cert.sh (85947B)
1 #! /bin/bash 2 # 3 # This Source Code Form is subject to the terms of the Mozilla Public 4 # License, v. 2.0. If a copy of the MPL was not distributed with this 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/. 6 7 ######################################################################## 8 # 9 # mozilla/security/nss/tests/cert/rcert.sh 10 # 11 # Certificate generating and handeling for NSS QA, can be included 12 # multiple times from all.sh and the individual scripts 13 # 14 # needs to work on all Unix and Windows platforms 15 # 16 # included from (don't expect this to be up to date) 17 # -------------------------------------------------- 18 # all.sh 19 # ssl.sh 20 # smime.sh 21 # tools.sh 22 # 23 # special strings 24 # --------------- 25 # FIXME ... known problems, search for this string 26 # NOTE .... unexpected behavior 27 # 28 # FIXME - Netscape - NSS 29 ######################################################################## 30 31 # 32 # set up the arrays of supported keys. These arrays function like 33 # a single array of a struct the contains the: 34 # keyType (all caps) 35 # keySuffix (that suffix to add to files and cert names) 36 # keyGenCmd (parameters to pass to certutil when generating a key) 37 # keyIsMixed (generate mixed RSA/keyType certchains with RSA as the root) 38 # keySerialOffset (serial offset used when generating mixed certs so 39 # these certs don't colide with other mixed certs or 40 # straight up RSA certs). 41 declare -a keyType 42 declare -a keySuffix 43 declare -a keyGenCmd 44 declare -a keyIsMixed 45 declare -a keySerialOffset 46 keyType=() 47 keySuffix=() 48 keyGenCmd=() 49 keyIsMixed=() 50 keySerialOffset=() 51 52 # we use this function to set up the array programatically so that 53 # 1) we can make sure each element matches it's peers in index, and 54 # 2) the arrays sizes will all be the same, and 55 # 3) we can add or subtract keys based on build flags (so if we don't 56 # support dsa, we can drop the dsa cert test) 57 cert_add_algorithm() 58 { 59 if [[ $# -ne 5 ]]; then 60 html_failed "Test case error, Not enough args in cert_add_algorithm" 61 cert_log "ERROR: Test case error, Not enough args in cert_add_algorithm" 62 Exit 5 "Fatal - Not enough args in cert_add_algorithm" 63 fi 64 keyType+=("$1") 65 keySuffix+=("$2") 66 keyGenCmd+=("$3") 67 keyIsMixed+=("$4") 68 keySerialOffset+=($5) 69 } 70 71 72 ############################## cert_init ############################### 73 # local shell function to initialize this script 74 ######################################################################## 75 cert_init() 76 { 77 SCRIPTNAME="cert.sh" 78 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for 79 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it 80 fi 81 if [ -z "${INIT_SOURCED}" ] ; then 82 cd ../common 83 . ./init.sh 84 fi 85 if [ -z "${IOPR_CERT_SOURCED}" ]; then 86 . ../iopr/cert_iopr.sh 87 fi 88 SCRIPTNAME="cert.sh" 89 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` 90 html_head "Certutil and Crlutil Tests" 91 92 LIBDIR="${DIST}/${OBJDIR}/lib" 93 94 ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi.* | head -1` 95 if [ ! "${ROOTCERTSFILE}" ] ; then 96 html_failed "Looking for root certs module." 97 cert_log "ERROR: Root certs module not found." 98 Exit 5 "Fatal - Root certs module not found." 99 else 100 html_passed "Looking for root certs module." 101 fi 102 103 cert_add_algorithm "RSA" "" "" "false" 0 104 if [ -z ${NSS_DISABLE_DSA} ]; then 105 cert_add_algorithm "DSA" "-dsa" "-k dsa" "true" 20000 106 fi 107 # NOTE: curve is added later, so the full command would be '-k ec -q curve' 108 cert_add_algorithm "ECC" "-ec" "-k ec -q" "true" 10000 109 # currently rsa-pss is only enabled for a subset of tests 110 # this will enable a full suite of RSA-PSS certs, and we would 111 # then remove the explicit ones 112 # ulike the other tests, we would need to change ssl tests as this 113 # will rename some of the RSA-PSS certificates. 114 #cert_add_algorithm "RSA-PSS" "-rsa-pss" "-k rsa -pss -Z sha256" "true" 115 #cert_add_algorithm "RSA-PSS-SHA1" "-rsa-pss-sha1" "-k rsa -pss -Z sha1" "true" 116 117 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then 118 ROOTCERTSFILE=`cygpath -m ${ROOTCERTSFILE}` 119 fi 120 } 121 122 cert_log() ###################### write the cert_status file 123 { 124 echo "$SCRIPTNAME $*" 125 echo $* >>${CERT_LOG_FILE} 126 } 127 128 ######################################################################## 129 # function wraps calls to pk12util, also: writes action and options 130 # to stdout. 131 # Params are the same as to pk12util. 132 # Returns pk12util status 133 # 134 pk12u() 135 { 136 echo "${CU_ACTION} --------------------------" 137 138 echo "pk12util $@" 139 ${BINDIR}/pk12util $@ 140 RET=$? 141 142 return $RET 143 } 144 145 ################################ certu ################################# 146 # local shell function to call certutil, also: writes action and options to 147 # stdout, sets variable RET and writes results to the html file results 148 ######################################################################## 149 certu() 150 { 151 echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" 152 EXPECTED=${RETEXPECTED-0} 153 154 if [ -n "${CU_SUBJECT}" ]; then 155 #the subject of the cert contains blanks, and the shell 156 #will strip the quotes off the string, if called otherwise... 157 echo "certutil -s \"${CU_SUBJECT}\" $*" 158 ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $* 159 RET=$? 160 CU_SUBJECT="" 161 else 162 echo "certutil $*" 163 ${PROFTOOL} ${BINDIR}/certutil $* 164 RET=$? 165 fi 166 if [ "$RET" -ne "$EXPECTED" ]; then 167 CERTFAILED=$RET 168 html_failed "${CU_ACTION} ($RET=$EXPECTED) " 169 cert_log "ERROR: ${CU_ACTION} failed $RET" 170 else 171 html_passed "${CU_ACTION}" 172 fi 173 174 return $RET 175 } 176 177 ################################ crlu ################################# 178 # local shell function to call crlutil, also: writes action and options to 179 # stdout, sets variable RET and writes results to the html file results 180 ######################################################################## 181 crlu() 182 { 183 echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" 184 185 CRLUTIL="crlutil -q" 186 echo "$CRLUTIL $*" 187 ${PROFTOOL} ${BINDIR}/$CRLUTIL $* 188 RET=$? 189 if [ "$RET" -ne 0 ]; then 190 CRLFAILED=$RET 191 html_failed "${CU_ACTION} ($RET) " 192 cert_log "ERROR: ${CU_ACTION} failed $RET" 193 else 194 html_passed "${CU_ACTION}" 195 fi 196 197 return $RET 198 } 199 200 ################################ ocspr ################################## 201 # local shell function to call ocsresp, also: writes action and options to 202 # stdout, sets variable RET and writes results to the html file results 203 ######################################################################### 204 ocspr() 205 { 206 echo "$SCRIPTNAME: ${OR_ACTION} --------------------------" 207 208 OCSPRESP="ocspresp" 209 echo "$OCSPRESP $*" 210 ${PROFTOOL} ${BINDIR}/$OCSPRESP $* 211 RET=$? 