_pg.html"
+}
+
+
+#######################################################################
+# local shell function to perform SSL Cipher Suite Coverage tests
+# in interoperability mode. Tests run against web server by using nss
+# test client
+# Params:
+# $1 - supported type of testing.
+# $2 - testing host
+# $3 - nss db location
+# No return value
+#
+ssl_iopr_cov_ext_server()
+{
+ testType=$1
+ host=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOCOV`" != "" ]; then
+ echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \ "run by server configuration"
+ return 0
+ fi
+
+ html_head "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR" \ "$BYPASS_STRING $NORM_EXT): $testDescription"
+
+ setValidCert; ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+ echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+ echo >> $SSL_REQ_FILE
+
+ while read ecc tls param testname therest; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "`echo $testname | grep FIPS`" -o \
+ "$ecc" = "ECC" ] && continue;
+
+ echo "$SCRIPTNAME: running $testname ----------------------------"
+ TLS_FLAG=-T
+ if [ "$tls" = "TLS" ]; then
+ TLS_FLAG=""
+ fi
+
+ resFile=${TMP}/$HOST.tmpRes.$$
+ rm $resFile 2>/dev/null
+
+ echo "tstclnt -p ${sslPort} -h ${host} -c ${param} ${TLS_FLAG} \\"
+ echo " -n $testUser -v -w nss ${CLIEN_OPTIONS} -f \\"
+ echo " -d ${dbDir} < ${SSL_REQ_FILE} > $resFile"
+
+ ${BINDIR}/tstclnt -p ${sslPort} -h ${host} -c ${param} \
+ ${TLS_FLAG} ${CLIEN_OPTIONS} -f -n $testUser -v -w nss \
+ -d ${dbDir} < ${SSL_REQ_FILE} >$resFile 2>&1
+ ret=$?
+ grep "ACCESS=OK" $resFile
+ test $? -eq 0 -a $ret -eq 0
+ ret=$?
+ [ $ret -ne 0 ] && cat $resFile
+ rm -f $resFile 2>/dev/null
+ html_msg $ret 0 "${testname}"
+ done < ${SSLCOV}
+ rm -f $SSL_REQ_FILE 2>/dev/null
+
+ html "</TABLE><BR>"
+}
+
+#######################################################################
+# local shell function to perform SSL Client Authentication tests
+# in interoperability mode. Tests run against web server by using nss
+# test client
+# Params:
+# $1 - supported type of testing.
+# $2 - testing host
+# $3 - nss db location
+# No return value
+#
+ssl_iopr_auth_ext_server()
+{
+ testType=$1
+ host=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOAUTH`" != "" ]; then
+ echo "SSL Client Authentication WebServ($IOPR_HOSTADDR) excluded from " \ "run by server configuration"
+ return 0
+ fi
+
+ html_head "SSL Client Authentication WebServ($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): + $testDescription"
+
+ setValidCert;ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+ echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+ echo >> $SSL_REQ_FILE
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" > ${SSLAUTH_TMP}
+
+ while read ecc value sparam cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+ cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
+
+ echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \\"
+ echo " -d ${dbDir} -v < ${SSL_REQ_FILE}"
+
+ resFile=${TMP}/$HOST.tmp.$$
+ rm $rsFile 2>/dev/null
+
+ ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
+ -d ${dbDir} -v < ${SSL_REQ_FILE} >$resFile 2>&1
+ ret=$?
+ grep "ACCESS=OK" $resFile
+ test $? -eq 0 -a $ret -eq 0
+ ret=$?
+ [ $ret -ne 0 ] && cat $resFile
+ rm $resFile 2>/dev/null
+
+ html_msg $ret $value "${testname}. Client params: $cparam"\ "produced a returncode of $ret, expected is $value"
+ done < ${SSLAUTH_TMP}
+ rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}
+
+ html "</TABLE><BR>"
+}
+
+########################################################################
+# local shell function to perform SSL interoperability test with/out
+# revoked certs tests. Tests run against web server by using nss
+# test client
+# Params:
+# $1 - supported type of testing.
