1#!/bin/bash
2
3export NSS_DEFAULT_DB_TYPE=sql
4
5export BASE_PATH=`dirname $0`
6export SIGN_SCR_LOC=.
7export APPS_TEST_LOC=../../../../../../../dom/apps/tests/signed
8export TOOLKIT_WEBAPPS_TEST_LOC=../../../../../../../toolkit/webapps/tests/data/
9
10# Creates the entry zip files (unsigned apps) from the source directories
11packageApps() {
12APPS="unsigned_app_1 unsigned_app_origin unsigned_app_origin_toolkit_webapps"
13OLD_PWD=`pwd`
14cd ${BASE_PATH}
15for i in $APPS
16do
17  echo "Creating $i.zip"
18  cd $i && zip -r ../$i.zip . && cd ..
19done
20cd ${OLD_PWD}
21}
22
23
24# Function to create a signing database
25# Parameters:
26# $1: Output directory (where the DB will be created)
27createDb() {
28
29  db=$1
30
31  mkdir -p $db
32
33  # Insecure by design, so... please don't use this for anything serious
34  passwordfile=$db/passwordfile
35
36  echo insecurepassword > $passwordfile
37  certutil -d $db -N -f $passwordfile 2>&1 >/dev/null
38
39}
40
41# Add a CA cert and a signing cert to the database
42# Arguments:
43#   $1: DB directory
44#   $2: CA CN (don't include the CN=, just the value)
45#   $3: Signing Cert CN (don't include the CN=, just the value)
46#   $4: CA short name (don't use spaces!)
47#   $5: Signing Cert short name (don't use spaces!)
48addCerts() {
49  org="O=Examplla Corporation,L=Mountain View,ST=CA,C=US"
50  ca_subj="CN=${2},${org}"
51  ee_subj="CN=${3},${org}"
52
53  noisefile=/tmp/noise.$$
54  head -c 32 /dev/urandom > $noisefile
55
56  ca_responses=/tmp/caresponses.$$
57  ee_responses=/tmp/earesponses
58
59  echo y >  $ca_responses # Is this a CA?
60  echo >>   $ca_responses # Accept default path length constraint (no constraint)
61  echo y >> $ca_responses # Is this a critical constraint?
62  echo n >  $ee_responses # Is this a CA?
63  echo >>   $ee_responses # Accept default path length constraint (no constraint)
64  echo y >> $ee_responses # Is this a critical constraint?
65
66  make_cert="certutil -d $db -f $passwordfile -S -g 2048 -Z SHA256 \
67                    -z $noisefile -y 3 -2 --extKeyUsage critical,codeSigning"
68  $make_cert -v 480 -n ${4}        -m 1 -s "$ca_subj" \
69      --keyUsage critical,certSigning      -t ",,CTu" -x < $ca_responses 2>&1 >/dev/null
70  $make_cert -v 240 -n ${5} -c ${4} -m 2 -s "$ee_subj" \
71      --keyUsage critical,digitalSignature -t ",,,"      < $ee_responses 2>&1 >/dev/null
72
73  # In case we want to inspect the generated certs
74
75  # Also, we'll need this one later on
76  certutil -d $db -L -n ${4} -r -o $db/${4}.der
77  certutil -d $db -L -n ${5} -r -o $db/${5}.der
78
79  rm -f $noisefile $ee_responses $ca_responses
80}
81
82
83# Signs an app
84# Parameters:
85# $1: Database directory
86# $2: Unsigned ZIP file path
87# $3: Signed ZIP file path
88# $4: Store ID for the signed App
89# $5: Version of the signed App
90# $6: Nickname of the signing certificate
91signApp() {
92
93  db=$1
94
95  # Once again, this is INSECURE. It doesn't matter here but
96  # DON'T use this for anything production related
97  passwordfile=$db/passwordfile
98
99  python ${BASE_PATH}/${SIGN_SCR_LOC}/sign_b2g_app.py -d $db -f $passwordfile \
100         -k ${6} -i ${2} -o ${3} -S ${4} -V ${5}
101}
102
103DB_PATH=${BASE_PATH}/signingDB
104TEST_APP_PATH=${BASE_PATH}/testApps
105
106echo "Warning! The directories ${DB_PATH} and ${TEST_APP_PATH} will be erased!"
107echo "Do you want to proceed anyway?"