212 if [ "$RET" -ne 0 ]; then 213 OCSPFAILED=$RET 214 html_failed "${OR_ACTION} ($RET) " 215 cert_log "ERROR: ${OR_ACTION} failed $RET" 216 else 217 html_passed "${OR_ACTION}" 218 fi 219 220 return $RET 221 } 222 223 modu() 224 { 225 echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" 226 227 MODUTIL="modutil" 228 echo "$MODUTIL $*" 229 # echo is used to press Enter expected by modutil 230 echo | ${BINDIR}/$MODUTIL $* 231 RET=$? 232 if [ "$RET" -ne 0 ]; then 233 MODFAILED=$RET 234 html_failed "${CU_ACTION} ($RET) " 235 cert_log "ERROR: ${CU_ACTION} failed $RET" 236 else 237 html_passed "${CU_ACTION}" 238 fi 239 240 return $RET 241 } 242 243 ############################# cert_init_cert ########################## 244 # local shell function to initialize creation of client and server certs 245 ######################################################################## 246 cert_init_cert() 247 { 248 CERTDIR="$1" 249 CERTNAME="$2" 250 CERTSERIAL="$3" 251 DOMAIN="$4" 252 253 if [ ! -d "${CERTDIR}" ]; then 254 mkdir -p "${CERTDIR}" 255 else 256 echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists" 257 fi 258 cd "${CERTDIR}" 259 CERTDIR="." 260 261 PROFILEDIR=`cd ${CERTDIR}; pwd` 262 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then 263 PROFILEDIR=`cygpath -m ${PROFILEDIR}` 264 fi 265 if [ -n "${MULTIACCESS_DBM}" ]; then 266 PROFILEDIR="multiaccess:${DOMAIN}" 267 fi 268 269 noise 270 } 271 272 ############################# hw_acc ################################# 273 # local shell function to add hw accelerator modules to the db 274 ######################################################################## 275 hw_acc() 276 { 277 HW_ACC_RET=0 278 HW_ACC_ERR="" 279 if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then 280 echo "creating $CERTNAME s cert with hwaccelerator..." 281 #case $ACCELERATOR in 282 #rainbow) 283 284 echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so " 285 echo " -dbdir ${PROFILEDIR} 2>&1 " 286 echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \ 287 -dbdir ${PROFILEDIR} 2>&1 288 if [ "$?" -ne 0 ]; then 289 echo "modutil -add rainbow failed in `pwd`" 290 HW_ACC_RET=1 291 HW_ACC_ERR="modutil -add rainbow" 292 fi 293 294 echo "modutil -add ncipher " 295 echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so " 296 echo " -dbdir ${PROFILEDIR} 2>&1 " 297 echo | ${BINDIR}/modutil -add ncipher \ 298 -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \ 299 -dbdir ${PROFILEDIR} 2>&1 300 if [ "$?" -ne 0 ]; then 301 echo "modutil -add ncipher failed in `pwd`" 302 HW_ACC_RET=`expr $HW_ACC_RET + 2` 303 HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher" 304 fi 305 if [ "$HW_ACC_RET" -ne 0 ]; then 306 html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) " 307 else 308 html_passed "Adding HW accelerators to certDB for ${CERTNAME}" 309 fi 310 311 fi 312 return $HW_ACC_RET 313 } 314 315 ############################# cert_create_cert ######################### 316 # local shell function to create client certs 317 # initialize DB, import 318 # root cert 319 # add cert to DB 320 ######################################################################## 321 cert_create_cert() 322 { 323 cert_init_cert "$1" "$2" "$3" "$4" 324 325 CU_ACTION="Initializing ${CERTNAME}'s Cert DB" 326 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 327 if [ "$RET" -ne 0 ]; then 328 return $RET 329 fi 330 331 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB" 332 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 333 if [ "$RET" -ne 0 ]; then 334 return $RET 335 fi 336 337 hw_acc 338 339 for i in ${!keyType[@]} 340 do 341 suffix=${keySuffix[$i]} 342 CU_ACTION="Import ${keyType[$i]} Root CA for ${CERTNAME}" 343 certu -A -n "TestCA${suffix}" -t "TC,TC,TC" -f "${R_PWFILE}" \ 344 -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA${suffix}.ca.cert" 2>&1 345 if [ "$RET" -ne 0 ]; then 346 return $RET 347 fi 348 done 349 cert_add_cert "$5" 350 return $? 351 } 352 353 ############################# cert_add_cert ############################ 354 # local shell function to add client certs to an existing CERT DB 355 # generate request 356 # sign request 357 # import Cert 358 # 359 ######################################################################## 360 cert_add_cert() 361 { 362 EC_CURVE=secp384r1 363 for i in ${!keyType[@]} 364 do 365 suffix=${keySuffix[$i]} 366 gencmd=${keyGenCmd[$i]} 367 key_type=${keyType[$i]} 368 if [ "$key_type" = "ECC" ]; then 369 gencmd="$gencmd ${EC_CURVE}" 370 fi 371 CU_ACTION="Generate $key_type Cert Request for $CERTNAME" 372 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}${suffix}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 373 certu -R ${gencmd} -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 374 if [ "$RET" -ne 0 ]; then 375 return $RET 376 fi 377 378 CU_ACTION="Sign ${CERTNAME}'s $key_type Request" 379 certu -C -c "TestCA${suffix}" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ 380 -i req -o "${CERTNAME}${suffix}.cert" -f "${R_PWFILE}" "$1" 2>&1 381 if [ "$RET" -ne 0 ]; then 382 return $RET 383 fi 384 385 CU_ACTION="Import $CERTNAME's $key_type Cert" 386 certu -A -n "${CERTNAME}${suffix}" -t "u,u,u" -d "${PROFILEDIR}" \ 387 -f "${R_PWFILE}" -i "${CERTNAME}${suffix}.cert" 2>&1 388 if [ "$RET" -ne 0 ]; then 389 return $RET 390 fi 391 392 cert_log "SUCCESS: $CERTNAME's $key_type Cert Created" 393 394 # Generate mixed certificate signed with RSA 395 if [ "${keyIsMixed[$i]}" = "true" ]; then 396 CU_ACTION="Generate mixed $key_type Cert Request for $CERTNAME" 397 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}${suffix}mixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 398 certu -R ${gencmd} -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 399 -z "${R_NOISE_FILE}" -o req 2>&1 400 if [ "$RET" -ne 0 ]; then 401 return $RET 402 fi 403 404 CU_ACTION="Sign ${CERTNAME}'s $key_type Request with RSA" 405 # Avoid conflicting serial numbers with TestCA issuer by keeping 406 # this set far away. A smaller number risks colliding with the 407 # extended ssl user certificates. 408 NEWSERIAL=`expr ${CERTSERIAL} + ${keySerialOffset[$i]}` 409 certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ 410 -i req -o "${CERTNAME}${suffix}mixed.cert" -f "${R_PWFILE}" "$1" 2>&1 411 if [ "$RET" -ne 0 ]; then 412 return $RET 413 fi 414 415 CU_ACTION="Import $CERTNAME's mixed $key_type Cert" 416 certu -A -n "${CERTNAME}${suffix}mixed" -t "u,u,u" -d "${PROFILEDIR}" \ 417 -f "${R_PWFILE}" -i "${CERTNAME}${suffix}mixed.cert" 2>&1 418 if [ "$RET" -ne 0 ]; then 419 return $RET 420 fi 421 cert_log "SUCCESS: $CERTNAME's mixed $key_type Cert Created" 422 fi 423 done 424 425 # RSA PSS is only 'mixed' and is isn't generated by using from the certuil 426 # command line 427 echo "Importing RSA-PSS server certificate" 428 pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR} 429 # Let's get the key ID of the imported private key. 430 KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \ 431 grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'` 432 433 CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME" 434 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 435 certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \ 436 -z "${R_NOISE_FILE}" -o req 2>&1 437 438 CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request" 439 NEWSERIAL=`expr ${CERTSERIAL} + 30000` 440 certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ 441 -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1 442 443 CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u" 444 certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" \ 445 -f "${R_PWFILE}" -i "${CERTNAME}-rsa-pss.cert" 2>&1 446 cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created" 447 448 return 0 449 } 450 451 ################################# cert_all_CA ################################ 452 # local shell function to build the additional Temp. Certificate Authority (CA) 453 # used for the "real life" ssl test with 2 different CA's in the 454 # client and in the server's dir 455 ########################################################################## 456 cert_all_CA() 457 { 458 CA_CURVE="secp521r1" 459 for i in ${!keyType[@]} 460 do 461 suffix=${keySuffix[$i]} 462 key_type=${keyType[$i]} 463 cn_type="" 464 if [ "key_type" != "RSA" ]; then 465 cn_type=" (${key_type})" 466 fi 467 ALL_CU_SUBJECT="CN=NSS Test CA${cn_type}, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 468 cert_CA $key_type $CADIR TestCA${suffix} -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE} 469 470 ALL_CU_SUBJECT="CN=NSS Server Test CA${cn_type}, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 471 cert_CA $key_type $SERVER_CADIR serverCA${suffix} -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE} 472 ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA${cn_type}, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 473 cert_CA $key_type $SERVER_CADIR chain-1-serverCA${suffix} "-c serverCA${suffix}" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE} 474 ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA${cn_type}, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 475 cert_CA $key_type $SERVER_CADIR chain-2-serverCA${suffix} "-c chain-1-serverCA${suffix}" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE} 476 477 ALL_CU_SUBJECT="CN=NSS Client Test CA${cn_type}, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 478 cert_CA $key_type $CLIENT_CADIR clientCA${suffix} -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE} 479 ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA${cn_type}, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 480 cert_CA $key_type $CLIENT_CADIR chain-1-clientCA${suffix} "-c clientCA${suffix}" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE} 481 ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA${cn_type}, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 482 cert_CA $key_type $CLIENT_CADIR chain-2-clientCA${suffix} "-c chain-1-clientCA${suffix}" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE} 483 484 # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 485 # in the chain 486 rm $CLIENT_CADIR/root${suffix}.cert $SERVER_CADIR/root${suffix}.cert 487 done 488 # 489 # Create RSA-PSS version of TestCA 490 ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS), O=BOGUS NSS, L=Mountain View, ST=California, C=US" 491 cert_CA RSA-PSS $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256 492 rm $CADIR/root-rsa-pss.cert 493 494 ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US" 495 cert_CA RSA-PSS $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1 496 rm $CADIR/root-rsa-pss.cert 497 } 498 499 ################################# cert_CA ################################ 500 # local shell function to build the Temp. Certificate Authority (CA) 501 # used for testing purposes, creating a CA Certificate and a root cert 502 # this function calls the key type specific keygen code 503 ########################################################################## 504 cert_CA() 505 { 506 KEY_TYPE=$1 507 CUR_CADIR=$2 508 NICKNAME=$3 509 SIGNER=$4 510 TRUSTARG=$5 511 DOMAIN=$6 512 CERTSERIAL=$7 513 ALG=$8 514 515 #echo "cert_CA: KEY_TYPE=\"$KEY_TYPE\" CUR_CADIR=\"$CUR_CADIR\"" 516 # echo " NICKNAME=\"$NICKNAME\" SIGNER=\"$SIGNER\" TRUSTARG=\"$TRUSTARG\"" 517 # echo " DOMAIN=\"$DOMAIN\" CERTSERIAL=\"$CERTSERIAL\" ALG=\"$ALG\"" 518 519 case "$KEY_TYPE" in 520 RSA) 521 cert_rsa_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" 522 ;; 523 DSA) 524 cert_dsa_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" 525 ;; 526 ECC) 527 cert_ec_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" "${ALG}" 528 ;; 529 RSA-PSS) 530 cert_rsa_pss_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" "${ALG}" 531 ;; 532 *) 533 Exit 9 "Fatal - unknown key type ${KEY_TYPE}, failed to create CA cert" 534 ;; 535 esac 536 } 537 538 539 540 ################################# cert_rsa_CA ############################ 541 # local shell function to build the Temp. Certificate Authority (CA) 542 # used for testing purposes, creating a CA Certificate and a root cert 543 ########################################################################## 544 cert_rsa_CA() 545 { 546 CUR_CADIR=$1 547 NICKNAME=$2 548 SIGNER=$3 549 TRUSTARG=$4 550 DOMAIN=$5 551 CERTSERIAL=$6 552 553 echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME ==========================" 554 555 if [ ! -d "${CUR_CADIR}" ]; then 556 mkdir -p "${CUR_CADIR}" 557 fi 558 cd ${CUR_CADIR} 559 pwd 560 561 LPROFILE=`pwd` 562 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then 563 LPROFILE=`cygpath -m ${LPROFILE}` 564 fi 565 if [ -n "${MULTIACCESS_DBM}" ]; then 566 LPROFILE="multiaccess:${DOMAIN}" 567 fi 568 569 if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB 570 CU_ACTION="Creating CA Cert DB" 571 certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1 572 if [ "$RET" -ne 0 ]; then 573 Exit 5 "Fatal - failed to create CA $NICKNAME " 574 fi 575 576 CU_ACTION="Loading root cert module to CA Cert DB" 577 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1 578 if [ "$RET" -ne 0 ]; then 579 return $RET 580 fi 581 582 echo "$SCRIPTNAME: Certificate initialized ----------" 583 fi 584 585 586 ################# Creating CA Cert ###################################### 587 # 588 CU_ACTION="Creating CA Cert $NICKNAME " 589 CU_SUBJECT=$ALL_CU_SUBJECT 590 certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \ 591 -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT 592 5 593 6 594 9 595 n 596 y 597 -1 598 n 599 5 600 6 601 7 602 9 603 n 604 CERTSCRIPT 605 606 if [ "$RET" -ne 0 ]; then 607 echo "return value is $RET" 608 Exit 6 "Fatal - failed to create CA cert" 609 fi 610 611 ################# Exporting Root Cert ################################### 612 # 613 CU_ACTION="Exporting Root Cert" 614 certu -L -n $NICKNAME -r -d ${LPROFILE} -o root.cert 615 if [ "$RET" -ne 0 ]; then 616 Exit 7 "Fatal - failed to export root cert" 617 fi 618 cp root.cert ${NICKNAME}.ca.cert 619 } 620 621 622 623 624 625 ################################ cert_dsa_CA ############################# 626 # local shell function to build the Temp. Certificate Authority (CA) 627 # used for testing purposes, creating a CA Certificate and a root cert 628 # This is the DSA version of cert_CA. 629 ########################################################################## 630 cert_dsa_CA() 631 { 632 CUR_CADIR=$1 633 NICKNAME=$2 634 SIGNER=$3 635 TRUSTARG=$4 636 DOMAIN=$5 637 CERTSERIAL=$6 638 639 echo "$SCRIPTNAME: Creating a DSA CA Certificate $NICKNAME ==========================" 640 641 if [ ! -d "${CUR_CADIR}" ]; then 642 mkdir -p "${CUR_CADIR}" 643 fi 644 cd ${CUR_CADIR} 645 pwd 646 647 LPROFILE=. 