Diffstat (limited to 'security/nss/tests')
23 files changed, 1244 insertions, 2248 deletions
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh index f664ed488..67aa561bd 100755 --- a/security/nss/tests/all.sh +++ b/security/nss/tests/all.sh @@ -78,7 +78,8 @@ # ######################################################################## -TESTS="cert ssl sdr cipher smime crmf perf tools fips dbtests" +tests="cipher perf cert dbtests tools fips sdr crmf smime ssl" +TESTS=${TESTS:-$tests} SCRIPTNAME=all.sh CLEANUP="${SCRIPTNAME}" cd `dirname $0` # will cause problems if sourced @@ -92,12 +93,17 @@ fi for i in ${TESTS} do SCRIPTNAME=${i}.sh - echo "Running Tests for $i" if [ "$O_CRON" = "ON" ] then - (cd ${QADIR}/$i ; . ./$SCRIPTNAME all file >> ${LOGFILE} 2>&1) + echo "Running tests for $i" >> ${LOGFILE} + echo "TIMESTAMP $i BEGIN: `date`" >> ${LOGFILE} + (cd ${QADIR}/$i ; . ./$SCRIPTNAME all file) >> ${LOGFILE} 2>&1 + echo "TIMESTAMP $i END: `date`" >> ${LOGFILE} else - (cd ${QADIR}/$i ; . ./$SCRIPTNAME all file 2>&1 | tee -a ${LOGFILE}) + echo "Running tests for $i" | tee -a ${LOGFILE} + echo "TIMESTAMP $i BEGIN: `date`" | tee -a ${LOGFILE} + (cd ${QADIR}/$i ; . ./$SCRIPTNAME all file) 2>&1 | tee -a ${LOGFILE} + echo "TIMESTAMP $i END: `date`" | tee -a ${LOGFILE} fi done diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh index 3956a3b23..e667be958 100755 --- a/security/nss/tests/cert/cert.sh +++ b/security/nss/tests/cert/cert.sh @@ -21,6 +21,7 @@ # the Initial Developer. All Rights Reserved. # # Contributor(s): +# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or 
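Review bot: In the @@ -92 hunk of all.sh both subshells still chain `cd ${QADIR}/$i ; . ./$SCRIPTNAME all file` with `;`, and now that TESTS can be overridden from the environment (`TESTS=${TESTS:-$tests}` in the @@ -78 hunk) a mistyped entry leaves the subshell in the tests directory and tries to source `${i}.sh` from there, with the real cause only visible as a `cd` error buried in the log. Change both to `(cd ${QADIR}/$i && . ./$SCRIPTNAME all file)` so a missing suite directory skips that suite while the new TIMESTAMP lines still bracket it. A one-line comment above the assignment would also document the new hook: `# TESTS may be set in the environment to run a subset, e.g. TESTS="cert ssl" (constructed example)`.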
@@ -75,7 +76,11 @@ cert_init() fi SCRIPTNAME="cert.sh" CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"` - html_head "Certutil and Crlutil Tests" + if [ -n "$NSS_ENABLE_ECC" ] ; then + html_head "Certutil and Crlutil Tests with ECC" + else + html_head "Certutil and Crlutil Tests" + fi ################## Generate noise for our CA cert. ###################### # NOTE: these keys are only suitable for testing, as this whole thing @@ -140,7 +145,7 @@ certu() return $RET } -################################ certu ################################# +################################ crlu ################################# # local shell function to call crlutil, also: writes action and options to # stdout, sets variable RET and writes results to the html file results ######################################################################## @@ -148,7 +153,7 @@ crlu() { echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" - CRLUTIL=crlutil + CRLUTIL="crlutil -q" echo "$CRLUTIL $*" $CRLUTIL $* RET=$? @@ -257,6 +262,14 @@ cert_create_cert() if [ "$RET" -ne 0 ]; then return $RET fi + if [ -n "$NSS_ENABLE_ECC" ] ; then + CU_ACTION="Import EC Root CA for $CERTNAME" + certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + fi cert_add_cert "$5" return $? } @@ -270,7 +283,6 @@ cert_create_cert() ######################################################################## cert_add_cert() { - CU_ACTION="Generate Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 
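Review bot: The @@ -270 hunk deletes `CU_ACTION="Generate Cert Request for $CERTNAME"` without a replacement, so the `certu -R` that follows (the last line of the hunk) runs with whatever CU_ACTION the caller set last — after the @@ -257 change that is "Import EC Root CA for …" or the RSA root import — and the html/log row for the request step is mislabelled. Restore that assignment as the first statement of cert_add_cert; the rest of the function lies outside this hunk. Separately, the @@ -148 hunk bakes `-q` into every crlu call via `CRLUTIL="crlutil -q"`, while the ECC CRL generation in cert_crl_ssl (@@ -688 hunk) calls `crlu -q ...` again, yielding `crlutil -q -q`; one of the two should go unless crlutil is known to tolerate the duplicate.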
@@ -293,6 +305,64 @@ cert_add_cert() fi cert_log "SUCCESS: $CERTNAME's Cert Created" + +# +# Generate and add EC cert +# + if [ -n "$NSS_ENABLE_ECC" ] ; then + CURVE="secp384r1" + CU_ACTION="Generate EC Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s EC Request" + certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's EC Cert" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's EC Cert Created" + +# Generate EC certificate signed with RSA + CU_ACTION="Generate mixed EC Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA" +# Avoid conflicting serial numbers with TestCA issuer by keeping +# this set far away. A smaller number risks colliding with the +# extended ssl user certificates. 
+ NEWSERIAL=`expr ${CERTSERIAL} + 10000` + certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + + CU_ACTION="Import $CERTNAME's mixed EC Cert" + certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 + if [ "$RET" -ne 0 ]; then + return $RET + fi + cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created" + fi + return 0 } 
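Review bot: cert_add_cert now produces up to three certificates per call but its header comment (above the @@ -270 hunk, outside this one) still describes a single cert; document that when NSS_ENABLE_ECC is set it also emits `${CERTNAME}-ec.cert` (secp384r1 key, signed by TestCA-ec with the same serial) and `${CERTNAME}-ecmixed.cert` (EC key, signed by TestCA with serial CERTSERIAL+10000), and that the SAN argument `$1` is applied to all three signings. The serial offset comment is good; it would be stronger if it named the ranges it must stay clear of, e.g. `# RSA leaf serials are < 1000 and cert_eccurves uses 2001+ under TestCA-ec; 10000+ keeps TestCA serials unique`, which is what the surrounding hunks show. The function starts outside this hunk.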
@@ -325,8 +395,37 @@ cert_all_CA() cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7" rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert - # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is the one of the last + + # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last # in the chain + + if [ -n "$NSS_ENABLE_ECC" ] ; then +# +# Create EC version of TestCA + CA_CURVE="secp521r1" + ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US" + cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE} +# +# Create EC versions of the intermediate CA certs + ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE} + + ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE} + ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" + cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE} + + rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert +# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last +# in the chain + 
+ fi } ################################# cert_CA ################################ @@ -400,6 +499,70 @@ CERTSCRIPT cp root.cert ${NICKNAME}.ca.cert } +################################ cert_ec_CA ############################## +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +# This is the ECC version of cert_CA. +########################################################################## +cert_ec_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + CURVE=$7 + + echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME ==========================" + + if [ ! -d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + ################# Creating an EC CA Cert ################################ + # + CU_ACTION="Creating EC CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \ + -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ + -m $CERTSERIAL 2>&1 <<CERTSCRIPT +5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +CERTSCRIPT + + if [ "$RET" -ne 0 ]; then + echo "return value is $RET" + Exit 6 "Fatal - failed to create EC CA cert" + fi + + ################# Exporting EC Root Cert ################################ + # + CU_ACTION="Exporting EC Root Cert" + certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert + if [ "$RET" -ne 0 ]; then + Exit 7 "Fatal - failed to export ec root cert" + fi + cp ecroot.cert ${NICKNAME}.ca.cert +} + ############################## cert_smime_client ############################# # local shell function to create client Certificates for S/MIME tests ############################################################################## 
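Review bot: In cert_ec_CA (@@ -400 hunk) `cd ${CUR_CADIR}` is unchecked, so if the directory cannot be entered the following `certu -S ... -d ${LPROFILE}` with `LPROFILE=.` builds the EC CA in whatever the current directory happens to be and the later `cp ecroot.cert ${NICKNAME}.ca.cert` fails with a misleading error; use `cd "${CUR_CADIR}" || Exit 6 "Fatal - cannot cd to ${CUR_CADIR}"`. This presumably mirrors cert_CA (outside the hunk), which would deserve the same guard. The heredoc fed to `certu -S` is a bare list of prompt answers; a short comment naming which certutil extension prompt each group of answers feeds would spare the next reader a trip through certutil's interactive mode.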
@@ -414,6 +577,17 @@ cert_smime_client() echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------" cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE} +## XXX With this new script merging ECC and non-ECC tests, the +## call to cert_create_cert ends up creating two separate certs +## one for Eve and another for Eve-ec but they both end up with +## the same Subject Alt Name Extension, i.e., both the cert for +## Eve@bogus.com and the cert for Eve-ec@bogus.com end up +## listing eve@bogus.net in the Certificate Subject Alt Name extension. +## This can cause a problem later when cmsutil attempts to create +## enveloped data and accidently picks up the ECC cert (NSS currently +## does not support ECC for enveloped data creation). This script +## avoids the problem by ensuring that these conflicting certs are +## never added to the same cert database (see comment marked XXXX). echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------" cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com" 
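Review bot: The XXX comment in the @@ -414 hunk documents a workaround rather than the cause: cert_add_cert hands its SAN argument `"$1"` to all three `certu -C` calls (@@ -293 hunk), so Eve's RSA and EC certificates carry identical subjectAltName e-mail addresses. Passing the SAN list only to the RSA signing, or giving the EC request a distinct `-7` list, would remove the collision and let the commented-out Eve-ec imports in the @@ -456 hunk be enabled. If the workaround is kept, a one-sentence comment pointing at the XXXX marker is enough; note also `accidently` should read `accidentally`.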
@@ -456,6 +630,32 @@ cert_smime_client() certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ -i ${R_EVEDIR}/Eve.cert 2>&1 + if [ -n "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: Importing EC Certificates ==============================" + CU_ACTION="Import Bob's EC cert into Alice's db" + certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_BOBDIR}/Bob-ec.cert 2>&1 + + CU_ACTION="Import Dave's EC cert into Alice's DB" + certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 + + CU_ACTION="Import Dave's EC cert into Bob's DB" + certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 + +## XXXX Do not import Eve's EC cert until we can make sure that +## the email addresses listed in the Subject Alt Name Extension +## inside Eve's ECC and non-ECC certs are different. +# CU_ACTION="Import Eve's EC cert into Alice's DB" +# certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ +# -i ${R_EVEDIR}/Eve-ec.cert 2>&1 + +# CU_ACTION="Import Eve's EC cert into Bob's DB" +# certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ +# -i ${R_EVEDIR}/Eve-ec.cert 2>&1 + fi + if [ "$CERTFAILED" != 0 ] ; then cert_log "ERROR: SMIME failed $RET" else @@ -463,11 +663,12 @@ cert_smime_client() fi } -############################## cert_ssl ################################ +############################## cert_extended_ssl ####################### # local shell function to create client + server certs for extended SSL test ######################################################################## cert_extended_ssl() { + ################# Creating Certs for extended SSL test #################### # CERTFAILED=0 
@@ -496,11 +697,60 @@ cert_extended_ssl() CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)" certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1 + + if [ -n "$NSS_ENABLE_ECC" ] ; then +# +# Repeat the above for EC certs +# + EC_CURVE="secp256r1" + CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + + CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)" + certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ + -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1 +# +# done with EC certs +# +# Repeat again for mixed EC certs +# + EC_CURVE="secp256r1" + CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)" + cp ${CERTDIR}/req ${SERVER_CADIR} + certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \ + -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 + +# CU_ACTION="Import Client mixed EC Root 
CA -t T,, for $CERTNAME (ext.)" +# certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \ +# 2>&1 + fi + echo "Importing all the server's own CA chain into the servers DB" for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; do N=`basename $CA | sed -e "s/.ca.cert//"` - if [ $N = "serverCA" ] ; then + if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then T="-t C,C,C" else T="-t u,u,u" @@ -518,7 +768,8 @@ cert_extended_ssl() CU_ACTION="Generate Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \ + -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request (ext)" cp ${CERTDIR}/req ${CLIENT_CADIR} 
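Review bot: The commented-out `Import Client mixed EC Root CA` block at the end of the EC section in the @@ -496 hunk references `${CLIENT_CADIR}/clientCA-ecmixed.ca.cert`, a file nothing in this commit creates (cert_all_CA builds only the `-ec` CAs), so it should be dropped rather than left as dead code hinting at a missing step. The new EC and mixed steps also skip the `$RET` checks that cert_add_cert applies after every certu call in the same commit, so a failed request is followed by a signing attempt on a stale `req`; adding `if [ "$RET" -ne 0 ]; then return $RET; fi` after each step keeps the two paths consistent. The test `[ $N = "serverCA" -o $N = "serverCA-ec" ]` would read better, and survive an empty `$N`, as `case "$N" in serverCA|serverCA-ec) T="-t C,C,C" ;; *) T="-t u,u,u" ;; esac`. cert_extended_ssl starts and ends outside this hunk.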
@@ -531,11 +782,61 @@ cert_extended_ssl() CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)" certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1 + + if [ -n "$NSS_ENABLE_ECC" ] ; then +# +# Repeat the above for EC certs +# + CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + + CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" + certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 +# +# done with EC certs +# +# +# Repeat the above for mixed EC certs +# + CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)" + cp ${CERTDIR}/req ${CLIENT_CADIR} + certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \ + -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 + + CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" + certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 + +# CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" +# 
certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ +# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 +# +# done with mixed EC certs +# + fi + echo "Importing all the client's own CA chain into the servers DB" for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; do N=`basename $CA | sed -e "s/.ca.cert//"` - if [ $N = "clientCA" ] ; then + if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then T="-t T,C,C" else T="-t u,u,u" @@ -565,7 +866,12 @@ cert_ssl() echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" echo " ${HOSTADDR} ------------------------------------" cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER} + CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC" certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} + if [ -n "$NSS_ENABLE_ECC" ] ; then + CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC" + certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} + fi # cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER} # echo "************* Copying CA files to ${SERVERDIR}" # cp ${CADIR}/*.db . @@ -623,8 +929,8 @@ cert_stresscerts() cert_fips() { CERTFAILED=0 - echo "$SCRIPTNAME: Creating FIPS 140-1 DSA Certificates ==============" - cert_init_cert "${FIPSDIR}" "FIPS PUB 140-1 Test Certificate" 1000 "${D_FIPS}" + echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates ==============" + cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}" CU_ACTION="Initializing ${CERTNAME}'s Cert DB" certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 
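Review bot: The client-side EC block in the @@ -531 hunk uses `${EC_CURVE}` without assigning it; it only works because the server block earlier in cert_extended_ssl (@@ -496 hunk) set `EC_CURVE="secp256r1"` as a global, so this half silently depends on the other half having run first. Set `EC_CURVE="secp256r1"` once at the top of the function (outside both hunks) or repeat it here. The commented-out second `Import Server EC Root CA` block is a verbatim copy of the active import a few lines above and should be removed. The same `-o` test remark as on the server side applies to `[ $N = "clientCA" -o $N = "clientCA-ec" ]`.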
@@ -644,15 +950,151 @@ MODSCRIPT fi CU_ACTION="Generate Certificate for ${CERTNAME}" - CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140-1, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: FIPS passed" fi } +############################## cert_eccurves ########################### +# local shell function to create server certs for all EC curves +######################################################################## +cert_eccurves() +{ + ################# Creating Certs for EC curves test ######################## + # + if [ -n "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: Creating Server CA Issued Certificate for " + echo " EC Curves Test Certificates ------------------------------------" + cert_init_cert ${ECCURVES_DIR} "EC Curves Test Certificates" 1 ${D_ECCURVES} + CU_ACTION="Initializing EC Curve's Cert DB" + certu -N -d "${ECCURVES_DIR}" -f "${R_PWFILE}" 2>&1 + CU_ACTION="Import EC Root CA for $CERTNAME" + certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ + -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1 + + if [ -n "${NSS_ECC_MORE_THAN_SUITE_B}" ] ; then + CURVE_LIST="c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 \ + c2pnb208w1 c2pnb272w1 c2pnb304w1 c2pnb368w1 \ + c2tnb191v1 c2tnb191v2 c2tnb191v3 c2tnb239v1 \ + c2tnb239v2 c2tnb239v3 c2tnb359v1 c2tnb431r1 \ + nistb163 nistb233 nistb283 nistb409 nistb571 \ + nistk163 nistk233 nistk283 nistk409 nistk571 \ + nistp192 nistp224 nistp256 nistp384 nistp521 \ + prime192v1 prime192v2 prime192v3 \ + prime239v1 prime239v2 prime239v3 \ + secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 \ + secp160r1 secp160r2 secp192k1 secp192r1 secp224k1 \ + secp224r1 secp256k1 secp256r1 secp384r1 secp521r1 \ + sect113r1 
sect113r2 sect131r1 sect131r2 sect163k1 sect163r1 \ + sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 \ + sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1" + else + CURVE_LIST="nistp256 nistp384 nistp521" + fi + CERTSERIAL=2000 + + for CURVE in ${CURVE_LIST} + do + CERTFAILED=0 + CERTNAME="Curve-${CURVE}" + CERTSERIAL=`expr $CERTSERIAL + 1 ` + CU_ACTION="Generate EC Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -k ec -q "${CURVE}" -d "${ECCURVES_DIR}" -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + if [ $RET -eq 0 ] ; then + CU_ACTION="Sign ${CERTNAME}'s EC Request" + certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 + fi + + if [ $RET -eq 0 ] ; then + CU_ACTION="Import $CERTNAME's EC Cert" + certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${ECCURVES_DIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 + fi + done + + fi # if NSS_ENABLE_ECC=1 +} +############################## cert_extensions ############################### +# local shell function to test cert extensions generation. +############################################################################## + +checkRes() +{ + res=$1 + filterList=$2 + + [ $res -ne 0 ] && return 1 + + for fl in `echo $filterList | tr \| ' '`; do + fl="`echo $fl | tr _ ' '`" + expStat=0 + if [ X`echo "$fl" | cut -c 1` = 'X!' ]; then + expStat=1 + fl=`echo $fl | tr -d '!'` + fi + certutil -d ${CERT_EXTENSIONS_DIR} -L -n $CERTNAME | grep "$fl" >/dev/null 2>&1 + [ $? 
-ne $expStat ] && return 1 + done + return 0 +} + -############################## cert_stresscerts ################################ +cert_extensions() +{ + + CERTNAME=TestExt + cert_create_cert ${CERT_EXTENSIONS_DIR} $CERTNAME 90 ${D_CERT_EXTENSTIONS} + TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args + + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + + count=0 + while read arg opt filterList; do + if [ X"`echo $arg | cut -c 1`" = "X#" ]; then + continue + fi + if [ X"`echo $arg | cut -c 1`" = "X!" ]; then + testName="$filterList" + continue + fi + if [ X"$arg" = "X=" ]; then + count=`expr $count + 1` + echo "#################################################" + CU_ACTION="Testing $testName" + certutil -d ${CERT_EXTENSIONS_DIR} -D -n $CERTNAME + echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n $CERTNAME \ + -t "u,u,u" -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ + -z "${R_NOISE_FILE}" -$opt < $TARG_FILE + certutil -d ${CERT_EXTENSIONS_DIR} -S -n $CERTNAME -t "u,u,u" \ + -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ + -z "${R_NOISE_FILE}" -$opt < $TARG_FILE + ret=$? + echo "certutil options:" + cat $TARG_FILE + checkRes $ret "$filterList" + RET=$? + if [ "$RET" -ne 0 ]; then + CERTFAILED=$RET + html_failed "<TR><TD>${CU_ACTION} ($RET) " + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "<TR><TD>${CU_ACTION}" + fi + rm -f $TARG_FILE + else + echo $arg >> $TARG_FILE + fi + done < ${QADIR}/cert/certext.txt +} + + +############################## cert_crl_ssl ############################ # local shell function to generate certs and crls for SSL tests ######################################################################## cert_crl_ssl() 
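Review bot: cert_extensions writes every generated certificate to the fixed path `/tmp/cert` (in the echoed command and in the real `certutil -S ... -o /tmp/cert`), a predictable name in a world-writable directory that is shared between concurrent test runs on the same host and that a pre-existing file or symlink can redirect; the file is never read back, so write it next to the other artefacts with `-o ${CERT_EXTENSIONS_DIR}/cert`, or drop `-o` if the file is not needed. In cert_eccurves the database is initialised with `-d "${ECCURVES_DIR}"` but the EC root is imported with `-d "${PROFILEDIR}"` and the leaf certs again use `-d "${ECCURVES_DIR}"`; unless cert_init_cert sets PROFILEDIR to ECCURVES_DIR (not visible here) the root lands in a different DB, so use `${ECCURVES_DIR}` consistently. The `"$1"` handed to `certu -C` inside the curve loop is always empty because cert_eccurves is called without arguments in the @@ -796 hunk; remove it. checkRes has no header block and the `cert_extensions` banner sits above checkRes rather than above the function it names.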
@@ -688,48 +1130,92 @@ cert_crl_ssl() CRLUPDATE=`date +%Y%m%d%H%M%SZ` CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority" CRL_GRP_END_=`expr ${CRL_GRP_END} - 1` - crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI + crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI update=$CRLUPDATE addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE addext reasonCode 0 4 -addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|x400Address:x400Address|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA" +addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA" EOF_CRLINI # This extension should be added to the list, but currently nss has bug #addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` - chmod 600 ${CRL_FILE_GRP_1}_or + if [ -n "$NSS_ENABLE_ECC" ] ; then + CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority" + +# Until Bug 292285 is resolved, do not encode x400 Addresses. After +# the bug is resolved, reintroduce "x400Address:x400Address" within +# addext issuerAltNames ... + crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE +addext reasonCode 0 4 +addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)" +EOF_CRLINI + CRL_GEN_RES=`expr $? 
+ $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or-ec + fi + echo test > file ############################# Modification ################################## echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============" sleep 2 + CRLUPDATE=`date "+%Y%m%d%H%M%SZ"` CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"` - CU_ACTION="Modification CRL by adding one more cert" + CU_ACTION="Modify CRL by adding one more cert" crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \ -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI +update=$CRLUPDATE addcert ${CRL_GRP_END} $CRL_GRP_DATE EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_1}_or1 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or" + if [ -n "$NSS_ENABLE_ECC" ] ; then + CU_ACTION="Modify CRL (ECC) by adding one more cert" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \ + -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_END} $CRL_GRP_DATE +EOF_CRLINI + CRL_GEN_RES=`expr $? 
+ $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_1}_or1-ec + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec" + fi ########### Removing one cert ${UNREVOKED_CERT_GRP_1} ####################### echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ===============" - CU_ACTION="Modification CRL by removing one cert" + CU_ACTION="Modify CRL by removing one cert" + sleep 2 + CRLUPDATE=`date "+%Y%m%d%H%M%SZ"` crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \ -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI +update=$CRLUPDATE rmcert ${UNREVOKED_CERT_GRP_1} EOF_CRLINI chmod 600 ${CRL_FILE_GRP_1} TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1" + if [ -n "$NSS_ENABLE_ECC" ] ; then + CU_ACTION="Modify CRL (ECC) by removing one cert" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \ + -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI +update=$CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_1} +EOF_CRLINI + chmod 600 ${CRL_FILE_GRP_1}-ec + TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec" + fi ########### Creating second CRL which includes groups 1 and 2 ############## CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1` CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END} echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ===============" + sleep 2 CRLUPDATE=`date "+%Y%m%d%H%M%SZ"` CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"` CU_ACTION="Creating CRL for groups 1 and 2" 
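Review bot: The comment `Until Bug 292285 is resolved, do not encode x400 Addresses` sits only inside the ECC branch, yet the @@ -688 hunk also removes `x400Address:x400Address` from the RSA TestCA issuerAltNames above it; move the comment above the first `crlu ... -G` so the reason is next to both call sites. `crlu -q -d $CADIR -G -n "TestCA-ec"` passes `-q` although crlu() now sets `CRLUTIL="crlutil -q"` (@@ -148 hunk), giving `crlutil -q -q`; drop the explicit flag. The NSS_ENABLE_ECC blocks in this hunk and in the @@ -742 and @@ -761 hunks each repeat the RSA invocation with `-n "TestCA-ec"` and an `-ec` suffix on every file name; a small helper taking the nickname and suffix would keep the `update=`/`addcert` heredocs in one place. cert_crl_ssl starts and ends outside this hunk.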
@@ -742,6 +1228,18 @@ rmcert ${UNREVOKED_CERT_GRP_2} EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_2} + if [ -n "$NSS_ENABLE_ECC" ] ; then + CU_ACTION="Creating CRL (ECC) for groups 1 and 2" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \ + -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +addext invalidityDate 0 $CRLUPDATE +rmcert ${UNREVOKED_CERT_GRP_2} +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_2}-ec + fi ########### Creating second CRL which includes groups 1, 2 and 3 ############## CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1` 
@@ -761,13 +1259,33 @@ addext crlNumber 0 2 EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_3} + if [ -n "$NSS_ENABLE_ECC" ] ; then + CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3" + crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \ + -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI +update=$CRLUPDATE +addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE +rmcert ${UNREVOKED_CERT_GRP_3} +addext crlNumber 0 2 +EOF_CRLINI + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + chmod 600 ${CRL_FILE_GRP_3}-ec + fi ############ Importing Server CA Issued CRL for certs of first group ####### echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}" CU_ACTION="Importing CRL for groups 1" + crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}" crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}" CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + if [ -n "$NSS_ENABLE_ECC" ] ; then + CU_ACTION="Importing CRL (ECC) for groups 1" + crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}" + crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \ + -d "${R_SERVERDIR}" + CRL_GEN_RES=`expr $? + $CRL_GEN_RES` + fi if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES" @@ -796,6 +1314,8 @@ cert_extended_ssl cert_ssl cert_smime_client cert_fips +cert_eccurves +cert_extensions cert_crl_ssl if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then cert_stresscerts diff --git a/security/nss/tests/cert/certext.txt b/security/nss/tests/cert/certext.txt new file mode 100644 index 000000000..493cd375e --- /dev/null +++ b/security/nss/tests/cert/certext.txt 
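Review bot: The new `crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"` (and its TestCA-ec twin) in the @@ -761 hunk runs before the import but its exit status is not folded into CRL_GEN_RES, unlike every other crlu call in the function; if that is deliberate because no CRL exists on a first run, say so with `# remove any CRL left by a previous run; "no CRL" failure is expected and not counted`, otherwise add the usual `CRL_GEN_RES=\`expr $? + $CRL_GEN_RES\`` line. In the @@ -796 hunk cert_extensions is added to the unconditional call list, but unlike cert_fips (which starts with `CERTFAILED=0`) it never initialises CERTFAILED, so whatever the previous stage left in that variable is carried into its result; add `CERTFAILED=0` at the top of cert_extensions.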
@@ -0,0 +1,132 @@ +# File syntax: +# '#' comments. +# If the line starts from '!'('! TEST_N Test Name String'), +# then 'Test Name String' will be the name of a test(starting +# from second space till the rest of the line). +# All uncommented lines are hard codded answers to certutil +# extension questions. +# Line '= N string1|string2|string3': '=' is a stop sign +# of certutil inputs and start of the test. 'N' is the number +# of extension that will be tested. 'string1|string2|string3' +# are grep patterns for test result verification. '_' in stringN +# will be replaced to a space. +# ################################################################ +! TEST_1 Certificate Key Usage Extension +0 +1 +2 +3 +4 +5 +6 +10 +n += 1 Certificate_Key_Usage|Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing +# ################################################################ +! TEST_2 Certificate Key Usage Extension +0 +1 +2 +3 +4 +5 +6 +10 +y += 1 Certificate_Key_Usage|Digital_Signature|Critical:_True +# ################################################################ +! TEST_3 Certificate Basic Constraints Extension +y +-1 +n += 2 Name:_Certificate_Basic_Constraints|Data:_Is_a_CA_with_no_maximum +# ################################################################ +! TEST_4 Certificate Basic Constraints Extension +n +-1 +y += 2 Name:_Certificate_Basic_Constraints|Data:_Is_not_a_CA|Critical:_True +# ################################################################ +! TEST_5 Certificate Authority Key Identifier Extension +y +12341235123 + + +y += 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Key_ID:|12341235123 +# ################################################################ +! 
TEST_6 Certificate Authority Key Identifier Extension +y + +3 +test.com + +214123 +y += 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Issuer:|DNS_name:_"test.com"|Serial_Number:|214123 +# ################################################################ +! TEST_7 CRL Distribution Points Extension +1 +1 +InstanceOfOtherName +2 +rfc822Name +3 +test.com +4 +test@test.com +6 +ediPArtyName +8 +ipAddress +9 +123451235 +10 +0 +10 +n +n += 4 Name:_CRL_Distribution_Points|InstanceOfOtherName|rfc822Name|test.com|test@test.com|ediPArtyName +# ################################################################# +! TEST_8 CRL Distribution Points Extension +2 +SN=asdfsdf +4 +3 +test.com +10 +n +n += 4 Name:_CRL_Distribution_Points|X520_Title|"asdfsdf"|Reasons:|DNS_name:_"test.com" +# ################################################################ +! TEST_9 Certificate Type Extension +0 +1 +2 +10 +n += 5 Name:_Certificate_Type|Data:_<SSL_Client,SSL_Server,S/MIME> +# ################################################################ +! TEST_10 Extended Key Usage Extension +0 +1 +2 +3 +4 +5 +6 +10 +y += 6 Name:_Extended_Key_Usage|Critical:_True|TLS_Web_Server_Authentication_Certificate|TLS_Web_Client_Authentication_Certificate|Code_Signing_Certificate|E-Mail_Protection_Certificate|Time_Stamping_Certifcate|OCSP_Responder_Certificate|Strong_Crypto_Export_Approved +# ################################################################ +! TEST_11 Certificate Key Usage Extension + +1 +2 +3 +4 +5 +6 +10 +n += 1 Certificate_Key_Usage|!Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing diff --git a/security/nss/tests/cert/eccert.sh b/security/nss/tests/cert/eccert.sh deleted file mode 100644 index e1a172455..000000000 --- a/security/nss/tests/cert/eccert.sh +++ /dev/null 
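Review bot: The syntax description at the top of the file does not cover the `!` prefix that TEST_11 uses inside its pattern list (`!Digital_Signature`), so a reader cannot tell from the header whether the pattern must be absent from the output or is matched literally; add a line such as `# A leading '!' in stringN means the pattern must NOT appear in the output.` (or whatever the test driver actually implements, which is not in this diff). Several expected strings, for example `Time_Stamping_Certifcate` in TEST_10, have to match certutil's printed text byte for byte, so any unusual spelling there is worth a comment to stop a well-meaning correction from breaking the test.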
@@ -1,886 +0,0 @@ -#! /bin/sh -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is the Netscape security libraries. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1994-2000 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. 
-# -# ***** END LICENSE BLOCK ***** - -######################################################################## -# -# mozilla/security/nss/tests/cert/rcert.sh -# -# Certificate generating and handeling for NSS QA, can be included -# multiple times from all.sh and the individual scripts -# -# needs to work on all Unix and Windows platforms -# -# included from (don't expect this to be up to date) -# -------------------------------------------------- -# all.sh -# ssl.sh -# smime.sh -# tools.sh -# -# special strings -# --------------- -# FIXME ... known problems, search for this string -# NOTE .... unexpected behavior -# -# FIXME - Netscape - NSS -######################################################################## - -############################## cert_init ############################### -# local shell function to initialize this script -######################################################################## -cert_init() -{ - SCRIPTNAME="cert.sh" - if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for - CLEANUP="${SCRIPTNAME}" # cleaning this script will do it - fi - if [ -z "${INIT_SOURCED}" ] ; then - cd ../common - . ./init.sh - fi - SCRIPTNAME="cert.sh" - html_head "Certutil Tests" - - ################## Generate noise for our CA cert. ###################### - # NOTE: these keys are only suitable for testing, as this whole thing - # bypasses the entropy gathering. Don't use this method to generate - # keys and certs for product use or deployment. - # - ps -efl > ${NOISE_FILE} 2>&1 - ps aux >> ${NOISE_FILE} 2>&1 - noise - -} - -cert_log() ###################### write the cert_status file -{ - echo "$SCRIPTNAME $*" - echo $* >>${CERT_LOG_FILE} -} - -################################ noise ################################## -# Generate noise for our certs -# -# NOTE: these keys are only suitable for testing, as this whole thing bypasses -# the entropy gathering. Don't use this method to generate keys and certs for -# product use or deployment. 
-######################################################################### -noise() -{ - #netstat >> ${NOISE_FILE} 2>&1 - date >> ${NOISE_FILE} 2>&1 -} - -################################ certu ################################# -# local shell function to call certutil, also: writes action and options to -# stdout, sets variable RET and writes results to the html file results -######################################################################## -certu() -{ - echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" - - if [ -n "${CU_SUBJECT}" ]; then - #the subject of the cert contains blanks, and the shell - #will strip the quotes off the string, if called otherwise... - echo "certutil -s \"${CU_SUBJECT}\" $*" - certutil -s "${CU_SUBJECT}" $* - RET=$? - CU_SUBJECT="" - else - echo "certutil $*" - certutil $* - RET=$? - fi - if [ "$RET" -ne 0 ]; then - CERTFAILED=$RET - html_failed "<TR><TD>${CU_ACTION} ($RET) " - cert_log "ERROR: ${CU_ACTION} failed $RET" - else - html_passed "<TR><TD>${CU_ACTION}" - fi - - # echo "Contine?" - # cat > /dev/null - return $RET -} - -############################# cert_init_cert ########################## -# local shell function to initialize creation of client and server certs -######################################################################## -cert_init_cert() -{ - CERTDIR="$1" - CERTNAME="$2" - CERTSERIAL="$3" - DOMAIN="$4" - - if [ ! -d "${CERTDIR}" ]; then - mkdir -p "${CERTDIR}" - else - echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists" - fi - cd "${CERTDIR}" - CERTDIR="." 
- - PROFILEDIR=${CERTDIR} - if [ -n "${MULTIACCESS_DBM}" ]; then - PROFILEDIR="multiaccess:${DOMAIN}" - fi - - noise -} - -############################# hw_acc ################################# -# local shell function to add hw accelerator modules to the db -######################################################################## -hw_acc() -{ - HW_ACC_RET=0 - HW_ACC_ERR="" - if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then - echo "creating $CERTNAME s cert with hwaccelerator..." - #case $ACCELERATOR in - #rainbow) - - - echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so " - echo " -dbdir ${PROFILEDIR} 2>&1 " - echo | modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \ - -dbdir ${PROFILEDIR} 2>&1 - if [ "$?" -ne 0 ]; then - echo "modutil -add rainbow failed in `pwd`" - HW_ACC_RET=1 - HW_ACC_ERR="modutil -add rainbow" - fi - - echo "modutil -add ncipher " - echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so " - echo " -dbdir ${PROFILEDIR} 2>&1 " - echo | modutil -add ncipher \ - -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \ - -dbdir ${PROFILEDIR} 2>&1 - if [ "$?" 
-ne 0 ]; then - echo "modutil -add ncipher failed in `pwd`" - HW_ACC_RET=`expr $HW_ACC_RET + 2` - HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher" - fi - if [ "$HW_ACC_RET" -ne 0 ]; then - html_failed "<TR><TD>Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) " - else - html_passed "<TR><TD>Adding HW accelerators to certDB for ${CERTNAME}" - fi - - fi - return $HW_ACC_RET -} - -############################# cert_create_cert ######################### -# local shell function to create client certs -# initialize DB, import -# root cert -# add cert to DB -######################################################################## -cert_create_cert() -{ - cert_init_cert "$1" "$2" "$3" "$4" - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB" - certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - hw_acc - CU_ACTION="Import Root CA for $CERTNAME" - certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${R_CADIR}/root.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - cert_add_cert "$5" - return $? 
-} - -############################# cert_create_certs ######################## -# local shell function to create client certs -# initialize DB, import -# root certs (RSA and EC) -# add certs (RSA and EC) to DB -######################################################################## -cert_create_certs() -{ - cert_init_cert "$1" "$2" "$3" "$4" - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB" - certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - hw_acc - CU_ACTION="Import Root CA for $CERTNAME" - certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${R_CADIR}/root.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - CU_ACTION="Import EC Root CA for $CERTNAME" - certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${R_CADIR}/ecroot.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - cert_add_certs "$5" - return $? -} - -############################# cert_add_cert ############################ -# local shell function to add client certs to an existing CERT DB -# generate request -# sign request -# import Cert -# -######################################################################## -cert_add_cert() -{ - - CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Import $CERTNAME's Cert" - certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - cert_log "SUCCESS: $CERTNAME's Cert Created" - return 0 -} - 
-############################# cert_add_certs ############################ -# local shell function to add client certs to an existing CERT DB -# generate request -# sign request -# import Cert -# -# Do this for both RSA and EC certs -######################################################################## -cert_add_certs() -{ - CURVE="secp160r2" - - CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Import $CERTNAME's Cert" - certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - cert_log "SUCCESS: $CERTNAME's Cert Created" - -# -# Generate and add EC cert -# - CU_ACTION="Generate EC Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Sign ${CERTNAME}'s EC Request" - certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Import $CERTNAME's EC Cert" - certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}-ec.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - cert_log "SUCCESS: $CERTNAME's EC Cert Created" - - return 0 -} - -################################# cert_all_CA 
################################ -# local shell function to build the additional Temp. Certificate Authority (CA) -# used for the "real life" ssl test with 2 different CA's in the -# client and in teh server's dir -########################################################################## -cert_all_CA() -{ - CA_CURVE="secp160r1" - - echo nss > ${PWFILE} - - ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1" - -# Create EC version of TestCA - ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US" - cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE} - - ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" - ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3" - ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4" - -# -# Create EC versions of the above CA certs -# - ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE} - ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE} - ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE} - - - ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $CLIENT_CADIR clientCA -x 
"Tu,Cu,Cu" ${D_CLIENT_CA} "5" - ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6" - ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7" - -# -# Create EC versions of the above CA certs -# - ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE} - ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE} - ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE} - - rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert - rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert - # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is the one of the last - # in the chain -} - -################################# cert_CA ################################ -# local shell function to build the Temp. Certificate Authority (CA) -# used for testing purposes, creating a CA Certificate and a root cert -########################################################################## -cert_CA() -{ - CUR_CADIR=$1 - NICKNAME=$2 - SIGNER=$3 - TRUSTARG=$4 - DOMAIN=$5 - CERTSERIAL=$6 - - echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME ==========================" - - if [ ! -d "${CUR_CADIR}" ]; then - mkdir -p "${CUR_CADIR}" - fi - cd ${CUR_CADIR} - pwd - - LPROFILE=. 
- if [ -n "${MULTIACCESS_DBM}" ]; then - LPROFILE="multiaccess:${DOMAIN}" - fi - - if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB - CU_ACTION="Creating CA Cert DB" - certu -N -d ${LPROFILE} -f ${R_PWFILE} 2>&1 - if [ "$RET" -ne 0 ]; then - Exit 5 "Fatal - failed to create CA $NICKNAME " - fi - echo "$SCRIPTNAME: Certificate initialized ----------" - fi - - - ################# Creating CA Cert ###################################### - # - CU_ACTION="Creating CA Cert $NICKNAME " - CU_SUBJECT=$ALL_CU_SUBJECT - certu -S -n $NICKNAME -t $TRUSTARG -v 60 $SIGNER -d ${LPROFILE} -1 -2 -5 \ - -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT -5 -9 -n -y --1 -n -5 -6 -7 -9 -n -CERTSCRIPT - - if [ "$RET" -ne 0 ]; then - echo "return value is $RET" - Exit 6 "Fatal - failed to create CA cert" - fi - - ################# Exporting Root Cert ################################### - # - CU_ACTION="Exporting Root Cert" - certu -L -n $NICKNAME -r -d ${LPROFILE} -o root.cert - if [ "$RET" -ne 0 ]; then - Exit 7 "Fatal - failed to export root cert" - fi - cp root.cert ${NICKNAME}.ca.cert -} - -################################ cert_ec_CA ############################## -# local shell function to build the Temp. Certificate Authority (CA) -# used for testing purposes, creating a CA Certificate and a root cert -# This is the ECC version of cert_CA. -########################################################################## -cert_ec_CA() -{ - CUR_CADIR=$1 - NICKNAME=$2 - SIGNER=$3 - TRUSTARG=$4 - DOMAIN=$5 - CERTSERIAL=$6 - CURVE=$7 - - echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME ==========================" - - if [ ! -d "${CUR_CADIR}" ]; then - mkdir -p "${CUR_CADIR}" - fi - cd ${CUR_CADIR} - pwd - - LPROFILE=. 
- if [ -n "${MULTIACCESS_DBM}" ]; then - LPROFILE="multiaccess:${DOMAIN}" - fi - - ################# Creating an EC CA Cert ################################ - # - CU_ACTION="Creating EC CA Cert $NICKNAME " - CU_SUBJECT=$ALL_CU_SUBJECT - certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 60 $SIGNER \ - -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ - -m $CERTSERIAL 2>&1 <<CERTSCRIPT -5 -9 -n -y --1 -n -5 -6 -7 -9 -n -CERTSCRIPT - - if [ "$RET" -ne 0 ]; then - echo "return value is $RET" - Exit 6 "Fatal - failed to create EC CA cert" - fi - - ################# Exporting EC Root Cert ################################ - # - CU_ACTION="Exporting EC Root Cert" - certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert - if [ "$RET" -ne 0 ]; then - Exit 7 "Fatal - failed to export ec root cert" - fi - cp ecroot.cert ${NICKNAME}.ca.cert -} - -############################## cert_smime_client ############################# -# local shell function to create client Certificates for S/MIME tests -############################################################################## -cert_smime_client() -{ - CERTFAILED=0 - echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============" - - cert_create_certs ${ALICEDIR} "Alice" 30 ${D_ALICE} - cert_create_certs ${BOBDIR} "Bob" 40 ${D_BOB} - - echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------" - cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE} - - echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------" - cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com" - - #echo "************* Copying CA files to ${SERVERDIR}" - #cp ${CADIR}/*.db . 
- #hw_acc - - ######################################################################### - # - #cd ${CERTDIR} - #CU_ACTION="Creating ${CERTNAME}'s Server Cert" - #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" - #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \ - # -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 - - #CU_ACTION="Export Dave's Cert" - #cd ${DAVEDIR} - #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert - - ################# Importing Certificates for S/MIME tests ############### - # - echo "$SCRIPTNAME: Importing Certificates ==============================" - CU_ACTION="Import Bob's cert into Alice's db" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ - -i ${R_BOBDIR}/Bob.cert 2>&1 - - CU_ACTION="Import Dave's cert into Alice's DB" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ - -i ${R_DAVEDIR}/Dave.cert 2>&1 - - CU_ACTION="Import Dave's cert into Bob's DB" - certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ - -i ${R_DAVEDIR}/Dave.cert 2>&1 - - CU_ACTION="Import Eve's cert into Alice's DB" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ - -i ${R_EVEDIR}/Eve.cert 2>&1 - - CU_ACTION="Import Eve's cert into Bob's DB" - certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ - -i ${R_EVEDIR}/Eve.cert 2>&1 - - if [ "$CERTFAILED" != 0 ] ; then - cert_log "ERROR: SMIME failed $RET" - else - cert_log "SUCCESS: SMIME passed" - fi -} - -############################## cert_ssl ################################ -# local shell function to create client + server certs for extended SSL test -######################################################################## -cert_extended_ssl() -{ - EC_CURVE="sect163r1" - - ################# Creating Certs for extended SSL test #################### - # - CERTFAILED=0 - echo "$SCRIPTNAME: Creating Certificates, issued by the last ===============" - echo " of a chain of CA's which are not in the same 
database============" - - echo "Server Cert" - cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER} - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" - certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Generate Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request (ext)" - cp ${CERTDIR}/req ${SERVER_CADIR} - certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" - certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}.cert" 2>&1 - - CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)" - certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1 -# -# Repeat the above for EC certs -# - CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" - cp ${CERTDIR}/req ${SERVER_CADIR} - certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ - -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" - certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}-ec.cert" 2>&1 - - CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)" - certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1 -# -# done with EC certs -# - echo "Importing all the server's own CA chain into the servers DB" 
- for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; - do - N=`basename $CA | sed -e "s/.ca.cert//"` - if [ $N = "serverCA" ] ; then - T="-t C,C,C" - else - T="-t u,u,u" - fi - CU_ACTION="Import $N CA $T for $CERTNAME (ext.) " - certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${CA}" 2>&1 - done -#============ - echo "Client Cert" - cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT} - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" - certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Generate Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request (ext)" - cp ${CERTDIR}/req ${CLIENT_CADIR} - certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" - certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}.cert" 2>&1 - CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)" - certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1 -# -# Repeat the above for EC certs -# - CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" - cp ${CERTDIR}/req ${CLIENT_CADIR} - certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ - -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" - certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i 
"${CERTNAME}-ec.cert" 2>&1 - CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" - certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 -# -# done with EC certs -# - echo "Importing all the client's own CA chain into the servers DB" - for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; - do - N=`basename $CA | sed -e "s/.ca.cert//"` - if [ $N = "clientCA" ] ; then - T="-t T,C,C" - else - T="-t u,u,u" - fi - CU_ACTION="Import $N CA $T for $CERTNAME (ext.)" - certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${CA}" 2>&1 - done - if [ "$CERTFAILED" != 0 ] ; then - cert_log "ERROR: EXT failed $RET" - else - cert_log "SUCCESS: EXT passed" - fi -} - -############################## cert_ssl ################################ -# local shell function to create client + server certs for SSL test -######################################################################## -cert_ssl() -{ - ################# Creating Certs for SSL test ########################### - # - CERTFAILED=0 - echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" - cert_create_certs ${CLIENTDIR} "TestUser" 70 ${D_CLIENT} - - echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" - echo " ${HOSTADDR} ------------------------------------" - cert_create_certs ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER} - certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} - certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER} -# echo "************* Copying CA files to ${SERVERDIR}" -# cp ${CADIR}/*.db . 
-# hw_acc -# CU_ACTION="Creating ${CERTNAME}'s Server Cert" -# CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" -# certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \ -# -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 - - if [ "$CERTFAILED" != 0 ] ; then - cert_log "ERROR: SSL failed $RET" - else - cert_log "SUCCESS: SSL passed" - fi -} -############################## cert_stresscerts ################################ -# local shell function to create client certs for SSL stresstest -######################################################################## -cert_stresscerts() -{ - - ############### Creating Certs for SSL stress test ####################### - # - CERTDIR="$CLIENTDIR" - cd "${CERTDIR}" - - PROFILEDIR=${CERTDIR} - if [ -n "${MULTIACCESS_DBM}" ]; then - PROFILEDIR="multiaccess:${D_CLIENT}" - fi - CERTFAILED=0 - echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" - - CONTINUE=$GLOB_MAX_CERT - CERTSERIAL=10 - - while [ $CONTINUE -ge $GLOB_MIN_CERT ] - do - CERTNAME="TestUser$CONTINUE" -# cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL - cert_add_certs - CERTSERIAL=`expr $CERTSERIAL + 1 ` - CONTINUE=`expr $CONTINUE - 1 ` - done - if [ "$CERTFAILED" != 0 ] ; then - cert_log "ERROR: StressCert failed $RET" - else - cert_log "SUCCESS: StressCert passed" - fi -} - -############################## cert_fips ##################################### -# local shell function to create certificates for FIPS tests -############################################################################## -cert_fips() -{ - CERTFAILED=0 - echo "$SCRIPTNAME: Creating FIPS 140-1 DSA Certificates ==============" - cert_init_cert "${FIPSDIR}" "FIPS PUB 140-1 Test Certificate" 1000 "${D_FIPS}" - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB" - certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 - - echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------" - CU_ACTION="Enable FIPS mode 
on database for ${CERTNAME}" - echo "modutil -dbdir ${PROFILEDIR} -fips true " - modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT -y -MODSCRIPT - RET=$? - if [ "$RET" -ne 0 ]; then - html_failed "<TR><TD>${CU_ACTION} ($RET) " - cert_log "ERROR: ${CU_ACTION} failed $RET" - else - html_passed "<TR><TD>${CU_ACTION}" - fi - - CU_ACTION="Generate Certificate for ${CERTNAME}" - CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140-1, L=Mountain View, ST=California, C=US" - certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -m 500 -z "${R_NOISE_FILE}" 2>&1 - if [ "$RET" -eq 0 ]; then - cert_log "SUCCESS: FIPS passed" - fi -} - -############################## cert_cleanup ############################ -# local shell function to finish this script (no exit since it might be -# sourced) -######################################################################## -cert_cleanup() -{ - cert_log "$SCRIPTNAME: finished $SCRIPTNAME" - html "</TABLE><BR>" - cd ${QADIR} - . common/cleanup.sh -} - -################## main ################################################# - -cert_init -cert_all_CA -cert_extended_ssl -cert_ssl -cert_smime_client -cert_fips -if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then - cert_stresscerts - #following lines to be used when databases are to be reused - #cp -r /u/sonmi/tmp/stress/kentuckyderby.13/* $HOSTDIR - #cp -r $HOSTDIR/../${HOST}.2/* $HOSTDIR - -fi -cert_cleanup diff --git a/security/nss/tests/cipher/cipher.sh b/security/nss/tests/cipher/cipher.sh index 50ff55104..b154e06b5 100755 --- a/security/nss/tests/cipher/cipher.sh +++ b/security/nss/tests/cipher/cipher.sh @@ -75,7 +75,7 @@ cipher_init() mkdir -p ${CIPHERDIR} - cd ${CIPHERTESTDIR} + cd ${CIPHERDIR} P_CIPHER=. if [ -n "${MULTIACCESS_DBM}" ]; then P_CIPHER="multiaccess:${D_CIPHER}" 
@@ -93,10 +93,29 @@ cipher_main() PARAM=`echo $PARAM | sed -e "s/_-/ -/g"` TESTNAME=`echo $TESTNAME | sed -e "s/_/ /g"` echo "$SCRIPTNAME: $TESTNAME --------------------------------" - echo "bltest -T -m $PARAM -d ${P_CIPHER}" - - bltest -T -m $PARAM -d ${P_CIPHER} - html_msg $? $EXP_RET "$TESTNAME" + failedStr="" + inOff=0 + res=0 + while [ $inOff -lt 8 ] + do + outOff=0 + while [ $outOff -lt 8 ] + do + echo "bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff" + bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff + if [ $? -ne 0 ]; then + failedStr="$failedStr[$inOff:$outOff]" + fi + outOff=`expr $outOff + 1` + done + inOff=`expr $inOff + 1` + done + if [ -n "$failedStr" ]; then + html_msg 1 $EXP_RET "$TESTNAME (Failed in/out offset pairs:" \ + " $failedStr)" + else + html_msg $res $EXP_RET "$TESTNAME" + fi fi done < ${CIPHER_TXT} } diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh index 0c0126372..7ad4caff0 100644 --- a/security/nss/tests/common/init.sh +++ b/security/nss/tests/common/init.sh @@ -102,6 +102,19 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then esac } + detect_core() + { + [ ! -f $CORELIST_FILE ] && touch $CORELIST_FILE + mv $CORELIST_FILE ${CORELIST_FILE}.old + coreStr=`find $HOSTDIR -type f -name '*core*'` + res=0 + if [ -n "$coreStr" ]; then + sum $coreStr > $CORELIST_FILE + res=`cat $CORELIST_FILE ${CORELIST_FILE}.old | sort | uniq -u | wc -l` + fi + return $res + } + #html functions to give the resultfiles a consistant look html() ######################### write the results.html file { # 3 functions so we can put targets in the output.log easier 
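Review bot: `res` is set to 0 before the loops and never updated, so the else branch always reports status 0, while the failure branch reports a constant 1; the exit code bltest actually returned is discarded, which means a test whose EXP_RET is non-zero can no longer be checked against the real code. Capture it right after the bltest line with `rv=$?`, then `if [ $rv -ne 0 ]; then res=$rv; failedStr="$failedStr[$inOff:$outOff]"; fi`, and pass `$res` to html_msg in both branches. cipher_main starts before this hunk.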
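Review bot: detect_core returns a line count rather than a status, and that count comes from `uniq -u` over both lists, so a core file that disappears between two calls (lines present only in the `.old` file) also flags the next result as a core failure; limiting the count to lines present only in the new list (for example `comm -13` of the two sorted files) would report newly appeared cores only. `$coreStr` is expanded unquoted into `sum`, so a matched path containing whitespace splits into several arguments, and `-name '*core*'` matches any file with "core" in its name under HOSTDIR, not only core dumps — presumably fine for this test tree, but a comment saying so would help the next reader. A count above 255 is also truncated by `return`.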
@@ -109,12 +122,24 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then } html_passed() { + html_detect_core "$@" || return html "$* ${HTML_PASSED}" } html_failed() { + html_detect_core "$@" || return html "$* ${HTML_FAILED}" } + html_detect_core() + { + detect_core + if [ $? -ne 0 ]; then + echo "$*. Core file is detected." + html "$* ${HTML_FAILED_CORE}" + return 1 + fi + return 0 + } html_head() { html "<TABLE BORDER=1><TR><TH COLSPAN=3>$*</TH></TR>" @@ -136,6 +161,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then fi } HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>' + HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>' HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>' @@ -176,7 +202,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then PATH=.\;${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH PATH=`perl ../path_uniq -d ';' "$PATH"` else - PATH=.:/bin:/usr/bin:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:$PATH + PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:/bin:/usr/bin:$PATH # added /bin and /usr/bin in the beginning so a local perl will # be used PATH=`perl ../path_uniq -d ':' "$PATH"` @@ -354,19 +380,23 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then DAVEDIR=${HOSTDIR}/dave EVEDIR=${HOSTDIR}/eve FIPSDIR=${HOSTDIR}/fips + ECCURVES_DIR=${HOSTDIR}/eccurves SERVER_CADIR=${HOSTDIR}/serverCA CLIENT_CADIR=${HOSTDIR}/clientCA EXT_SERVERDIR=${HOSTDIR}/ext_server EXT_CLIENTDIR=${HOSTDIR}/ext_client + CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions + PWFILE=${TMP}/tests.pw.$$ NOISE_FILE=${TMP}/tests_noise.$$ + CORELIST_FILE=${TMP}/clist.$$ FIPSPWFILE=${TMP}/tests.fipspw.$$ FIPSBADPWFILE=${TMP}/tests.fipsbadpw.$$ FIPSP12PWFILE=${TMP}/tests.fipsp12pw.$$ - FIPSCERTNICK="FIPS_PUB_140-1_Test_Certificate" + FIPSCERTNICK="FIPS_PUB_140_Test_Certificate" # domains to handle ipc based access to databases D_CA="TestCA.$version" 
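Review bot: html_detect_core runs detect_core — a `find` over the whole HOSTDIR plus a `sum` of every match — on every html_passed and html_failed call, so the cost grows with the size of the test tree times the number of results; if that turns out slow, scanning once per script rather than per result would be the fix. The control flow is also undocumented: the function prints the `Failed Core` row itself and returns 1 so the caller skips its own row, which is why `|| return` appears in html_passed and html_failed. A header comment such as `# Emit a "Failed Core" row in place of the caller's row when detect_core reports a change; returns 1 so the caller must not write its own row` would make that explicit.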
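Review bot: The comment kept on the context lines, `added /bin and /usr/bin in the beginning so a local perl will be used`, now contradicts the new PATH line, which moves `${DIST}/${OBJDIR}/bin` and `lib` ahead of /bin and /usr/bin; it should say why the build directories must win, e.g. `# freshly built tools come before the system ones so the tree under test is what gets exercised`. Note also that `.` remains first in PATH on the new side, so any executable placed in the current test directory shadows both the tools under test and the system commands; that is pre-existing, but this reordering was the natural place to move `.` last or drop it.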
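Review bot: `CORELIST_FILE=${TMP}/clist.$$` follows the same predictable naming as the sibling PWFILE/NOISE_FILE lines (a PID-suffixed name in a shared temp directory), and detect_core later moves and rewrites both it and its `.old` twin; if ${TMP} is a world-writable directory another local user can pre-create or symlink those names. `mktemp` with a template (for example `CORELIST_FILE=\`mktemp ${TMP}/clist.XXXXXX\``) avoids that, though since every temp file here uses `$$` this is a pattern-wide change rather than one for this hunk alone.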
@@ -379,8 +409,10 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then D_SERVER="Server.$version" D_CLIENT="Client.$version" D_FIPS="FIPS.$version" + D_ECCURVES="ECCURVES.$version" D_EXT_SERVER="ExtendedServer.$version" D_EXT_CLIENT="ExtendedClient.$version" + D_CERT_EXTENSTIONS="CertExtensions.$version" # we need relative pathnames of these files abd directories, since our # tools can't handle the unix style absolut pathnames on cygnus @@ -394,6 +426,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then R_EVEDIR=../eve R_EXT_SERVERDIR=../ext_server R_EXT_CLIENTDIR=../ext_client + R_CERT_EXT=../cert_extensions # # profiles are either paths or domains depending on the setting of diff --git a/security/nss/tests/dbtests/dbtests.sh b/security/nss/tests/dbtests/dbtests.sh index 313978316..86b9d7e61 100755 --- a/security/nss/tests/dbtests/dbtests.sh +++ b/security/nss/tests/dbtests/dbtests.sh @@ -84,10 +84,6 @@ dbtest_init() # in the output.log, otherwise we can't tell what's a real error RONLY_DIR=${HOSTDIR}/ronlydir EMPTY_DIR=${HOSTDIR}/emptydir - grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { - html_head "SSL Test failure" - Exit : "Fatal - SSL of cert.sh needs to pass first" - } html_head "CERT and Key DB Tests" diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh index 6a4986f0f..71dd9a28c 100755 --- a/security/nss/tests/fips/fips.sh +++ b/security/nss/tests/fips/fips.sh @@ -70,7 +70,7 @@ fips_init() . ./cert.sh fi SCRIPTNAME=fips.sh - html_head "FIPS 140-1 Compliance Tests" + html_head "FIPS 140 Compliance Tests" grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { Exit 15 "Fatal - FIPS of cert.sh needs to pass first" 
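Review bot: `D_CERT_EXTENSTIONS` on the new side looks misspelled (`EXTENSTIONS` for `EXTENSIONS`); the companion directory variable added in the previous hunk is `CERT_EXTENSIONS_DIR`, so anything that follows that naming and reads `D_CERT_EXTENSIONS` will get an empty domain. Suggested line: `D_CERT_EXTENSIONS="CertExtensions.$version"`.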
@@ -92,11 +92,11 @@ fips_init() cd ${FIPSDIR} } -############################## fips_140_1 ############################## +############################## fips_140 ############################## # local shell function to test basic functionality of NSS while in -# FIPS 140-1 compliant mode +# FIPS 140 compliant mode ######################################################################## -fips_140_1() +fips_140() { echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" echo "modutil -dbdir ${P_R_FIPSDIR} -list" @@ -214,6 +214,6 @@ fips_cleanup() fips_init -fips_140_1 +fips_140 fips_cleanup diff --git a/security/nss/tests/fixtests.sh b/security/nss/tests/fixtests.sh deleted file mode 100755 index 42cbdf8ee..000000000 --- a/security/nss/tests/fixtests.sh +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/bin/sh -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is the elliptic curve test suite. -# -# The Initial Developer of the Original Code is -# Sun Microsystems, Inc. -# Portions created by the Initial Developer are Copyright (C) 2003 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. -# -# ***** END LICENSE BLOCK ***** - -####################### fix_test_scripts ####################### -# -# Depending on the argument either enable or disable EC based -# tests in the cert and ssl directories. 
-# -################################################################ -fix_test_scripts() -{ - FLAG=$1 - CERT_DIR=cert - CERT_SCRIPT=cert.sh - SMIME_DIR=smime - SMIME_SCRIPT=smime.sh - SSL_DIR=ssl - SSLAUTH=sslauth.txt - SSLCOV=sslcov.txt - SSL_SCRIPT=ssl.sh - SSLSTRESS=sslstress.txt - TOOLS_DIR=tools - TOOLS_SCRIPT=tools.sh - EC_PREFIX=ec - NOEC_PREFIX=noec - - if [ xx$FLAG = xx"enable_ecc" ]; then - if [ -f $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT -a \ - -f $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLAUTH -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLCOV -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLSTRESS -a \ - -f $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT ]; then - echo "noecc files exist" - else - echo "noecc files are missing" - echo "Saving files as noec" - cp $CERT_DIR/$CERT_SCRIPT $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT - cp $SMIME_DIR/$SMIME_SCRIPT $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT - cp $SSL_DIR/$SSLAUTH $SSL_DIR/$NOEC_PREFIX$SSLAUTH - cp $SSL_DIR/$SSLCOV $SSL_DIR/$NOEC_PREFIX$SSLCOV - cp $SSL_DIR/$SSL_SCRIPT $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT - cp $SSL_DIR/$SSLSTRESS $SSL_DIR/$NOEC_PREFIX$SSLSTRESS - cp $TOOLS_DIR/$TOOLS_SCRIPT $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT - fi - echo "Overwriting with ec versions" - cp $CERT_DIR/$EC_PREFIX$CERT_SCRIPT $CERT_DIR/$CERT_SCRIPT - cp $SMIME_DIR/$EC_PREFIX$SMIME_SCRIPT $SMIME_DIR/$SMIME_SCRIPT - cp $SSL_DIR/$EC_PREFIX$SSLAUTH $SSL_DIR/$SSLAUTH - cp $SSL_DIR/$EC_PREFIX$SSLCOV $SSL_DIR/$SSLCOV - cp $SSL_DIR/$EC_PREFIX$SSL_SCRIPT $SSL_DIR/$SSL_SCRIPT - cp $SSL_DIR/$EC_PREFIX$SSLSTRESS $SSL_DIR/$SSLSTRESS - cp $TOOLS_DIR/$EC_PREFIX$TOOLS_SCRIPT $TOOLS_DIR/$TOOLS_SCRIPT - elif [ xx$FLAG = xx"disable_ecc" ]; then - if [ -f $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT -a \ - -f $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLAUTH -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLCOV -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLSTRESS -a \ - -f 
$TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT ]; then - echo "noecc files exist" - echo "Overwriting with noec versions" - cp $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT $CERT_DIR/$CERT_SCRIPT - cp $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT $SMIME_DIR/$SMIME_SCRIPT - cp $SSL_DIR/$NOEC_PREFIX$SSLAUTH $SSL_DIR/$SSLAUTH - cp $SSL_DIR/$NOEC_PREFIX$SSLCOV $SSL_DIR/$SSLCOV - cp $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT $SSL_DIR/$SSL_SCRIPT - cp $SSL_DIR/$NOEC_PREFIX$SSLSTRESS $SSL_DIR/$SSLSTRESS - cp $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT $TOOLS_DIR/$TOOLS_SCRIPT - else - echo "Already disabled." - fi - else - echo "Needs either \"enable_ecc\" or \"disable_ecc\" as argument." - fi -} - - -fix_test_scripts $1 diff --git a/security/nss/tests/perf/perf.sh b/security/nss/tests/perf/perf.sh index 7fee17c1e..d92182754 100755 --- a/security/nss/tests/perf/perf.sh +++ b/security/nss/tests/perf/perf.sh @@ -67,6 +67,7 @@ perf_init() } perf_init +cd ${PERFDIR} RSAPERF_OUT=`rsaperf -i 300 -s -n none` RSAPERF_OUT=`echo $RSAPERF_OUT | sed \ -e "s/^/RSAPERF: $OBJDIR /" \ diff --git a/security/nss/tests/pkcs11/netscape/trivial/configure.in b/security/nss/tests/pkcs11/netscape/trivial/configure.in index 32889ddc1..62950b97a 100644 --- a/security/nss/tests/pkcs11/netscape/trivial/configure.in +++ b/security/nss/tests/pkcs11/netscape/trivial/configure.in 
@@ -1,34 +1,39 @@ dnl -dnl The contents of this file are subject to the Mozilla Public -dnl License Version 1.1 (the "License"); you may not use this file -dnl except in compliance with the License. You may obtain a copy of -dnl the License at http://www.mozilla.org/MPL/ -dnl -dnl Software distributed under the License is distributed on an "AS -dnl IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or -dnl implied. See the License for the specific language governing -dnl rights and limitations under the License. -dnl +dnl ***** BEGIN LICENSE BLOCK ***** +dnl Version: MPL 1.1/GPL 2.0/LGPL 2.1 +dnl +dnl The contents of this file are subject to the Mozilla Public License Version +dnl 1.1 (the "License"); you may not use this file except in compliance with +dnl the License. You may obtain a copy of the License at +dnl http://www.mozilla.org/MPL/ +dnl +dnl Software distributed under the License is distributed on an "AS IS" basis, +dnl WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +dnl for the specific language governing rights and limitations under the +dnl License. +dnl dnl The Original Code is a trivial PKCS#11 test program. -dnl -dnl The Initial Developer of the Original Code is Netscape -dnl Communications Corp. Portions created by Netscape are -dnl Copyright (C) 2000. All Rights Reserved. -dnl -dnl Contributor(s): dnl -dnl Alternatively, the contents of this file may be used under the -dnl terms of the GNU General Public License Version 2 or later (the -dnl "GPL"), in which case the provisions of the GPL are applicable -dnl instead of those above. If you wish to allow use of your -dnl version of this file only under the terms of the GPL and not to -dnl allow others to use your version of this file under the MPL, -dnl indicate your decision by deleting the provisions above and -dnl replace them with the notice and other provisions required by -dnl the GPL. 
If you do not delete the provisions above, a recipient -dnl may use your version of this file under either the MPL or the -dnl GPL. +dnl The Initial Developer of the Original Code is +dnl Netscape Communications Corp. +dnl Portions created by the Initial Developer are Copyright (C) 2000 +dnl the Initial Developer. All Rights Reserved. +dnl +dnl Contributor(s): +dnl +dnl Alternatively, the contents of this file may be used under the terms of +dnl either the GNU General Public License Version 2 or later (the "GPL"), or +dnl the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +dnl in which case the provisions of the GPL or the LGPL are applicable instead +dnl of those above. If you wish to allow use of your version of this file only +dnl under the terms of either the GPL or the LGPL, and not to allow others to +dnl use your version of this file under the terms of the MPL, indicate your +dnl decision by deleting the provisions above and replace them with the notice +dnl and other provisions required by the GPL or the LGPL. If you do not delete +dnl the provisions above, a recipient may use your version of this file under +dnl the terms of any one of the MPL, the GPL or the LGPL. dnl +dnl ***** END LICENSE BLOCK ***** dnl My revision info: "@(#) $RCSfile$ $Revision$ $Date$" dnl Don't use AC_REVISION; it's broken diff --git a/security/nss/tests/smime/ecsmime.sh b/security/nss/tests/smime/ecsmime.sh deleted file mode 100644 index e94000bfa..000000000 --- a/security/nss/tests/smime/ecsmime.sh +++ /dev/null 
@@ -1,260 +0,0 @@ -#! /bin/sh -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is the Netscape security libraries. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1994-2000 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. 
-# -# ***** END LICENSE BLOCK ***** - -######################################################################## -# -# mozilla/security/nss/tests/smime/smime.sh -# -# Script to test NSS smime -# -# needs to work on all Unix and Windows platforms -# -# special strings -# --------------- -# FIXME ... known problems, search for this string -# NOTE .... unexpected behavior -# -######################################################################## - -############################## smime_init ############################## -# local shell function to initialize this script -######################################################################## -smime_init() -{ - SCRIPTNAME=smime.sh # sourced - $0 would point to all.sh - - if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for - CLEANUP="${SCRIPTNAME}" # cleaning this script will do it - fi - - if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then - cd ../common - . ./init.sh - fi - if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here - cd ../cert - . ./cert.sh - fi - SCRIPTNAME=smime.sh - html_head "S/MIME Tests" - - grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { - Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" - } - - SMIMEDIR=${HOSTDIR}/smime - R_SMIMEDIR=../smime - mkdir -p ${SMIMEDIR} - cd ${SMIMEDIR} - cp ${QADIR}/smime/alice.txt ${SMIMEDIR} -} - - -############################## smime_main ############################## -# local shell function to test basic signed and enveloped messages -# from 1 --> 2" -######################################################################## -smime_main() -{ - - echo "$SCRIPTNAME: Signing Attached Message (ECDSA SHA1) ------------------" - echo "cmsutil -S -N Alice-ec -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.sig" - cmsutil -S -N Alice-ec -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.sig - html_msg $? 0 "Create Signature Alice (ECDSA SHA1)" "." 
- - echo "cmsutil -D -i alice-ec.sig -d ${P_R_BOBDIR} -o alice-ec.data1" - cmsutil -D -i alice-ec.sig -d ${P_R_BOBDIR} -o alice-ec.data1 - html_msg $? 0 "Decode Alice's Signature (ECDSA SHA1)" "." - - echo "diff alice.txt alice-ec.data1" - diff alice.txt alice-ec.data1 - html_msg $? 0 "Compare Decoded Signature and Original (ECDSA SHA1)" "." - - echo "$SCRIPTNAME: Signing Attached Message (SHA1) ------------------" - echo "cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig" - cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig - html_msg $? 0 "Create Signature Alice (SHA1)" "." - - echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1" - cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1 - html_msg $? 0 "Decode Alice's Signature (SHA1)" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Signature and Original (SHA1)" "." - - echo "$SCRIPTNAME: Signing Attached Message (SHA256) ------------------" - echo "cmsutil -S -N Alice -H SHA256 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig" - cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig - html_msg $? 0 "Create Signature Alice (SHA256)" "." - - echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1" - cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1 - html_msg $? 0 "Decode Alice's Signature (SHA256)" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Signature and Original (SHA256)" "." - - echo "$SCRIPTNAME: Signing Attached Message (SHA384) ------------------" - echo "cmsutil -S -N Alice -H SHA384 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig" - cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig - html_msg $? 0 "Create Signature Alice (SHA384)" "." - - echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1" - cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1 - html_msg $? 
0 "Decode Alice's Signature (SHA384)" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Signature and Original (SHA384)" "." - - echo "$SCRIPTNAME: Signing Attached Message (SHA512) ------------------" - echo "cmsutil -S -N Alice -H SHA512 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig" - cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig - html_msg $? 0 "Create Signature Alice (SHA512)" "." - - echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1" - cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1 - html_msg $? 0 "Decode Alice's Signature (SHA512)" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Signature and Original (SHA512)" "." - - echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------" - echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\" - echo " -o alice.env" - cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env - html_msg $? 0 "Create Enveloped Data Alice" "." - - echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1" - cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1 - html_msg $? 0 "Decode Enveloped Data Alice" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Enveloped Data and Original" "." - - # multiple recip - echo "$SCRIPTNAME: Testing multiple recipients ------------------------------" - echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o alicecc.env \\" - echo " -r bob@bogus.com,dave@bogus.com" - cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \ - -r bob@bogus.com,dave@bogus.com - ret=$? - html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "." 
- if [ $ret != 0 ] ; then - echo "certutil -L -d ${P_R_ALICEDIR}" - certutil -L -d ${P_R_ALICEDIR} - echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com" - certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com - fi - - echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------" - echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o aliceve.env \\" - echo " -r eve@bogus.net" - cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \ - -r eve@bogus.net - ret=$? - html_msg $ret 0 "Encrypt to a Multiple Email cert" "." - - echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2" - cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2 - html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "." - - echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3" - cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3 - html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Dave" "." - - echo "cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4" - cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4 - html_msg $? 0 "Decrypt with a Multiple Email cert" "." - - diff alice.txt alice.data2 - html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Bob" "." - - diff alice.txt alice.data3 - html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Dave" "." - - diff alice.txt alice.data4 - html_msg $? 0 "Compare Decoded with Multiple Email cert" "." - - echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------" - echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\" - echo " -d ${P_R_ALICEDIR} > co.der" - cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der - html_msg $? 0 "Create Certs-Only Alice" "." - - echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}" - cmsutil -D -i co.der -d ${P_R_BOBDIR} - html_msg $? 0 "Verify Certs-Only by CA" "." 
- - echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------" - echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\" - echo " -r \"bob@bogus.com\" > alice.enc" - cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \ - -r "bob@bogus.com" > alice.enc - html_msg $? 0 "Create Encrypted-Data" "." - - echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\" - echo " -o alice.data2" - cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2 - html_msg $? 0 "Decode Encrypted-Data" "." - - diff alice.txt alice.data2 - html_msg $? 0 "Compare Decoded and Original Data" "." -} - -############################## smime_cleanup ########################### -# local shell function to finish this script (no exit since it might be -# sourced) -######################################################################## -smime_cleanup() -{ - html "</TABLE><BR>" - cd ${QADIR} - . common/cleanup.sh -} - -################## main ################################################# - -smime_init -smime_main -smime_cleanup - diff --git a/security/nss/tests/smime/smime.sh b/security/nss/tests/smime/smime.sh index f8e2e6c8c..78d840099 100755 --- a/security/nss/tests/smime/smime.sh +++ b/security/nss/tests/smime/smime.sh @@ -21,6 +21,7 @@ # the Initial Developer. All Rights Reserved. # # Contributor(s): +# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or @@ -71,7 +72,12 @@ smime_init() . ./cert.sh fi SCRIPTNAME=smime.sh - html_head "S/MIME Tests" + + if [ -n "$NSS_ENABLE_ECC" ] ; then + html_head "S/MIME Tests with ECC" + else + html_head "S/MIME Tests" + fi grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" 
@@ -86,7 +92,7 @@ smime_init() smime_sign() { - HASH_CMD=-H ${HASH} + HASH_CMD="-H ${HASH}" SIG=sig.${HASH} echo "$SCRIPTNAME: Signing Detached Message {$HASH} ------------------" @@ -110,6 +116,32 @@ smime_sign() echo "diff alice.txt alice.data.${HASH}" diff alice.txt alice.data.${HASH} html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "." + +# Test ECDSA signing for all hash algorithms. + if [ -n "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------" + echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}" + cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG} + html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "." + + echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} " + cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} + html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "." + + echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------" + echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}" + cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG} + html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "." + + echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}" + cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH} + html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "." + + echo "diff alice.txt alice-ec.data.${HASH}" + diff alice.txt alice-ec.data.${HASH} + html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "." + fi + } 
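Review bot: `HASH_CMD="-H ${HASH}"` works only because every later use expands `${HASH_CMD}` unquoted, so it splits back into the `-H` flag and its value; nothing says so, and the natural cleanup of quoting that expansion would hand cmsutil `-H SHA256` as a single argument. A comment on the assignment, `# expanded unquoted on purpose: must split into "-H" and the hash name`, would protect the fix. smime_sign continues past this hunk.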
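Review bot: The new ECDSA block repeats the echo/cmsutil/html_msg sequence of the RSA path above it with only the nickname (`Alice-ec`), the `-ec` file infix and the row label changed, so the two paths will drift as soon as one is edited; a small helper taking nickname, infix and label, called once per key type, would keep them in step. The `# Test ECDSA signing for all hash algorithms.` comment sits at column 0 inside smime_sign while the code around it is indented, and the ECDSA verify echo ends with a trailing space. smime_sign starts before this hunk.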
@@ -146,7 +178,7 @@ smime_main() # multiple recip echo "$SCRIPTNAME: Testing multiple recipients ------------------------------" - echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o alicecc.env \\" + echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\" echo " -r bob@bogus.com,dave@bogus.com" cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \ -r bob@bogus.com,dave@bogus.com @@ -160,7 +192,7 @@ smime_main() fi echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------" - echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o aliceve.env \\" + echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\" echo " -r eve@bogus.net" cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \ -r eve@bogus.net diff --git a/security/nss/tests/ssl/ecssl.sh b/security/nss/tests/ssl/ecssl.sh deleted file mode 100644 index e2c3e8dd8..000000000 --- a/security/nss/tests/ssl/ecssl.sh +++ /dev/null 
@@ -1,350 +0,0 @@ -#! /bin/sh -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is the Netscape security libraries. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1994-2000 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. 
-# -# ***** END LICENSE BLOCK ***** - -######################################################################## -# -# mozilla/security/nss/tests/ssl/ecssl.sh -# -# Script to test NSS SSL -# -# needs to work on all Unix and Windows platforms -# -# special strings -# --------------- -# FIXME ... known problems, search for this string -# NOTE .... unexpected behavior -# -######################################################################## - -############################## ssl_init ################################ -# local shell function to initialize this script -######################################################################## -ssl_init() -{ - SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh - - if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for - CLEANUP="${SCRIPTNAME}" # cleaning this script will do it - fi - - if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then - cd ../common - . ./init.sh - fi - if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here - cd ../cert - . 
./cert.sh - fi - SCRIPTNAME=ssl.sh - echo "$SCRIPTNAME: SSL tests ===============================" - - grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { - html_head "SSL Test failure" - Exit 8 "Fatal - SSL of cert.sh needs to pass first" - } - - PORT=${PORT-8443} - - # Test case files - SSLCOV=${QADIR}/ssl/sslcov.txt - SSLAUTH=${QADIR}/ssl/sslauth.txt - SSLSTRESS=${QADIR}/ssl/sslstress.txt - REQUEST_FILE=${QADIR}/ssl/sslreq.txt - - #temparary files - SERVEROUTFILE=${TMP}/tests_server.$$ - SERVERPID=${TMP}/tests_pid.$$ - - R_SERVERPID=../tests_pid.$$ - - TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}" - - fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't - #fileout=1 - #verbose="-v" #FIXME - see where this is usefull - - USER_NICKNAME=TestUser - NORM_EXT="" - - cd ${CLIENTDIR} -} - -########################### is_selfserv_alive ########################## -# local shell function to exit with a fatal error if selfserver is not -# running -######################################################################## -is_selfserv_alive() -{ - if [ ! -f "${SERVERPID}" ]; then - echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist" - sleep 5 - if [ ! 
-f "${SERVERPID}" ]; then - Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist" - fi - fi - PID=`cat ${SERVERPID}` - #if [ "${OS_ARCH}" = "Linux" ]; then - kill -0 $PID >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" - #else - #$PS -e | grep $PID >/dev/null || \ - #Exit 10 "Fatal - selfserv process not detectable" - #fi -} - -########################### wait_for_selfserv ########################## -# local shell function to wait until selfserver is running and initialized -######################################################################## -wait_for_selfserv() -{ - echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q " - echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \\" - #echo "tstclnt -q started at `date`" - tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} - if [ $? -ne 0 ]; then - html_failed "<TR><TD> Wait for Server " - echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\" - echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" - tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} - elif [ sparam = "-c ABCDEFGHIJKLMNOPQRSTabcdefghijklmnvy" ] ; then # "$1" = "cov" ] ; then - html_passed "<TR><TD> Wait for Server" - fi - is_selfserv_alive -} - -########################### kill_selfserv ############################## -# local shell function to kill the selfserver after the tests are done -######################################################################## -kill_selfserv() -{ - ${KILL} `cat ${SERVERPID}` - wait `cat ${SERVERPID}` - if [ ${fileout} -eq 1 ]; then - cat ${SERVEROUTFILE} - fi - # On Linux selfserv needs up to 30 seconds to fully die and free - # the port. Wait until the port is free. 
(Bug 129701) - if [ "${OS_ARCH}" = "Linux" ]; then - until selfserv -b -p ${PORT} 2>/dev/null; do - sleep 1 - done - fi - rm ${SERVERPID} -} - -########################### start_selfserv ############################# -# local shell function to start the selfserver with the parameters required -# for this test and log information (parameters, start time) -# also: wait until the server is up and running -######################################################################## -start_selfserv() -{ - if [ -n "$testname" ] ; then - echo "$SCRIPTNAME: $testname ----" - fi - sparam=`echo $sparam | sed -e 's;_; ;g'` - echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \\" - echo " -e ${HOSTADDR}-ec \\" - echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &" - echo "selfserv started at `date`" - if [ ${fileout} -eq 1 ]; then - selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \ - -e ${HOSTADDR}-ec \ - -w nss ${sparam} -i ${R_SERVERPID} $verbose \ - > ${SERVEROUTFILE} 2>&1 & - else - selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \ - -e ${HOSTADDR}-ec \ - -w nss ${sparam} -i ${R_SERVERPID} $verbose & - fi - wait_for_selfserv -} - -############################## ssl_cov ################################# -# local shell function to perform SSL Cipher Coverage tests -######################################################################## -ssl_cov() -{ - html_head "SSL Cipher Coverage $NORM_EXT" - - testname="" - sparam="-c ABCDEFGHIJKLMNOPQRSTabcdefghijklmnvyz" - start_selfserv # Launch the server - - p="" - - while read tls param testname - do - p=`echo "$testname" | sed -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS - - if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then - echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - elif [ "$tls" != "#" ] ; then - echo "$SCRIPTNAME: running $testname ----------------------------" - TLS_FLAG=-T - if [ $tls = "TLS" ]; then - TLS_FLAG="" - fi - - is_selfserv_alive - echo "tstclnt 
-p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\" - echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" - - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \ - -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? - cat ${TMP}/$HOST.tmp.$$ - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - html_msg $ret 0 "${testname}" - fi - done < ${SSLCOV} - - kill_selfserv - html "</TABLE><BR>" -} - -############################## ssl_auth ################################ -# local shell function to perform SSL Client Authentication tests -######################################################################## -ssl_auth() -{ - html_head "SSL Client Authentication $NORM_EXT" - - while read value sparam cparam testname - do - if [ $value != "#" ]; then - cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` - start_selfserv - - echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\" - echo " ${cparam} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? 
- cat ${TMP}/$HOST.tmp.$$ - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - - html_msg $ret $value "${testname}" \ - "produced a returncode of $ret, expected is $value" - kill_selfserv - fi - done < ${SSLAUTH} - - html "</TABLE><BR>" -} - - -############################## ssl_stress ############################## -# local shell function to perform SSL stress test -######################################################################## -ssl_stress() -{ - html_head "SSL Stress Test $NORM_EXT" - - while read value sparam cparam testname - do - p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS - if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then - echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - elif [ $value != "#" ]; then - cparam=`echo $cparam | sed -e 's;_; ;g'` - start_selfserv - if [ `uname -n` = "sjsu" ] ; then - echo "debugging disapering selfserv... ps -ef | grep selfserv" - ps -ef | grep selfserv - fi - - echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \\" - echo " $verbose ${HOSTADDR}" - echo "strsclnt started at `date`" - strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \ - $verbose ${HOSTADDR} - ret=$? - echo "strsclnt completed at `date`" - html_msg $ret $value "${testname}" - if [ `uname -n` = "sjsu" ] ; then - echo "debugging disapering selfserv... ps -ef | grep selfserv" - ps -ef | grep selfserv - fi - kill_selfserv - fi - done < ${SSLSTRESS} - - html "</TABLE><BR>" -} - - -############################## ssl_cleanup ############################# -# local shell function to finish this script (no exit since it might be -# sourced) -######################################################################## -ssl_cleanup() -{ - rm $SERVERPID 2>/dev/null - cd ${QADIR} - . common/cleanup.sh -} - -################## main ################################################# - -#this script may be sourced from the distributed stress test - in this case do nothing... 
- -if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then - ssl_init - ssl_cov - ssl_auth - ssl_stress - - SERVERDIR=$EXT_SERVERDIR - CLIENTDIR=$EXT_CLIENTDIR - R_SERVERDIR=$R_EXT_SERVERDIR - R_CLIENTDIR=$R_EXT_CLIENTDIR - P_R_SERVERDIR=$P_R_EXT_SERVERDIR - P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR - USER_NICKNAME=ExtendedSSLUser - NORM_EXT="Extended test" - cd ${CLIENTDIR} - ssl_cov - ssl_auth - ssl_stress - ssl_cleanup -fi diff --git a/security/nss/tests/ssl/ecsslauth.txt b/security/nss/tests/ssl/ecsslauth.txt deleted file mode 100644 index e7204feb2..000000000 --- a/security/nss/tests/ssl/ecsslauth.txt +++ /dev/null 
@@ -1,50 +0,0 @@ -# -# This file defines the tests for client auth. -# -# expected -# return server client Test Case name -# value params params -# ------ ------ ------ --------------- - 0 -r -w_nss TLS Request don't require client auth (client does not provide auth) - 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password) - 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth) - 0 -r_-r -w_nss TLS Require client auth (client does not provide auth) - 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password) - 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth) - 0 -r -T_-w_nss SSL3 Request don't require client auth (client does not provide auth) - 0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) - 0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) - 0 -r_-r -T_-w_nss SSL3 Require client auth (client does not provide auth) - 254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) - 0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth) - 0 -r_-r_-r -w_nss TLS Request don't require client auth on 2nd hs (client does not provide auth) - 0 -r_-r_-r -w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) - 0 -r_-r_-r -w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) - 0 -r_-r_-r_-r -w_nss TLS Require client auth on 2nd hs (client does not provide auth) - 1 -r_-r_-r_-r -w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password) - 0 -r_-r_-r_-r -w_nss_-n_TestUser_ TLS Require client auth on 2nd hs (client auth) - 0 -r_-r_-r -T_-w_nss SSL3 Request don't require client auth on 2nd hs (client does not provide auth) - 0 -r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) - 0 -r_-r_-r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) - 0 -r_-r_-r_-r -T_-w_nss SSL3 
Require client auth on 2nd hs (client does not provide auth) - 1 -r_-r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) - 0 -r_-r_-r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) -# -# Use EC cert for client authentication -# - 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password) - 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth) - 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password) - 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth) - 0 -r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password) - 0 -r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth) - 254 -r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password) - 0 -r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth) - 0 -r_-r_-r -w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password) - 0 -r_-r_-r -w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth) - 1 -r_-r_-r_-r -w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password) - 0 -r_-r_-r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth) - 0 -r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) - 0 -r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) - 1 -r_-r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password) - 0 -r_-r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) diff --git a/security/nss/tests/ssl/ecsslcov.txt b/security/nss/tests/ssl/ecsslcov.txt deleted file mode 100644 index f01e56899..000000000 --- a/security/nss/tests/ssl/ecsslcov.txt +++ /dev/null 
@@ -1,83 +0,0 @@ -# -# This file enables test coverage of the various SSL ciphers -# -# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We -# mix up the enable functions so we can tests boths paths. -# -# Enable Cipher Test Name -# TLS -# - noTLS A SSL2 RC4 128 WITH MD5 - TLS B SSL2 RC4 128 EXPORT40 WITH MD5 - TLS C SSL2 RC2 128 CBC WITH MD5 - noTLS D SSL2 RC2 128 CBC EXPORT40 WITH MD5 - TLS E SSL2 DES 64 CBC WITH MD5 - noTLS F SSL2 DES 192 EDE3 CBC WITH MD5 -# -# ECC ciphers (SSL3) -# - noTLS G SSL3 ECDH ECDSA WITH NULL SHA - noTLS H SSL3 ECDH ECDSA WITH RC4 128 SHA - noTLS I SSL3 ECDH ECDSA WITH DES CBC SHA - noTLS J SSL3 ECDH ECDSA WITH 3DES EDE CBC SHA - noTLS K SSL3 ECDH ECDSA WITH AES 128 CBC SHA - noTLS L SSL3 ECDH ECDSA WITH AES 256 CBC SHA - noTLS M SSL3 ECDH RSA WITH NULL SHA - noTLS N SSL3 ECDH RSA WITH RC4 128 SHA - noTLS O SSL3 ECDH RSA WITH DES CBC SHA - noTLS P SSL3 ECDH RSA WITH 3DES EDE CBC SHA - noTLS Q SSL3 ECDH RSA WITH AES 128 CBC SHA - noTLS R SSL3 ECDH RSA WITH AES 256 CBC SHA - noTLS S SSL3 ECDHE ECDSA WITH AES 128 CBC SHA - noTLS T SSL3 ECDHE RSA WITH AES 128 CBC SHA -# -# ECC ciphers (TLS) -# - TLS G TLS ECDH ECDSA WITH NULL SHA - TLS H TLS ECDH ECDSA WITH RC4 128 SHA - TLS I TLS ECDH ECDSA WITH DES CBC SHA - TLS J TLS ECDH ECDSA WITH 3DES EDE CBC SHA - TLS K TLS ECDH ECDSA WITH AES 128 CBC SHA - TLS L TLS ECDH ECDSA WITH AES 256 CBC SHA - TLS M TLS ECDH RSA WITH NULL SHA - TLS N TLS ECDH RSA WITH RC4 128 SHA - TLS O TLS ECDH RSA WITH DES CBC SHA - TLS P TLS ECDH RSA WITH 3DES EDE CBC SHA - TLS Q TLS ECDH RSA WITH AES 128 CBC SHA - TLS R TLS ECDH RSA WITH AES 256 CBC SHA - TLS S TLS ECDHE ECDSA WITH AES 128 CBC SHA - TLS T TLS ECDHE RSA WITH AES 128 CBC SHA -# -# -# noTLS a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA -# noTLS b SSL3 FORTEZZA DMS WITH RC4 128 SHA - noTLS c SSL3 RSA WITH RC4 128 MD5 - noTLS d SSL3 RSA WITH 3DES EDE CBC SHA - noTLS e SSL3 RSA WITH DES CBC SHA - noTLS f SSL3 RSA EXPORT WITH RC4 40 MD5 - noTLS 
g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5 -# noTLS h SSL3 FORTEZZA DMS WITH NULL SHA - noTLS i SSL3 RSA WITH NULL MD5 - noTLS j SSL3 RSA FIPS WITH 3DES EDE CBC SHA - noTLS k SSL3 RSA FIPS WITH DES CBC SHA - noTLS l SSL3 RSA EXPORT WITH DES CBC SHA (new) - noTLS m SSL3 RSA EXPORT WITH RC4 56 SHA (new) - noTLS n SSL3 RSA WITH RC4 128 SHA - noTLS v SSL3 RSA WITH AES 128 CBC SHA - noTLS y SSL3 RSA WITH AES 256 CBC SHA - noTLS z SSL3 RSA WITH NULL SHA -# - TLS c TLS RSA WITH RC4 128 MD5 - TLS d TLS RSA WITH 3DES EDE CBC SHA - TLS e TLS RSA WITH DES CBC SHA - TLS f TLS RSA EXPORT WITH RC4 40 MD5 - TLS g TLS RSA EXPORT WITH RC2 CBC 40 MD5 - TLS i TLS RSA WITH NULL MD5 - TLS j TLS RSA FIPS WITH 3DES EDE CBC SHA - TLS k TLS RSA FIPS WITH DES CBC SHA - TLS l TLS RSA EXPORT WITH DES CBC SHA (new) - TLS m TLS RSA EXPORT WITH RC4 56 SHA (new) - TLS n TLS RSA WITH RC4 128 SHA - TLS v TLS RSA WITH AES 128 CBC SHA - TLS y TLS RSA WITH AES 256 CBC SHA - TLS z TLS RSA WITH NULL SHA diff --git a/security/nss/tests/ssl/ecsslstress.txt b/security/nss/tests/ssl/ecsslstress.txt deleted file mode 100644 index f9feb5d99..000000000 --- a/security/nss/tests/ssl/ecsslstress.txt +++ /dev/null 
@@ -1,24 +0,0 @@ -# -# This file defines the tests for client auth. -# -# expected -# return server client Test Case name -# value params params -# ------ ------ ------ --------------- - 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5 - 0 _ -c_1000_-C_c Stress SSL3 RC4 128 with MD5 - 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 -# -# ECC ciphers -# XXX Session reuse does not seem to work for ECDH-ECDSA, ECDHE-ECDSA ciphers -# but works ok for ECDHE-RSA ciphers. With session reuse turned off -# setting up 1000 connections would take too long so use only 10 connections -# - 0 -c_H -c_10_-C_H_-N Stress TLS ECDH-ECDSA RC4 128 with SHA (no reuse) - 0 -c_S -c_10_-C_S_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse) - 0 -c_T -c_1000_-C_T Stress TLS ECDHE-RSA AES 128 CBC with SHA - -# -# add client auth versions here... -# -# 0 -r -w_bogus_-n_"Test_User" TLS Request don't require client auth (bad password) diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index 1ad1ca843..9603f1805 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh @@ -21,6 +21,7 @@ # the Initial Developer. All Rights Reserved. # # Contributor(s): +# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or @@ -102,6 +103,12 @@ ssl_init() USER_NICKNAME=TestUser NORM_EXT="" + if [ -n "$NSS_ENABLE_ECC" ] ; then + ECC_STRING=" - with ECC" + else + ECC_STRING="" + fi + cd ${CLIENTDIR} } 
@@ -123,12 +130,11 @@ is_selfserv_alive() else PID=`cat ${SERVERPID}` fi - #if [ "${OS_ARCH}" = "Linux" ]; then - kill -0 $PID >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" - #else - #$PS -e | grep $PID >/dev/null || \ - #Exit 10 "Fatal - selfserv process not detectable" - #fi + + echo "kill -0 ${PID} >/dev/null 2>/dev/null" + kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" + + echo "selfserv with PID ${PID} found at `date`" } ########################### wait_for_selfserv ########################## @@ -136,9 +142,9 @@ is_selfserv_alive() ######################################################################## wait_for_selfserv() { + echo "waiting for selfserv at `date`" echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" - #echo "tstclnt -q started at `date`" tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} if [ $? -ne 0 ]; then @@ -147,7 +153,7 @@ wait_for_selfserv() echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} - elif [ sparam = "-c ABCDEFabcdefghijklmnvy" ] ; then # "$1" = "cov" ] ; then + elif [ "$sparam" = "$CSHORT" -o "$sparam" = "$CLONG" ] ; then html_passed "<TR><TD> Wait for Server" fi is_selfserv_alive 
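Review bot: `kill -0 ${PID}` still runs with an unquoted, unchecked PID, so an empty pid file turns into `kill -0` with no argument and the Exit 10 message blames a missing process rather than the empty file; add `[ -n "${PID}" ] || Exit 10 "Fatal - empty selfserv pid file ${SERVERPID}"` before the check. Echoing the command and then running a second, hand-copied copy of it invites the two to drift; that is the pre-existing style of this file, so only a note. is_selfserv_alive starts above the hunk.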
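Review bot: `CSHORT` and `CLONG` are compared in wait_for_selfserv but no hunk in this patch assigns them, and ssl_init's hunk only adds ECC_STRING; if they are defined in a part of ssl.sh not shown here this is fine, otherwise both expand to empty and the `html_passed "<TR><TD> Wait for Server"` row is emitted exactly when sparam is empty. Either way, prefer two tests to the ambiguous `-o` form, `elif [ "$sparam" = "$CSHORT" ] || [ "$sparam" = "$CLONG" ]; then`. The function body continues past the hunk.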
@@ -163,18 +169,33 @@ kill_selfserv() else PID=`cat ${SERVERPID}` fi - ${KILL} ${PID} + + echo "trying to kill selfserv with PID ${PID} at `date`" + + if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then + echo "${KILL} ${PID}" + ${KILL} ${PID} + else + echo "${KILL} -USR1 ${PID}" + ${KILL} -USR1 ${PID} + fi wait ${PID} if [ ${fileout} -eq 1 ]; then cat ${SERVEROUTFILE} fi + # On Linux selfserv needs up to 30 seconds to fully die and free # the port. Wait until the port is free. (Bug 129701) if [ "${OS_ARCH}" = "Linux" ]; then + echo "selfserv -b -p ${PORT} 2>/dev/null;" until selfserv -b -p ${PORT} 2>/dev/null; do + echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;" sleep 1 done fi + + echo "selfserv with PID ${PID} killed at `date`" + rm ${SERVERPID} } @@ -189,16 +210,24 @@ start_selfserv() echo "$SCRIPTNAME: $testname ----" fi sparam=`echo $sparam | sed -e 's;_; ;g'` + if [ -n "$NSS_ENABLE_ECC" ] ; then + ECC_OPTIONS="-e ${HOSTADDR}-ec" + else + ECC_OPTIONS="" + fi + if [ "$1" = "mixed" ]; then + ECC_OPTIONS="-e ${HOSTADDR}-ecmixed" + fi + echo "selfserv starting at `date`" echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" - echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &" - echo "selfserv started at `date`" + echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &" if [ ${fileout} -eq 1 ]; then selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - -w nss ${sparam} -i ${R_SERVERPID} $verbose \ + ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \ > ${SERVEROUTFILE} 2>&1 & else selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - -w nss ${sparam} -i ${R_SERVERPID} $verbose & + ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose & fi # The PID $! returned by the MKS or Cygwin shell is not the PID of # the real background process, but rather the PID of a helper 
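Review bot: The non-Windows branch now sends `-USR1` and then blocks in `wait ${PID}` with no upper bound, so a selfserv build that does not exit on SIGUSR1 (the handler is not part of this patch, so I cannot confirm it) hangs the whole run inside kill_selfserv instead of failing it. A small watchdog keeps the graceful path but fails closed: start `( sleep 30; ${KILL} ${PID} ) >/dev/null 2>&1 & WATCHDOG=$!` right after the USR1 kill, and run `${KILL} ${WATCHDOG} 2>/dev/null` once `wait ${PID}` returns. The `until selfserv -b -p ${PORT}` port-free loop has the same unbounded shape, but that is pre-existing. kill_selfserv's body starts above the hunk.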
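Review bot: `ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"` is set whenever `$1` is `mixed`, independently of NSS_ENABLE_ECC; the callers added in ssl_cov and ssl_stress appear to reach that path only for ECC-tagged rows, but the function itself would hand an EC cert nickname to selfserv on a non-ECC build if called otherwise. Guard it in place, `if [ "$1" = "mixed" -a -n "$NSS_ENABLE_ECC" ]; then`, so start_selfserv is safe regardless of caller. `${ECC_OPTIONS}` is intentionally unquoted so it splits into `-e` and the nickname; a one-line comment saying so would stop a later "quote everything" pass from breaking it. start_selfserv continues past the hunk.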
@@ -214,6 +243,14 @@ start_selfserv()
 # other than the MKS shell.)
 SHELL_SERVERPID=$!
 wait_for_selfserv
+
+ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "selfserv with PID ${PID} started at `date`"
 }
 
 ############################## ssl_cov #################################
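Review bot: The WINNT/CYGWIN_NT pid selection added after wait_for_selfserv is the third copy of the same if/else — is_selfserv_alive and kill_selfserv carry the other two, visible as context in the earlier hunks — and the copies can drift apart (the Cygwin condition is only fully visible here). A tiny helper that prints the pid keeps them in step; the three sites then become `PID=\`selfserv_pid\``. The `cat ${SERVERPID}` here runs right after wait_for_selfserv has verified the pid file, so this is duplication rather than a new failure path.
```shell
########################### selfserv_pid ###############################
# local shell function to print the PID of the running selfserv
# (the shell's child PID on Cygwin, the pid file everywhere else)
########################################################################
selfserv_pid()
{
  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
    echo ${SHELL_SERVERPID}
  else
    cat ${SERVERPID}
  fi
}

# … in start_selfserv, unchanged: wait_for_selfserv …
  PID=`selfserv_pid`
  echo "selfserv with PID ${PID} started at `date`"
```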
@@ -221,28 +258,63 @@ start_selfserv() ######################################################################## ssl_cov() { - html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING" + html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING $ECC_STRING" testname="" - sparam="-c ABCDEFabcdefghijklmnvyz" + if [ -n "$NSS_ENABLE_ECC" ] ; then + sparam="$CLONG" + else + sparam="$CSHORT" + fi + + mixed=0 start_selfserv # Launch the server p="" - while read tls param testname + while read ectype tls param testname do p=`echo "$testname" | sed -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - elif [ "$tls" != "#" ] ; then + elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" != "#" ] ; then echo "$SCRIPTNAME: running $testname ----------------------------" TLS_FLAG=-T - if [ $tls = "TLS" ]; then + if [ "$tls" = "TLS" ]; then TLS_FLAG="" fi - is_selfserv_alive +# These five tests need an EC cert signed with RSA +# This requires a different certificate loaded in selfserv +# due to a (current) NSS limitation of only loaded one cert +# per type so the default selfserv setup will not work. 
+#:C00B TLS ECDH RSA WITH NULL SHA +#:C00C TLS ECDH RSA WITH RC4 128 SHA +#:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA +#:C00E TLS ECDH RSA WITH AES 128 CBC SHA +#:C00F TLS ECDH RSA WITH AES 256 CBC SHA + + if [ $mixed -eq 0 ]; then + if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then + kill_selfserv + start_selfserv mixed + mixed=1 + else + is_selfserv_alive + fi + else + if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then + is_selfserv_alive + else + kill_selfserv + start_selfserv + mixed=0 + fi + fi + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} \\" echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" @@ -253,7 +325,8 @@ ssl_cov() ret=$? cat ${TMP}/$HOST.tmp.$$ rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - html_msg $ret 0 "${testname}" + html_msg $ret 0 "${testname}" \ + "produced a returncode of $ret, expected is 0" fi done < ${SSLCOV} @@ -266,11 +339,13 @@ ssl_cov() ######################################################################## ssl_auth() { - html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING" + html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING $ECC_STRING" - while read value sparam cparam testname + while read ectype value sparam cparam testname do - if [ $value != "#" ]; then + if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" != "#" ]; then cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` start_selfserv 
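Review bot: The five ECDH_RSA suite ids are spelled out twice in back-to-back `-o` chains inside the `mixed` toggle, so adding or removing a suite means editing two long conditions that must stay identical; one `case` that decides "wants the mixed cert" plus a single comparison against `$mixed` gives the same four outcomes in fewer lines (sketch below). In the explanatory comment, "only loaded one cert per type" reads as "only loading one cert per type". ssl_cov's body continues past the hunk.
```shell
          # ECDH_RSA suites :C00B-:C00F need the RSA-signed EC ("mixed") cert
          case "${param}" in
            :C00B|:C00C|:C00D|:C00E|:C00F) want_mixed=1 ;;
            *) want_mixed=0 ;;
          esac
          if [ "$mixed" -eq "$want_mixed" ]; then
            is_selfserv_alive
          elif [ "$want_mixed" -eq 1 ]; then
            kill_selfserv
            start_selfserv mixed
            mixed=1
          else
            kill_selfserv
            start_selfserv
            mixed=0
          fi
# … unchanged: tstclnt invocation and html_msg …
```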
@@ -299,17 +374,33 @@ ssl_auth() ######################################################################## ssl_stress() { - html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING" + html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING $ECC_STRING" - while read value sparam cparam testname + while read ectype value sparam cparam testname do + if [ -z "$ectype" ]; then + # silently ignore blank lines + continue + fi p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - elif [ $value != "#" ]; then - cparam=`echo $cparam | sed -e 's;_; ;g'` - start_selfserv - if [ `uname -n` = "sjsu" ] ; then + elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" != "#" ]; then + cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + +# These tests need the mixed cert +# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) +# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) + p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`; + if [ "$p" = "-c_:C00E" ]; then + start_selfserv mixed + else + start_selfserv + fi + + if [ "`uname -n`" = "sjsu" ] ; then echo "debugging disapering selfserv... ps -ef | grep selfserv" ps -ef | grep selfserv fi @@ -321,8 +412,10 @@ ssl_stress() $verbose ${HOSTADDR} ret=$? echo "strsclnt completed at `date`" - html_msg $ret $value "${testname}" - if [ `uname -n` = "sjsu" ] ; then + html_msg $ret $value \ + "${testname}" \ + "produced a returncode of $ret, expected is $value. " + if [ "`uname -n`" = "sjsu" ] ; then echo "debugging disapering selfserv... ps -ef | grep selfserv" ps -ef | grep selfserv fi 
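Review bot: The `[ -z "$ectype" ] … continue` guard for blank table lines is added only in ssl_stress; the ssl_cov, ssl_auth and ssl_crl_ssl loops now read the same five-column layout and on a blank line fall into their `"$ectype" != "#"` branch with every field empty (ssl_cov would run tstclnt with a bare `-c`, ssl_auth would start selfserv with no sparam), so the same three lines belong at the top of those loops too. The mixed-cert selection extracts any `-c_:C0..` with sed but then compares only against `-c_:C00E`, while ssl_cov treats :C00B–:C00F as the mixed set; either compare against the same list or state in the comment why only C00E occurs in the stress table. The stray `;` after the sed back-tick line is harmless but should go. ssl_stress's body continues past the hunk.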
@@ -339,7 +432,7 @@ ssl_stress() ssl_crl_ssl() { - html_head "CRL SSL Client Tests $NORM_EXT" + html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING" # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it. # Cert number $UNREVOKED_CERT_GRP_1 was not revoked @@ -347,9 +440,11 @@ ssl_crl_ssl() CRL_GROUP_RANGE=$CRL_GRP_1_RANGE UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1 - while read value sparam cparam testname + while read ectype value sparam cparam testname do - if [ $value != "#" ]; then + if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" != "#" ]; then servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` pwd=`echo $cparam | grep nss` user=`echo $cparam | grep TestUser` @@ -443,6 +538,7 @@ is_revoked() { load_group_crl() { group=$1 + ectype=$2 OUTFILE_TMP=${TMP}/$HOST.tmp.$$ grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}` @@ -454,6 +550,15 @@ load_group_crl() { return 1; fi + # Add -ec suffix for ECC + if [ "$ectype" = "ECC" ] ; then + ecsuffix="-ec" + eccomment="ECC " + else + ecsuffix="" + eccomment="" + fi + if [ "$RELOAD_CRL" != "" ]; then if [ $group -eq 1 ]; then echo "==================== Resetting to group 1 crl ===================" 
@@ -461,18 +566,18 @@ load_group_crl() { start_selfserv is_selfserv_alive fi - echo "================= Reloading CRL for group $grpBegin - $grpEnd =============" + echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd =============" echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" - echo " -w nss -n TestUser${UNREVOKED_CERT_GRP_1}" + echo " -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" echo "Request:" - echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}" + echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" echo "" echo "RELOAD time $i" tstclnt -p ${PORT} -h ${HOSTADDR} -f \ - -d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1} \ - <<_EOF_REQUEST_ >${OUTFILE_TMP} 2>&1 -GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd} + -d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ + >${OUTFILE_TMP} 2>&1 <<_EOF_REQUEST_ +GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} _EOF_REQUEST_ cat ${OUTFILE_TMP} @@ -485,11 +590,12 @@ _EOF_REQUEST_ echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv =====" kill_selfserv - CU_ACTION="Importing CRL for groups $grpBegin - $grpEnd" - crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd} \ + CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd" + crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \ -p ../tests.pw.928 ret=$? if [ "$ret" -eq 0 ]; then + html_passed "<TR><TD> ${CU_ACTION}" return 1 fi start_selfserv @@ -502,7 +608,7 @@ _EOF_REQUEST_ ssl_crl_cache() { - html_head "Cache CRL SSL Client Tests $NORM_EXT" + html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING" SSLAUTH_TMP=${TMP}/authin.tl.tmp SERV_ARG=-r_-r rm -f ${SSLAUTH_TMP} 
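Review bot: `html_passed "<TR><TD> ${CU_ACTION}"` is written only on the `ret -eq 0` path, and the non-zero path falls through to `start_selfserv` with no html_failed counterpart, so a failed CRL import surfaces only indirectly through later client-test mismatches; add the symmetric `html_failed "<TR><TD> ${CU_ACTION}"` before the restart, or, if crlu already records its own result row, drop this call to avoid a duplicate PASSED entry. If I read the surrounding context right the successful import returns 1 without restarting selfserv while the failed one restarts it; a one-line comment on what the caller does with that status would make the asymmetry deliberate rather than surprising. load_group_crl starts above the hunk.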
@@ -514,82 +620,89 @@ ssl_crl_cache() do sparam=$SERV_ARG start_selfserv - while read value sparam cparam testname + while read ectype value sparam cparam testname do - servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` - pwd=`echo $cparam | grep nss` - user=`echo $cparam | grep TestUser` - _cparam=$cparam - case $servarg in - 1) if [ -z "$pwd" -o -z "$user" ]; then - rev_modvalue=0 - else - rev_modvalue=254 - fi - ;; - 2) rev_modvalue=254 ;; - - 3) if [ -z "$pwd" -o -z "$user" ]; then - rev_modvalue=0 - else - rev_modvalue=1 - fi - ;; - 4) rev_modvalue=1 ;; - esac - TEMP_NUM=0 - LOADED_GRP=1 - while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] - do - while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] + if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + else + servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` + pwd=`echo $cparam | grep nss` + user=`echo $cparam | grep TestUser` + _cparam=$cparam + case $servarg in + 1) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=254 + fi + ;; + 2) rev_modvalue=254 ;; + + 3) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=1 + fi + ;; + 4) rev_modvalue=1 ;; + esac + TEMP_NUM=0 + LOADED_GRP=1 + while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] do - CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` - TEMP_NUM=`expr $TEMP_NUM + 1` - USER_NICKNAME="TestUser${CURR_SER_NUM}" - cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` - - echo "Server Args: $SERV_ARG" - echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" - echo " ${cparam} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${R_CLIENTDIR} < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? - cat ${TMP}/$HOST.tmp.$$ - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - is_revoked ${CURR_SER_NUM} ${LOADED_GRP} - isRevoked=$? 
- if [ $isRevoked -eq 0 ]; then - modvalue=$rev_modvalue - testAddMsg="revoked" - else - modvalue=$value - testAddMsg="not revoked" - fi - - is_selfserv_alive - ss_status=$? - if [ "$ss_status" -ne 0 ]; then - html_msg $ret $modvalue \ - "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ - "produced a returncode of $ret, expected is $modvalue. " \ - "selfserv is not alive!" - else - html_msg $ret $modvalue \ - "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ - "produced a returncode of $ret, expected is $modvalue" + while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] + do + CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` + TEMP_NUM=`expr $TEMP_NUM + 1` + USER_NICKNAME="TestUser${CURR_SER_NUM}" + cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + + echo "Server Args: $SERV_ARG" + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + is_revoked ${CURR_SER_NUM} ${LOADED_GRP} + isRevoked=$? + if [ $isRevoked -eq 0 ]; then + modvalue=$rev_modvalue + testAddMsg="revoked" + else + modvalue=$value + testAddMsg="not revoked" + fi + + is_selfserv_alive + ss_status=$? + if [ "$ss_status" -ne 0 ]; then + html_msg $ret $modvalue \ + "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue. " \ + "selfserv is not alive!" 
+ else + html_msg $ret $modvalue \ + "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + fi + done + LOADED_GRP=`expr $LOADED_GRP + 1` + TEMP_NUM=0 + if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then + load_group_crl $LOADED_GRP $ectype + html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \ + "produced a returncode of $ret, expected is 0" fi done - LOADED_GRP=`expr $LOADED_GRP + 1` - TEMP_NUM=0 - if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then - load_group_crl $LOADED_GRP - html_msg $ret 0 "Load group $LOADED_GRP crl " \ - "produced a returncode of $ret, expected is 0" - fi - done - load_group_crl 1 + # Restart selfserv to roll back to two initial group 1 crls + # TestCA CRL and TestCA-ec CRL + kill_selfserv + start_selfserv + fi done < ${SSLAUTH_TMP} kill_selfserv SERV_ARG="${SERV_ARG}_-r" @@ -637,7 +750,7 @@ ssl_run() ssl_auth ssl_stress - # the next round off ssl tests will only run if these vars are reset + # the next round of ssl tests will only run if these vars are reset SERVERDIR=$ORIG_SERVERDIR CLIENTDIR=$ORIG_CLIENTDIR R_SERVERDIR=$ORIG_R_SERVERDIR @@ -647,13 +760,15 @@ ssl_run() USER_NICKNAME=TestUser NORM_EXT= cd ${QADIR}/ssl - ssl_cleanup } ################## main ################################################# #this script may be sourced from the distributed stress test - in this case do nothing... +CSHORT="-c ABCDEFcdefgijklmnvyz" +CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz" + if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then ssl_init @@ -668,7 +783,6 @@ if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then ssl_crl_ssl ssl_crl_cache - ssl_cleanup # Test all combinations of server bypass and client bypass CLIENT_OPTIONS="-B -s" @@ -680,4 +794,5 @@ if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then BYPASS_STRING="Server Bypass" ssl_run + ssl_cleanup fi 
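Review bot: The comment `# Restart selfserv to roll back to two initial group 1 crls` promises a reset the code may not deliver: when RELOAD_CRL is unset, load_group_crl imports each group's CRL into the server DB with `crlu -I`, and a kill/start of selfserv does not undo a DB import. Please confirm which path ssl_crl_cache actually exercises and reword the comment to describe the state the restart restores, e.g. `# Restart selfserv so it drops the CRLs loaded via the GET crl:// requests`. Later in the same hunk, `html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl "` reports the global `ret` that load_group_crl last assigned and `eccomment`, which that function sets as a side effect; since the function's own return status is 1 after a successful import, a one-line comment explaining why `$?` is not used would spare the next reader a false bug report. The `while read ectype value sparam cparam testname` also lacks `-r`, though the current sslauth.txt rows contain no backslashes.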
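Review bot: `CSHORT` and `CLONG` are inserted between the comment `#this script may be sourced from the distributed stress test ...` and the `if` that comment describes, so the comment now reads as if it documented the cipher lists. Move the two assignments above the `################## main` line or give them their own comment, e.g. `# cipher lists: CSHORT is the non-ECC suite set, CLONG adds the ECC suites C001-C014`. Neither variable is used inside this hunk; presumably another function selects one based on NSS_ENABLE_ECC, which would be the natural place to define them.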
diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt
index c150e1090..deb30c3b6 100644
--- a/security/nss/tests/ssl/sslauth.txt
+++ b/security/nss/tests/ssl/sslauth.txt
@@ -1,31 +1,50 @@ # # This file defines the tests for client auth. # -# expected -# return server client Test Case name -# value params params -# ------ ------ ------ --------------- - 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth) - 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password) - 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth) - 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth) - 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password) - 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth) - 0 -r -T_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) - 0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) - 0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) - 254 -r_-r -T_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) - 254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) - 0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth) - 0 -r_-r_-r -w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) - 0 -r_-r_-r -w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) - 0 -r_-r_-r -w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) - 1 -r_-r_-r_-r -w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth) - 1 -r_-r_-r_-r -w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password) - 0 -r_-r_-r_-r -w_nss_-n_TestUser_ TLS Require client auth on 2nd hs (client auth) - 0 -r_-r_-r -T_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) - 0 -r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) - 0 -r_-r_-r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth 
on 2nd hs (client auth) - 1 -r_-r_-r_-r -T_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) - 1 -r_-r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) - 0 -r_-r_-r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) +# expected +# Enable return server client Test Case name +# ECC value params params +# ------- ------ ------ ------ --------------- + noECC 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth) + noECC 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password) + noECC 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth) + noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth) + noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password) + noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth) + noECC 0 -r -T_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) + noECC 0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) + noECC 0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) + noECC 254 -r_-r -T_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) + noECC 254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) + noECC 0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth) + noECC 0 -r_-r_-r -w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password) + noECC 0 
-r_-r_-r_-r -w_nss_-n_TestUser_ TLS Require client auth on 2nd hs (client auth) + noECC 0 -r_-r_-r -T_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -T_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) +# +# Use EC cert for client authentication +# + ECC 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password) + ECC 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth) + ECC 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password) + ECC 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth) + ECC 0 -r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password) + ECC 0 -r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth) + ECC 254 -r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password) + ECC 0 -r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth) + ECC 0 -r_-r_-r -w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r -w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth) + ECC 0 -r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r 
-T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt index 52cbae7f5..739988645 100644 --- a/security/nss/tests/ssl/sslcov.txt +++ b/security/nss/tests/ssl/sslcov.txt 
@@ -4,45 +4,91 @@ # NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We # mix up the enable functions so we can tests boths paths. # -# Enable Cipher Test Name -# TLS -# - noTLS A SSL2 RC4 128 WITH MD5 - TLS B SSL2 RC4 128 EXPORT40 WITH MD5 - TLS C SSL2 RC2 128 CBC WITH MD5 - noTLS D SSL2 RC2 128 CBC EXPORT40 WITH MD5 - TLS E SSL2 DES 64 CBC WITH MD5 - noTLS F SSL2 DES 192 EDE3 CBC WITH MD5 -# -# noTLS a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA -# noTLS b SSL3 FORTEZZA DMS WITH RC4 128 SHA - noTLS c SSL3 RSA WITH RC4 128 MD5 - noTLS d SSL3 RSA WITH 3DES EDE CBC SHA - noTLS e SSL3 RSA WITH DES CBC SHA - noTLS f SSL3 RSA EXPORT WITH RC4 40 MD5 - noTLS g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5 -# noTLS h SSL3 FORTEZZA DMS WITH NULL SHA - noTLS i SSL3 RSA WITH NULL MD5 - noTLS j SSL3 RSA FIPS WITH 3DES EDE CBC SHA - noTLS k SSL3 RSA FIPS WITH DES CBC SHA - noTLS l SSL3 RSA EXPORT WITH DES CBC SHA (new) - noTLS m SSL3 RSA EXPORT WITH RC4 56 SHA (new) - noTLS n SSL3 RSA WITH RC4 128 SHA - noTLS v SSL3 RSA WITH AES 128 CBC SHA - noTLS y SSL3 RSA WITH AES 256 CBC SHA - noTLS z SSL3 RSA WITH NULL SHA -# - TLS c TLS RSA WITH RC4 128 MD5 - TLS d TLS RSA WITH 3DES EDE CBC SHA - TLS e TLS RSA WITH DES CBC SHA - TLS f TLS RSA EXPORT WITH RC4 40 MD5 - TLS g TLS RSA EXPORT WITH RC2 CBC 40 MD5 - TLS i TLS RSA WITH NULL MD5 - TLS j TLS RSA FIPS WITH 3DES EDE CBC SHA - TLS k TLS RSA FIPS WITH DES CBC SHA - TLS l TLS RSA EXPORT WITH DES CBC SHA (new) - TLS m TLS RSA EXPORT WITH RC4 56 SHA (new) - TLS n TLS RSA WITH RC4 128 SHA - TLS v TLS RSA WITH AES 128 CBC SHA - TLS y TLS RSA WITH AES 256 CBC SHA - TLS z TLS RSA WITH NULL SHA +# Enable Enable Cipher Test Name +# EC TLS +# + noECC noTLS A SSL2 RC4 128 WITH MD5 + noECC TLS B SSL2 RC4 128 EXPORT40 WITH MD5 + noECC TLS C SSL2 RC2 128 CBC WITH MD5 + noECC noTLS D SSL2 RC2 128 CBC EXPORT40 WITH MD5 + noECC TLS E SSL2 DES 64 CBC WITH MD5 + noECC noTLS F SSL2 DES 192 EDE3 CBC WITH MD5 +# +# noECC noTLS a SSL3 FORTEZZA DMS 
WITH FORTEZZA CBC SHA +# noECC noTLS b SSL3 FORTEZZA DMS WITH RC4 128 SHA + noECC noTLS c SSL3 RSA WITH RC4 128 MD5 + noECC noTLS d SSL3 RSA WITH 3DES EDE CBC SHA + noECC noTLS e SSL3 RSA WITH DES CBC SHA + noECC noTLS f SSL3 RSA EXPORT WITH RC4 40 MD5 + noECC noTLS g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5 +# noECC noTLS h SSL3 FORTEZZA DMS WITH NULL SHA + noECC noTLS i SSL3 RSA WITH NULL MD5 + noECC noTLS j SSL3 RSA FIPS WITH 3DES EDE CBC SHA + noECC noTLS k SSL3 RSA FIPS WITH DES CBC SHA + noECC noTLS l SSL3 RSA EXPORT WITH DES CBC SHA (new) + noECC noTLS m SSL3 RSA EXPORT WITH RC4 56 SHA (new) + noECC noTLS n SSL3 RSA WITH RC4 128 SHA + noECC noTLS v SSL3 RSA WITH AES 128 CBC SHA + noECC noTLS y SSL3 RSA WITH AES 256 CBC SHA + noECC noTLS z SSL3 RSA WITH NULL SHA +# + noECC TLS c TLS RSA WITH RC4 128 MD5 + noECC TLS d TLS RSA WITH 3DES EDE CBC SHA + noECC TLS e TLS RSA WITH DES CBC SHA + noECC TLS f TLS RSA EXPORT WITH RC4 40 MD5 + noECC TLS g TLS RSA EXPORT WITH RC2 CBC 40 MD5 + noECC TLS i TLS RSA WITH NULL MD5 + noECC TLS j TLS RSA FIPS WITH 3DES EDE CBC SHA + noECC TLS k TLS RSA FIPS WITH DES CBC SHA + noECC TLS l TLS RSA EXPORT WITH DES CBC SHA (new) + noECC TLS m TLS RSA EXPORT WITH RC4 56 SHA (new) + noECC TLS n TLS RSA WITH RC4 128 SHA + noECC TLS v TLS RSA WITH AES 128 CBC SHA + noECC TLS y TLS RSA WITH AES 256 CBC SHA + noECC TLS z TLS RSA WITH NULL SHA +# +# ECC ciphers (SSL3) +# + ECC noTLS :C001 SSL3 ECDH ECDSA WITH NULL SHA + ECC noTLS :C002 SSL3 ECDH ECDSA WITH RC4 128 SHA + ECC noTLS :C003 SSL3 ECDH ECDSA WITH 3DES EDE CBC SHA + ECC noTLS :C004 SSL3 ECDH ECDSA WITH AES 128 CBC SHA + ECC noTLS :C005 SSL3 ECDH ECDSA WITH AES 256 CBC SHA + ECC noTLS :C006 SSL3 ECDHE ECDSA WITH NULL SHA + ECC noTLS :C007 SSL3 ECDHE ECDSA WITH RC4 128 SHA + ECC noTLS :C008 SSL3 ECDHE ECDSA WITH 3DES EDE CBC SHA + ECC noTLS :C009 SSL3 ECDHE ECDSA WITH AES 128 CBC SHA + ECC noTLS :C00A SSL3 ECDHE ECDSA WITH AES 256 CBC SHA + ECC noTLS :C00B SSL3 ECDH RSA WITH NULL SHA + 
ECC noTLS :C00C SSL3 ECDH RSA WITH RC4 128 SHA + ECC noTLS :C00D SSL3 ECDH RSA WITH 3DES EDE CBC SHA + ECC noTLS :C00E SSL3 ECDH RSA WITH AES 128 CBC SHA + ECC noTLS :C00F SSL3 ECDH RSA WITH AES 256 CBC SHA + ECC noTLS :C010 SSL3 ECDHE RSA WITH NULL SHA + ECC noTLS :C011 SSL3 ECDHE RSA WITH RC4 128 SHA + ECC noTLS :C012 SSL3 ECDHE RSA WITH 3DES EDE CBC SHA + ECC noTLS :C013 SSL3 ECDHE RSA WITH AES 128 CBC SHA + ECC noTLS :C014 SSL3 ECDHE RSA WITH AES 256 CBC SHA +# +# ECC ciphers (TLS) +# + ECC TLS :C001 TLS ECDH ECDSA WITH NULL SHA + ECC TLS :C002 TLS ECDH ECDSA WITH RC4 128 SHA + ECC TLS :C003 TLS ECDH ECDSA WITH 3DES EDE CBC SHA + ECC TLS :C004 TLS ECDH ECDSA WITH AES 128 CBC SHA + ECC TLS :C005 TLS ECDH ECDSA WITH AES 256 CBC SHA + ECC TLS :C006 TLS ECDHE ECDSA WITH NULL SHA + ECC TLS :C007 TLS ECDHE ECDSA WITH RC4 128 SHA + ECC TLS :C008 TLS ECDHE ECDSA WITH 3DES EDE CBC SHA + ECC TLS :C009 TLS ECDHE ECDSA WITH AES 128 CBC SHA + ECC TLS :C00A TLS ECDHE ECDSA WITH AES 256 CBC SHA + ECC TLS :C00B TLS ECDH RSA WITH NULL SHA + ECC TLS :C00C TLS ECDH RSA WITH RC4 128 SHA + ECC TLS :C00D TLS ECDH RSA WITH 3DES EDE CBC SHA + ECC TLS :C00E TLS ECDH RSA WITH AES 128 CBC SHA + ECC TLS :C00F TLS ECDH RSA WITH AES 256 CBC SHA + ECC TLS :C010 TLS ECDHE RSA WITH NULL SHA + ECC TLS :C011 TLS ECDHE RSA WITH RC4 128 SHA + ECC TLS :C012 TLS ECDHE RSA WITH 3DES EDE CBC SHA + ECC TLS :C013 TLS ECDHE RSA WITH AES 128 CBC SHA + ECC TLS :C014 TLS ECDHE RSA WITH AES 256 CBC SHA diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt index 253faa48e..97f67c207 100644 --- a/security/nss/tests/ssl/sslstress.txt +++ b/security/nss/tests/ssl/sslstress.txt 
@@ -1,14 +1,34 @@ # -# This file defines the tests for client auth. +# This file defines the stress tests for SSL/TLS. # -# expected -# return server client Test Case name -# value params params -# ------ ------ ------ --------------- - 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5 - 0 _ -c_1000_-C_c_-T Stress SSL3 RC4 128 with MD5 - 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 +# expected +# Enable return server client Test Case name +# ECC value params params +# ------- ------ ------ ------ --------------- + noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5 + noECC 0 _ -c_1000_-C_c_-T Stress SSL3 RC4 128 with MD5 + noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 + # # add client auth versions here... # -# 0 -r -w_bogus_-n_"Test_User" TLS Request don't require client auth (bad password) + noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (client auth) + noECC 0 -r_-r -c_100_-C_c_-T_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (client auth) + noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (client auth) + +# +# ############################ ECC ciphers ############################ +# + ECC 0 -c_:C009 -c_100_-C_:C009_-N_-T Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C013 -c_1000_-C_:C013_-T Stress SSL3 ECDHE-RSA AES 128 CBC with SHA + ECC 0 -c_:C004 -2_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C00E -2_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) + ECC 0 -c_:C013 -2_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA +# +# add client auth versions here... 
+# + ECC 0 -r_-r_-c_:C009 -c_10_-C_:C009_-N_-T_-n_TestUser-ec Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C013 -c_100_-C_:C013_-T_-n_TestUser-ec Stress SSL3 ECDHE-RSA AES 128 CBC with SHA (client auth) + ECC 0 -r_-r_-c_:C004 -c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C00E -c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) + ECC 0 -r_-r_-c_:C013 -c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth) diff --git a/security/nss/tests/tools/ectools.sh b/security/nss/tests/tools/ectools.sh deleted file mode 100644 index 65e8d7ce1..000000000 --- a/security/nss/tests/tools/ectools.sh +++ /dev/null 
@@ -1,210 +0,0 @@ -#! /bin/sh -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is the Netscape security libraries. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1994-2000 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. 
-# -# ***** END LICENSE BLOCK ***** - -######################################################################## -# -# mozilla/security/nss/tests/tools/tools.sh -# -# Script to test basic functionallity of NSS tools -# -# needs to work on all Unix and Windows platforms -# -# tests implemented: -# pk12util -# signtool -# -# special strings -# --------------- -# FIXME ... known problems, search for this string -# NOTE .... unexpected behavior -######################################################################## - -############################## tools_init ############################## -# local shell function to initialize this script -######################################################################## -tools_init() -{ - SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh - - if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for - CLEANUP="${SCRIPTNAME}" # cleaning this script will do it - fi - - if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then - cd ../common - . ./init.sh - fi - if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here - cd ../cert - . 
./cert.sh - fi - SCRIPTNAME=tools.sh - html_head "Tools Tests" - - grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { - Exit 15 "Fatal - S/MIME of cert.sh needs to pass first" - } - - TOOLSDIR=${HOSTDIR}/tools - COPYDIR=${TOOLSDIR}/copydir - - R_TOOLSDIR=../tools - R_COPYDIR=../tools/copydir - P_R_COPYDIR=${R_COPYDIR} - if [ -n "${MULTIACCESS_DBM}" ]; then - P_R_COPYDIR="multiaccess:Tools.$version" - fi - - mkdir -p ${TOOLSDIR} - mkdir -p ${COPYDIR} - mkdir -p ${TOOLSDIR}/html - cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html - - cd ${TOOLSDIR} -} - -############################## tools_p12 ############################### -# local shell function to test basic functionality of pk12util -######################################################################## -tools_p12() -{ - echo "$SCRIPTNAME: Exporting Alice's email cert & key------------------" - echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" - echo " -w ${R_PWFILE}" - pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ - -w ${R_PWFILE} 2>&1 - ret=$? - html_msg $ret 0 "Exporting Alice's email cert & key (pk12util -o)" - check_tmpfile - - echo "$SCRIPTNAME: Importing Alice's email cert & key -----------------" - echo "pk12util -i Alice.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" - pk12util -i Alice.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 - ret=$? - html_msg $ret 0 "Importing Alice's email cert & key (pk12util -i)" - check_tmpfile - - echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------" - echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" - echo " -w ${R_PWFILE}" - pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ - -w ${R_PWFILE} 2>&1 - ret=$? 
- html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)" - check_tmpfile - - echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------" - echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" - pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 - ret=$? - html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)" - check_tmpfile - -} - -############################## tools_sign ############################## -# local shell function pk12util uses a hardcoded tmp file, if this exists -# and is owned by another user we don't get reasonable errormessages -######################################################################## -check_tmpfile() -{ - if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then - echo "Error: pk12util temp file exists. Please remove this file and" - echo " rerun the test (/tmp/Pk12uTemp) " - fi -} - -############################## tools_sign ############################## -# local shell function to test basic functionality of signtool -######################################################################## -tools_sign() -{ - echo "$SCRIPTNAME: Create objsign cert -------------------------------" - echo "signtool -G \"objectsigner\" -d ${P_R_ALICEDIR} -p \"nss\"" - signtool -G "objsigner" -d ${P_R_ALICEDIR} -p "nss" 2>&1 <<SIGNSCRIPT -y -TEST -MOZ -NSS -NY -US -liz -liz@moz.org -SIGNSCRIPT - html_msg $? 0 "Create objsign cert (signtool -G)" - - echo "$SCRIPTNAME: Signing a set of files ----------------------------" - echo "signtool -Z nojs.jar -d ${P_R_ALICEDIR} -p \"nss\" -k objsigner \\" - echo " ${R_TOOLSDIR}/html" - signtool -Z nojs.jar -d ${P_R_ALICEDIR} -p "nss" -k objsigner \ - ${R_TOOLSDIR}/html - html_msg $? 
0 "Signing a set of files (signtool -Z)" - - echo "$SCRIPTNAME: Listing signed files in jar ----------------------" - echo "signtool -v nojs.jar -d ${P_R_ALICEDIR} -p nss -k objsigner" - signtool -v nojs.jar -d ${P_R_ALICEDIR} -p nss -k objsigner - html_msg $? 0 "Listing signed files in jar (signtool -v)" - - echo "$SCRIPTNAME: Show who signed jar ------------------------------" - echo "signtool -w nojs.jar -d ${P_R_ALICEDIR}" - signtool -w nojs.jar -d ${P_R_ALICEDIR} - html_msg $? 0 "Show who signed jar (signtool -w)" -} - -############################## tools_cleanup ########################### -# local shell function to finish this script (no exit since it might be -# sourced) -######################################################################## -tools_cleanup() -{ - html "</TABLE><BR>" - cd ${QADIR} - . common/cleanup.sh -} - -################## main ################################################# - -tools_init - -tools_p12 - -tools_sign -tools_cleanup - - diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh index 73d817366..b32eed254 100644 --- a/security/nss/tests/tools/tools.sh +++ b/security/nss/tests/tools/tools.sh @@ -21,6 +21,7 @@ # the Initial Developer. All Rights Reserved. # # Contributor(s): +# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or @@ -74,7 +75,12 @@ tools_init() . ./cert.sh fi SCRIPTNAME=tools.sh - html_head "Tools Tests" + + if [ -n "$NSS_ENABLE_ECC" ] ; then + html_head "Tools Tests with ECC" + else + html_head "Tools Tests" + fi grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { Exit 15 "Fatal - S/MIME of cert.sh needs to pass first" 
@@ -87,7 +93,7 @@ tools_init() R_COPYDIR=../tools/copydir P_R_COPYDIR=${R_COPYDIR} if [ -n "${MULTIACCESS_DBM}" ]; then - P_R_COPYDIR="multiaccess:Tools.$version" + P_R_COPYDIR="multiaccess:Tools.$version" fi mkdir -p ${TOOLSDIR} @@ -125,6 +131,32 @@ tools_p12() ret=$? html_msg $ret 0 "Listing Alice's pk12 file (pk12util -l)" check_tmpfile + + if [ -n "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------" + echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" + echo " -w ${R_PWFILE}" + pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ + -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)" + check_tmpfile + + echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------" + echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" + pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)" + check_tmpfile + + echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------" + echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}" + pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1 + ret=$? + html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)" + check_tmpfile + fi + } ############################## tools_sign ############################## |