summaryrefslogtreecommitdiff
path: root/security/nss/tests/chains/chains.sh
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/tests/chains/chains.sh')
-rw-r--r--security/nss/tests/chains/chains.sh1072
1 files changed, 0 insertions, 1072 deletions
diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh
deleted file mode 100644
index a4e31497d..000000000
--- a/security/nss/tests/chains/chains.sh
+++ /dev/null
@@ -1,1072 +0,0 @@
-#!/bin/bash
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Network Security Services (NSS)
-#
-# The Initial Developer of the Original Code is Sun Microsystems, Inc.
-# Portions created by the Initial Developer are Copyright (C) 2008
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-########################################################################
-#
-# mozilla/security/nss/tests/cert/chains.sh
-#
-# Script to test certificate chains validity.
-#
-# needs to work on all Unix and Windows platforms
-#
-# special strings
-# ---------------
-# FIXME ... known problems, search for this string
-# NOTE .... unexpected behavior
-########################################################################
-
-############################# chains_init ##############################
-# local shell function to initialize this script
-########################################################################
-chains_init()
-{
- if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
- CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
- fi
- if [ -z "${INIT_SOURCED}" ] ; then
- cd ../common
- . ./init.sh
- fi
-
- SCRIPTNAME="chains.sh"
-
- CHAINS_DIR="${HOSTDIR}/chains"
- mkdir -p ${CHAINS_DIR}
- cd ${CHAINS_DIR}
-
- CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
-
- CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
- CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
-
- PK7_NONCE=$CERT_SN_CNT
- SCEN_CNT=0
-
- AIA_FILES="${HOSTDIR}/aiafiles"
-
- CU_DATA=${HOSTDIR}/cu_data
- CRL_DATA=${HOSTDIR}/crl_data
-
- html_head "Certificate Chains Tests"
-}
-
-############################ chains_cleanup ############################
-# local shell function to finish this script (no exit since it might be
-# sourced)
-########################################################################
-chains_cleanup()
-{
- html "</TABLE><BR>"
- cd ${QADIR}
- . common/cleanup.sh
-}
-
-############################ print_cu_data #############################
-# local shell function to print certutil input data
-########################################################################
-print_cu_data()
-{
- echo "=== Certutil input data ==="
- cat ${CU_DATA}
- echo "==="
-}
-
-set_cert_sn()
-{
- if [ -z "${SERIAL}" ]; then
- CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1)
- CERT_SN=${CERT_SN_CNT}
- else
- echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null
- if [ $? -eq 0 ]; then
- CERT_SN=$(echo ${SERIAL} | cut -b 2-)
- CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN})
- else
- CERT_SN=${SERIAL}
- fi
- fi
-}
-
-############################# create_db ################################
-# local shell function to create certificate database
-########################################################################
-create_db()
-{
- DB=$1
-
- [ -d "${DB}" ] && rm -rf ${DB}
- mkdir -p ${DB}
-
- echo "${DB}passwd" > ${DB}/dbpasswd
-
- TESTNAME="Creating DB ${DB}"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "certutil -N -d ${DB} -f ${DB}/dbpasswd"
- ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-########################### create_root_ca #############################
-# local shell function to generate self-signed root certificate
-########################################################################
-create_root_ca()
-{
- ENTITY=$1
- ENTITY_DB=${ENTITY}DB
-
- set_cert_sn
- date >> ${NOISE_FILE} 2>&1
-
- CTYPE_OPT=
- if [ -n "${CTYPE}" ]; then
- CTYPE_OPT="-k ${CTYPE}"
- fi
-
- echo "5
-6
-9
-n
-y
--1
-n
-5
-6
-7
-9
-n
-" > ${CU_DATA}
-
- TESTNAME="Creating Root CA ${ENTITY}"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}"
- print_cu_data
- ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-
- TESTNAME="Exporting Root CA ${ENTITY}.der"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der"