+# $2 - testing host
+# $3 - nss db location
+# No return value
+#
+ssl_iopr_crl_ext_server()
+{
+ testType=$1
+ host=$2
+ dbDir=$3
+
+ setTestParam $testType
+ if [ "`echo $testParam | grep NOCRL`" != "" ]; then
+ echo "CRL SSL Client Tests of WebServerv($IOPR_HOSTADDR) excluded from " \ "run by server configuration"
+ return 0
+ fi
+
+ html_head "CRL SSL Client Tests of WebServer($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): $testDescription"
+
+ SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+ echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+ echo >> $SSL_REQ_FILE
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+ grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" | grep -v bogus | \
+ grep -v none > ${SSLAUTH_TMP}
+
+ while read ecc value sparam _cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+ rev_modvalue=254
+ for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
+ cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
+
+ echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} \\"
+ echo " -f -d ${dbDir} -v ${cparam} < ${SSL_REQ_FILE}"
+ resFile=${TMP}/$HOST.tmp.$$
+ rm -f $resFile 2>/dev/null
+ ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
+ -d ${dbDir} -v < ${SSL_REQ_FILE} \
+ > $resFile 2>&1
+ ret=$?
+ grep "ACCESS=OK" $resFile
+ test $? -eq 0 -a $ret -eq 0
+ ret=$?
+ [ $ret -ne 0 ] && ret=$rev_modvalue;
+ [ $ret -ne 0 ] && cat $resFile
+ rm -f $resFile 2>/dev/null
+
+ if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
+ modvalue=$rev_modvalue
+ testAddMsg="revoked"
+ else
+ testAddMsg="not revoked"
+ modvalue=$value
+ fi
+ html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \
+ "produced a returncode of $ret, expected is $modvalue"
+ done
+ done < ${SSLAUTH_TMP}
+ rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}
+
+ html "</TABLE><BR>"
+}
+
+
+########################################################################
+# local shell function to perform SSL Cipher Coverage tests of nss server
+# by invoking remote test client on web server side.
+# Invoked only if reverse testing is supported by web server.
+# Params:
+# $1 - remote web server host
+# $2 - open port to connect to invoke CGI script
+# $3 - host where selfserv is running(name of the host nss tests
+# are running)
+# $4 - port where selfserv is running
+# $5 - selfserv nss db location
+# No return value
+#
+ssl_iopr_cov_ext_client()
+{
+ host=$1
+ port=$2
+ sslHost=$3
+ sslPort=$4
+ serDbDir=$5
+
+ html_head "SSL Cipher Coverage of SelfServ $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+ setValidCert
+ ret=$?
+ if [ $res -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ # P_R_SERVERDIR switch require for selfserv to work.
+ # Will be restored after test
+ OR_P_R_SERVERDIR=$P_R_SERVERDIR
+ P_R_SERVERDIR=$serDbDir
+ OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+ P_R_CLIENTDIR=$serDbDir
+ testname=""
+ sparam="-vvvc ABCDEFcdefgijklmnvyz"
+ # Launch the server
+ start_selfserv
+
+ while read ecc tls param cipher therest; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+ echo "============= Beginning of the test ===================="
+ echo
+
+ is_selfserv_alive
+
+ TEST_IN=${TMP}/${HOST}_IN.tmp.$$
+ TEST_OUT=${TMP}/$HOST.tmp.$$
+ rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+ echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser&cipher=$cipher HTTP/1.0" > $TEST_IN
+ echo >> $TEST_IN
+
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Command ----------------------"
+ echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host \< $TEST_IN \>\> $TEST_OUT
+
+ ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host <$TEST_IN > $TEST_OUT
+
+ echo "------- Server output Begin ----------"
+ cat $TEST_OUT
+ echo "------- Server output End ----------"
+
+ echo "Checking for errors in log file..."
+ grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ grep "cipher is not supported" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ echo "Skiping test: no support for the cipher $cipher on server side"
+ continue
+ fi
+
+ grep -i "SERVER ERROR:" $TEST_OUT
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ echo "Found problems. Reseting exit code to failure."