648 if [ -n "${MULTIACCESS_DBM}" ]; then 649 LPROFILE="multiaccess:${DOMAIN}" 650 fi 651 652 ################# Creating a DSA CA Cert ############################### 653 # 654 CU_ACTION="Creating DSA CA Cert $NICKNAME " 655 CU_SUBJECT=$ALL_CU_SUBJECT 656 certu -S -n $NICKNAME -k dsa -t $TRUSTARG -v 600 $SIGNER \ 657 -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ 658 -m $CERTSERIAL 2>&1 <<CERTSCRIPT 659 5 660 6 661 9 662 n 663 y 664 -1 665 n 666 5 667 6 668 7 669 9 670 n 671 CERTSCRIPT 672 673 if [ "$RET" -ne 0 ]; then 674 echo "return value is $RET" 675 Exit 6 "Fatal - failed to create DSA CA cert" 676 fi 677 678 ################# Exporting DSA Root Cert ############################### 679 # 680 CU_ACTION="Exporting DSA Root Cert" 681 certu -L -n $NICKNAME -r -d ${LPROFILE} -o root-dsa.cert 682 if [ "$RET" -ne 0 ]; then 683 Exit 7 "Fatal - failed to export dsa root cert" 684 fi 685 cp root-dsa.cert ${NICKNAME}.ca.cert 686 } 687 688 689 690 691 692 ################################ cert_rsa_pss_CA ############################# 693 # local shell function to build the Temp. Certificate Authority (CA) 694 # used for testing purposes, creating a CA Certificate and a root cert 695 # This is the RSA-PSS version of cert_CA. 696 ########################################################################## 697 cert_rsa_pss_CA() 698 { 699 CUR_CADIR=$1 700 NICKNAME=$2 701 SIGNER=$3 702 TRUSTARG=$4 703 DOMAIN=$5 704 CERTSERIAL=$6 705 HASHALG=$7 706 707 echo "$SCRIPTNAME: Creating an RSA-PSS CA Certificate $NICKNAME ==========================" 708 709 if [ ! -d "${CUR_CADIR}" ]; then 710 mkdir -p "${CUR_CADIR}" 711 fi 712 cd ${CUR_CADIR} 713 pwd 714 715 LPROFILE=. 716 if [ -n "${MULTIACCESS_DBM}" ]; then 717 LPROFILE="multiaccess:${DOMAIN}" 718 fi 719 720 HASHOPT= 721 if [ -n "$HASHALG" ]; then 722 HASHOPT="-Z $HASHALG" 723 fi 724 725 ################# Creating an RSA-PSS CA Cert ############################### 726 # 727 CU_ACTION="Creating RSA-PSS CA Cert $NICKNAME " 728 CU_SUBJECT=$ALL_CU_SUBJECT 729 certu -S -n $NICKNAME -k rsa --pss $HASHOPT -t $TRUSTARG -v 600 $SIGNER \ 730 -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ 731 -m $CERTSERIAL 2>&1 <<CERTSCRIPT 732 5 733 6 734 9 735 n 736 y 737 -1 738 n 739 5 740 6 741 7 742 9 743 n 744 CERTSCRIPT 745 746 if [ "$RET" -ne 0 ]; then 747 echo "return value is $RET" 748 Exit 6 "Fatal - failed to create RSA-PSS CA cert" 749 fi 750 751 ################# Exporting RSA-PSS Root Cert ############################### 752 # 753 CU_ACTION="Exporting RSA-PSS Root Cert" 754 certu -L -n $NICKNAME -r -d ${LPROFILE} -o root-rsa-pss.cert 755 if [ "$RET" -ne 0 ]; then 756 Exit 7 "Fatal - failed to export RSA-PSS root cert" 757 fi 758 cp root-rsa-pss.cert ${NICKNAME}.ca.cert 759 } 760 761 762 763 764 ################################ cert_ec_CA ############################## 765 # local shell function to build the Temp. Certificate Authority (CA) 766 # used for testing purposes, creating a CA Certificate and a root cert 767 # This is the ECC version of cert_CA. 768 ########################################################################## 769 cert_ec_CA() 770 { 771 CUR_CADIR=$1 772 NICKNAME=$2 773 SIGNER=$3 774 TRUSTARG=$4 775 DOMAIN=$5 776 CERTSERIAL=$6 777 CURVE=$7 778 779 echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME ==========================" 780 781 if [ ! -d "${CUR_CADIR}" ]; then 782 mkdir -p "${CUR_CADIR}" 783 fi 784 cd ${CUR_CADIR} 785 pwd 786 787 LPROFILE=. 788 if [ -n "${MULTIACCESS_DBM}" ]; then 789 LPROFILE="multiaccess:${DOMAIN}" 790 fi 791 792 ################# Creating an EC CA Cert ################################ 793 # 794 CU_ACTION="Creating EC CA Cert $NICKNAME " 795 CU_SUBJECT=$ALL_CU_SUBJECT 796 certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \ 797 -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ 798 -m $CERTSERIAL 2>&1 <<CERTSCRIPT 799 5 800 6 801 9 802 n 803 y 804 -1 805 n 806 5 807 6 808 7 809 9 810 n 811 CERTSCRIPT 812 813 if [ "$RET" -ne 0 ]; then 814 echo "return value is $RET" 815 Exit 6 "Fatal - failed to create EC CA cert" 816 fi 817 818 ################# Exporting EC Root Cert ################################ 819 # 820 CU_ACTION="Exporting EC Root Cert" 821 certu -L -n $NICKNAME -r -d ${LPROFILE} -o root-ec.cert 822 if [ "$RET" -ne 0 ]; then 823 Exit 7 "Fatal - failed to export ec root cert" 824 fi 825 cp root-ec.cert ${NICKNAME}.ca.cert 826 } 827 828 ############################## cert_smime_client ############################# 829 # local shell function to create client Certificates for S/MIME tests 830 ############################################################################## 831 cert_smime_client() 832 { 833 CERTFAILED=0 834 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============" 835 836 cert_create_cert ${ALICEDIR} "Alice" 30 ${D_ALICE} 837 cert_create_cert ${BOBDIR} "Bob" 40 ${D_BOB} 838 839 echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------" 840 cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE} 841 842 ## XXX With this new script merging ECC and non-ECC tests, the 843 ## call to cert_create_cert ends up creating two separate certs 844 ## one for Eve and another for Eve-ec but they both end up with 845 ## the same Subject Alt Name Extension, i.e., both the cert for 846 ## Eve@example.com and the cert for Eve-ec@example.com end up 847 ## listing eve@example.net in the Certificate Subject Alt Name extension. 848 ## This can cause a problem later when cmsutil attempts to create 849 ## enveloped data and accidently picks up the ECC cert (NSS currently 850 ## does not support ECC for enveloped data creation). This script 851 ## avoids the problem by ensuring that these conflicting certs are 852 ## never added to the same cert database (see comment marked XXXX). 853 echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------" 854 cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@example.net,eve@example.org,beve@example.com" 855 856 #echo "************* Copying CA files to ${SERVERDIR}" 857 #cp ${CADIR}/*.db . 