- ${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-########################### create_cert_req ############################
-# local shell function to generate certificate sign request
-########################################################################
-create_cert_req()
-{
- ENTITY=$1
- TYPE=$2
-
- ENTITY_DB=${ENTITY}DB
-
- REQ=${ENTITY}Req.der
-
- date >> ${NOISE_FILE} 2>&1
-
- CTYPE_OPT=
- if [ -n "${CTYPE}" ]; then
- CTYPE_OPT="-k ${CTYPE}"
- fi
-
- CA_FLAG=
- EXT_DATA=
- OPTIONS=
-
- if [ "${TYPE}" != "EE" ]; then
- CA_FLAG="-2"
- EXT_DATA="y
--1
-y
-"
- fi
-
- process_crldp
-
- echo "${EXT_DATA}" > ${CU_DATA}
-
- TESTNAME="Creating ${TYPE} certifiate request ${REQ}"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}"
- print_cu_data
- ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-############################ create_entity #############################
-# local shell function to create certificate chain entity
-########################################################################
-create_entity()
-{
- ENTITY=$1
- TYPE=$2
-
- if [ -z "${ENTITY}" ]; then
- echo "Configuration error: Unnamed entity"
- exit 1
- fi
-
- DB=${ENTITY}DB
- ENTITY_DB=${ENTITY}DB
-
- case "${TYPE}" in
- "Root")
- create_db "${DB}"
- create_root_ca "${ENTITY}"
- ;;
- "Intermediate" | "Bridge" | "EE")
- create_db "${DB}"
- create_cert_req "${ENTITY}" "${TYPE}"
- ;;
- "*")
- echo "Configuration error: Unknown type ${TYPE}"
- exit 1
- ;;
- esac
-}
-
-########################################################################
-# List of global variables related to certificate extensions processing:
-#
-# Generated by process_extensions and functions called from it:
-# OPTIONS - list of command line policy extensions
-# DATA - list of inpud data related to policy extensions
-#
-# Generated by parse_config:
-# POLICY - list of certificate policies
-# MAPPING - list of policy mappings
-# INHIBIT - inhibit flag
-# AIA - AIA list
-########################################################################
-
-############################ process_policy ############################
-# local shell function to process policy extension parameters and
-# generate input for certutil
-########################################################################
-process_policy()
-{
- if [ -n "${POLICY}" ]; then
- OPTIONS="${OPTIONS} --extCP"
-
- NEXT=
- for ITEM in ${POLICY}; do
- if [ -n "${NEXT}" ]; then
- DATA="${DATA}y
-"
- fi
-
- NEXT=1
- DATA="${DATA}${ITEM}
-1
-
-n
-"
- done
-
- DATA="${DATA}n
-n
-"
- fi
-}
-
-########################### process_mapping ############################
-# local shell function to process policy mapping parameters and
-# generate input for certutil
-########################################################################
-process_mapping()
-{
- if [ -n "${MAPPING}" ]; then
- OPTIONS="${OPTIONS} --extPM"
-
- NEXT=
- for ITEM in ${MAPPING}; do
- if [ -n "${NEXT}" ]; then
- DATA="${DATA}y
-"
- fi
-
- NEXT=1
- IDP=`echo ${ITEM} | cut -d: -f1`
- SDP=`echo ${ITEM} | cut -d: -f2`
- DATA="${DATA}${IDP}
-${SDP}
-"
- done
-
- DATA="${DATA}n
-n
-"
- fi
-}
-
-########################### process_inhibit#############################
-# local shell function to process inhibit extension and generate input
-# for certutil
-########################################################################
-process_inhibit()
-{
- if [ -n "${INHIBIT}" ]; then
- OPTIONS="${OPTIONS} --extIA"
-
- DATA="${DATA}${INHIBIT}
-n
-"
- fi
-}
-
-############################# process_aia ##############################
-# local shell function to process AIA extension parameters and
-# generate input for certutil
-########################################################################
-process_aia()
-{
- if [ -n "${AIA}" ]; then
- OPTIONS="${OPTIONS} --extAIA"
-
- DATA="${DATA}1
-"
-
- for ITEM in ${AIA}; do
- PK7_NONCE=`expr $PK7_NONCE + 1`
-
- echo ${ITEM} | grep ":" > /dev/null
- if [ $? -eq 0 ]; then
- CERT_NICK=`echo ${ITEM} | cut -d: -f1`
- CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
- CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der"
- CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der"
