#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
########################################################################
#
# mozilla/security/nss/tests/iopr/cert_iopr.sh
#
# Certificate generation and handling for NSS interoperability QA. This file
# is included from cert.sh
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
########################################################################
# Marker that this file has been sourced (presumably checked by the
# including script named in the header comment above).
IOPR_CERT_SOURCED=1
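########################################################################
# Wraps calls to pk12util: prints the current CU_ACTION banner and the
# command line to stdout, then runs ${BINDIR}/pk12util.
# Globals:
#   CU_ACTION (read) - description of the current step, echoed as banner
#   BINDIR (read)    - directory holding the pk12util binary
#   RET (written)    - exit status of pk12util
# Arguments: passed through unchanged to pk12util
# Returns: pk12util's exit status
#
pk12u()
{
    echo "${CU_ACTION} --------------------------"
    echo "pk12util $*"
    # "$@" hands each argument over as one word; the unquoted $@ used
    # before re-split any argument containing whitespace.
    "${BINDIR}/pk12util" "$@"
    RET=$?
    return $RET
}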
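########################################################################
# Initializes an NSS db directory (certu -N) and loads the builtin root
# cert module into it, unless the directory already holds db files.
# Globals:
#   trgDir (written) - set to the absolute path of $1 (mixed-style
#                      C:/... path on Cygwin). Deliberately NOT local:
#                      download_file reads trgDir after calling this.
#   OS_ARCH, OS_NAME, R_PWFILE, ROOTCERTSFILE (read)
#   CU_ACTION (written); RET is expected to be set by certu/modu, which
#   are defined outside this file
# Arguments:
#   $1 - directory location
# Returns: 0 if the db exists or was created; otherwise RET of the
#   failing certu/modu step, or 1 if the directory cannot be entered
#
createDBDir() {
    trgDir=$1

    # Any entry with "db" in its name counts as an initialized database.
    if [ -z "$(ls "$trgDir" | grep db)" ]; then
        # Absolute path. The former `cd x; pwd` silently returned $PWD when
        # the directory did not exist; fail explicitly instead.
        if ! trgDir=$(cd "${trgDir}" && pwd); then
            RET=1
            return 1
        fi
        if [ "${OS_ARCH}" = "WINNT" ] && [ "$OS_NAME" = "CYGWIN_NT" ]; then
            # cygpath -m yields a mixed-style path (C:/dir) that non-Cygwin
            # programs can open.
            trgDir=$(cygpath -m "${trgDir}")
        fi

        CU_ACTION="Initializing DB at ${trgDir}"
        certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
        if [ "$RET" -ne 0 ]; then
            return $RET
        fi

        CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
        modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
        if [ "$RET" -ne 0 ]; then
            return $RET
        fi
    fi
}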
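########################################################################
# Downloads a config, cert or crl file from the remote test host by
# sending a hand-built HTTP/1.0 GET through tstclnt.
# Globals:
#   BINDIR, IOPR_DOWNLOAD_PORT, R_PWFILE (read)
#   host, filePath, trgDir, file, req, ret (written; not local)
#   trgDir may be rewritten by createDBDir (absolute / cygpath form)
# Arguments:
#   $1 - name of the host the file will be downloaded from
#   $2 - path to the file as it appears in the URL
#   $3 - target directory the file will be saved in
# Returns: tstclnt's status, or RET from createDBDir if the target db
#   cannot be initialized
#
download_file() {
    host=$1
    filePath=$2
    trgDir=$3

    # Computed before createDBDir, i.e. from the caller's spelling of $3.
    file=$trgDir/$(basename "$filePath")

    # tstclnt needs a cert/key db in -d; make sure one exists.
    createDBDir "$trgDir" || return $RET

    req=$file.$$
    echo "GET $filePath HTTP/1.0" > "$req"
    echo >> "$req"
    # -o tells tstclnt to accept a server cert that fails verification:
    # the transfer is encrypted but the peer is not authenticated, and
    # download_install_certs sources the downloaded config as shell code.
    echo "${BINDIR}/tstclnt" -d "$trgDir" -S -h "$host" -p "$IOPR_DOWNLOAD_PORT" \
        -v -w "${R_PWFILE}" -o
    "${BINDIR}/tstclnt" -d "$trgDir" -S -h "$host" -p "$IOPR_DOWNLOAD_PORT" \
        -v -w "${R_PWFILE}" -o < "$req" > "$file"
    ret=$?
    # Was `rm -f $_tmp` (never set), which left the request file behind.
    rm -f "$req"
    return $ret
}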
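########################################################################
# Imports a file into the NSS db at <dir> ($1), choosing the tool by the
# file extension: pk12util for .p12, crlutil for .crl, certutil for
# .crt/.cert. Initializes the db if it does not exist yet.
# Globals:
#   R_PWFILE (read), CU_ACTION (written)
#   dir, file, certName, certTrust (written; not local)
# Arguments:
#   $1 - db location directory
#   $2 - file name to import
#   $3 - nick name the object in the file will be associated with
#        (unused for .crl files)
#   $4 - trust arguments in certutil -t syntax, e.g. "TC,C,C"
# Returns: status of the import (pk12u/certu/crlu), 1 for an unknown
#   extension or a failed p12 import; RET from createDBDir on db failure
#
importFile() {
    dir=$1
    file=$2
    certName=$3
    certTrust=$4
    local baseName

    [ ! -d "$dir" ] && mkdir -p "$dir"
    createDBDir "$dir" || return $RET

    # Extension of the basename only (was `basename | sed 's/^.*\.//'`),
    # so a dot in a directory name cannot confuse the dispatch.
    baseName=${file##*/}
    case "${baseName##*.}" in
        p12)
            CU_ACTION="Importing p12 $file to DB at $dir"
            # -W: password of the PKCS#12 file; the test fixtures are all
            # packaged with the fixed value "iopr".
            pk12u -d "$dir" -i "$file" -k "${R_PWFILE}" -W iopr || return 1
            CU_ACTION="Modifying trust for cert $certName at $dir"
            certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
            return $?
            ;;
        crl)
            CU_ACTION="Importing crl $file to DB at $dir"
            # The nick handed to crlutil is fixed to TestCA; $3 and $4 are
            # ignored for CRLs.
            crlu -d "${dir}" -I -n TestCA -i "$file"
            return $?
            ;;
        crt | cert)
            CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
            certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
                -i "$file"
            return $?
            ;;
        *)
            echo "Unknown file extension: $file:"
            return 1
            ;;
    esac
}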
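#########################################################################
# Downloads and installs test certs and crl from a remote webserver.
# Generates a server cert for reverse testing if the reverse test run is
# turned on (reverseRunCGIScript in the downloaded config is non-empty).
# Globals (read): HOSTADDR, R_PWFILE, R_NOISE_FILE, plus everything the
#   sourced iopr_server.cfg defines (certDir, caCertName, caCrlName,
#   supportedTests_new, reverseRunCGIScript, downloadFiles, ...)
# Globals (written): CU_ACTION, CU_SUBJECT, CERTNAME, RET, tmpFiles,
#   doSslTests, doOcspTests, clientDir, certName, and the config's
#   variables
# Arguments:
#   $1 - host name to download files from
#   $2 - directory the CA cert is installed in and used from for
#        signing the server cert
#   $3 - path to the config file in the webserver context
#   $4 - ssl server db location
#   $5 - ssl client db location
#   $6 - ocsp client db location
#
# Returns 0 upon success, otherwise the failed command's error code
#   (1 when a download did not produce the expected file). A failed
#   CA cert export calls Exit (defined outside this file) with code 7.
#
download_install_certs() {
    host=$1
    caDir=$2
    confPath=$3
    sslServerDir=$4
    sslClientDir=$5
    ocspClientDir=$6

    [ ! -d "$caDir" ] && mkdir -p "$caDir"

    #=======================================================
    # Getting config file
    #
    download_file "$host" "$confPath/iopr_server.cfg" "$caDir"
    RET=$?
    if [ $RET -ne 0 ] || [ ! -f "$caDir/iopr_server.cfg" ]; then
        html_failed "Fail to download website config file(ws: $host)"
        return 1
    fi

    # The config is executed as shell code in this process; whatever the
    # test host serves at $confPath defines the variables used below.
    . "$caDir/iopr_server.cfg"
    RET=$?
    if [ $RET -ne 0 ]; then
        html_failed "Fail to source config file(ws: $host)"
        return $RET
    fi

    #=======================================================
    # Getting CA file
    #
    #----------------- !!!WARNING!!! -----------------------
    # Do NOT copy this scenario. CA should never accompany its
    # cert with the private key when deliver cert to a customer.
    #----------------- !!!WARNING!!! -----------------------
    download_file "$host" "$certDir/$caCertName.p12" "$caDir"
    RET=$?
    if [ $RET -ne 0 ] || [ ! -f "$caDir/$caCertName.p12" ]; then
        html_failed "Fail to download $caCertName cert(ws: $host)"
        return 1
    fi
    # Space separated list of files removed at the end (the p12 holds
    # the CA private key, so it must not outlive this function).
    tmpFiles="$caDir/$caCertName.p12"

    importFile "$caDir" "$caDir/$caCertName.p12" "$caCertName" "TC,C,C"
    RET=$?
    if [ $RET -ne 0 ]; then
        html_failed "Fail to import $caCertName cert to CA DB(ws: $host)"
        return $RET
    fi

    CU_ACTION="Exporting Root CA cert(ws: $host)"
    certu -L -n "$caCertName" -r -d "${caDir}" -o "$caDir/$caCertName.cert"
    if [ "$RET" -ne 0 ]; then
        Exit 7 "Fatal - failed to export $caCertName cert"
    fi

    #=======================================================
    # Check what tests we want to run
    #
    doSslTests=0; doOcspTests=0
    # XXX remove "_new" from variables below
    echo "${supportedTests_new}" | grep -qi ssl && doSslTests=1
    echo "${supportedTests_new}" | grep -qi ocsp && doOcspTests=1

    if [ $doSslTests -eq 1 ]; then
        if [ "$reverseRunCGIScript" ]; then
            [ ! -d "$sslServerDir" ] && mkdir -p "$sslServerDir"
            #=======================================================
            # Import CA cert to server DB
            #
            importFile "$sslServerDir" "$caDir/$caCertName.cert" server-client-CA "TC,C,C"
            RET=$?
            if [ $RET -ne 0 ]; then
                html_failed "Fail to import server-client-CA cert to server DB(ws: $host)"
                return $RET
            fi

            #=======================================================
            # Creating server cert
            #
            CERTNAME=$HOSTADDR
            CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
            CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
            certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
                -o "$sslServerDir/req" 2>&1
            # Previously unchecked; a failed request only surfaced as a
            # confusing import error further down.
            if [ "$RET" -ne 0 ]; then
                html_failed "Fail to generate cert request for $CERTNAME(ws: $host)"
                return $RET
            fi
            tmpFiles="$tmpFiles $sslServerDir/req"

            # NOTE:
            # For possible time synchronization problems (bug 444308) we generate
            # certificates valid also some time in past (-w -1)
            CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
            certu -C -c "$caCertName" -m "$(date +"%s")" -v 60 -w -1 \
                -d "${caDir}" \
                -i "${sslServerDir}/req" -o "$caDir/${CERTNAME}.cert" \
                -f "${R_PWFILE}" 2>&1
            if [ "$RET" -ne 0 ]; then
                html_failed "Fail to sign cert request for $CERTNAME(ws: $host)"
                return $RET
            fi
            importFile "$sslServerDir" "$caDir/$CERTNAME.cert" "$CERTNAME" ",,"
            RET=$?
            if [ $RET -ne 0 ]; then
                html_failed "Fail to import $CERTNAME cert to server DB(ws: $host)"
                return $RET
            fi
            tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"

            #=======================================================
            # Download and import CA crl to server DB
            #
            download_file "$host" "$certDir/$caCrlName.crl" "$sslServerDir"
            RET=$?
            # This used to test $? (the status of the RET assignment), so a
            # failed crl download was never reported.
            if [ $RET -ne 0 ] || [ ! -f "$sslServerDir/$caCrlName.crl" ]; then
                html_failed "Fail to download $caCertName crl(ws: $host)"
                return 1
            fi
            tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"

            # Import the file that was just downloaded; the hard-coded
            # TestCA.crl used before only worked when caCrlName was TestCA.
            importFile "$sslServerDir" "$sslServerDir/$caCrlName.crl"
            RET=$?
            if [ $RET -ne 0 ]; then
                html_failed "Fail to import $caCrlName crl to server DB(ws: $host)"
                return $RET
            fi
        fi # if [ "$reverseRunCGIScript" ]

        [ ! -d "$sslClientDir" ] && mkdir -p "$sslClientDir"
        #=======================================================
        # Import CA cert to ssl client DB
        #
        importFile "$sslClientDir" "$caDir/$caCertName.cert" server-client-CA "TC,C,C"
        RET=$?
        if [ $RET -ne 0 ]; then
            html_failed "Fail to import server-client-CA cert to ssl client DB(ws: $host)"
            return $RET
        fi
    fi

    if [ $doOcspTests -eq 1 ]; then
        [ ! -d "$ocspClientDir" ] && mkdir -p "$ocspClientDir"
        #=======================================================
        # Import CA cert to ocsp client DB
        #
        importFile "$ocspClientDir" "$caDir/$caCertName.cert" server-client-CA "TC,C,C"
        RET=$?
        if [ $RET -ne 0 ]; then
            html_failed "Fail to import server-client-CA cert to ocsp client DB(ws: $host)"
            return $RET
        fi
    fi

    #=======================================================
    # Import client certs to client DB
    #
    # downloadFiles is a space separated list from the config; word
    # splitting is intended.
    for fileName in $downloadFiles; do
        # Nick name = file name up to the first dot.
        certName=${fileName%%.*}
        # Certs named *ocsp* go to the ocsp client db, everything else to
        # the ssl client db; files for a disabled test are skipped.
        if [ $doOcspTests -eq 1 ] && echo "$certName" | grep -q ocsp; then
            clientDir=$ocspClientDir
        elif [ $doSslTests -eq 1 ]; then
            clientDir=$sslClientDir
        else
            continue
        fi

        download_file "$host" "$certDir/$fileName" "$clientDir"
        RET=$?
        if [ $RET -ne 0 ] || [ ! -f "$clientDir/$fileName" ]; then
            html_failed "Fail to download $certName cert(ws: $host)"
            # Was `return $RET`, which reported success when the download
            # "succeeded" without producing the file.
            return 1
        fi
        tmpFiles="$tmpFiles $clientDir/$fileName"

        importFile "$clientDir" "$clientDir/$fileName" "$certName" ",,"
        RET=$?
        if [ $RET -ne 0 ]; then
            html_failed "Fail to import $certName cert to client DB(ws: $host)"
            return $RET
        fi
    done

    # Word splitting of the list is intended.
    rm -f $tmpFiles
    return 0
}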
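#########################################################################
# Entry point for downloading config, cert and crl files for the hosts
# involved in interoperability testing. Called from nss/tests/cert/cert.sh.
# Proceeds only if IOPR is 1; the hosts come from IOPR_HOSTADDR_LIST, a
# space separated list of host[:port[:confPath]] entries (port defaults
# to 443, confPath to /iopr).
# Globals (read): IOPR, IOPR_HOSTADDR_LIST, IOPR_CADIR,
#   IOPR_SSL_SERVERDIR, IOPR_SSL_CLIENTDIR, IOPR_OCSP_CLIENTDIR,
#   wsParam (presumably from the host's sourced config)
# Globals (written): IOPR_HOST_PARAM, IOPR_HOSTADDR, IOPR_DOWNLOAD_PORT,
#   IOPR_CONF_PATH (left at the values of the last host processed)
#
# Returns 1 if interoperability testing is off, 0 otherwise.
#
cert_iopr_setup() {
    # With IOPR unset, `[ "" -ne 1 ]` errors out (status 2), so the old
    # test fell through into the download loop instead of returning 1.
    if [ "${IOPR:-0}" -ne 1 ]; then
        return 1
    fi

    # Word splitting of the list is intended. Unlike the previous
    # cut(1)-based field walk this also tolerates runs of spaces.
    for IOPR_HOST_PARAM in $IOPR_HOSTADDR_LIST; do
        # host[:port[:confPath]]; missing fields read as empty.
        IFS=: read -r IOPR_HOSTADDR IOPR_DOWNLOAD_PORT IOPR_CONF_PATH _ <<<"$IOPR_HOST_PARAM"
        [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443
        [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"

        echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:$IOPR_CONF_PATH"
        download_install_certs "${IOPR_HOSTADDR}" "${IOPR_CADIR}_${IOPR_HOSTADDR}" \
            "${IOPR_CONF_PATH}" "${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}" \
            "${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}" \
            "${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}"
        if [ $? -ne 0 ]; then
            # Mark the host's config so later stages can skip it
            # (NOIOPR flag; consumer not visible in this file).
            echo "wsFlags=\"NOIOPR $wsParam\"" >> "${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg"
        fi
    done
    return 0
}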