858 #hw_acc 859 860 ######################################################################### 861 # 862 #cd ${CERTDIR} 863 #CU_ACTION="Creating ${CERTNAME}'s Server Cert" 864 #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" 865 #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \ 866 # -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 867 868 #CU_ACTION="Export Dave's Cert" 869 #cd ${DAVEDIR} 870 #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert 871 872 ################# Importing Certificates for S/MIME tests ############### 873 # 874 echo "$SCRIPTNAME: Importing Certificates ==============================" 875 CU_ACTION="Import Bob's cert into Alice's db" 876 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ 877 -i ${R_BOBDIR}/Bob.cert 2>&1 878 879 CU_ACTION="Import Dave's cert into Alice's DB" 880 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ 881 -i ${R_DAVEDIR}/Dave.cert 2>&1 882 883 CU_ACTION="Import Dave's cert into Bob's DB" 884 certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ 885 -i ${R_DAVEDIR}/Dave.cert 2>&1 886 887 CU_ACTION="Import Eve's cert into Alice's DB" 888 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ 889 -i ${R_EVEDIR}/Eve.cert 2>&1 890 891 CU_ACTION="Import Eve's cert into Bob's DB" 892 certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ 893 -i ${R_EVEDIR}/Eve.cert 2>&1 894 895 echo "$SCRIPTNAME: Importing EC Certificates ==============================" 896 CU_ACTION="Import Bob's EC cert into Alice's db" 897 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ 898 -i ${R_BOBDIR}/Bob-ec.cert 2>&1 899 900 CU_ACTION="Import Dave's EC cert into Alice's DB" 901 certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ 902 -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 903 904 CU_ACTION="Import Dave's EC cert into Bob's DB" 905 certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ 906 -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 907 908 ## XXXX Do not import Eve's EC cert until we can make sure that 909 ## the email addresses listed in the Subject Alt Name Extension 910 ## inside Eve's ECC and non-ECC certs are different. 911 # CU_ACTION="Import Eve's EC cert into Alice's DB" 912 # certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ 913 # -i ${R_EVEDIR}/Eve-ec.cert 2>&1 914 915 # CU_ACTION="Import Eve's EC cert into Bob's DB" 916 # certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ 917 # -i ${R_EVEDIR}/Eve-ec.cert 2>&1 918 919 if [ "$CERTFAILED" != 0 ] ; then 920 cert_log "ERROR: SMIME failed $RET" 921 else 922 cert_log "SUCCESS: SMIME passed" 923 fi 924 } 925 926 ############################## cert_extended_ssl ####################### 927 # local shell function to create client + server certs for extended SSL test 928 ######################################################################## 929 cert_extended_ssl() 930 { 931 932 ################# Creating Certs for extended SSL test #################### 933 # 934 CERTFAILED=0 935 echo "$SCRIPTNAME: Creating Certificates, issued by the last ===============" 936 echo " of a chain of CA's which are not in the same database============" 937 938 echo "Server Cert" 939 cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER} 940 941 CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" 942 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 943 944 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" 945 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 946 947 EC_CURVE="secp256r1" 948 for i in ${!keyType[@]} 949 do 950 suffix=${keySuffix[$i]} 951 gencmd=${keyGenCmd[$i]} 952 key_type=${keyType[$i]} 953 if [ "$key_type" = "ECC" ]; then 954 gencmd="$gencmd ${EC_CURVE}" 955 fi 956 957 CU_ACTION="Generate $key_type Cert Request for $CERTNAME (ext)" 958 CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}${suffix}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 959 certu -R -d "${PROFILEDIR}" $gencmd -f "${R_PWFILE}" \ 960 -z "${R_NOISE_FILE}" -o req 2>&1 961 962 CU_ACTION="Sign ${CERTNAME}'s $key_type Request (ext)" 963 cp ${CERTDIR}/req ${SERVER_CADIR} 964 certu -C -c "chain-2-serverCA${suffix}" -m 200 -v 60 \ 965 -d "${P_SERVER_CADIR}" -i req -o "${CERTNAME}${suffix}.cert" \ 966 -f "${R_PWFILE}" 2>&1 967 968 CU_ACTION="Import $CERTNAME's $key_type Cert -t u,u,u (ext)" 969 certu -A -n "${CERTNAME}${suffix}" -t "u,u,u" -d "${PROFILEDIR}" \ 970 -f "${R_PWFILE}" -i "${CERTNAME}${suffix}.cert" 2>&1 971 972 CU_ACTION="Import Client $key_type Root CA -t T,, for $CERTNAME (ext.)" 973 certu -A -n "clientCA${suffix}" -t "T,," -f "${R_PWFILE}" \ 974 -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA${suffix}.ca.cert" 2>&1 975 # Generate mixed certificate signed with RSA 976 if [ "${keyIsMixed[$i]}" = "true" ]; then 977 NEWSERIAL=`expr ${keySerialOffset[$i]} + 200` 978 CU_ACTION="Generate mixed $key_type Cert Request for $CERTNAME (ext)" 979 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}${suffix}mixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 980 certu -R -d "${PROFILEDIR}" ${gencmd} -f "${R_PWFILE}" \ 981 -z "${R_NOISE_FILE}" -o req 2>&1 982 983 CU_ACTION="Sign ${CERTNAME}'s mixed $key_type Request (ext)" 984 cp ${CERTDIR}/req ${SERVER_CADIR} 985 certu -C -c "chain-2-serverCA" -m ${NEWSERIAL} -v 60 \ 986 -d "${P_SERVER_CADIR}" -i req -o "${CERTNAME}${suffix}mixed.cert" \ 987 -f "${R_PWFILE}" 2>&1 988 989 CU_ACTION="Import $CERTNAME's mixed ${key_type} Cert -t u,u,u (ext)" 990 certu -A -n "${CERTNAME}${suffix}mixed" -t "u,u,u" -d "${PROFILEDIR}" \ 991 -f "${R_PWFILE}" -i "${CERTNAME}${suffix}mixed.cert" 2>&1 992 993 # CU_ACTION="Import Client mixed $key_type Root CA -t T,, for $CERTNAME (ext.)" 994 # certu -A -n "clientCA${suffix}mixed" -t "T,," -f "${R_PWFILE}" \ 995 # -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA${suffix}mixed.ca.cert" \ 996 # 2>&1 997 fi 998 done 999 1000 # Check that a repeated import with a different nickname doesn't change the 1001 # nickname of the existing cert (bug 1458518). 1002 # We want to search for the results using grep, to avoid subset matches, 1003 # we'll use one of the longer nicknames for testing. 1004 # (Because "grep -w hostname" matches "grep -w hostname-dsamixed") 1005 MYDBPASS="-d ${PROFILEDIR} -f ${R_PWFILE}" 1006 TESTNAME="Ensure there's exactly one match for ${CERTNAME}-ecmixed" 1007 cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-ecmixed" 0 1 "${TESTNAME}" 1008 1009 CU_ACTION="Repeated import of $CERTNAME's mixed EC Cert with different nickname" 1010 certu -A -n "${CERTNAME}-repeated-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ 1011 -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 1012 1013 TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-ecmixed" 1014 cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-ecmixed" 0 1 "${TESTNAME}" 1015 1016 TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-ecmixed" 1017 cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-ecmixed" 0 0 "${TESTNAME}" 1018 1019 echo "Importing all the server's own CA chain into the servers DB" 1020 for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; 1021 do 1022 N=`basename $CA | sed -e "s/.ca.cert//"` 1023 if [[ "$N" =~ ^serverCA(-.*)?