+
+ ret=1
+ else
+ ret=0
+ fi
+ else
+ echo "Script was not executed. Reseting exit code to failure."
+ ret=11
+ fi
+
+ html_msg $ret 0 "Test ${cipher}. 
Server params: $sparam " \
+ " produced a returncode of $ret, expected is 0"
+ rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+ done < ${SSLCOV}
+ kill_selfserv
+
+ P_R_SERVERDIR=$OR_P_R_SERVERDIR
+ P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+
+ rm -f ${TEST_IN} ${TEST_OUT}
+ html "</TABLE><BR>"
+}
+
+########################################################################
+# local shell function to perform SSL Authentication tests of nss server
+# by invoking remove test client on web server side
+# Invoked only if reverse testing is supported by web server.
+# Params:
+# $1 - remote web server host
+# $2 - open port to connect to invoke CGI script
+# $3 - host where selfserv is running(name of the host nss tests
+# are running)
+# $4 - port where selfserv is running
+# $5 - selfserv nss db location
+# No return value
+#
+ssl_iopr_auth_ext_client()
+{
+ host=$1
+ port=$2
+ sslHost=$3
+ sslPort=$4
+ serDbDir=$5
+
+ html_head "SSL Client Authentication with Selfserv from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+ setValidCert
+ ret=$?
+ if [ $res -ne 0 ]; then
+ html_failed "Fail to find valid test cert(ws: $host)"
+ return $ret
+ fi
+
+ OR_P_R_SERVERDIR=$P_R_SERVERDIR
+ P_R_SERVERDIR=${serDbDir}
+ OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+ P_R_CLIENTDIR=${serDbDir}
+
+ SSLAUTH_TMP=${TMP}/authin.tl.tmp
+
+ grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP}
+
+ while read ecc value sparam cparam testname; do
+ [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+ echo "Server params: $sparam"
+ sparam=$sparam" -vvvc ABCDEFcdefgijklmnvyz"
+ start_selfserv
+
+ TEST_IN=${TMP}/$HOST_IN.tmp.$$
+ TEST_OUT=${TMP}/$HOST.tmp.$$
+ rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+ echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN
+ echo >> $TEST_IN
+
+ echo "------- Request ----------------------"
+ cat $TEST_IN
+ echo "------- Command ----------------------"
+ echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host \< $TEST_IN \>\> $TEST_OUT
+
+ ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \
+ -h $host <$TEST_IN > $TEST_OUT
+
+ echo "------- Server output Begin ----------"
+ cat $TEST_OUT
+ echo "------- Server output End ----------"
+
+ echo "Checking for errors in log file..."
+ grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ echo "Checking for error in log file..."
+ grep -i "SERVER ERROR:" $TEST_OUT
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ echo "Found problems. Reseting exit code to failure."
+ ret=1
+ else
+ ret=0
+ fi
+ else
+ echo "Script was not executed. Reseting exit code to failure."
+ ret=11
+ fi
+
+ html_msg $ret $value "${testname}. 