- else
- CERT_LOCAL="${ITEM}.p7"
- CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7"
- fi
-
- DATA="${DATA}7
-${NSS_AIA_HTTP}/${CERT_PUBLIC}
-"
-
- if [ -n "${NSS_AIA_PATH}" ]; then
- cp ${CERT_LOCAL} ${NSS_AIA_PATH}/${CERT_PUBLIC} 2> /dev/null
- chmod a+r ${NSS_AIA_PATH}/${CERT_PUBLIC}
- echo ${NSS_AIA_PATH}/${CERT_PUBLIC} >> ${AIA_FILES}
- fi
- done
-
- DATA="${DATA}0
-n
-n"
- fi
-}
-
-process_ocsp()
-{
- if [ -n "${OCSP}" ]; then
- OPTIONS="${OPTIONS} --extAIA"
-
- DATA="${DATA}2
-7
-${NSS_AIA_OCSP}:${OCSP}
-0
-n
-n
-"
- fi
-}
-
-process_crldp()
-{
- if [ -n "${CRLDP}" ]; then
- OPTIONS="${OPTIONS} -4"
-
- EXT_DATA="${EXT_DATA}1
-"
-
- for ITEM in ${CRLDP}; do
- CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"
-
- EXT_DATA="${EXT_DATA}7
-${NSS_AIA_HTTP}/${CRL_PUBLIC}
-"
- done
-
- EXT_DATA="${EXT_DATA}-1
--1
--1
-n
-n
-"
- fi
-}
-
-process_ku_ns_eku()
-{
- if [ -n "${EXT_KU}" ]; then
- OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}"
- fi
- if [ -n "${EXT_NS}" ]; then
- EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1)
- EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2)
-
- OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}"
- DATA="${DATA}${EXT_NS_CODE}
--1
-n
-"
- fi
- if [ -n "${EXT_EKU}" ]; then
- OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}"
- fi
-}
-
-copy_crl()
-
-{
- if [ -z "${NSS_AIA_PATH}" ]; then
- return;
- fi
-
- CRL_LOCAL="${COPYCRL}.crl"
- CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"
-
- cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null
- chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
- echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES}
-}
-
-########################## process_extension ###########################
-# local shell function to process entity extension parameters and
-# generate input for certutil
-########################################################################
-process_extensions()
-{
- OPTIONS=
- DATA=
-
- process_policy
- process_mapping
- process_inhibit
- process_aia
- process_ocsp
- process_ku_ns_eku
-}
-
-############################## sign_cert ###############################
-# local shell function to sign certificate sign reuqest
-########################################################################
-sign_cert()
-{
- ENTITY=$1
- ISSUER=$2
- TYPE=$3
-
- [ -z "${ISSUER}" ] && return
-
- ENTITY_DB=${ENTITY}DB
- ISSUER_DB=${ISSUER}DB
- REQ=${ENTITY}Req.der
- CERT=${ENTITY}${ISSUER}.der
-
- set_cert_sn
-
- EMAIL_OPT=
- if [ "${TYPE}" = "Bridge" ]; then
- EMAIL_OPT="-7 ${ENTITY}@${ISSUER}"
-
- [ -n "${EMAILS}" ] && EMAILS="${EMAILS},"
- EMAILS="${EMAILS}${ENTITY}@${ISSUER}"
- fi
-
- process_extensions
-
- echo "${DATA}" > ${CU_DATA}
-
- TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}"
- print_cu_data
- ${BINDIR}/certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-
- TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}"
- ${BINDIR}/certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-############################# create_pkcs7##############################
-# local shell function to package bridge certificates into pkcs7
-# package
-########################################################################
-create_pkcs7()
-{
- ENTITY=$1
- ENTITY_DB=${ENTITY}DB
-
- TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7"
- ${BINDIR}/cmsutil -O -r "${EMAILS}" -d ${ENTITY_DB} > ${ENTITY}.p7
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-############################# import_key ###############################
-# local shell function to import private key + cert into database
-########################################################################
-import_key()
-{
- KEY_NAME=$1.p12
- DB=$2
-
- KEY_FILE=${QADIR}/libpkix/certs/${KEY_NAME}
-
- TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss"
- ${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-
-############################# import_cert ##############################
-# local shell function to import certificate into database
-########################################################################
-import_cert()
-{
- IMPORT=$1
- DB=$2
-
- CERT_NICK=`echo ${IMPORT} | cut -d: -f1`