$ ]]; then 1024 T="-t C,C,C" 1025 else 1026 T="-t u,u,u" 1027 fi 1028 CU_ACTION="Import $N CA $T for $CERTNAME (ext.) " 1029 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 1030 -i "${CA}" 2>&1 1031 done 1032 #============ 1033 echo "Client Cert" 1034 cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT} 1035 1036 CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" 1037 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1038 1039 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" 1040 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 1041 1042 for i in ${!keyType[@]} 1043 do 1044 suffix=${keySuffix[$i]} 1045 gencmd=${keyGenCmd[$i]} 1046 key_type=${keyType[$i]} 1047 if [ "$key_type" = "ECC" ]; then 1048 gencmd="$gencmd ${EC_CURVE}" 1049 fi 1050 1051 CU_ACTION="Generate $key_type Cert Request for $CERTNAME (ext)" 1052 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}${suffix}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1053 certu -R -d "${PROFILEDIR}" ${gencmd} -f "${R_PWFILE}" \ 1054 -z "${R_NOISE_FILE}" -o req 2>&1 1055 1056 CU_ACTION="Sign ${CERTNAME}'s $key_type Request (ext)" 1057 cp ${CERTDIR}/req ${CLIENT_CADIR} 1058 certu -C -c "chain-2-clientCA${suffix}" -m 300 -v 60 \ 1059 -d "${P_CLIENT_CADIR}" -i req -o "${CERTNAME}${suffix}.cert" \ 1060 -f "${R_PWFILE}" 2>&1 1061 1062 CU_ACTION="Import $CERTNAME's $key_type Cert -t u,u,u (ext)" 1063 certu -A -n "${CERTNAME}${suffix}" -t "u,u,u" -d "${PROFILEDIR}" \ 1064 -f "${R_PWFILE}" -i "${CERTNAME}${suffix}.cert" 2>&1 1065 CU_ACTION="Import Server $key_type Root CA -t C,C,C for $CERTNAME (ext.)" 1066 certu -A -n "serverCA${suffix}" -t "C,C,C" -f "${R_PWFILE}" \ 1067 -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA${suffix}.ca.cert" 2>&1 1068 # Generate mixed certificate signed with RSA 1069 if [ "${keyIsMixed[$i]}" = "true" ]; then 1070 NEWSERIAL=`expr ${keySerialOffset[$i]} + 300` 1071 CU_ACTION="Generate mixed $key_type Cert Request for $CERTNAME (ext)" 1072 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1073 certu -R -d "${PROFILEDIR}" ${gencmd} -f "${R_PWFILE}" \ 1074 -z "${R_NOISE_FILE}" -o req 2>&1 1075 1076 CU_ACTION="Sign ${CERTNAME}'s mixed ${key_type} Request (ext)" 1077 cp ${CERTDIR}/req ${CLIENT_CADIR} 1078 certu -C -c "chain-2-clientCA" -m ${NEWSERIAL}-v 60 \ 1079 -d "${P_CLIENT_CADIR}" -i req -o "${CERTNAME}${suffix}mixed.cert" \ 1080 -f "${R_PWFILE}" 2>&1 1081 1082 CU_ACTION="Import $CERTNAME's mixed ${key_type} Cert -t u,u,u (ext)" 1083 certu -A -n "${CERTNAME}${suffix}mixed" -t "u,u,u" -d "${PROFILEDIR}" \ 1084 -f "${R_PWFILE}" -i "${CERTNAME}${suffix}mixed.cert" 2>&1 1085 1086 # CU_ACTION="Import Server ${key_type} Root CA -t C,C,C for $CERTNAME (ext.)" 1087 # certu -A -n "serverCA${suffix}" -t "C,C,C" -f "${R_PWFILE}" \ 1088 # -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA${suffix}.ca.cert" 2>&1 1089 fi 1090 done 1091 1092 echo "Importing all the client's own CA chain into the servers DB" 1093 for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; 1094 do 1095 N=`basename $CA | sed -e "s/.ca.cert//"` 1096 if [[ "$N" =~ ^clientCA(-.*)?$ ]]; then 1097 T="-t T,C,C" 1098 else 1099 T="-t u,u,u" 1100 fi 1101 echo " $T" 1102 CU_ACTION="Import $N CA $T for $CERTNAME (ext.)" 1103 certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 1104 -i "${CA}" 2>&1 1105 done 1106 if [ "$CERTFAILED" != 0 ] ; then 1107 cert_log "ERROR: EXT failed $RET" 1108 else 1109 cert_log "SUCCESS: EXT passed" 1110 fi 1111 } 1112 1113 ############################## cert_ssl ################################ 1114 # local shell function to create client + server certs for SSL test 1115 ######################################################################## 1116 cert_ssl() 1117 { 1118 ################# Creating Certs for SSL test ########################### 1119 # 1120 CERTFAILED=0 1121 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" 1122 cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT} 1123 1124 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" 1125 echo " ${HOSTADDR} ------------------------------------" 1126 cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER} 1127 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" 1128 echo " ${HOSTADDR}-sni --------------------------------" 1129 CERTSERIAL=101 1130 CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}" 1131 cert_add_cert 1132 for i in ${!keyType[@]} 1133 do 1134 suffix=${keySuffix[$i]} 1135 key_type=${keyType[$i]} 1136 CU_ACTION="Modify trust attributes of $key_type Root CA -t TC,TC,TC" 1137 certu -M -n "TestCA${suffix}" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" 1138 done 1139 1140 # cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER} 1141 # echo "************* Copying CA files to ${SERVERDIR}" 1142 # cp ${CADIR}/*.db . 1143 # hw_acc 1144 # CU_ACTION="Creating ${CERTNAME}'s Server Cert" 1145 # CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" 1146 # certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \ 1147 # -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 1148 1149 if [ "$CERTFAILED" != 0 ] ; then 1150 cert_log "ERROR: SSL failed $RET" 1151 else 1152 cert_log "SUCCESS: SSL passed" 1153 fi 1154 1155 echo "$SCRIPTNAME: Creating database for OCSP stapling tests ===============" 1156 echo "cp -r ${SERVERDIR} ${STAPLINGDIR}" 1157 cp -r ${R_SERVERDIR} ${R_STAPLINGDIR} 1158 pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR} 1159 pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR} 1160 1161 echo "$SCRIPTNAME: Creating database for strsclnt no login tests ===============" 1162 echo "cp -r ${CLIENTDIR} ${NOLOGINDIR}" 1163 cp -r ${R_CLIENTDIR} ${R_NOLOGINDIR} 1164 # change the password to empty 1165 certu -W -d "${R_NOLOGINDIR}" -f "${R_PWFILE}" -@ "${R_EMPTY_FILE}" 2>&1 1166 } 1167 1168 ############################## cert_stresscerts ################################ 1169 # local shell function to create client certs for SSL stresstest 1170 ######################################################################## 1171 cert_stresscerts() 1172 { 1173 1174 ############### Creating Certs for SSL stress test ####################### 1175 # 1176 CERTDIR="$CLIENTDIR" 1177 cd "${CERTDIR}" 1178 1179 PROFILEDIR=`cd ${CERTDIR}; pwd` 1180 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then 1181 PROFILEDIR=`cygpath -m ${PROFILEDIR}` 1182 fi 1183 if [ -n "${MULTIACCESS_DBM}" ]; then 1184 PROFILEDIR="multiaccess:${D_CLIENT}" 1185 fi 1186 CERTFAILED=0 1187 echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" 1188 1189 CONTINUE=$GLOB_MAX_CERT 1190 CERTSERIAL=10 1191 1192 while [ $CONTINUE -ge $GLOB_MIN_CERT ] 1193 do 1194 CERTNAME="TestUser$CONTINUE" 1195 # cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL 1196 cert_add_cert 1197 CERTSERIAL=`expr $CERTSERIAL + 1 ` 1198 CONTINUE=`expr $CONTINUE - 1 ` 1199 done 1200 if [ "$CERTFAILED" != 0 ] ; then 1201 cert_log "ERROR: StressCert failed $RET" 1202 else 1203 cert_log "SUCCESS: StressCert passed" 1204 fi 1205 } 1206 1207 ############################## cert_fips ##################################### 1208 # local shell function to create certificates for FIPS tests 1209 ############################################################################## 1210 cert_fips() 1211 { 1212 CERTFAILED=0 1213 echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates ==============" 1214 cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}" 1215 1216 CU_ACTION="Initializing ${CERTNAME}'s Cert DB" 1217 certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 1218 1219 CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" 1220 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 1221 1222 echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------" 1223 CU_ACTION="Enable FIPS mode on database for ${CERTNAME}" 1224 echo "modutil -dbdir ${PROFILEDIR} -fips true " 1225 ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT 1226 y 1227 MODSCRIPT 1228 RET=$? 