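#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

########################################################################
#
# mozilla/security/nss/tests/cert/rcert.sh
#
# Certificate generating and handling for NSS QA, can be included
# multiple times from all.sh and the individual scripts
#
# needs to work on all Unix and Windows platforms
#
# included from (don't expect this to be up to date)
# --------------------------------------------------
#   all.sh
#   ssl.sh
#   smime.sh
#   tools.sh
#
# special strings
# ---------------
#   FIXME ... known problems, search for this string
#   NOTE .... unexpected behavior
#
# FIXME - Netscape - NSS
#
# Conventions shared by the tool wrappers below (certu, crlu, ocspr,
# modu, pk12u):
#   - the exit status of the tool is left in the global RET; callers
#     test RET rather than the wrapper's return value;
#   - the wrapper arguments are expanded UNQUOTED ($* / $@) on purpose:
#     callers pass several options in a single word (cert_add_cert hands
#     its "$1" = "-7 addr,addr,..." to certu, cert_CA hands "-c serverCA")
#     and depend on that word-splitting. Changing this to "$@" breaks
#     those callers, so it is not a quoting bug to fix locally;
#   - ${PROFTOOL} is an optional profiler prefix, possibly empty or
#     several words, so it is expanded unquoted as well.
########################################################################

############################## cert_init ###############################
# local shell function to initialize this script
#
# Globals written: SCRIPTNAME, CLEANUP (only when unset), CRL_GRP_DATE,
#                  LIBDIR, ROOTCERTSFILE
# Sources ../common/init.sh and ../iopr/cert_iopr.sh unless their
# INIT_SOURCED / IOPR_CERT_SOURCED guards are already set.
# Leaves the script via Exit 5 when no *nssckbi* module is found.
########################################################################
cert_init()
{
    SCRIPTNAME="cert.sh"
    if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
        CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
    fi
    if [ -z "${INIT_SOURCED}" ] ; then
        cd ../common
        . ./init.sh
    fi
    if [ -z "${IOPR_CERT_SOURCED}" ]; then
        . ../iopr/cert_iopr.sh
    fi
    SCRIPTNAME="cert.sh"
    CRL_GRP_DATE=$(date -u "+%Y%m%d%H%M%SZ")
    html_head "Certutil and Crlutil Tests"

    LIBDIR="${DIST}/${OBJDIR}/lib"

    # First matching module file, found with a glob instead of parsing
    # `ls` output (which breaks on paths containing blanks). An unmatched
    # glob stays literal, hence the -e test.
    local candidate
    ROOTCERTSFILE=""
    for candidate in "${LIBDIR}"/*nssckbi*; do
        if [ -e "${candidate}" ]; then
            ROOTCERTSFILE="${candidate}"
            break
        fi
    done
    if [ -z "${ROOTCERTSFILE}" ] ; then
        html_failed "Looking for root certs module."
        cert_log "ERROR: Root certs module not found."
        Exit 5 "Fatal - Root certs module not found."
    else
        html_passed "Looking for root certs module."
    fi

    if [ "${OS_ARCH}" = "WINNT" ] && [ "$OS_NAME" = "CYGWIN_NT" ]; then
        ROOTCERTSFILE=$(cygpath -m "${ROOTCERTSFILE}")
    fi
}

############################### cert_log ###############################
# write one line to stdout (prefixed with SCRIPTNAME) and append the
# same message, unprefixed, to the cert status file ${CERT_LOG_FILE}.
# Arguments: the message words
########################################################################
cert_log()
{
    echo "$SCRIPTNAME $*"
    # "$*" keeps the message from being glob-expanded or re-split.
    echo "$*" >>"${CERT_LOG_FILE}"
}

################################ pk12u #################################
# function wraps calls to pk12util, also: writes action and options
# to stdout.
# Params are the same as to pk12util.
# Sets RET to, and returns, the pk12util status.
########################################################################
pk12u()
{
    echo "${CU_ACTION} --------------------------"

    echo "pk12util $*"
    # shellcheck disable=SC2068 -- intentional word-splitting, see header
    "${BINDIR}/pk12util" $@
    RET=$?

    return $RET
}

################################ certu #################################
# local shell function to call certutil, also: writes action and options to
# stdout, sets variable RET and writes results to the html file results
#
# Reads:   CU_ACTION (label), CU_SUBJECT (optional -s value, consumed),
#          RETEXPECTED (expected status, default 0), PROFTOOL, BINDIR
# Writes:  RET, CERTFAILED (on a status other than the expected one)
# Returns: certutil's status
########################################################################
certu()
{
    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
    EXPECTED=${RETEXPECTED-0}

    if [ -n "${CU_SUBJECT}" ]; then
        # the subject of the cert contains blanks, and the shell
        # will strip the quotes off the string, if called otherwise...
        echo "certutil -s \"${CU_SUBJECT}\" $*"
        # shellcheck disable=SC2048 -- intentional word-splitting, see header
        ${PROFTOOL} "${BINDIR}/certutil" -s "${CU_SUBJECT}" $*
        RET=$?
        CU_SUBJECT=""
    else
        echo "certutil $*"
        # shellcheck disable=SC2048 -- intentional word-splitting, see header
        ${PROFTOOL} "${BINDIR}/certutil" $*
        RET=$?
    fi
    if [ "$RET" -ne "$EXPECTED" ]; then
        CERTFAILED=$RET
        html_failed "${CU_ACTION} ($RET=$EXPECTED) "
        cert_log "ERROR: ${CU_ACTION} failed $RET"
    else
        html_passed "${CU_ACTION}"
    fi

    return $RET
}

################################ crlu #################################
# local shell function to call crlutil, also: writes action and options to
# stdout, sets variable RET and writes results to the html file results
#
# Reads:   CU_ACTION, PROFTOOL, BINDIR
# Writes:  RET, CRLFAILED (on non-zero status)
# Returns: crlutil's status
########################################################################
crlu()
{
    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"

    # "-q" travels inside CRLUTIL, so ${BINDIR}/$CRLUTIL must stay
    # unquoted to be split into the program and its option.
    CRLUTIL="crlutil -q"
    echo "$CRLUTIL $*"
    # shellcheck disable=SC2048,SC2086 -- intentional word-splitting
    ${PROFTOOL} ${BINDIR}/$CRLUTIL $*
    RET=$?
    if [ "$RET" -ne 0 ]; then
        CRLFAILED=$RET
        html_failed "${CU_ACTION} ($RET) "
        cert_log "ERROR: ${CU_ACTION} failed $RET"
    else
        html_passed "${CU_ACTION}"
    fi

    return $RET
}

################################ ocspr ##################################
# local shell function to call ocspresp, also: writes action and options to
# stdout, sets variable RET and writes results to the html file results
#
# Reads:   OR_ACTION (label), PROFTOOL, BINDIR
# Writes:  RET, OCSPFAILED (on non-zero status)
# Returns: ocspresp's status
#########################################################################
ocspr()
{
    echo "$SCRIPTNAME: ${OR_ACTION} --------------------------"

    OCSPRESP="ocspresp"
    echo "$OCSPRESP $*"
    # shellcheck disable=SC2048 -- intentional word-splitting, see header
    ${PROFTOOL} "${BINDIR}/${OCSPRESP}" $*
    RET=$?
    if [ "$RET" -ne 0 ]; then
        OCSPFAILED=$RET
        html_failed "${OR_ACTION} ($RET) "
        cert_log "ERROR: ${OR_ACTION} failed $RET"
    else
        html_passed "${OR_ACTION}"
    fi

    return $RET
}

################################ modu ##################################
# local shell function to call modutil, also: writes action and options to
# stdout, sets variable RET and writes results to the html file results
#
# Reads:   CU_ACTION, BINDIR
# Writes:  RET, MODFAILED (on non-zero status)
# Returns: modutil's status
########################################################################
modu()
{
    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"

    MODUTIL="modutil"
    echo "$MODUTIL $*"
    # echo is used to press Enter expected by modutil
    # shellcheck disable=SC2048 -- intentional word-splitting, see header
    echo | "${BINDIR}/${MODUTIL}" $*
    RET=$?
    if [ "$RET" -ne 0 ]; then
        MODFAILED=$RET
        html_failed "${CU_ACTION} ($RET) "
        cert_log "ERROR: ${CU_ACTION} failed $RET"
    else
        html_passed "${CU_ACTION}"
    fi

    return $RET
}

############################# cert_init_cert ##########################
# local shell function to initialize creation of client and server certs
#
# Arguments: $1 - cert DB directory (created if missing; becomes the cwd)
#            $2 - nickname / CN of the cert
#            $3 - serial number
#            $4 - domain, used for the multiaccess: profile name
# Writes:    CERTDIR (reset to "."), CERTNAME, CERTSERIAL, DOMAIN,
#            PROFILEDIR
# Calls noise (from init.sh) last.
########################################################################
cert_init_cert()
{
    CERTDIR="$1"
    CERTNAME="$2"
    CERTSERIAL="$3"
    DOMAIN="$4"

    if [ ! -d "${CERTDIR}" ]; then
        mkdir -p "${CERTDIR}"
    else
        echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
    fi
    cd "${CERTDIR}"
    CERTDIR="."

    # absolute path of the (now current) cert directory
    PROFILEDIR=$(cd "${CERTDIR}" && pwd)
    if [ "${OS_ARCH}" = "WINNT" ] && [ "$OS_NAME" = "CYGWIN_NT" ]; then
        PROFILEDIR=$(cygpath -m "${PROFILEDIR}")
    fi
    if [ -n "${MULTIACCESS_DBM}" ]; then
        PROFILEDIR="multiaccess:${DOMAIN}"
    fi

    noise
}

############################# hw_acc #################################
# local shell function to add hw accelerator modules to the db
#
# Only acts when O_HWACC is ON and USE_64 is unset.
# Writes:  HW_ACC_RET (bit 1: rainbow failed, bit 2: ncipher failed),
#          HW_ACC_ERR (comma separated list of the failed modutil calls)
# Returns: HW_ACC_RET
########################################################################
hw_acc()
{
    HW_ACC_RET=0
    HW_ACC_ERR=""
    if [ "$O_HWACC" = ON ] && [ -z "$USE_64" ] ; then
        echo "creating $CERTNAME s cert with hwaccelerator..."
        #case $ACCELERATOR in
        #rainbow)

        echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
        echo " -dbdir ${PROFILEDIR} 2>&1 "
        # echo supplies the Enter that modutil waits for
        echo | "${BINDIR}/modutil" -add rainbow -libfile /usr/lib/libcryptoki22.so \
            -dbdir "${PROFILEDIR}" 2>&1
        if [ "$?" -ne 0 ]; then
            echo "modutil -add rainbow failed in $(pwd)"
            HW_ACC_RET=1
            HW_ACC_ERR="modutil -add rainbow"
        fi

        echo "modutil -add ncipher "
        echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
        echo " -dbdir ${PROFILEDIR} 2>&1 "
        echo | "${BINDIR}/modutil" -add ncipher \
            -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
            -dbdir "${PROFILEDIR}" 2>&1
        if [ "$?" -ne 0 ]; then
            echo "modutil -add ncipher failed in $(pwd)"
            HW_ACC_RET=$((HW_ACC_RET + 2))
            HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
        fi
        if [ "$HW_ACC_RET" -ne 0 ]; then
            html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) "
        else
            html_passed "Adding HW accelerators to certDB for ${CERTNAME}"
        fi

    fi
    return $HW_ACC_RET
}

############################# cert_create_cert #########################
# local shell function to create client certs
#     initialize DB, import
#     root cert
#     add cert to DB
#
# Arguments: $1..$4 - as for cert_init_cert (dir, name, serial, domain)
#            $5     - extra certutil options for the signing step, passed
#                     through to cert_add_cert (may be empty)
# Returns:   the first non-zero RET, else the status of cert_add_cert
########################################################################
cert_create_cert()
{
    cert_init_cert "$1" "$2" "$3" "$4"

    CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
    certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 \
        || return $RET

    CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"
    modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 \
        || return $RET

    # result is reported to the html log by hw_acc itself; a failure
    # here does not abort cert creation
    hw_acc

    CU_ACTION="Import Root CA for $CERTNAME"
    certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
        -i "${R_CADIR}/TestCA.ca.cert" 2>&1 \
        || return $RET

    CU_ACTION="Import DSA Root CA for $CERTNAME"
    certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \
        -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1 \
        || return $RET

    CU_ACTION="Import EC Root CA for $CERTNAME"
    certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
        -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 \
        || return $RET

    cert_add_cert "$5"
    return $?
}

############################# cert_add_cert ############################
# local shell function to add client certs to an existing CERT DB
#     generate request
#     sign request
#     import Cert
#
# Creates, for the current CERTNAME, an RSA cert plus DSA, mixed DSA
# (DSA key signed by the RSA TestCA), EC and mixed EC variants.
# Arguments: $1 - extra certutil options appended to every signing call;
#                 passed as one word and split inside certu (see header)
# Reads:     CERTNAME, CERTSERIAL, PROFILEDIR, P_R_CADIR, R_PWFILE,
#            R_NOISE_FILE
# Returns:   the first non-zero RET, else 0
########################################################################
cert_add_cert()
{
    CU_ACTION="Generate Cert Request for $CERTNAME"
    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 \
        || return $RET

    CU_ACTION="Sign ${CERTNAME}'s Request"
    certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 \
        || return $RET

    CU_ACTION="Import $CERTNAME's Cert"
    certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
        -i "${CERTNAME}.cert" 2>&1 \
        || return $RET

    cert_log "SUCCESS: $CERTNAME's Cert Created"

    #
    # Generate and add DSA cert
    #
    CU_ACTION="Generate DSA Cert Request for $CERTNAME"
    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
        -z "${R_NOISE_FILE}" -o req 2>&1 \
        || return $RET

    CU_ACTION="Sign ${CERTNAME}'s DSA Request"
    certu -C -c "TestCA-dsa" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
        -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" "$1" 2>&1 \
        || return $RET

    CU_ACTION="Import $CERTNAME's DSA Cert"
    certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \
        -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 \
        || return $RET
    cert_log "SUCCESS: $CERTNAME's DSA Cert Created"

    # Generate DSA certificate signed with RSA
    CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME"
    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
        -z "${R_NOISE_FILE}" -o req 2>&1 \
        || return $RET

    CU_ACTION="Sign ${CERTNAME}'s DSA Request with RSA"
    # Avoid conflicting serial numbers with TestCA issuer by keeping
    # this set far away. A smaller number risks colliding with the
    # extended ssl user certificates.
    NEWSERIAL=$((CERTSERIAL + 20000))
    certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
        -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" "$1" 2>&1 \
        || return $RET

    CU_ACTION="Import $CERTNAME's mixed DSA Cert"
    certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
        -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 \
        || return $RET
    cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created"

    #
    # Generate and add EC cert
    #
    CURVE="secp384r1"
    CU_ACTION="Generate EC Cert Request for $CERTNAME"
    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
        -z "${R_NOISE_FILE}" -o req 2>&1 \
        || return $RET

    CU_ACTION="Sign ${CERTNAME}'s EC Request"
    certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
        -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 \
        || return $RET

    CU_ACTION="Import $CERTNAME's EC Cert"
    certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
        -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 \
        || return $RET
    cert_log "SUCCESS: $CERTNAME's EC Cert Created"

    # Generate EC certificate signed with RSA
    CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
        -z "${R_NOISE_FILE}" -o req 2>&1 \
        || return $RET

    CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
    # Avoid conflicting serial numbers with TestCA issuer by keeping
    # this set far away. A smaller number risks colliding with the
    # extended ssl user certificates.
    NEWSERIAL=$((CERTSERIAL + 10000))
    certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
        -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1 \
        || return $RET

    CU_ACTION="Import $CERTNAME's mixed EC Cert"
    certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
        -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 \
        || return $RET
    cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"

    return 0
}

################################# cert_all_CA ################################
# local shell function to build the additional Temp.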
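# Certificate Authority (CA)
# used for the "real life" ssl test with 2 different CA's in the
# client and in the server's dir
#
# Builds the RSA TestCA, the DSA / RSA-PSS / EC variants of it, and the
# server and client CA chains (root -> chain-1 -> chain-2) for each
# algorithm. Every cert_*_CA call below changes the cwd to its CA dir.
# Reads:  PWFILE, EMPTY_FILE, CADIR, SERVER_CADIR, CLIENT_CADIR,
#         D_CA, D_SERVER_CA, D_CLIENT_CA
# Writes: ALL_CU_SUBJECT, CA_CURVE (plus whatever cert_*_CA set)
# NOTE: the per-step results are reported through certu; this function
#       does not check the return values of the cert_*_CA helpers.
##########################################################################
cert_all_CA()
{
    echo nss > "${PWFILE}"
    echo > "${EMPTY_FILE}"

    # The signer argument ("-x" or "-c <issuer>") is passed as one word on
    # purpose; cert_CA expands it unquoted.
    ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    cert_CA "$CADIR" TestCA -x "CTu,CTu,CTu" "${D_CA}" "1"

    ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_CA "$SERVER_CADIR" serverCA -x "Cu,Cu,Cu" "${D_SERVER_CA}" "2"
    ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_CA "$SERVER_CADIR" chain-1-serverCA "-c serverCA" "u,u,u" "${D_SERVER_CA}" "3"
    ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_CA "$SERVER_CADIR" chain-2-serverCA "-c chain-1-serverCA" "u,u,u" "${D_SERVER_CA}" "4"

    ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_CA "$CLIENT_CADIR" clientCA -x "Tu,Cu,Cu" "${D_CLIENT_CA}" "5"
    ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_CA "$CLIENT_CADIR" chain-1-clientCA "-c clientCA" "u,u,u" "${D_CLIENT_CA}" "6"
    ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_CA "$CLIENT_CADIR" chain-2-clientCA "-c chain-1-clientCA" "u,u,u" "${D_CLIENT_CA}" "7"

    # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
    # in the chain
    rm -- "$CLIENT_CADIR/root.cert" "$SERVER_CADIR/root.cert"

    #
    # Create DSA version of TestCA
    ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    cert_dsa_CA "$CADIR" TestCA-dsa -x "CTu,CTu,CTu" "${D_CA}" "1"
    #
    # Create DSA versions of the intermediate CA certs
    ALL_CU_SUBJECT="CN=NSS Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_dsa_CA "$SERVER_CADIR" serverCA-dsa -x "Cu,Cu,Cu" "${D_SERVER_CA}" "2"
    ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_dsa_CA "$SERVER_CADIR" chain-1-serverCA-dsa "-c serverCA-dsa" "u,u,u" "${D_SERVER_CA}" "3"
    ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_dsa_CA "$SERVER_CADIR" chain-2-serverCA-dsa "-c chain-1-serverCA-dsa" "u,u,u" "${D_SERVER_CA}" "4"

    ALL_CU_SUBJECT="CN=NSS Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_dsa_CA "$CLIENT_CADIR" clientCA-dsa -x "Tu,Cu,Cu" "${D_CLIENT_CA}" "5"
    ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_dsa_CA "$CLIENT_CADIR" chain-1-clientCA-dsa "-c clientCA-dsa" "u,u,u" "${D_CLIENT_CA}" "6"
    ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (DSA), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_dsa_CA "$CLIENT_CADIR" chain-2-clientCA-dsa "-c chain-1-clientCA-dsa" "u,u,u" "${D_CLIENT_CA}" "7"

    # dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
    # in the chain
    rm -- "$CLIENT_CADIR/dsaroot.cert" "$SERVER_CADIR/dsaroot.cert"

    #
    # Create RSA-PSS version of TestCA
    ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    cert_rsa_pss_CA "$CADIR" TestCA-rsa-pss -x "CTu,CTu,CTu" "${D_CA}" "1" SHA256
    rm -- "$CADIR/rsapssroot.cert"

    ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    cert_rsa_pss_CA "$CADIR" TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" "${D_CA}" "1" SHA1
    rm -- "$CADIR/rsapssroot.cert"

    #
    # Create EC version of TestCA
    CA_CURVE="secp521r1"
    ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    cert_ec_CA "$CADIR" TestCA-ec -x "CTu,CTu,CTu" "${D_CA}" "1" "${CA_CURVE}"
    #
    # Create EC versions of the intermediate CA certs
    ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "$SERVER_CADIR" serverCA-ec -x "Cu,Cu,Cu" "${D_SERVER_CA}" "2" "${CA_CURVE}"
    ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "$SERVER_CADIR" chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" "${D_SERVER_CA}" "3" "${CA_CURVE}"
    ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "$SERVER_CADIR" chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" "${D_SERVER_CA}" "4" "${CA_CURVE}"

    ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "$CLIENT_CADIR" clientCA-ec -x "Tu,Cu,Cu" "${D_CLIENT_CA}" "5" "${CA_CURVE}"
    ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "$CLIENT_CADIR" chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" "${D_CLIENT_CA}" "6" "${CA_CURVE}"
    ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
    cert_ec_CA "$CLIENT_CADIR" chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" "${D_CLIENT_CA}" "7" "${CA_CURVE}"

    # ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
    # in the chain
    rm -- "$CLIENT_CADIR/ecroot.cert" "$SERVER_CADIR/ecroot.cert"
}

################################# cert_CA ################################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
#
# Arguments: $1 - CA directory (created if missing; becomes the cwd)
#            $2 - nickname of the CA cert
#            $3 - signer: "-x" (self-signed, also creates the DB) or
#                 "-c <issuer nickname>"; expanded unquoted on purpose
#            $4 - certutil trust argument
#            $5 - domain, used for the multiaccess: profile name
#            $6 - serial number
# Reads:     ALL_CU_SUBJECT (cert subject), R_PWFILE, R_NOISE_FILE,
#            ROOTCERTSFILE, MULTIACCESS_DBM
# Writes:    CUR_CADIR, NICKNAME, SIGNER, TRUSTARG, DOMAIN, CERTSERIAL,
#            LPROFILE, root.cert and <nickname>.ca.cert in the CA dir
# Exits (Exit 5/6/7) on a fatal certutil failure.
##########################################################################
cert_CA()
{
    CUR_CADIR=$1
    NICKNAME=$2
    SIGNER=$3
    TRUSTARG=$4
    DOMAIN=$5
    CERTSERIAL=$6

    echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="

    if [ ! -d "${CUR_CADIR}" ]; then
        mkdir -p "${CUR_CADIR}"
    fi
    # Do not go on creating a DB in whatever the cwd happens to be.
    cd "${CUR_CADIR}" || return 1
    pwd

    LPROFILE=$(pwd)
    if [ "${OS_ARCH}" = "WINNT" ] && [ "$OS_NAME" = "CYGWIN_NT" ]; then
        LPROFILE=$(cygpath -m "${LPROFILE}")
    fi
    if [ -n "${MULTIACCESS_DBM}" ]; then
        LPROFILE="multiaccess:${DOMAIN}"
    fi

    if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
        CU_ACTION="Creating CA Cert DB"
        certu -N -d "${LPROFILE}" -f "${R_PWFILE}" 2>&1
        if [ "$RET" -ne 0 ]; then
            Exit 5 "Fatal - failed to create CA $NICKNAME "
        fi

        CU_ACTION="Loading root cert module to CA Cert DB"
        modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1
        if [ "$RET" -ne 0 ]; then
            return $RET
        fi

        echo "$SCRIPTNAME: Certificate initialized ----------"
    fi


    ################# Creating CA Cert ######################################
    #
    # The here-document feeds scripted answers to the interactive prompts
    # certutil raises for the -1/-2/-5 extension options; $SIGNER stays
    # unquoted so "-c <issuer>" splits into two arguments.
    CU_ACTION="Creating CA Cert $NICKNAME "
    CU_SUBJECT=$ALL_CU_SUBJECT
    # shellcheck disable=SC2086 -- $SIGNER is intentionally word-split
    certu -S -n "$NICKNAME" -t "$TRUSTARG" -v 600 $SIGNER -d "${LPROFILE}" -1 -2 -5 \
        -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -m "$CERTSERIAL" 2>&1 <<CERTSCRIPT
5
6
9
n
y
-1
n
5
6
7
9
n
CERTSCRIPT

    if [ "$RET" -ne 0 ]; then
        echo "return value is $RET"
        Exit 6 "Fatal - failed to create CA cert"
    fi

    ################# Exporting Root Cert ###################################
    #
    CU_ACTION="Exporting Root Cert"
    certu -L -n "$NICKNAME" -r -d "${LPROFILE}" -o root.cert
    if [ "$RET" -ne 0 ]; then
        Exit 7 "Fatal - failed to export root cert"
    fi
    cp root.cert "${NICKNAME}.ca.cert"
}





################################ cert_dsa_CA #############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
# This is the DSA version of cert_CA.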
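##########################################################################
# Arguments: $1 - CA directory (created if missing; becomes the cwd)
#            $2 - nickname of the CA cert
#            $3 - signer: "-x" or "-c <issuer nickname>"; expanded
#                 unquoted on purpose
#            $4 - certutil trust argument
#            $5 - domain, used for the multiaccess: profile name
#            $6 - serial number
# Reads:     ALL_CU_SUBJECT, R_PWFILE, R_NOISE_FILE, MULTIACCESS_DBM
# Writes:    CUR_CADIR, NICKNAME, SIGNER, TRUSTARG, DOMAIN, CERTSERIAL,
#            LPROFILE, dsaroot.cert and <nickname>.ca.cert in the CA dir
# Unlike cert_CA this does not create the DB; the RSA cert_CA run for the
# same directory is expected to have done that already.
# Exits (Exit 6/7) on a fatal certutil failure.
##########################################################################
cert_dsa_CA()
{
    CUR_CADIR=$1
    NICKNAME=$2
    SIGNER=$3
    TRUSTARG=$4
    DOMAIN=$5
    CERTSERIAL=$6

    echo "$SCRIPTNAME: Creating a DSA CA Certificate $NICKNAME =========================="

    if [ ! -d "${CUR_CADIR}" ]; then
        mkdir -p "${CUR_CADIR}"
    fi
    # Do not go on writing into whatever the cwd happens to be.
    cd "${CUR_CADIR}" || return 1
    pwd

    LPROFILE=.
    if [ -n "${MULTIACCESS_DBM}" ]; then
        LPROFILE="multiaccess:${DOMAIN}"
    fi

    ################# Creating a DSA CA Cert ###############################
    #
    # scripted answers to the -1/-2/-5 extension prompts, see cert_CA
    CU_ACTION="Creating DSA CA Cert $NICKNAME "
    CU_SUBJECT=$ALL_CU_SUBJECT
    # shellcheck disable=SC2086 -- $SIGNER is intentionally word-split
    certu -S -n "$NICKNAME" -k dsa -t "$TRUSTARG" -v 600 $SIGNER \
        -d "${LPROFILE}" -1 -2 -5 -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
        -m "$CERTSERIAL" 2>&1 <<CERTSCRIPT
5
6
9
n
y
-1
n
5
6
7
9
n
CERTSCRIPT

    if [ "$RET" -ne 0 ]; then
        echo "return value is $RET"
        Exit 6 "Fatal - failed to create DSA CA cert"
    fi

    ################# Exporting DSA Root Cert ###############################
    #
    CU_ACTION="Exporting DSA Root Cert"
    certu -L -n "$NICKNAME" -r -d "${LPROFILE}" -o dsaroot.cert
    if [ "$RET" -ne 0 ]; then
        Exit 7 "Fatal - failed to export dsa root cert"
    fi
    cp dsaroot.cert "${NICKNAME}.ca.cert"
}





################################ cert_rsa_pss_CA #############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
# This is the RSA-PSS version of cert_CA.
#
# Arguments: $1..$6 - as for cert_dsa_CA
#            $7     - hash algorithm passed as "-Z <alg>" (optional)
# Reads:     ALL_CU_SUBJECT, R_PWFILE, R_NOISE_FILE, MULTIACCESS_DBM
# Writes:    CUR_CADIR, NICKNAME, SIGNER, TRUSTARG, DOMAIN, CERTSERIAL,
#            HASHALG, HASHOPT, LPROFILE, rsapssroot.cert and
#            <nickname>.ca.cert in the CA dir
# Exits (Exit 6/7) on a fatal certutil failure.
##########################################################################
cert_rsa_pss_CA()
{
    CUR_CADIR=$1
    NICKNAME=$2
    SIGNER=$3
    TRUSTARG=$4
    DOMAIN=$5
    CERTSERIAL=$6
    HASHALG=$7

    echo "$SCRIPTNAME: Creating an RSA-PSS CA Certificate $NICKNAME =========================="

    if [ ! -d "${CUR_CADIR}" ]; then
        mkdir -p "${CUR_CADIR}"
    fi
    # Do not go on writing into whatever the cwd happens to be.
    cd "${CUR_CADIR}" || return 1
    pwd

    LPROFILE=.
    if [ -n "${MULTIACCESS_DBM}" ]; then
        LPROFILE="multiaccess:${DOMAIN}"
    fi

    # HASHOPT holds two words ("-Z <alg>") or nothing, so it is expanded
    # unquoted below.
    HASHOPT=
    if [ -n "$HASHALG" ]; then
        HASHOPT="-Z $HASHALG"
    fi

    ################# Creating an RSA-PSS CA Cert ###############################
    #
    # scripted answers to the -1/-2/-5 extension prompts, see cert_CA
    CU_ACTION="Creating RSA-PSS CA Cert $NICKNAME "
    CU_SUBJECT=$ALL_CU_SUBJECT
    # shellcheck disable=SC2086 -- $HASHOPT and $SIGNER are intentionally word-split
    certu -S -n "$NICKNAME" -k rsa --pss $HASHOPT -t "$TRUSTARG" -v 600 $SIGNER \
        -d "${LPROFILE}" -1 -2 -5 -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
        -m "$CERTSERIAL" 2>&1 <<CERTSCRIPT
5
6
9
n
y
-1
n
5
6
7
9
n
CERTSCRIPT

    if [ "$RET" -ne 0 ]; then
        echo "return value is $RET"
        Exit 6 "Fatal - failed to create RSA-PSS CA cert"
    fi

    ################# Exporting RSA-PSS Root Cert ###############################
    #
    CU_ACTION="Exporting RSA-PSS Root Cert"
    certu -L -n "$NICKNAME" -r -d "${LPROFILE}" -o rsapssroot.cert
    if [ "$RET" -ne 0 ]; then
        Exit 7 "Fatal - failed to export RSA-PSS root cert"
    fi
    cp rsapssroot.cert "${NICKNAME}.ca.cert"
}




################################ cert_ec_CA ##############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
# This is the ECC version of cert_CA.
#
# Arguments: $1..$6 - as for cert_dsa_CA
#            $7     - named curve passed to certutil -q
# Reads:     ALL_CU_SUBJECT, R_PWFILE, R_NOISE_FILE, MULTIACCESS_DBM
# Writes:    CUR_CADIR, NICKNAME, SIGNER, TRUSTARG, DOMAIN, CERTSERIAL,
#            CURVE, LPROFILE, ecroot.cert and <nickname>.ca.cert in the
#            CA dir
# Exits (Exit 6/7) on a fatal certutil failure.
##########################################################################
cert_ec_CA()
{
    CUR_CADIR=$1
    NICKNAME=$2
    SIGNER=$3
    TRUSTARG=$4
    DOMAIN=$5
    CERTSERIAL=$6
    CURVE=$7

    echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="

    if [ ! -d "${CUR_CADIR}" ]; then
        mkdir -p "${CUR_CADIR}"
    fi
    # Do not go on writing into whatever the cwd happens to be.
    cd "${CUR_CADIR}" || return 1
    pwd

    LPROFILE=.
    if [ -n "${MULTIACCESS_DBM}" ]; then
        LPROFILE="multiaccess:${DOMAIN}"
    fi

    ################# Creating an EC CA Cert ################################
    #
    # scripted answers to the -1/-2/-5 extension prompts, see cert_CA
    CU_ACTION="Creating EC CA Cert $NICKNAME "
    CU_SUBJECT=$ALL_CU_SUBJECT
    # shellcheck disable=SC2086 -- $SIGNER is intentionally word-split
    certu -S -n "$NICKNAME" -k ec -q "$CURVE" -t "$TRUSTARG" -v 600 $SIGNER \
        -d "${LPROFILE}" -1 -2 -5 -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
        -m "$CERTSERIAL" 2>&1 <<CERTSCRIPT
5
6
9
n
y
-1
n
5
6
7
9
n
CERTSCRIPT

    if [ "$RET" -ne 0 ]; then
        echo "return value is $RET"
        Exit 6 "Fatal - failed to create EC CA cert"
    fi

    ################# Exporting EC Root Cert ################################
    #
    CU_ACTION="Exporting EC Root Cert"
    certu -L -n "$NICKNAME" -r -d "${LPROFILE}" -o ecroot.cert
    if [ "$RET" -ne 0 ]; then
        Exit 7 "Fatal - failed to export ec root cert"
    fi
    cp ecroot.cert "${NICKNAME}.ca.cert"
}

############################## cert_smime_client #############################
# local shell function to create client Certificates for S/MIME tests
#
# Creates the Alice, Bob, Dave and Eve cert DBs via cert_create_cert and
# cross-imports the RSA and EC certs the S/MIME tests need.
# Reads:   ALICEDIR, BOBDIR, DAVEDIR, EVEDIR, D_ALICE, D_BOB, D_DAVE,
#          D_EVE, P_R_ALICEDIR, P_R_BOBDIR, R_BOBDIR, R_DAVEDIR, R_EVEDIR,
#          R_PWFILE
# Writes:  CERTFAILED (reset to 0 first; set by certu on any failure)
##############################################################################
cert_smime_client()
{
    CERTFAILED=0
    echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="

    cert_create_cert "${ALICEDIR}" "Alice" 30 "${D_ALICE}"
    cert_create_cert "${BOBDIR}" "Bob" 40 "${D_BOB}"

    echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
    cert_create_cert "${DAVEDIR}" Dave 50 "${D_DAVE}"

    ## XXX With this new script merging ECC and non-ECC tests, the
    ## call to cert_create_cert ends up creating two separate certs
    ## one for Eve and another for Eve-ec but they both end up with
    ## the same Subject Alt Name Extension, i.e., both the cert for
    ## Eve@bogus.com and the cert for Eve-ec@bogus.com end up
    ## listing eve@bogus.net in the Certificate Subject Alt Name extension.
    ## This can cause a problem later when cmsutil attempts to create
    ## enveloped data and accidentally picks up the ECC cert (NSS currently
    ## does not support ECC for enveloped data creation). This script
    ## avoids the problem by ensuring that these conflicting certs are
    ## never added to the same cert database (see comment marked XXXX).
    # The last argument is one word by design; certu splits it (see the
    # file header).
    echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
    cert_create_cert "${EVEDIR}" "Eve" 60 "${D_EVE}" "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"

    #echo "************* Copying CA files to ${SERVERDIR}"
    #cp ${CADIR}/*.db .
    #hw_acc

    #########################################################################
    #
    #cd ${CERTDIR}
    #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
    #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
    #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
    #    -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1

    #CU_ACTION="Export Dave's Cert"
    #cd ${DAVEDIR}
    #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert

    ################# Importing Certificates for S/MIME tests ###############
    #
    echo "$SCRIPTNAME: Importing Certificates =============================="
    CU_ACTION="Import Bob's cert into Alice's db"
    certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
        -i "${R_BOBDIR}/Bob.cert" 2>&1

    CU_ACTION="Import Dave's cert into Alice's DB"
    certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
        -i "${R_DAVEDIR}/Dave.cert" 2>&1

    CU_ACTION="Import Dave's cert into Bob's DB"
    certu -E -t ",," -d "${P_R_BOBDIR}" -f "${R_PWFILE}" \
        -i "${R_DAVEDIR}/Dave.cert" 2>&1

    CU_ACTION="Import Eve's cert into Alice's DB"
    certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
        -i "${R_EVEDIR}/Eve.cert" 2>&1

    CU_ACTION="Import Eve's cert into Bob's DB"
    certu -E -t ",," -d "${P_R_BOBDIR}" -f "${R_PWFILE}" \
        -i "${R_EVEDIR}/Eve.cert" 2>&1

    echo "$SCRIPTNAME: Importing EC Certificates =============================="
    CU_ACTION="Import Bob's EC cert into Alice's db"
    certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
        -i "${R_BOBDIR}/Bob-ec.cert" 2>&1

    CU_ACTION="Import Dave's EC cert into Alice's DB"
    certu -E -t ",," -d "${P_R_ALICEDIR}" -f "${R_PWFILE}" \
        -i "${R_DAVEDIR}/Dave-ec.cert" 2>&1

    CU_ACTION="Import Dave's EC cert into Bob's DB"
    certu -E -t ",," -d "${P_R_BOBDIR}" -f "${R_PWFILE}" \
        -i "${R_DAVEDIR}/Dave-ec.cert" 2>&1

    ## XXXX Do not import Eve's EC cert until we can make sure that
    ## the email addresses listed in the Subject Alt Name Extension
    ## inside Eve's ECC and non-ECC certs are different.
    #    CU_ACTION="Import Eve's EC cert into Alice's DB"
    #    certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
    #        -i ${R_EVEDIR}/Eve-ec.cert 2>&1

    #    CU_ACTION="Import Eve's EC cert into Bob's DB"
    #    certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
    #        -i ${R_EVEDIR}/Eve-ec.cert 2>&1

    # RET only holds the status of the last certu call above and may be
    # 0 even though an earlier step failed; CERTFAILED keeps the status
    # of the last failing step, so that is what gets logged.
    if [ "$CERTFAILED" != 0 ] ; then
        cert_log "ERROR: SMIME failed $CERTFAILED"
    else
        cert_log "SUCCESS: SMIME passed"
    fi
}

############################## cert_extended_ssl #######################
# local shell function to create client + server certs for extended SSL test
# (the body continues beyond this chunk)
########################################################################
cert_extended_ssl()
{

    ################# Creating Certs for extended SSL test ####################
    #
    CERTFAILED=0
    echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
    echo " of a chain of CA's which are not in the same database============"

    echo "Server Cert"
    cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}

    CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
    certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1

    CU_ACTION="Loading root cert module to 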
${CERTNAME}'s Cert DB (ext.)" 954 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 955 956 CU_ACTION="Generate Cert Request for $CERTNAME (ext)" 957 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 958 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 959 960 CU_ACTION="Sign ${CERTNAME}'s Request (ext)" 961 cp ${CERTDIR}/req ${SERVER_CADIR} 962 certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ 963 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 964 965 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" 966 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 967 -i "${CERTNAME}.cert" 2>&1 968 969 CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)" 970 certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 971 -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1 972 973# 974# Repeat the above for DSA certs 975# 976 CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" 977 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 978 certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ 979 -z "${R_NOISE_FILE}" -o req 2>&1 980 981 CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" 982 cp ${CERTDIR}/req ${SERVER_CADIR} 983 certu -C -c "chain-2-serverCA-dsa" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ 984 -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 985 986 CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" 987 certu -A -n "${CERTNAME}-dsa" -t "u,u,u" -d "${PROFILEDIR}" \ 988 -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 989 990 CU_ACTION="Import Client DSA Root CA -t T,, for $CERTNAME (ext.)" 991 certu -A -n "clientCA-dsa" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 992 -i "${CLIENT_CADIR}/clientCA-dsa.ca.cert" 2>&1 993# 994# done with DSA certs 995# 996# Repeat again for mixed DSA certs 997# 998 CU_ACTION="Generate mixed DSA Cert Request for 
$CERTNAME (ext)" 999 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1000 certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ 1001 -z "${R_NOISE_FILE}" -o req 2>&1 1002 1003 CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)" 1004 cp ${CERTDIR}/req ${SERVER_CADIR} 1005 certu -C -c "chain-2-serverCA" -m 202 -v 60 -d "${P_SERVER_CADIR}" \ 1006 -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 1007 1008 CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" 1009 certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ 1010 -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 1011 1012# CU_ACTION="Import Client mixed DSA Root CA -t T,, for $CERTNAME (ext.)" 1013# certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \ 1014# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \ 1015# 2>&1 1016 1017# 1018# Repeat the above for EC certs 1019# 1020 EC_CURVE="secp256r1" 1021 CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" 1022 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1023 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ 1024 -z "${R_NOISE_FILE}" -o req 2>&1 1025 1026 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" 1027 cp ${CERTDIR}/req ${SERVER_CADIR} 1028 certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ 1029 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 1030 1031 CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" 1032 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ 1033 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 1034 1035 CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)" 1036 certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 1037 -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1 1038# 1039# done with EC certs 1040# 1041# Repeat again for mixed EC certs 1042# 1043 EC_CURVE="secp256r1" 
1044 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" 1045 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1046 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ 1047 -z "${R_NOISE_FILE}" -o req 2>&1 1048 1049 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)" 1050 cp ${CERTDIR}/req ${SERVER_CADIR} 1051 certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \ 1052 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 1053 1054 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" 1055 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ 1056 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 1057 1058# CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)" 1059# certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \ 1060# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \ 1061# 2>&1 1062 1063 echo "Importing all the server's own CA chain into the servers DB" 1064 for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; 1065 do 1066 N=`basename $CA | sed -e "s/.ca.cert//"` 1067 if [ $N = "serverCA" -o $N = "serverCA-ec" -o $N = "serverCA-dsa" ] ; then 1068 T="-t C,C,C" 1069 else 1070 T="-t u,u,u" 1071 fi 1072 CU_ACTION="Import $N CA $T for $CERTNAME (ext.) 
" 1073 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 1074 -i "${CA}" 2>&1 1075 done 1076#============ 1077 echo "Client Cert" 1078 cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT} 1079 1080 CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" 1081 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1082 1083 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" 1084 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 1085 1086 CU_ACTION="Generate Cert Request for $CERTNAME (ext)" 1087 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1088 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \ 1089 -o req 2>&1 1090 1091 CU_ACTION="Sign ${CERTNAME}'s Request (ext)" 1092 cp ${CERTDIR}/req ${CLIENT_CADIR} 1093 certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ 1094 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 1095 1096 CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" 1097 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 1098 -i "${CERTNAME}.cert" 2>&1 1099 CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)" 1100 certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 1101 -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1 1102 1103# 1104# Repeat the above for DSA certs 1105# 1106 CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" 1107 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1108 certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ 1109 -z "${R_NOISE_FILE}" -o req 2>&1 1110 1111 CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)" 1112 cp ${CERTDIR}/req ${CLIENT_CADIR} 1113 certu -C -c "chain-2-clientCA-dsa" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ 1114 -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1 1115 1116 CU_ACTION="Import $CERTNAME's DSA Cert -t u,u,u (ext)" 1117 certu -A -n "${CERTNAME}-dsa" 
-t "u,u,u" -d "${PROFILEDIR}" \ 1118 -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1 1119 1120 CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" 1121 certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ 1122 -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 1123# 1124# done with DSA certs 1125# 1126# 1127# Repeat the above for mixed DSA certs 1128# 1129 CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" 1130 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1131 certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ 1132 -z "${R_NOISE_FILE}" -o req 2>&1 1133 1134 CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)" 1135 cp ${CERTDIR}/req ${CLIENT_CADIR} 1136 certu -C -c "chain-2-clientCA" -m 302 -v 60 -d "${P_CLIENT_CADIR}" \ 1137 -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1 1138 1139 CU_ACTION="Import $CERTNAME's mixed DSA Cert -t u,u,u (ext)" 1140 certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ 1141 -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 1142 1143# CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)" 1144# certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \ 1145# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1 1146# 1147# done with mixed DSA certs 1148# 1149 1150# 1151# Repeat the above for EC certs 1152# 1153 CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" 1154 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1155 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ 1156 -z "${R_NOISE_FILE}" -o req 2>&1 1157 1158 CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" 1159 cp ${CERTDIR}/req ${CLIENT_CADIR} 1160 certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ 1161 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 1162 1163 CU_ACTION="Import $CERTNAME's EC Cert -t 
u,u,u (ext)" 1164 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ 1165 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 1166 1167 CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" 1168 certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ 1169 -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 1170# 1171# done with EC certs 1172# 1173# 1174# Repeat the above for mixed EC certs 1175# 1176 CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" 1177 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1178 certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ 1179 -z "${R_NOISE_FILE}" -o req 2>&1 1180 1181 CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)" 1182 cp ${CERTDIR}/req ${CLIENT_CADIR} 1183 certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \ 1184 -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1 1185 1186 CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)" 1187 certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ 1188 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 1189 1190# CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" 1191# certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \ 1192# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 1193# 1194# done with mixed EC certs 1195# 1196 1197 echo "Importing all the client's own CA chain into the servers DB" 1198 for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; 1199 do 1200 N=`basename $CA | sed -e "s/.ca.cert//"` 1201 if [ $N = "clientCA" -o $N = "clientCA-ec" -o $N = "clientCA-dsa" ] ; then 1202 T="-t T,C,C" 1203 else 1204 T="-t u,u,u" 1205 fi 1206 CU_ACTION="Import $N CA $T for $CERTNAME (ext.)" 1207 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 1208 -i "${CA}" 2>&1 1209 done 1210 if [ "$CERTFAILED" != 0 ] ; then 1211 cert_log "ERROR: EXT failed $RET" 1212 else 1213 cert_log "SUCCESS: 
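EXT passed"
    fi
}

############################## cert_ssl ################################
# local shell function to create client + server certs for SSL test
#
# Builds, in this order:
#   - the TestCA issued client profile (TestUser) and server profile
#     (${HOSTADDR}) plus a second server cert for the SNI test, and then
#     promotes the three TestCA roots to TC,TC,TC (trusted for SSL client
#     and server authentication) in the profile cert_add_cert worked on,
#   - a copy of the server profile for the OCSP stapling tests into which
#     the TestCA key pair is moved through a PKCS#12 file,
#   - a copy of the client profile whose db password is set to EMPTY for
#     the strsclnt "no login" tests.
# Failures of the certutil steps are collected in CERTFAILED by certu;
# the pk12util steps are checked by hand because pk12u only sets RET.
########################################################################
cert_ssl()
{
    ################# Creating Certs for SSL test ###########################
    #
    CERTFAILED=0
    echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
    cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}

    echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
    echo "             ${HOSTADDR} ------------------------------------"
    cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
    echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
    echo "             ${HOSTADDR}-sni --------------------------------"
    # cert_add_cert takes its input from CERTSERIAL/CERTNAME and the
    # PROFILEDIR left behind by cert_create_cert; 101 keeps the serial
    # distinct from the host cert just issued by the same CA
    CERTSERIAL=101
    CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}"
    cert_add_cert

    CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
    certu -M -n "TestCA" -t "TC,TC,TC" -d "${PROFILEDIR}" -f "${R_PWFILE}"

    CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
    certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d "${PROFILEDIR}" -f "${R_PWFILE}"

    CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
    certu -M -n "TestCA-ec" -t "TC,TC,TC" -d "${PROFILEDIR}" -f "${R_PWFILE}"

    if [ "$CERTFAILED" != 0 ] ; then
        cert_log "ERROR: SSL failed $RET"
    else
        cert_log "SUCCESS: SSL passed"
    fi

    echo "$SCRIPTNAME: Creating database for OCSP stapling tests ==============="
    echo "cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}"
    cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
    # A PKCS#12 file carries the private key along with the cert, so this
    # moves the TestCA signing key into the stapling server's db --
    # presumably so that server can produce its own OCSP responses (TODO
    # confirm).  That profile therefore holds the issuing CA's key: fine
    # inside this harness, never a pattern for a deployment.  ca.p12 stays
    # on disk, protected by the same test password as the dbs.
    CU_ACTION="Export TestCA key and cert to ${R_STAPLINGDIR}/ca.p12"
    pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
    if [ "$RET" -ne 0 ] ; then
        html_failed "${CU_ACTION} ($RET)"
        cert_log "ERROR: ${CU_ACTION} failed $RET"
    fi
    CU_ACTION="Import TestCA key and cert into ${R_STAPLINGDIR}"
    pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
    if [ "$RET" -ne 0 ] ; then
        html_failed "${CU_ACTION} ($RET)"
        cert_log "ERROR: ${CU_ACTION} failed $RET"
    fi

    echo "$SCRIPTNAME: Creating database for strsclnt no login tests ==============="
    echo "cp -r ${R_CLIENTDIR} ${R_NOLOGINDIR}"
    cp -r ${R_CLIENTDIR} ${R_NOLOGINDIR}
    # change the password to empty: this copy of the client profile is
    # deliberately left without key-db protection so strsclnt can use it
    # without logging in; nothing but that test should ever point at it
    CU_ACTION="Set empty password on ${R_NOLOGINDIR}"
    certu -W -d "${R_NOLOGINDIR}" -f "${R_PWFILE}" -@ "${R_EMPTY_FILE}" 2>&1
}

############################## cert_stresscerts ################################
# local shell function to create client certs for SSL stresstest
#
# Issues TestUser${GLOB_MAX_CERT} down to TestUser${GLOB_MIN_CERT} into
# the client profile through cert_add_cert; the serial numbers run in the
# other direction, 10, 11, 12, ... (they must stay distinct from every
# other serial TestCA hands out, e.g. the range cert_crl_ssl uses).
########################################################################
cert_stresscerts()
{

    ############### Creating Certs for SSL stress test #######################
    #
    CERTDIR="$CLIENTDIR"
    cd "${CERTDIR}"

    # cert_add_cert wants PROFILEDIR in the form certutil -d accepts on
    # this platform (cygwin path or multiaccess: spec)
    PROFILEDIR=`cd ${CERTDIR}; pwd`
    if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
        PROFILEDIR=`cygpath -m ${PROFILEDIR}`
    fi
    if [ -n "${MULTIACCESS_DBM}" ]; then
        PROFILEDIR="multiaccess:${D_CLIENT}"
    fi
    CERTFAILED=0
    echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="

    CONTINUE=$GLOB_MAX_CERT
    CERTSERIAL=10

    while [ "$CONTINUE" -ge "$GLOB_MIN_CERT" ] ; do
        CERTNAME="TestUser$CONTINUE"
        cert_add_cert
        CERTSERIAL=$((CERTSERIAL + 1))
        CONTINUE=$((CONTINUE - 1))
    done
    if [ "$CERTFAILED" != 0 ] ; then
        cert_log "ERROR: StressCert failed $RET"
    else
        cert_log "SUCCESS: StressCert passed"
    fi
}

############################## cert_fips #####################################
# local shell function to create certificates for FIPS tests
#
# Creates a profile, switches its token into FIPS mode with modutil and
# then checks what FIPS mode has to enforce before issuing the DSA test
# cert:
#   - changing the db password to the contents of R_FIPSBADPWFILE must
#     be refused (certutil exit status 255),
#   - RSA key generation with public exponent 3 or 17 must be refused
#     (exit status 255) -- the test labels those exponents "too small".
# certu folds every mismatch into CERTFAILED; the modutil call is not
# run through certu, so its status is checked here by hand.
##############################################################################
cert_fips()
{
    CERTFAILED=0
    echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
    cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"

    CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
    certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1

    CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
    modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1

    echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
    CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
    echo "modutil -dbdir ${PROFILEDIR} -fips true "
    # modutil asks for confirmation; the here-document answers "y"
    ${BINDIR}/modutil -dbdir "${PROFILEDIR}" -fips true 2>&1 <<MODSCRIPT
y
MODSCRIPT
    RET=$?
    if [ "$RET" -ne 0 ]; then
        CERTFAILED=1
        html_failed "${CU_ACTION} ($RET) "
        cert_log "ERROR: ${CU_ACTION} failed $RET"
    else
        html_passed "${CU_ACTION}"
    fi

    # negative tests: each of these certutil calls MUST fail with 255 now
    # that the token is in FIPS mode; certu reports a success as failure
    CU_ACTION="Setting invalid database password in FIPS mode"
    RETEXPECTED=255
    certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1
    CU_ACTION="Attempt to generate a key with exponent of 3 (too small)"
    certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z "${R_NOISE_FILE}" -f "${R_FIPSPWFILE}"
    CU_ACTION="Attempt to generate a key with exponent of 17 (too small)"
    certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z "${R_NOISE_FILE}" -f "${R_FIPSPWFILE}"
    RETEXPECTED=0

    CU_ACTION="Generate Certificate for ${CERTNAME}"
    CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
    certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
    # report like the other cert_* functions: a failure anywhere above
    # used to go unlogged here when only the last certu call was checked
    if [ "$CERTFAILED" != 0 ] ; then
        cert_log "ERROR: FIPS failed $RET"
    else
        cert_log "SUCCESS: FIPS passed"
    fi

}

########################## cert_rsa_exponent #################################
# local shell function to verify small rsa exponent can be used (only
# run if FIPS has not been turned on in the build).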
1361############################################################################## 1362cert_rsa_exponent_nonfips() 1363{ 1364 echo "$SCRIPTNAME: Verify that small RSA exponents still work ==============" 1365 CU_ACTION="Attempt to generate a key with exponent of 3" 1366 certu -G -k rsa -g 2048 -y 3 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" 1367 CU_ACTION="Attempt to generate a key with exponent of 17" 1368 certu -G -k rsa -g 2048 -y 17 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" 1369} 1370 1371############################## cert_eccurves ########################### 1372# local shell function to create server certs for all EC curves 1373######################################################################## 1374cert_eccurves() 1375{ 1376 ################# Creating Certs for EC curves test ######################## 1377 # 1378 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for " 1379 echo " EC Curves Test Certificates ------------------------------------" 1380 1381 cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES} 1382 1383 CU_ACTION="Initializing EC Curve's Cert DB" 1384 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1385 1386 CU_ACTION="Loading root cert module to EC Curve's Cert DB" 1387 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 1388 1389 CU_ACTION="Import EC Root CA for $CERTNAME" 1390 certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ 1391 -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 1392 1393 CURVE_LIST="nistp256 nistp384 nistp521" 1394 CERTSERIAL=2000 1395 1396 for CURVE in ${CURVE_LIST} 1397 do 1398 CERTFAILED=0 1399 CERTNAME="Curve-${CURVE}" 1400 CERTSERIAL=`expr $CERTSERIAL + 1 ` 1401 CU_ACTION="Generate EC Cert Request for $CERTNAME" 1402 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1403 certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 1404 -z "${R_NOISE_FILE}" 
-o req 2>&1 1405 1406 if [ $RET -eq 0 ] ; then 1407 CU_ACTION="Sign ${CERTNAME}'s EC Request" 1408 certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ 1409 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 1410 fi 1411 1412 if [ $RET -eq 0 ] ; then 1413 CU_ACTION="Import $CERTNAME's EC Cert" 1414 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ 1415 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 1416 fi 1417 done 1418} 1419 1420########################### cert_extensions_test ############################# 1421# local shell function to test cert extensions generation 1422############################################################################## 1423cert_extensions_test() 1424{ 1425 COUNT=`expr ${COUNT} + 1` 1426 CERTNAME=TestExt${COUNT} 1427 CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1428 1429 echo 1430 echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ 1431 -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ 1432 -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE} 1433 echo "certutil options:" 1434 cat ${TARG_FILE} 1435 ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ 1436 -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ 1437 -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE} 1438 RET=$? 1439 if [ "${RET}" -ne 0 ]; then 1440 CERTFAILED=1 1441 html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate" 1442 cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed" 1443 return 1 1444 fi 1445 1446 echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME} 1447 EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}` 1448 RET=$? 
1449 echo "${EXTLIST}" 1450 if [ "${RET}" -ne 0 ]; then 1451 CERTFAILED=1 1452 html_failed "${TESTNAME} (${COUNT}) - List Certificate" 1453 cert_log "ERROR: ${TESTNAME} - List Certificate failed" 1454 return 1 1455 fi 1456 1457 for FL in `echo ${FILTERLIST} | tr \| ' '`; do 1458 FL="`echo ${FL} | tr _ ' '`" 1459 EXPSTAT=0 1460 if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then 1461 EXPSTAT=1 1462 FL=`echo ${FL} | tr -d '!'` 1463 fi 1464 echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1 1465 RET=$? 1466 if [ "${RET}" -ne "${EXPSTAT}" ]; then 1467 CERTFAILED=1 1468 html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}" 1469 cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed" 1470 return 1 1471 fi 1472 done 1473 1474 html_passed "${TESTNAME} (${COUNT})" 1475 return 0 1476} 1477 1478############################## cert_extensions ############################### 1479# local shell function to run cert extensions tests 1480############################################################################## 1481cert_extensions() 1482{ 1483 CERTNAME=TestExt 1484 cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS} 1485 TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args 1486 1487 COUNT=0 1488 while read ARG OPT FILTERLIST; do 1489 if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then 1490 continue 1491 fi 1492 if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then 1493 TESTNAME="${FILTERLIST}" 1494 continue 1495 fi 1496 if [ X"${ARG}" = "X=" ]; then 1497 cert_extensions_test 1498 rm -f ${TARG_FILE} 1499 else 1500 echo ${ARG} >> ${TARG_FILE} 1501 fi 1502 done < ${QADIR}/cert/certext.txt 1503} 1504 1505cert_make_with_param() 1506{ 1507 DIRPASS="$1" 1508 CERTNAME="$2" 1509 MAKE="$3" 1510 SUBJ="$4" 1511 EXTRA="$5" 1512 EXPECT="$6" 1513 TESTNAME="$7" 1514 1515 echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} 1516 ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} 1517 1518 RET=$? 
1519 if [ "${RET}" -ne "${EXPECT}" ]; then 1520 # if we expected failure to create, then delete unexpected certificate 1521 if [ "${EXPECT}" -ne 0 ]; then 1522 ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} 1523 fi 1524 1525 CERTFAILED=1 1526 html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}" 1527 cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed" 1528 return 1 1529 fi 1530 1531 html_passed "${TESTNAME} (${COUNT})" 1532 return 0 1533} 1534 1535cert_list_and_count_dns() 1536{ 1537 DIRPASS="$1" 1538 CERTNAME="$2" 1539 EXPECT="$3" 1540 EXPECTCOUNT="$4" 1541 TESTNAME="$5" 1542 1543 echo certutil ${DIRPASS} -L ${CERTNAME} 1544 ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} 1545 1546 RET=$? 1547 if [ "${RET}" -ne "${EXPECT}" ]; then 1548 CERTFAILED=1 1549 html_failed "${TESTNAME} (${COUNT}) - list and count" 1550 cert_log "ERROR: ${TESTNAME} - list and count failed" 1551 return 1 1552 fi 1553 1554 LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS` 1555 if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then 1556 CERTFAILED=1 1557 html_failed "${TESTNAME} (${COUNT}) - list and count" 1558 cert_log "ERROR: ${TESTNAME} - list and count failed" 1559 return 1 1560 fi 1561 1562 html_passed "${TESTNAME} (${COUNT})" 1563 return 0 1564} 1565 1566cert_dump_ext_to_file() 1567{ 1568 DIRPASS="$1" 1569 CERTNAME="$2" 1570 OID="$3" 1571 OUTFILE="$4" 1572 EXPECT="$5" 1573 TESTNAME="$6" 1574 1575 echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} 1576 echo "writing output to ${OUTFILE}" 1577 ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE} 1578 1579 RET=$? 
1580 if [ "${RET}" -ne "${EXPECT}" ]; then 1581 CERTFAILED=1 1582 html_failed "${TESTNAME} (${COUNT}) - dump to file" 1583 cert_log "ERROR: ${TESTNAME} - dump to file failed" 1584 return 1 1585 fi 1586 1587 html_passed "${TESTNAME} (${COUNT})" 1588 return 0 1589} 1590 1591cert_delete() 1592{ 1593 DIRPASS="$1" 1594 CERTNAME="$2" 1595 EXPECT="$3" 1596 TESTNAME="$4" 1597 1598 echo certutil ${DIRPASS} -D ${CERTNAME} 1599 ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} 1600 1601 RET=$? 1602 if [ "${RET}" -ne "${EXPECT}" ]; then 1603 CERTFAILED=1 1604 html_failed "${TESTNAME} (${COUNT}) - delete cert" 1605 cert_log "ERROR: ${TESTNAME} - delete cert failed" 1606 return 1 1607 fi 1608 1609 html_passed "${TESTNAME} (${COUNT})" 1610 return 0 1611} 1612 1613cert_inc_count() 1614{ 1615 COUNT=`expr ${COUNT} + 1` 1616} 1617 1618############################## cert_crl_ssl ############################ 1619# test adding subject-alt-name, dumping, and adding generic extension 1620######################################################################## 1621cert_san_and_generic_extensions() 1622{ 1623 EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der 1624 1625 DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}" 1626 CERTNAME="-n WithSAN" 1627 MAKE="-S -t ,, -x -z ${R_NOISE_FILE}" 1628 SUBJ="CN=example.com" 1629 1630 TESTNAME="san-and-generic-extensions" 1631 1632 cert_inc_count 1633 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1634 "--extSAN example.com" 255 \ 1635 "create cert with invalid SAN parameter" 1636 1637 cert_inc_count 1638 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1639 "--extSAN example.com,dns:www.example.com" 255 \ 1640 "create cert with invalid SAN parameter" 1641 1642 TN="create cert with valid SAN parameter" 1643 1644 cert_inc_count 1645 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1646 "--extSAN dns:example.com,dns:www.example.com" 0 \ 1647 "${TN}" 1648 1649 cert_inc_count 1650 cert_list_and_count_dns "${DIR}" 
"${CERTNAME}" 0 2 \ 1651 "${TN}" 1652 1653 cert_inc_count 1654 cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \ 1655 "dump extension 2.5.29.17 to file ${EXTDUMP}" 1656 1657 cert_inc_count 1658 cert_delete "${DIR}" "${CERTNAME}" 0 \ 1659 "${TN}" 1660 1661 cert_inc_count 1662 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ 1663 "expect failure to list cert, because we deleted it" 1664 1665 cert_inc_count 1666 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1667 "--extGeneric ${EXTDUMP}" 255 \ 1668 "create cert with invalid generic ext parameter" 1669 1670 cert_inc_count 1671 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1672 "--extGeneric not-critical:${EXTDUMP}" 255 \ 1673 "create cert with invalid generic ext parameter" 1674 1675 cert_inc_count 1676 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1677 "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \ 1678 "create cert with invalid generic ext parameter" 1679 1680 TN="create cert with valid generic ext parameter" 1681 1682 cert_inc_count 1683 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1684 "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \ 1685 "${TN}" 1686 1687 cert_inc_count 1688 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \ 1689 "${TN}" 1690 1691 cert_inc_count 1692 cert_delete "${DIR}" "${CERTNAME}" 0 \ 1693 "${TN}" 1694 1695 cert_inc_count 1696 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ 1697 "expect failure to list cert, because we deleted it" 1698} 1699 1700############################## cert_crl_ssl ############################ 1701# local shell function to generate certs and crls for SSL tests 1702######################################################################## 1703cert_crl_ssl() 1704{ 1705 1706 ################# Creating Certs ################################### 1707 # 1708 CERTFAILED=0 1709 CERTSERIAL=${CRL_GRP_1_BEGIN} 1710 1711 cd $CADIR 1712 
1713 PROFILEDIR=`cd ${CLIENTDIR}; pwd` 1714 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then 1715 PROFILEDIR=`cygpath -m ${PROFILEDIR}` 1716 fi 1717 CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1` 1718 echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ===" 1719 CU_ACTION="Creating client test certs" 1720 1721 while [ $CERTSERIAL -le $CRL_GRPS_END ] 1722 do 1723 CERTNAME="TestUser$CERTSERIAL" 1724 cert_add_cert 1725 CERTSERIAL=`expr $CERTSERIAL + 1 ` 1726 done 1727 1728 #################### CRL Creation ############################## 1729 CRL_GEN_RES=0 1730 echo "$SCRIPTNAME: Creating CA CRL =====================================" 1731 1732 CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1` 1733 CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END} 1734 CRL_FILE=${CRL_FILE_GRP_1} 1735 1736 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1737 CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority" 1738 CRL_GRP_END_=`expr ${CRL_GRP_END} - 1` 1739 crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \ 1740 -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI 1741update=$CRLUPDATE 1742addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE 1743addext reasonCode 0 4 1744addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA" 1745EOF_CRLINI 1746# This extension should be added to the list, but currently nss has bug 1747#addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1 1748 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1749 chmod 600 ${CRL_FILE_GRP_1}_or 1750 1751 1752 CU_ACTION="Generating CRL (DSA) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-dsa authority" 1753 1754# Until Bug 292285 is resolved, do not encode x400 Addresses. 
After 1755# the bug is resolved, reintroduce "x400Address:x400Address" within 1756# addext issuerAltNames ... 1757 crlu -q -d $CADIR -G -n "TestCA-dsa" -f ${R_PWFILE} \ 1758 -o ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI 1759update=$CRLUPDATE 1760addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE 1761addext reasonCode 0 4 1762addext issuerAltNames 0 "rfc822Name:ca-dsaemail@ca.com|dnsName:ca-dsa.com|directoryName:CN=NSS Test CA (DSA),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-dsa.com|ipAddress:192.168.0.1|registerID=reg CA (DSA)" 1763EOF_CRLINI 1764 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1765 chmod 600 ${CRL_FILE_GRP_1}_or-dsa 1766 1767 1768 1769 CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority" 1770 1771# Until Bug 292285 is resolved, do not encode x400 Addresses. After 1772# the bug is resolved, reintroduce "x400Address:x400Address" within 1773# addext issuerAltNames ... 1774 crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \ 1775 -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI 1776update=$CRLUPDATE 1777addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE 1778addext reasonCode 0 4 1779addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)" 1780EOF_CRLINI 1781 CRL_GEN_RES=`expr $? 
+ $CRL_GEN_RES` 1782 chmod 600 ${CRL_FILE_GRP_1}_or-ec 1783 1784 echo test > file 1785 ############################# Modification ################################## 1786 1787 echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============" 1788 sleep 2 1789 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1790 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` 1791 CU_ACTION="Modify CRL by adding one more cert" 1792 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \ 1793 -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI 1794update=$CRLUPDATE 1795addcert ${CRL_GRP_END} $CRL_GRP_DATE 1796EOF_CRLINI 1797 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1798 chmod 600 ${CRL_FILE_GRP_1}_or1 1799 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or" 1800 1801 1802 CU_ACTION="Modify CRL (DSA) by adding one more cert" 1803 crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1-dsa \ 1804 -i ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI 1805update=$CRLUPDATE 1806addcert ${CRL_GRP_END} $CRL_GRP_DATE 1807EOF_CRLINI 1808 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1809 chmod 600 ${CRL_FILE_GRP_1}_or1-dsa 1810 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa" 1811 1812 1813 CU_ACTION="Modify CRL (ECC) by adding one more cert" 1814 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \ 1815 -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI 1816update=$CRLUPDATE 1817addcert ${CRL_GRP_END} $CRL_GRP_DATE 1818EOF_CRLINI 1819 CRL_GEN_RES=`expr $? 
+ $CRL_GEN_RES` 1820 chmod 600 ${CRL_FILE_GRP_1}_or1-ec 1821 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec" 1822 1823 ########### Removing one cert ${UNREVOKED_CERT_GRP_1} ####################### 1824 echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ===============" 1825 CU_ACTION="Modify CRL by removing one cert" 1826 sleep 2 1827 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1828 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \ 1829 -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI 1830update=$CRLUPDATE 1831rmcert ${UNREVOKED_CERT_GRP_1} 1832EOF_CRLINI 1833 chmod 600 ${CRL_FILE_GRP_1} 1834 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1" 1835 1836 1837 CU_ACTION="Modify CRL (DSA) by removing one cert" 1838 sleep 2 1839 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1840 crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \ 1841 -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI 1842update=$CRLUPDATE 1843rmcert ${UNREVOKED_CERT_GRP_1} 1844EOF_CRLINI 1845 chmod 600 ${CRL_FILE_GRP_1} 1846 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-dsa" 1847 1848 1849 1850 CU_ACTION="Modify CRL (ECC) by removing one cert" 1851 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \ 1852 -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI 1853update=$CRLUPDATE 1854rmcert ${UNREVOKED_CERT_GRP_1} 1855EOF_CRLINI 1856 chmod 600 ${CRL_FILE_GRP_1}-ec 1857 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec" 1858 1859 ########### Creating second CRL which includes groups 1 and 2 ############## 1860 CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1` 1861 CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END} 1862 1863 echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ===============" 1864 sleep 2 1865 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1866 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` 1867 CU_ACTION="Creating CRL for groups 1 and 2" 1868 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2} \ 1869 -i ${CRL_FILE_GRP_1} <<EOF_CRLINI 
1870update=$CRLUPDATE 1871addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE 1872addext invalidityDate 0 $CRLUPDATE 1873rmcert ${UNREVOKED_CERT_GRP_2} 1874EOF_CRLINI 1875 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1876 chmod 600 ${CRL_FILE_GRP_2} 1877 CU_ACTION="Creating CRL (ECC) for groups 1 and 2" 1878 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \ 1879 -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI 1880update=$CRLUPDATE 1881addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE 1882addext invalidityDate 0 $CRLUPDATE 1883rmcert ${UNREVOKED_CERT_GRP_2} 1884EOF_CRLINI 1885 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1886 chmod 600 ${CRL_FILE_GRP_2}-ec 1887 1888 ########### Creating second CRL which includes groups 1, 2 and 3 ############## 1889 CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1` 1890 CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END} 1891 1892 1893 1894 echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3 ===============" 1895 sleep 2 1896 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1897 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` 1898 CU_ACTION="Creating CRL for groups 1, 2 and 3" 1899 crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3} \ 1900 -i ${CRL_FILE_GRP_2} <<EOF_CRLINI 1901update=$CRLUPDATE 1902addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE 1903rmcert ${UNREVOKED_CERT_GRP_3} 1904addext crlNumber 0 2 1905EOF_CRLINI 1906 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1907 chmod 600 ${CRL_FILE_GRP_3} 1908 CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3" 1909 crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \ 1910 -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI 1911update=$CRLUPDATE 1912addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE 1913rmcert ${UNREVOKED_CERT_GRP_3} 1914addext crlNumber 0 2 1915EOF_CRLINI 1916 CRL_GEN_RES=`expr $? 
+ $CRL_GEN_RES` 1917 chmod 600 ${CRL_FILE_GRP_3}-ec 1918 1919 ############ Importing Server CA Issued CRL for certs of first group ####### 1920 1921 echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}" 1922 CU_ACTION="Importing CRL for groups 1" 1923 crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}" 1924 crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}" 1925 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1926 CU_ACTION="Importing CRL (ECC) for groups 1" 1927 crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}" 1928 crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \ 1929 -d "${R_SERVERDIR}" 1930 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1931 1932 if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then 1933 cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES" 1934 else 1935 cert_log "SUCCESS: SSL CRL prep passed" 1936 fi 1937} 1938 1939################# 1940# Verify the we can successfully change the password on the database 1941# 1942cert_test_password() 1943{ 1944 CERTFAILED=0 1945 echo "$SCRIPTNAME: Create A Password Test Cert ==============" 1946 cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}" 1947 1948 echo "$SCRIPTNAME: Create A Password Test Ca --------" 1949 ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1950 cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1" 1951 1952 # now change the password 1953 CU_ACTION="Changing password on ${CERTNAME}'s Cert DB" 1954 certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1 1955 1956 # finally make sure we can use the old key with the new password 1957 CU_ACTION="Generate Certificate for ${CERTNAME} with new password" 1958 CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1959 certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 
2>&1 1960 if [ "$RET" -eq 0 ]; then 1961 cert_log "SUCCESS: PASSWORD passed" 1962 fi 1963 CU_ACTION="Verify Certificate for ${CERTNAME} with new password" 1964 certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 1965} 1966 1967############################### 1968# test if we can distrust a certificate. 1969# 1970# we create 3 new certs: 1971# 1 leaf signed by the trusted root. 1972# 1 intermediate signed by the trusted root. 1973# 1 leaf signed by the intermediate. 1974# 1975# we mark the first leaf and the intermediate as explicitly untrusted. 1976# we then try to verify the two leaf certs for our possible usages. 1977# All verification should fail. 1978# 1979cert_test_distrust() 1980{ 1981 echo "$SCRIPTNAME: Creating Distrusted Certificate" 1982 cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST} 1983 CU_ACTION="Mark CERT as unstrusted" 1984 certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1 1985 echo "$SCRIPTNAME: Creating Distrusted Intermediate" 1986 CERTNAME="DistrustedCA" 1987 ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1988 cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1 1989 CU_ACTION="Import Distrusted Intermediate" 1990 certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 1991 -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1 1992 1993 # now create the last leaf signed by our distrusted CA 1994 # since it's not signed by TestCA it requires more steps. 
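  CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA"
  CERTNAME="LeafChainedToDistrustedCA"
  CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1

  # The request is signed out of the CA database, so it has to be copied
  # there first.  A failed copy must not pass silently: "certutil -C -i req"
  # would then sign whatever stale "req" the CA directory still holds from an
  # earlier test, i.e. issue a certificate for the wrong key.
  CU_ACTION="Sign ${CERTNAME}'s Request"
  cp "${CERTDIR}/req" "${CADIR}"
  RET=$?
  if [ "$RET" -ne 0 ]; then
      CERTFAILED=$RET
      html_failed "${CU_ACTION} (copy request to CA dir, $RET)"
      cert_log "ERROR: ${CU_ACTION} failed: cannot copy ${CERTDIR}/req to ${CADIR}"
  fi
  certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \
        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1

  CU_ACTION="Import $CERTNAME's Cert -t u,u,u"
  certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
        -i "${CERTNAME}.cert" 2>&1

  # Both leaves must fail verification for every usage: the first because
  # its issuer was imported as explicitly distrusted (p,p,p), the second
  # because it was marked distrusted itself.  255 is the exit status this
  # script expects from a failed "certutil -V", so that is what certu has to
  # see for each of the twelve calls below.
  RETEXPECTED=255
  for leaf in LeafChainedToDistrustedCA Distrusted
  do
      CERTNAME="${leaf}"
      for usage_spec in "V:SSL Server" "C:SSL Client" "S:Email signer" \
                        "R:Email recipient" "O:OCSP responder" "J:Object Signer"
      do
          usage_flag="${usage_spec%%:*}"
          usage_desc="${usage_spec#*:}"
          CU_ACTION="Verify ${CERTNAME} Cert for ${usage_desc}"
          certu -V -n "${CERTNAME}" -u "${usage_flag}" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
      done
  done
  RETEXPECTED=0
}

########################################################################
# cert_test_ocspresp - OCSP response creation selftest.
# Runs the ocspr wrapper (defined elsewhere in the test suite) against
# serverCA / chain-1-serverCA in ${SERVER_CADIR}.  The selftest itself is
# expected to succeed, hence RETEXPECTED=0.
########################################################################
cert_test_ocspresp()
{
  echo "$SCRIPTNAME: OCSP response creation selftest"
  OR_ACTION="perform selftest"
  RETEXPECTED=0
  ocspr "${SERVER_CADIR}" "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
}

########################################################################
# cert_test_implicit_db_init - import into a database that was never
# initialised with "certutil -N".  The directory is created empty on
# purpose: the point of the test is that "certutil -A" with trust flags
# brings the database into existence by itself.
########################################################################
cert_test_implicit_db_init()
{
  echo "$SCRIPTNAME: test implicit database init"

  CU_ACTION="Add cert with trust flags to db with implicit init"
  mkdir "${IMPLICIT_INIT_DIR}"
  certu -A -n ca -t 'C,C,C' -d "${P_R_IMPLICIT_INIT_DIR}" -i "${SERVER_CADIR}/serverCA.ca.cert"
}

########################################################################
# check_sign_algo - compare the signature algorithm and RSA-PSS parameters
# actually encoded in ${CERTNAME} against ${TMP}/signalgo.exp.
# Verifying the certificate alone is not enough for the RSA-PSS tests: a
# signature made with weaker-than-requested parameters could still verify,
# so the "Signature Algorithm" section of "certutil -L" is diffed against
# what the caller expected.  Sets RET (and CERTFAILED on mismatch) and
# reports through html_passed/html_failed and cert_log.
########################################################################
check_sign_algo()
{
  certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
      sed -n '/^ *Data:/,/^$/{
/^            Signature Algorithm/,/^ *Salt length/s/^            //p
}' > ${TMP}/signalgo.txt

  diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt
  RET=$?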
2065 if [ "$RET" -ne 0 ]; then 2066 CERTFAILED=$RET 2067 html_failed "${CU_ACTION} ($RET) " 2068 cert_log "ERROR: ${CU_ACTION} failed $RET" 2069 else 2070 html_passed "${CU_ACTION}" 2071 fi 2072} 2073 2074cert_test_rsapss() 2075{ 2076 TEMPFILES="$TEMPFILES ${TMP}/signalgo.exp ${TMP}/signalgo.txt" 2077 2078 cert_init_cert "${RSAPSSDIR}" "RSA-PSS Test Cert" 1000 "${D_RSAPSS}" 2079 2080 CU_ACTION="Initialize Cert DB" 2081 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 2082 2083 CU_ACTION="Import RSA CA Cert" 2084 certu -A -n "TestCA" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2085 -i "${R_CADIR}/TestCA.ca.cert" 2>&1 2086 2087 CU_ACTION="Import RSA-PSS CA Cert" 2088 certu -A -n "TestCA-rsa-pss" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2089 -i "${R_CADIR}/TestCA-rsa-pss.ca.cert" 2>&1 2090 2091 CU_ACTION="Verify RSA-PSS CA Cert" 2092 certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2093 2094 CU_ACTION="Import RSA-PSS CA Cert (SHA1)" 2095 certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2096 -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 2097 2098 CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)" 2099 certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2100 -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1 2101 RETEXPECTED=255 2102 certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 2103 RETEXPECTED=0 2104 2105 CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)" 2106 certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2107 -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1 2108 RETEXPECTED=255 2109 certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 2110 RETEXPECTED=0 2111 2112 CERTSERIAL=200 2113 2114 # Subject certificate: RSA 2115 # Issuer certificate: RSA 2116 # Signature: RSA-PSS (explicit, with --pss-sign) 2117 
CERTNAME="TestUser-rsa-pss1" 2118 2119 CU_ACTION="Generate Cert Request for $CERTNAME" 2120 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2121 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 2122 2123 CU_ACTION="Sign ${CERTNAME}'s Request" 2124 certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2125 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2126 2127 CU_ACTION="Import $CERTNAME's Cert" 2128 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2129 -i "${CERTNAME}.cert" 2>&1 2130 2131 CU_ACTION="Verify $CERTNAME's Cert" 2132 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2133 cat > ${TMP}/signalgo.exp <<EOF 2134Signature Algorithm: PKCS #1 RSA-PSS Signature 2135 Parameters: 2136 Hash algorithm: SHA-256 2137 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2138 Mask hash algorithm: SHA-256 2139 Salt length: 32 (0x20) 2140EOF 2141 check_sign_algo 2142 2143 CERTSERIAL=`expr $CERTSERIAL + 1` 2144 2145 # Subject certificate: RSA 2146 # Issuer certificate: RSA 2147 # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512) 2148 CERTNAME="TestUser-rsa-pss2" 2149 2150 CU_ACTION="Generate Cert Request for $CERTNAME" 2151 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2152 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 2153 2154 CU_ACTION="Sign ${CERTNAME}'s Request" 2155 certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2156 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2157 2158 CU_ACTION="Import $CERTNAME's Cert" 2159 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2160 -i "${CERTNAME}.cert" 2>&1 2161 2162 CU_ACTION="Verify $CERTNAME's Cert" 2163 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2164 cat > ${TMP}/signalgo.exp <<EOF 
2165Signature Algorithm: PKCS #1 RSA-PSS Signature 2166 Parameters: 2167 Hash algorithm: SHA-512 2168 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2169 Mask hash algorithm: SHA-512 2170 Salt length: 64 (0x40) 2171EOF 2172 check_sign_algo 2173 2174 CERTSERIAL=`expr $CERTSERIAL + 1` 2175 2176 # Subject certificate: RSA 2177 # Issuer certificate: RSA-PSS 2178 # Signature: RSA-PSS 2179 CERTNAME="TestUser-rsa-pss3" 2180 2181 CU_ACTION="Generate Cert Request for $CERTNAME" 2182 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2183 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 2184 2185 CU_ACTION="Sign ${CERTNAME}'s Request" 2186 certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2187 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2188 2189 CU_ACTION="Import $CERTNAME's Cert" 2190 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2191 -i "${CERTNAME}.cert" 2>&1 2192 2193 CU_ACTION="Verify $CERTNAME's Cert" 2194 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2195 cat > ${TMP}/signalgo.exp <<EOF 2196Signature Algorithm: PKCS #1 RSA-PSS Signature 2197 Parameters: 2198 Hash algorithm: SHA-256 2199 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2200 Mask hash algorithm: SHA-256 2201 Salt length: 32 (0x20) 2202EOF 2203 check_sign_algo 2204 2205 CERTSERIAL=`expr $CERTSERIAL + 1` 2206 2207 # Subject certificate: RSA-PSS 2208 # Issuer certificate: RSA 2209 # Signature: RSA-PSS (explicit, with --pss-sign) 2210 CERTNAME="TestUser-rsa-pss4" 2211 2212 CU_ACTION="Generate Cert Request for $CERTNAME" 2213 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2214 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2215 2216 CU_ACTION="Sign ${CERTNAME}'s Request" 2217 certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d 
"${P_R_CADIR}" \ 2218 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2219 2220 CU_ACTION="Import $CERTNAME's Cert" 2221 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2222 -i "${CERTNAME}.cert" 2>&1 2223 2224 CU_ACTION="Verify $CERTNAME's Cert" 2225 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2226 cat > ${TMP}/signalgo.exp <<EOF 2227Signature Algorithm: PKCS #1 RSA-PSS Signature 2228 Parameters: 2229 Hash algorithm: SHA-256 2230 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2231 Mask hash algorithm: SHA-256 2232 Salt length: 32 (0x20) 2233EOF 2234 check_sign_algo 2235 2236 CERTSERIAL=`expr $CERTSERIAL + 1` 2237 2238 # Subject certificate: RSA-PSS 2239 # Issuer certificate: RSA-PSS 2240 # Signature: RSA-PSS (explicit, with --pss-sign) 2241 CERTNAME="TestUser-rsa-pss5" 2242 2243 CU_ACTION="Generate Cert Request for $CERTNAME" 2244 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2245 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2246 2247 CU_ACTION="Sign ${CERTNAME}'s Request" 2248 certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2249 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2250 2251 CU_ACTION="Import $CERTNAME's Cert" 2252 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2253 -i "${CERTNAME}.cert" 2>&1 2254 2255 CU_ACTION="Verify $CERTNAME's Cert" 2256 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2257 cat > ${TMP}/signalgo.exp <<EOF 2258Signature Algorithm: PKCS #1 RSA-PSS Signature 2259 Parameters: 2260 Hash algorithm: SHA-256 2261 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2262 Mask hash algorithm: SHA-256 2263 Salt length: 32 (0x20) 2264EOF 2265 check_sign_algo 2266 2267 CERTSERIAL=`expr $CERTSERIAL + 1` 2268 2269 # Subject certificate: RSA-PSS 2270 # Issuer certificate: RSA-PSS 2271 # Signature: RSA-PSS 
(implicit, without --pss-sign) 2272 CERTNAME="TestUser-rsa-pss6" 2273 2274 CU_ACTION="Generate Cert Request for $CERTNAME" 2275 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2276 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2277 2278 CU_ACTION="Sign ${CERTNAME}'s Request" 2279 # Sign without --pss-sign nor -Z option 2280 certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2281 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2282 2283 CU_ACTION="Import $CERTNAME's Cert" 2284 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2285 -i "${CERTNAME}.cert" 2>&1 2286 2287 CU_ACTION="Verify $CERTNAME's Cert" 2288 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2289 cat > ${TMP}/signalgo.exp <<EOF 2290Signature Algorithm: PKCS #1 RSA-PSS Signature 2291 Parameters: 2292 Hash algorithm: SHA-256 2293 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2294 Mask hash algorithm: SHA-256 2295 Salt length: 32 (0x20) 2296EOF 2297 check_sign_algo 2298 2299 CERTSERIAL=`expr $CERTSERIAL + 1` 2300 2301 # Subject certificate: RSA-PSS 2302 # Issuer certificate: RSA-PSS 2303 # Signature: RSA-PSS (with conflicting hash algorithm) 2304 CERTNAME="TestUser-rsa-pss7" 2305 2306 CU_ACTION="Generate Cert Request for $CERTNAME" 2307 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2308 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2309 2310 CU_ACTION="Sign ${CERTNAME}'s Request" 2311 RETEXPECTED=255 2312 certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2313 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2314 RETEXPECTED=0 2315 2316 CERTSERIAL=`expr $CERTSERIAL + 1` 2317 2318 # Subject certificate: RSA-PSS 2319 # Issuer certificate: RSA-PSS 2320 # Signature: RSA-PSS (with compatible hash 
algorithm) 2321 CERTNAME="TestUser-rsa-pss8" 2322 2323 CU_ACTION="Generate Cert Request for $CERTNAME" 2324 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2325 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2326 2327 CU_ACTION="Sign ${CERTNAME}'s Request" 2328 certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2329 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2330 2331 CU_ACTION="Import $CERTNAME's Cert" 2332 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2333 -i "${CERTNAME}.cert" 2>&1 2334 2335 CU_ACTION="Verify $CERTNAME's Cert" 2336 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2337 cat > ${TMP}/signalgo.exp <<EOF 2338Signature Algorithm: PKCS #1 RSA-PSS Signature 2339 Parameters: 2340 Hash algorithm: SHA-256 2341 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2342 Mask hash algorithm: SHA-256 2343 Salt length: 32 (0x20) 2344EOF 2345 check_sign_algo 2346 2347 CERTSERIAL=`expr $CERTSERIAL + 1` 2348 2349 # Subject certificate: RSA 2350 # Issuer certificate: RSA 2351 # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1) 2352 CERTNAME="TestUser-rsa-pss9" 2353 2354 CU_ACTION="Generate Cert Request for $CERTNAME" 2355 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2356 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 2357 2358 CU_ACTION="Sign ${CERTNAME}'s Request" 2359 certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2360 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2361 2362 CU_ACTION="Import $CERTNAME's Cert" 2363 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2364 -i "${CERTNAME}.cert" 2>&1 2365 2366 CU_ACTION="Verify $CERTNAME's Cert" 2367 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2368 
cat > ${TMP}/signalgo.exp <<EOF 2369Signature Algorithm: PKCS #1 RSA-PSS Signature 2370 Parameters: 2371 Hash algorithm: default, SHA-1 2372 Mask algorithm: default, MGF1 2373 Mask hash algorithm: default, SHA-1 2374 Salt length: default, 20 (0x14) 2375EOF 2376 check_sign_algo 2377 2378 CERTSERIAL=`expr $CERTSERIAL + 1` 2379 2380 # Subject certificate: RSA-PSS 2381 # Issuer certificate: RSA-PSS 2382 # Signature: RSA-PSS (implicit, without --pss-sign, default parameters) 2383 CERTNAME="TestUser-rsa-pss10" 2384 2385 CU_ACTION="Generate Cert Request for $CERTNAME" 2386 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2387 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 2388 2389 CU_ACTION="Sign ${CERTNAME}'s Request" 2390 # Sign without --pss-sign nor -Z option 2391 certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2392 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2393 2394 CU_ACTION="Import $CERTNAME's Cert" 2395 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2396 -i "${CERTNAME}.cert" 2>&1 2397 2398 CU_ACTION="Verify $CERTNAME's Cert" 2399 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2400 cat > ${TMP}/signalgo.exp <<EOF 2401Signature Algorithm: PKCS #1 RSA-PSS Signature 2402 Parameters: 2403 Hash algorithm: default, SHA-1 2404 Mask algorithm: default, MGF1 2405 Mask hash algorithm: default, SHA-1 2406 Salt length: default, 20 (0x14) 2407EOF 2408 check_sign_algo 2409 2410 CERTSERIAL=`expr $CERTSERIAL + 1` 2411 2412 # Subject certificate: RSA-PSS 2413 # Issuer certificate: RSA-PSS 2414 # Signature: RSA-PSS (with conflicting hash algorithm, default parameters) 2415 CERTNAME="TestUser-rsa-pss11" 2416 2417 CU_ACTION="Generate Cert Request for $CERTNAME" 2418 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2419 certu -R -d "${PROFILEDIR}" -f 
"${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2420 2421 CU_ACTION="Sign ${CERTNAME}'s Request" 2422 RETEXPECTED=255 2423 certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2424 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2425 RETEXPECTED=0 2426} 2427 2428############################## cert_cleanup ############################ 2429# local shell function to finish this script (no exit since it might be 2430# sourced) 2431######################################################################## 2432cert_cleanup() 2433{ 2434 cert_log "$SCRIPTNAME: finished $SCRIPTNAME" 2435 html "</TABLE><BR>" 2436 cd ${QADIR} 2437 . common/cleanup.sh 2438} 2439 2440################## main ################################################# 2441 2442cert_init 2443cert_all_CA 2444cert_test_implicit_db_init 2445cert_extended_ssl 2446cert_ssl 2447cert_smime_client 2448IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED` 2449if [ $IS_FIPS_DISABLED -ne 0 ]; then 2450 cert_rsa_exponent_nonfips 2451else 2452 cert_fips 2453fi 2454cert_eccurves 2455cert_extensions 2456cert_san_and_generic_extensions 2457cert_test_password 2458cert_test_distrust 2459cert_test_ocspresp 2460cert_test_rsapss 2461 2462if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then 2463 cert_crl_ssl 2464else 2465 echo "$SCRIPTNAME: Skipping CRL Tests" 2466fi 2467 2468if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then 2469 cert_stresscerts 2470fi 2471 2472cert_iopr_setup 2473 2474cert_cleanup 2475