Server params: $sparam"\ + "produced a returncode of $ret, expected is $value" + kill_selfserv + rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null + done < ${SSLAUTH_TMP} + + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR + + rm -f ${SSLAUTH_TMP} ${TEST_IN} ${TEST_OUT} + html "</TABLE><BR>" +} + +######################################################################### +# local shell function to perform SSL CRL testing of nss server +# by invoking remote test client on web server side +# Invoked only if reverse testing is supported by web server. +# Params: +# $1 - remote web server host +# $2 - open port to connect to invoke CGI script +# $3 - host where selfserv is running(name of the host nss tests +# are running) +# $4 - port where selfserv is running +# $5 - selfserv nss db location +# No return value +# +ssl_iopr_crl_ext_client() +{ + host=$1 + port=$2 + sslHost=$3 + sslPort=$4 + serDbDir=$5 + + html_head "CRL SSL Selfserv Tests from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT" + + OR_P_R_SERVERDIR=$P_R_SERVERDIR + P_R_SERVERDIR=${serDbDir} + OR_P_R_CLIENTDIR=$P_R_CLIENTDIR + P_R_CLIENTDIR=$serDbDir + + SSLAUTH_TMP=${TMP}/authin.tl.tmp + grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP} + + while read ecc value sparam _cparam testname; do + [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue; + sparam="$sparam -vvvc ABCDEFcdefgijklmnvyz" + start_selfserv + + for testUser in $SslClntValidCertName $SslClntRevokedCertName; do + + is_selfserv_alive + + TEST_IN=${TMP}/${HOST}_IN.tmp.$$ + TEST_OUT=${TMP}/$HOST.tmp.$$ + rm -f $TEST_IN $TEST_OUT 2>/dev/null + + echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN + echo >> $TEST_IN + + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Command ----------------------" + echo tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port \ + -h ${host} \< $TEST_IN \>\> $TEST_OUT + + ${BINDIR}/tstclnt -d $serDbDir -v -w ${R_PWFILE} -o -p $port 
\ + -h ${host} <$TEST_IN > $TEST_OUT + echo "------- Request ----------------------" + cat $TEST_IN + echo "------- Server output Begin ----------" + cat $TEST_OUT + echo "------- Server output End ----------" + + echo "Checking for errors in log file..." + grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null + if [ $? -eq 0 ]; then + grep -i "SERVER ERROR:" $TEST_OUT + ret=$? + if [ $ret -eq 0 ]; then + echo "Found problems. Reseting exit code to failure." + ret=1 + else + ret=0 + fi + else + echo "Script was not executed. Reseting exit code to failure." + ret=11 + fi + + if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then + modvalue=1 + testAddMsg="revoked" + else + testAddMsg="not revoked" + modvalue=0 + fi + + html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue(selfserv args: $sparam)" + rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null + done + kill_selfserv + done < ${SSLAUTH_TMP} + + P_R_SERVERDIR=$OR_P_R_SERVERDIR + P_R_CLIENTDIR=$OR_P_R_CLIENTDIR + + rm -f ${SSLAUTH_TMP} + html "</TABLE><BR>" +} + +##################################################################### +# Initial point for running ssl test againt multiple hosts involved in +# interoperability testing. Called from nss/tests/ssl/ssl.sh +# It will only proceed with test run for a specific host if environment variable +# IOPR_HOSTADDR_LIST was set, had the host name in the list +# and all needed file were successfully downloaded and installed for the host. +# +# Returns 1 if interoperability testing is off, 0 otherwise. 
+# +ssl_iopr_run() { + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + cd ${CLIENTDIR} + + ORIG_ECC_CERT=${NO_ECC_CERTS} + NO_ECC_CERTS=1 # disable ECC for interoperability tests + + NSS_SSL_ENABLE_RENEGOTIATION=u + export NSS_SSL_ENABLE_RENEGOTIATION + + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443 + + . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + RES=$? + + if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + continue + fi + + #======================================================= + # Check if server is capable to run ssl tests + # + [ -z "`echo ${supportedTests_new} | grep -i ssl`" ] && continue; + + # Testing directories defined by webserver. + echo "Testing ssl interoperability. + Client: local(tstclnt). + Server: remote($IOPR_HOSTADDR:$IOPR_OPEN_PORT)" + + for sslTestType in ${supportedTests_new}; do + if [ -z "`echo $sslTestType | grep -i ssl`" ]; then + continue + fi + ssl_iopr_cov_ext_server $sslTestType ${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} + ssl_iopr_auth_ext_server $sslTestType ${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} + ssl_iopr_crl_ext_server $sslTestType ${IOPR_HOSTADDR} \ + ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} + done + + + # Testing selfserv with client located at the webserver. + echo "Testing ssl interoperability. 
+ Client: remote($IOPR_HOSTADDR:$PORT) + Server: local(selfserv)" + ssl_iopr_cov_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \ + ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} + ssl_iopr_auth_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \ + ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} + ssl_iopr_crl_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \ + ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} + echo "================================================" + echo "Done testing interoperability with $IOPR_HOSTADDR" + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + done + NO_ECC_CERTS=${ORIG_ECC_CERTS} + return 0 +} + |