1229 if [ "$RET" -ne 0 ]; then 1230 html_failed "${CU_ACTION} ($RET) " 1231 cert_log "ERROR: ${CU_ACTION} failed $RET" 1232 else 1233 html_passed "${CU_ACTION}" 1234 fi 1235 1236 CU_ACTION="Setting invalid database password in FIPS mode" 1237 RETEXPECTED=255 1238 certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1 1239 CU_ACTION="Attempt to generate a key with exponent of 3 (too small)" 1240 certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 1241 CU_ACTION="Attempt to generate a key with exponent of 17 (too small)" 1242 certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 1243 RETEXPECTED=0 1244 1245 CU_ACTION="Generate Certificate for ${CERTNAME}" 1246 CU_SUBJECT="CN=${CERTNAME}, E=fips@example.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" 1247 certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k ec -q nistp256 -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 1248 if [ "$RET" -eq 0 ]; then 1249 cert_log "SUCCESS: FIPS passed" 1250 fi 1251 1252 } 1253 1254 ########################## cert_rsa_exponent ################################# 1255 # local shell function to verify small rsa exponent can be used (only 1256 # run if FIPS has not been turned on in the build). 1257 ############################################################################## 1258 cert_rsa_exponent_nonfips() 1259 { 1260 echo "$SCRIPTNAME: Verify that small RSA exponents still work ==============" 1261 CU_ACTION="Attempt to generate a key with exponent of 3" 1262 certu -G -k rsa -g 2048 -y 3 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" 1263 CU_ACTION="Attempt to generate a key with exponent of 17" 1264 certu -G -k rsa -g 2048 -y 17 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" 1265 } 1266 1267 ############################## cert_eccurves ########################### 1268 # local shell function to create server certs for all EC curves 1269 ######################################################################## 1270 cert_eccurves() 1271 { 1272 ################# Creating Certs for EC curves test ######################## 1273 # 1274 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for " 1275 echo " EC Curves Test Certificates ------------------------------------" 1276 1277 cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES} 1278 1279 CU_ACTION="Initializing EC Curve's Cert DB" 1280 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1281 1282 CU_ACTION="Loading root cert module to EC Curve's Cert DB" 1283 modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 1284 1285 CU_ACTION="Import EC Root CA for $CERTNAME" 1286 certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \ 1287 -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1 1288 1289 CURVE_LIST="nistp256 nistp384 nistp521" 1290 CERTSERIAL=2000 1291 1292 for CURVE in ${CURVE_LIST} 1293 do 1294 CERTFAILED=0 1295 CERTNAME="Curve-${CURVE}" 1296 CERTSERIAL=`expr $CERTSERIAL + 1 ` 1297 CU_ACTION="Generate EC Cert Request for $CERTNAME" 1298 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1299 certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 1300 -z "${R_NOISE_FILE}" -o req 2>&1 1301 1302 if [ $RET -eq 0 ] ; then 1303 CU_ACTION="Sign ${CERTNAME}'s EC Request" 1304 certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ 1305 -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 1306 fi 1307 1308 if [ $RET -eq 0 ] ; then 1309 CU_ACTION="Import $CERTNAME's EC Cert" 1310 certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \ 1311 -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1 1312 fi 1313 done 1314 } 1315 1316 ########################### cert_extensions_test ############################# 1317 # local shell function to test cert extensions generation 1318 ############################################################################## 1319 cert_extensions_test() 1320 { 1321 COUNT=`expr ${COUNT} + 1` 1322 CERTNAME=TestExt${COUNT} 1323 CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1324 1325 echo 1326 echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ 1327 -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ 1328 -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE} 1329 echo "certutil options:" 1330 cat ${TARG_FILE} 1331 ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ 1332 -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ 1333 -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE} 1334 RET=$? 1335 if [ "${RET}" -ne 0 ]; then 1336 CERTFAILED=1 1337 html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate" 1338 cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed" 1339 return 1 1340 fi 1341 1342 echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME} 1343 EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}` 1344 RET=$? 1345 echo "${EXTLIST}" 1346 if [ "${RET}" -ne 0 ]; then 1347 CERTFAILED=1 1348 html_failed "${TESTNAME} (${COUNT}) - List Certificate" 1349 cert_log "ERROR: ${TESTNAME} - List Certificate failed" 1350 return 1 1351 fi 1352 1353 for FL in `echo ${FILTERLIST} | tr \| ' '`; do 1354 FL="`echo ${FL} | tr _ ' '`" 1355 EXPSTAT=0 1356 if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then 1357 EXPSTAT=1 1358 FL=`echo ${FL} | tr -d '!'` 1359 fi 1360 echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1 1361 RET=$? 1362 if [ "${RET}" -ne "${EXPSTAT}" ]; then 1363 CERTFAILED=1 1364 html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}" 1365 cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed" 1366 return 1 1367 fi 1368 done 1369 1370 html_passed "${TESTNAME} (${COUNT})" 1371 return 0 1372 } 1373 1374 ############################## cert_extensions ############################### 1375 # local shell function to run cert extensions tests 1376 ############################################################################## 1377 cert_extensions() 1378 { 1379 CERTNAME=TestExt 1380 cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS} 1381 TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args 1382 1383 COUNT=0 1384 while read ARG OPT FILTERLIST; do 1385 if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then 1386 continue 1387 fi 1388 if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then 1389 TESTNAME="${FILTERLIST}" 1390 continue 1391 fi 1392 if [ X"${ARG}" = "X=" ]; then 1393 cert_extensions_test 1394 rm -f ${TARG_FILE} 1395 else 1396 echo ${ARG} >> ${TARG_FILE} 1397 fi 1398 done < ${QADIR}/cert/certext.txt 1399 } 1400 1401 cert_make_with_param() 1402 { 1403 DIRPASS="$1" 1404 CERTNAME="$2" 1405 MAKE="$3" 1406 SUBJ="$4" 1407 EXTRA="$5" 1408 EXPECT="$6" 1409 TESTNAME="$7" 1410 1411 echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} 1412 ${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA} 1413 1414 RET=$? 