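#!/bin/bash
#
# Generates the signed-app test fixtures: builds a throwaway NSS database with
# a CA and a code-signing certificate per CA, zips the unsigned app sources and
# signs them with sign_b2g_app.py. The keys and the database password created
# here are test-only material.

export NSS_DEFAULT_DB_TYPE=sql

# Assigned separately from the export so a failing dirname is not masked.
BASE_PATH=$(dirname -- "$0")
export BASE_PATH
export SIGN_SCR_LOC=.
export APPS_TEST_LOC=../../../../../../../dom/apps/tests/signed
export TOOLKIT_WEBAPPS_TEST_LOC=../../../../../../../toolkit/webapps/tests/data/

# Creates the entry zip files (unsigned apps) from the source directories
# Globals: BASE_PATH (read)
# Returns: 0 if every archive was created, 1 if any of them failed
packageApps() {
  local -a apps=(unsigned_app_1 unsigned_app_origin unsigned_app_origin_toolkit_webapps)
  local app
  local rv=0

  for app in "${apps[@]}"; do
    echo "Creating $app.zip"
    # Subshell: the caller's working directory is untouched, and a failed cd
    # or zip cannot leave later iterations running in the wrong directory.
    ( cd -- "${BASE_PATH}/${app}" && zip -r "../${app}.zip" . ) || rv=1
  done

  return "$rv"
}


# Function to create a signing database
# Parameters:
# $1: Output directory (where the DB will be created)
# Returns: the exit status of certutil (1 if the directory cannot be created)
createDb() {
  local db=$1
  # Insecure by design, so... please don't use this for anything serious:
  # the database password is a fixed string kept in clear text next to the DB.
  local passwordfile=$db/passwordfile

  mkdir -p -- "$db" || return 1

  echo insecurepassword > "$passwordfile"
  # stdout is discarded; stderr is routed to the caller's stdout so certutil
  # errors stay visible.
  certutil -d "$db" -N -f "$passwordfile" 2>&1 >/dev/null
}

# Add a CA cert and a signing cert to the database
# Arguments:
# $1: DB directory
# $2: CA CN (don't include the CN=, just the value)
# $3: Signing Cert CN (don't include the CN=, just the value)
# $4: CA short name (don't use spaces!)
# $5: Signing Cert short name (don't use spaces!)
# Returns: 0 on success, 1 if any certutil step failed
addCerts() {
  # Take the database from $1 as documented, instead of relying on the db and
  # passwordfile globals left behind by an earlier createDb call.
  local db=$1
  local passwordfile=$db/passwordfile
  local org="O=Examplla Corporation,L=Mountain View,ST=CA,C=US"
  local ca_subj="CN=${2},${org}"
  local ee_subj="CN=${3},${org}"
  local ca_nick=$4
  local ee_nick=$5
  local scratch noisefile ca_responses ee_responses
  local rv=0

  # Private scratch directory from mktemp instead of fixed, guessable names
  # under /tmp: another local user cannot pre-create or symlink these files.
  scratch=$(mktemp -d) || return 1
  noisefile=$scratch/noise
  ca_responses=$scratch/caresponses
  ee_responses=$scratch/eeresponses

  head -c 32 /dev/urandom > "$noisefile"

  # Scripted answers to the basic-constraints prompts certutil asks with -2.
  {
    echo y # Is this a CA?
    echo   # Accept default path length constraint (no constraint)
    echo y # Is this a critical constraint?
  } > "$ca_responses"
  {
    echo n # Is this a CA?
    echo   # Accept default path length constraint (no constraint)
    echo y # Is this a critical constraint?
  } > "$ee_responses"

  # Argument array rather than a word-split string, so paths survive intact.
  local -a make_cert=(certutil -d "$db" -f "$passwordfile" -S -g 2048 -Z SHA256
    -z "$noisefile" -y 3 -2 --extKeyUsage critical,codeSigning)

  # Self-signed CA (-x), then the signing cert issued by it (-c).
  "${make_cert[@]}" -v 480 -n "$ca_nick" -m 1 -s "$ca_subj" \
    --keyUsage critical,certSigning -t ",,CTu" -x \
    < "$ca_responses" 2>&1 >/dev/null || rv=1
  "${make_cert[@]}" -v 240 -n "$ee_nick" -c "$ca_nick" -m 2 -s "$ee_subj" \
    --keyUsage critical,digitalSignature -t ",,," \
    < "$ee_responses" 2>&1 >/dev/null || rv=1

  # In case we want to inspect the generated certs

  # Also, we'll need this one later on
  certutil -d "$db" -L -n "$ca_nick" -r -o "$db/${ca_nick}.der" || rv=1
  certutil -d "$db" -L -n "$ee_nick" -r -o "$db/${ee_nick}.der" || rv=1

  rm -rf -- "$scratch"
  return "$rv"
}


# Signs an app
# Parameters:
# $1: Database directory
# $2: Unsigned ZIP file path
# $3: Signed ZIP file path
# $4: Store ID for the signed App
# $5: Version of the signed App
# $6: Nickname of the signing certificate
# Returns: the exit status of sign_b2g_app.py
signApp() {
  local db=$1

  # Once again, this is INSECURE. It doesn't matter here but
  # DON'T use this for anything production related
  local passwordfile=$db/passwordfile

  python "${BASE_PATH}/${SIGN_SCR_LOC}/sign_b2g_app.py" -d "$db" -f "$passwordfile" \
    -k "${6}" -i "${2}" -o "${3}" -S "${4}" -V "${5}"
}

DB_PATH=${BASE_PATH}/signingDB
TEST_APP_PATH=${BASE_PATH}/testApps

echo "Warning! The directories ${DB_PATH} and ${TEST_APP_PATH} will be erased!"
echo "Do you want to proceed anyway?"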
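# Require an explicit "Yes". When stdin hits EOF the select loop simply ends,
# so without this flag a closed or non-interactive stdin would fall through to
# the rm -rf below with no confirmation at all.
confirmed=no
select answer in "Yes" "No"; do
  case $answer in
    Yes)
      confirmed=yes
      break
      ;;
    No) exit 1 ;;
  esac
done

if [ "$confirmed" != yes ]; then
  echo "No confirmation received, aborting." >&2
  exit 1
fi

# ${VAR:?} aborts if either path is empty or unset, so this can never expand
# to a bare "rm -rf" on an unintended location.
rm -rf -- "${DB_PATH:?}" "${TEST_APP_PATH:?}"

TRUSTED_EE=trusted_ee1
UNTRUSTED_EE=untrusted_ee1
TRUSTED_CA=trusted_ca1
UNTRUSTED_CA=untrusted_ca1

# First, we'll create a new couple of signing DBs.
# Each step stops the run on failure so that incomplete or stale fixtures are
# never produced further down.
createDb "$DB_PATH" || exit 1
addCerts "$DB_PATH" "Valid CA" "Store Cert" "${TRUSTED_CA}" "${TRUSTED_EE}" || exit 1
addCerts "$DB_PATH" "Invalid CA" "Invalid Cert" "${UNTRUSTED_CA}" "${UNTRUSTED_EE}" || exit 1

# Then we'll create the unsigned apps
echo "Creating unsigned apps"
packageApps || exit 1

# And then we'll create all the test apps...
mkdir -p -- "${TEST_APP_PATH}" || exit 1

# We need:
# A valid signed file, with two different versions:
# valid_app_1.zip
# valid_app_2.zip
VALID_UID=$(uuidgen)
signApp "$DB_PATH" "${BASE_PATH}/unsigned_app_1.zip" \
  "$TEST_APP_PATH/valid_app_1.zip" \
  "$VALID_UID" 1 "${TRUSTED_EE}" || exit 1
signApp "$DB_PATH" "${BASE_PATH}/unsigned_app_1.zip" \
  "$TEST_APP_PATH/valid_app_2.zip" \
  "$VALID_UID" 2 "${TRUSTED_EE}" || exit 1


# A corrupt_package:
# corrupt_app_1.zip
# A corrupt package is a package with an entry modified, for example...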
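CURDIR=$(pwd)
export TEMP_DIR=$TEST_APP_PATH/aux_unzip_$$
mkdir -p -- "$TEMP_DIR" || exit 1
# Stop if the scratch directory cannot be entered: otherwise unzip, the
# index.html append and the final rm -rf would all act on the wrong directory.
cd -- "$TEMP_DIR" || exit 1
# stdout is discarded; stderr is routed to the script's stdout so errors stay
# visible.
unzip ../valid_app_1.zip 2>&1 >/dev/null || exit 1
# Alter one signed entry after signing, so its content no longer matches what
# was signed.
echo " - " >> index.html
zip -r ../corrupt_app_1.zip * 2>&1 >/dev/null || exit 1
cd -- "$CURDIR" || exit 1
rm -rf -- "${TEMP_DIR:?}"

# A file signed by an unknown issuer
# unknown_issuer_app_1.zip
INVALID_UID=$(uuidgen)
signApp "$DB_PATH" "${BASE_PATH}/unsigned_app_1.zip" \
  "$TEST_APP_PATH/unknown_issuer_app_1.zip" \
  "$INVALID_UID" 1 "${UNTRUSTED_EE}" || exit 1

# And finally a privileged signed file that includes the origin in the
# manifest, to keep that from regressing again
PRIV_UID=$(uuidgen)
signApp "$DB_PATH" "${BASE_PATH}/unsigned_app_origin.zip" \
  "$TEST_APP_PATH/origin_app_1.zip" \
  "$PRIV_UID" 1 "${TRUSTED_EE}" || exit 1

# A privileged signed app needed for a toolkit/webapps test
PRIV_TOOLKIT_UID=$(uuidgen)
signApp "$DB_PATH" "${BASE_PATH}/unsigned_app_origin_toolkit_webapps.zip" \
  "$TEST_APP_PATH/custom_origin.zip" \
  "$PRIV_TOOLKIT_UID" 1 "${TRUSTED_EE}" || exit 1

# Now let's copy the trusted cert to the app directory so we have everything
# in the same place... Only the CA certificate (.der) is copied; the signing
# database and its password file stay in ${DB_PATH}.
cp -- "${DB_PATH}/${TRUSTED_CA}.der" "${TEST_APP_PATH}" || exit 1

cat <<EOF

All done. The new test files are in ${TEST_APP_PATH}. You should copy the
contents of that directory to the dom/apps/tests/signed directory and to
the security/manager/ssl/tests/unit/test_signed_apps (which should be the
parent of this directory) to install them.

EOF

echo "Do you wish me to do that for you now?"
# Install only on an explicit "Yes". EOF on stdin ends the select loop, so it
# is handled like "No" instead of falling through to the copy commands.
install=no
select answer in "Yes" "No"; do
  case $answer in
    Yes)
      install=yes
      break
      ;;
    No) break ;;
  esac
done

if [ "$install" != yes ]; then
  echo "Ok, not installing the new files"
  echo "You should run: "
  echo cp "${TEST_APP_PATH}"/* "${BASE_PATH}/${APPS_TEST_LOC}"
  echo cp "${TEST_APP_PATH}"/* "${TEST_APP_PATH}/../unsigned_app_1.zip" "${BASE_PATH}/.."
  echo cp "${TEST_APP_PATH}"/* "${BASE_PATH}/${TOOLKIT_WEBAPPS_TEST_LOC}"
  echo "to install them"
  exit 0
fi

# A failed copy stops the run, so "Done!" is printed only when every
# destination received the new fixtures.
cp -- "${TEST_APP_PATH}"/* "${BASE_PATH}/${APPS_TEST_LOC}" || exit 1
cp -- "${TEST_APP_PATH}"/* "${TEST_APP_PATH}/../unsigned_app_1.zip" "${BASE_PATH}/.." || exit 1
cp -- "${TEST_APP_PATH}"/* "${BASE_PATH}/${TOOLKIT_WEBAPPS_TEST_LOC}" || exit 1

echo "Done!"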