108select answer in "Yes" "No"
109do
110  case $answer in
111    Yes) break;;
112    No) exit 1;;
113  esac
114done
115
116rm -rf ${DB_PATH} ${TEST_APP_PATH}
117
118TRUSTED_EE=trusted_ee1
119UNTRUSTED_EE=untrusted_ee1
120TRUSTED_CA=trusted_ca1
121UNTRUSTED_CA=untrusted_ca1
122
123# First, we'll create a new couple of signing DBs
124createDb $DB_PATH
125addCerts $DB_PATH "Valid CA" "Store Cert" trusted_ca1 ${TRUSTED_EE}
126addCerts $DB_PATH "Invalid CA" "Invalid Cert" ${UNTRUSTED_CA} ${UNTRUSTED_EE}
127
128# Then we'll create the unsigned apps
129echo "Creating unsigned apps"
130packageApps
131
132# And then we'll create all the test apps...
133mkdir -p ${TEST_APP_PATH}
134
135# We need:
136# A valid signed file, with two different versions:
137#    valid_app_1.zip
138#    valid_app_2.zip
139VALID_UID=`uuidgen`
140signApp $DB_PATH ${BASE_PATH}/unsigned_app_1.zip \
141        $TEST_APP_PATH/valid_app_1.zip \
142        $VALID_UID 1 ${TRUSTED_EE}
143signApp $DB_PATH ${BASE_PATH}/unsigned_app_1.zip \
144        $TEST_APP_PATH/valid_app_2.zip \
145        $VALID_UID 2 ${TRUSTED_EE}
146
147
148# A corrupt_package:
149#    corrupt_app_1.zip
150# A corrupt package is a package with a entry modified, for example...
151CURDIR=`pwd`
152export TEMP_DIR=$TEST_APP_PATH/aux_unzip_$$
153mkdir -p $TEMP_DIR
154cd  $TEMP_DIR
155unzip ../valid_app_1.zip 2>&1 >/dev/null
156echo " - " >> index.html
157zip -r ../corrupt_app_1.zip * 2>&1 >/dev/null
158cd $CURDIR
159rm -rf $TEMP_DIR
160
161# A file signed by a unknown issuer
162#    unknown_issuer_app_1.zip
163INVALID_UID=`uuidgen`
164signApp $DB_PATH ${BASE_PATH}/unsigned_app_1.zip \
165        $TEST_APP_PATH/unknown_issuer_app_1.zip \
166        $INVALID_UID 1 ${UNTRUSTED_EE}
167
168# And finally a priviledged signed file that includes the origin on the manifest
169# to avoid that reverting again
170PRIV_UID=`uuidgen`
171signApp $DB_PATH ${BASE_PATH}/unsigned_app_origin.zip \
172        $TEST_APP_PATH/origin_app_1.zip \
173        $PRIV_UID 1 ${TRUSTED_EE}
174
175# A privileged signed app needed for a toolkit/webapps test
176PRIV_TOOLKIT_UID=`uuidgen`
177signApp $DB_PATH ${BASE_PATH}/unsigned_app_origin_toolkit_webapps.zip \
178        $TEST_APP_PATH/custom_origin.zip \
179        $PRIV_TOOLKIT_UID 1 ${TRUSTED_EE}
180
181# Now let's copy the trusted cert to the app directory so we have everything
182# on the same place...
183cp ${DB_PATH}/${TRUSTED_CA}.der ${TEST_APP_PATH}
184
185cat <<EOF
186
187All done. The new test files are in ${TEST_APP_PATH}. You should copy the
188contents of that directory to the dom/apps/tests/signed directory and to
189the security/manager/ssl/tests/unit/test_signed_apps (which should be the
190parent of this directory) to install them.
191
192EOF
193
194echo "Do you wish me to do that for you now?"
195select answer in "Yes" "No"
196do
197  case $answer in
198    Yes) break;;
199    No) echo "Ok, not installing the new files"
200        echo "You should run: "
201        echo cp ${TEST_APP_PATH}/* ${BASE_PATH}/${APPS_TEST_LOC}
202        echo cp ${TEST_APP_PATH}/* ${TEST_APP_PATH}/../unsigned_app_1.zip ${BASE_PATH}/..
203        echo cp ${TEST_APP_PATH}/* ${BASE_PATH}/${TOOLKIT_WEBAPPS_TEST_LOC}
204        echo "to install them"
205        exit 0;;
206  esac
207done
208
209cp ${TEST_APP_PATH}/* ${BASE_PATH}/${APPS_TEST_LOC}
210cp ${TEST_APP_PATH}/* ${TEST_APP_PATH}/../unsigned_app_1.zip ${BASE_PATH}/..
211cp ${TEST_APP_PATH}/* ${BASE_PATH}/${TOOLKIT_WEBAPPS_TEST_LOC}
212
213echo "Done!"
214