- CERT_ISSUER=`echo ${IMPORT} | cut -d: -f2`
- CERT_TRUST=`echo ${IMPORT} | cut -d: -f3`
-
- if [ "${CERT_ISSUER}" = "x" ]; then
- CERT_ISSUER=
- CERT=${CERT_NICK}.cert
- CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
- else
- CERT=${CERT_NICK}${CERT_ISSUER}.der
- CERT_FILE=${CERT}
- fi
-
- IS_ASCII=`grep -c -- "-----BEGIN CERTIFICATE-----" ${CERT_FILE}`
-
- ASCII_OPT=
- if [ "${IS_ASCII}" -gt 0 ]; then
- ASCII_OPT="-a"
- fi
-
- TESTNAME="Importing certificate ${CERT} to ${DB} database"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}"
- ${BINDIR}/certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t "${CERT_TRUST}" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-import_crl()
-{
- IMPORT=$1
- DB=$2
-
- CRL_NICK=`echo ${IMPORT} | cut -d: -f1`
- CRL_FILE=${CRL_NICK}.crl
-
- if [ ! -f "${CRL_FILE}" ]; then
- return
- fi
-
- TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}"
- ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-create_crl()
-{
- ISSUER=$1
- ISSUER_DB=${ISSUER}DB
-
- CRL=${ISSUER}.crl
-
- DATE=$(date -u '+%Y%m%d%H%M%SZ')
- UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ')
-
- echo "update=${DATE}" > ${CRL_DATA}
- echo "nextupdate=${UPDATE}" >> ${CRL_DATA}
-
- TESTNAME="Create CRL for ${ISSUER_DB}"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
- echo "=== Crlutil input data ==="
- cat ${CRL_DATA}
- echo "==="
- ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-revoke_cert()
-{
- ISSUER=$1
- ISSUER_DB=${ISSUER}DB
-
- CRL=${ISSUER}.crl
-
- set_cert_sn
-
- sleep 1
- DATE=$(date -u '+%Y%m%d%H%M%SZ')
- echo "update=${DATE}" > ${CRL_DATA}
- echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA}
-
- TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
- echo "=== Crlutil input data ==="
- cat ${CRL_DATA}
- echo "==="
- ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
- html_msg $? 0 "${SCENARIO}${TESTNAME}"
-}
-
-########################################################################
-# List of global variables related to certificate verification:
-#
-# Generated by parse_config:
-# DB - DB used for testing
-# FETCH - fetch flag (used with AIA extension)
-# POLICY - list of policies
-# TRUST - trust anchor
-# VERIFY - list of certificates to use as vfychain parameters
-# EXP_RESULT - expected result
-# REV_OPTS - revocation options
-########################################################################
-
-############################# verify_cert ##############################
-# local shell function to verify certificate validity
-########################################################################
-verify_cert()
-{
- DB_OPT=
- FETCH_OPT=
- POLICY_OPT=
- TRUST_OPT=
- VFY_CERTS=
- VFY_LIST=
-
- if [ -n "${DB}" ]; then
- DB_OPT="-d ${DB}"
- fi
-
- if [ -n "${FETCH}" ]; then
- FETCH_OPT="-f"
- if [ -z "${NSS_AIA_HTTP}" ]; then
- echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined"
- return
- fi
- fi
-
- for ITEM in ${POLICY}; do
- POLICY_OPT="${POLICY_OPT} -o ${ITEM}"
- done
-
- for ITEM in ${TRUST}; do
- echo ${ITEM} | grep ":" > /dev/null
- if [ $? -eq 0 ]; then
- CERT_NICK=`echo ${ITEM} | cut -d: -f1`
- CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
- CERT=${CERT_NICK}${CERT_ISSUER}.der
-
- TRUST_OPT="${TRUST_OPT} -t ${CERT}"
- else
- TRUST_OPT="${TRUST_OPT} -t ${ITEM}"
- fi
- done
-
- for ITEM in ${VERIFY}; do
- CERT_NICK=`echo ${ITEM} | cut -d: -f1`
- CERT_ISSUER=`echo ${ITEM} | cut -d: -f2`
-
- if [ "${CERT_ISSUER}" = "x" ]; then
- CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert"
- VFY_CERTS="${VFY_CERTS} ${CERT}"
- VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
- else
- CERT=${CERT_NICK}${CERT_ISSUER}.der
- VFY_CERTS="${VFY_CERTS} ${CERT}"
- VFY_LIST="${VFY_LIST} ${CERT}"
- fi
- done
-
- VFY_OPTS_TNAME="${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
- VFY_OPTS_ALL="${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
-
- TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
- echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "vfychain ${VFY_OPTS_ALL}"
-
- if [ -z "${MEMLEAK_DBG}" ]; then
- VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1)
- RESULT=$?
- echo "${VFY_OUT}"
- else
- VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE})
- RESULT=$?
- echo "${VFY_OUT}"
- fi
-
- echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null
- E5990=$?
- echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null
- E8030=$?
-
- if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then
- echo "Result of this test is not valid due to network time out."
- html_unknown "${SCENARIO}${TESTNAME}"
- return
- fi
-
- echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}"
-
- if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then
- html_passed "${SCENARIO}${TESTNAME}"
- elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then
- html_passed "${SCENARIO}${TESTNAME}"
- else
- html_failed "${SCENARIO}${TESTNAME}"
- fi
-}
-
-check_ocsp()
-{
- OCSP_CERT=$1
-
- CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
- CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`
-
- if [ "${CERT_ISSUER}" = "x" ]; then
- CERT_ISSUER=
- CERT=${CERT_NICK}.cert
- CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
- else
- CERT=${CERT_NICK}${CERT_ISSUER}.der
- CERT_FILE=${CERT}
- fi
-
- OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
-
- if [ "${OS_ARCH}" = "WINNT" ]; then
- ping -n 1 ${OCSP_HOST}
- return $?
- elif [ "${OS_ARCH}" = "HP-UX" ]; then
- ping ${OCSP_HOST} -n 1
- return $?
- else
- ping -c 1 ${OCSP_HOST}
- return $?
- fi
-}
-
-############################ parse_result ##############################
-# local shell function to process expected result value
-# this function was created for case that expected result depends on
-# some conditions - in our case type of cert DB
-#
-# default results are pass and fail
-# this function added parsable values in format:
-# type1:value1 type2:value2 .... typex:valuex
-#
-# allowed types are dbm, sql, all (all means all other cases)
-# allowed values are pass and fail
-#
-# if this format is not used, EXP_RESULT will stay unchanged (this also
-# covers pass and fail states)
-########################################################################
-parse_result()
-{
- for RES in ${EXP_RESULT}
- do
- RESTYPE=$(echo ${RES} | cut -d: -f1)
- RESSTAT=$(echo ${RES} | cut -d: -f2)
-
- if [ "${RESTYPE}" = "${NSS_DEFAULT_DB_TYPE}" -o "${RESTYPE}" = "all" ]; then
- EXP_RESULT=${RESSTAT}
- break
- fi
- done
-}
-
-############################ parse_config ##############################
-# local shell function to parse and process file containing certificate
-# chain configuration and list of tests
-########################################################################
-parse_config()
-{
- SCENARIO=
- LOGNAME=
-
- while read KEY VALUE
- do
- case "${KEY}" in
- "entity")
- ENTITY="${VALUE}"
- TYPE=
- ISSUER=
- CTYPE=
- POLICY=
- MAPPING=
- INHIBIT=
- AIA=
- CRLDP=
- OCSP=
- DB=
- EMAILS=
- EXT_KU=
- EXT_NS=
- EXT_EKU=
- SERIAL=
- ;;
- "type")
- TYPE="${VALUE}"
- ;;
- "issuer")
- if [ -n "${ISSUER}" ]; then
- if [ -z "${DB}" ]; then
- create_entity "${ENTITY}" "${TYPE}"
- fi
- sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
- fi
-
- ISSUER="${VALUE}"
- POLICY=
- MAPPING=
- INHIBIT=
- AIA=
- EXT_KU=
- EXT_NS=
- EXT_EKU=
- ;;
- "ctype")
- CTYPE="${VALUE}"
- ;;
- "policy")
- POLICY="${POLICY} ${VALUE}"
- ;;
- "mapping")
- MAPPING="${MAPPING} ${VALUE}"
- ;;
- "inhibit")
- INHIBIT="${VALUE}"
- ;;
- "aia")
- AIA="${AIA} ${VALUE}"
- ;;
- "crldp")
- CRLDP="${CRLDP} ${VALUE}"
- ;;
- "ocsp")
- OCSP="${VALUE}"
- ;;
- "db")
- DB="${VALUE}DB"
- create_db "${DB}"
- ;;
- "import")
- IMPORT="${VALUE}"
- import_cert "${IMPORT}" "${DB}"
- import_crl "${IMPORT}" "${DB}"
- ;;
- "import_key")
- IMPORT="${VALUE}"
- import_key "${IMPORT}" "${DB}"
- ;;
- "crl")
- ISSUER="${VALUE}"
- create_crl "${ISSUER}"
- ;;
- "revoke")
- REVOKE="${VALUE}"
- ;;
- "serial")
- SERIAL="${VALUE}"
- ;;
- "copycrl")
- COPYCRL="${VALUE}"
- copy_crl "${COPYCRL}"
- ;;
- "verify")
- VERIFY="${VALUE}"
- TRUST=
- POLICY=
- FETCH=
- EXP_RESULT=
- REV_OPTS=
- USAGE_OPT=
- ;;
- "cert")
- VERIFY="${VERIFY} ${VALUE}"
- ;;
- "testdb")
- if [ -n "${VALUE}" ]; then
- DB="${VALUE}DB"
- else
- DB=
- fi
- ;;
- "trust")
- TRUST="${TRUST} ${VALUE}"
- ;;
- "fetch")
- FETCH=1
- ;;
- "result")
- EXP_RESULT="${VALUE}"
- parse_result
- ;;
- "rev_type")
- REV_OPTS="${REV_OPTS} -g ${VALUE}"
- ;;
- "rev_flags")
- REV_OPTS="${REV_OPTS} -h ${VALUE}"
- ;;
- "rev_mtype")
- REV_OPTS="${REV_OPTS} -m ${VALUE}"
- ;;
- "rev_mflags")
- REV_OPTS="${REV_OPTS} -s ${VALUE}"
- ;;
- "scenario")
- SCENARIO="${VALUE}: "
-
- CHAINS_DIR="${HOSTDIR}/chains/${VALUE}"
- mkdir -p ${CHAINS_DIR}
- cd ${CHAINS_DIR}
-
- if [ -n "${MEMLEAK_DBG}" ]; then
- LOGNAME="libpkix-${VALUE}"
- LOGFILE="${LOGDIR}/${LOGNAME}"
- fi
-
- SCEN_CNT=$(expr ${SCEN_CNT} + 1)
- ;;
- "sleep")
- sleep ${VALUE}
- ;;
- "break")
- break
- ;;
- "check_ocsp")
- check_ocsp ${VALUE}
- if [ $? -ne 0 ]; then
- echo "OCSP server not accessible, skipping OCSP tests"
- break;
- fi
- ;;
- "ku")
- EXT_KU="${VALUE}"
- ;;
- "ns")
- EXT_NS="${VALUE}"
- ;;
- "eku")
- EXT_EKU="${VALUE}"
- ;;
- "usage")
- USAGE_OPT="-u ${VALUE}"
- ;;
- "")
- if [ -n "${ENTITY}" ]; then
- if [ -z "${DB}" ]; then
- create_entity "${ENTITY}" "${TYPE}"
- fi
- sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
- if [ "${TYPE}" = "Bridge" ]; then
- create_pkcs7 "${ENTITY}"
- fi
- ENTITY=
- fi
-
- if [ -n "${VERIFY}" ]; then
- verify_cert
- VERIFY=
- fi
-
- if [ -n "${REVOKE}" ]; then
- revoke_cert "${REVOKE}" "${DB}"
- REVOKE=
- fi
- ;;
- *)
- if [ `echo ${KEY} | cut -b 1` != "#" ]; then
- echo "Configuration error: Unknown keyword ${KEY}"
- exit 1
- fi
- ;;
- esac
- done
-
- if [ -n "${MEMLEAK_DBG}" ]; then
- log_parse
- html_msg $? 0 "${SCENARIO}Memory leak checking"
- fi
-}
-
-############################# chains_main ##############################
-# local shell function to process all testing scenarios
-########################################################################
-chains_main()
-{
- while read LINE
- do
- > ${AIA_FILES}
-
- parse_config < "${QADIR}/chains/scenarios/${LINE}"
-
- while read AIA_FILE
- do
- rm ${AIA_FILE} 2> /dev/null
- done < ${AIA_FILES}
- rm ${AIA_FILES}
- done < "${CHAINS_SCENARIOS}"
-}
-
-################################ main ##################################
-
-chains_init
-chains_main
-chains_cleanup
-
View Lorry Controller Status