1415 if [ "${RET}" -ne "${EXPECT}" ]; then 1416 # if we expected failure to create, then delete unexpected certificate 1417 if [ "${EXPECT}" -ne 0 ]; then 1418 ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} 1419 fi 1420 1421 CERTFAILED=1 1422 html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}" 1423 cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed" 1424 return 1 1425 fi 1426 1427 html_passed "${TESTNAME} (${COUNT})" 1428 return 0 1429 } 1430 1431 cert_check_nickname_exists() 1432 { 1433 MYDIRPASS="$1" 1434 MYCERTNAME="$2" 1435 EXPECT="$3" 1436 EXPECTCOUNT="$4" 1437 MYTESTNAME="$5" 1438 1439 echo certutil ${MYDIRPASS} -L 1440 ${BINDIR}/certutil ${MYDIRPASS} -L 1441 1442 RET=$? 1443 if [ "${RET}" -ne "${EXPECT}" ]; then 1444 CERTFAILED=1 1445 html_failed "${MYTESTNAME} - list" 1446 cert_log "ERROR: ${MYTESTNAME} - list" 1447 return 1 1448 fi 1449 1450 LISTCOUNT=`${BINDIR}/certutil ${MYDIRPASS} -L | grep -wc ${MYCERTNAME}` 1451 if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then 1452 CERTFAILED=1 1453 html_failed "${MYTESTNAME} - list and count" 1454 cert_log "ERROR: ${MYTESTNAME} - list and count failed" 1455 return 1 1456 fi 1457 1458 html_passed "${MYTESTNAME}" 1459 return 0 1460 } 1461 1462 cert_list_and_count_dns() 1463 { 1464 DIRPASS="$1" 1465 CERTNAME="$2" 1466 EXPECT="$3" 1467 EXPECTCOUNT="$4" 1468 TESTNAME="$5" 1469 1470 echo certutil ${DIRPASS} -L ${CERTNAME} 1471 ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} 1472 1473 RET=$? 1474 if [ "${RET}" -ne "${EXPECT}" ]; then 1475 CERTFAILED=1 1476 html_failed "${TESTNAME} (${COUNT}) - list and count" 1477 cert_log "ERROR: ${TESTNAME} - list and count failed" 1478 return 1 1479 fi 1480 1481 LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS` 1482 if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then 1483 CERTFAILED=1 1484 html_failed "${TESTNAME} (${COUNT}) - list and count" 1485 cert_log "ERROR: ${TESTNAME} - list and count failed" 1486 return 1 1487 fi 1488 1489 html_passed "${TESTNAME} (${COUNT})" 1490 return 0 1491 } 1492 1493 cert_dump_ext_to_file() 1494 { 1495 DIRPASS="$1" 1496 CERTNAME="$2" 1497 OID="$3" 1498 OUTFILE="$4" 1499 EXPECT="$5" 1500 TESTNAME="$6" 1501 1502 echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} 1503 echo "writing output to ${OUTFILE}" 1504 ${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE} 1505 1506 RET=$? 1507 if [ "${RET}" -ne "${EXPECT}" ]; then 1508 CERTFAILED=1 1509 html_failed "${TESTNAME} (${COUNT}) - dump to file" 1510 cert_log "ERROR: ${TESTNAME} - dump to file failed" 1511 return 1 1512 fi 1513 1514 html_passed "${TESTNAME} (${COUNT})" 1515 return 0 1516 } 1517 1518 cert_delete() 1519 { 1520 DIRPASS="$1" 1521 CERTNAME="$2" 1522 EXPECT="$3" 1523 TESTNAME="$4" 1524 1525 echo certutil ${DIRPASS} -D ${CERTNAME} 1526 ${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME} 1527 1528 RET=$? 1529 if [ "${RET}" -ne "${EXPECT}" ]; then 1530 CERTFAILED=1 1531 html_failed "${TESTNAME} (${COUNT}) - delete cert" 1532 cert_log "ERROR: ${TESTNAME} - delete cert failed" 1533 return 1 1534 fi 1535 1536 html_passed "${TESTNAME} (${COUNT})" 1537 return 0 1538 } 1539 1540 cert_inc_count() 1541 { 1542 COUNT=`expr ${COUNT} + 1` 1543 } 1544 1545 ############################## cert_crl_ssl ############################ 1546 # test adding subject-alt-name, dumping, and adding generic extension 1547 ######################################################################## 1548 cert_san_and_generic_extensions() 1549 { 1550 EXTDUMP=sanext.der 1551 1552 DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}" 1553 CERTNAME="-n WithSAN" 1554 MAKE="-S -t ,, -x -z ${R_NOISE_FILE}" 1555 SUBJ="CN=example.com" 1556 1557 TESTNAME="san-and-generic-extensions" 1558 1559 cert_inc_count 1560 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1561 "--extSAN example.com" 255 \ 1562 "create cert with invalid SAN parameter" 1563 1564 cert_inc_count 1565 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1566 "--extSAN example.com,dns:www.example.com" 255 \ 1567 "create cert with invalid SAN parameter" 1568 1569 TN="create cert with valid SAN parameter" 1570 1571 cert_inc_count 1572 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1573 "--extSAN dns:example.com,dns:www.example.com" 0 \ 1574 "${TN}" 1575 1576 cert_inc_count 1577 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \ 1578 "${TN}" 1579 1580 cert_inc_count 1581 cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \ 1582 "dump extension 2.5.29.17 to file ${EXTDUMP}" 1583 1584 cert_inc_count 1585 cert_delete "${DIR}" "${CERTNAME}" 0 \ 1586 "${TN}" 1587 1588 cert_inc_count 1589 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ 1590 "expect failure to list cert, because we deleted it" 1591 1592 cert_inc_count 1593 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1594 "--extGeneric ${EXTDUMP}" 255 \ 1595 "create cert with invalid generic ext parameter" 1596 1597 cert_inc_count 1598 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1599 "--extGeneric not-critical:${EXTDUMP}" 255 \ 1600 "create cert with invalid generic ext parameter" 1601 1602 cert_inc_count 1603 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1604 "--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \ 1605 "create cert with invalid generic ext parameter" 1606 1607 TN="create cert with valid generic ext parameter" 1608 1609 cert_inc_count 1610 cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \ 1611 "--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \ 1612 "${TN}" 1613 1614 cert_inc_count 1615 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \ 1616 "${TN}" 1617 1618 cert_inc_count 1619 cert_delete "${DIR}" "${CERTNAME}" 0 \ 1620 "${TN}" 1621 1622 cert_inc_count 1623 cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \ 1624 "expect failure to list cert, because we deleted it" 1625 } 1626 1627 ############################## cert_crl_ssl ############################ 1628 # local shell function to generate certs and crls for SSL tests 1629 ######################################################################## 1630 cert_crl_ssl() 1631 { 1632 1633 ################# Creating Certs ################################### 1634 # 1635 CERTFAILED=0 1636 CERTSERIAL=${CRL_GRP_1_BEGIN} 1637 1638 cd $CADIR 1639 1640 PROFILEDIR=`cd ${CLIENTDIR}; pwd` 1641 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then 1642 PROFILEDIR=`cygpath -m ${PROFILEDIR}` 1643 fi 1644 CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1` 1645 echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ===" 1646 CU_ACTION="Creating client test certs" 1647 1648 while [ $CERTSERIAL -le $CRL_GRPS_END ] 1649 do 1650 CERTNAME="TestUser$CERTSERIAL" 1651 cert_add_cert 1652 CERTSERIAL=`expr $CERTSERIAL + 1 ` 1653 done 1654 1655 #################### CRL Creation ############################## 1656 CRL_GEN_RES=0 1657 echo "$SCRIPTNAME: Creating CA CRL =====================================" 1658 1659 CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1` 1660 CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END} 1661 CRL_FILE=${CRL_FILE_GRP_1} 1662 1663 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1664 1665 for i in ${!keyType[@]} 1666 do 1667 suffix=${keySuffix[$i]} 1668 key_type=${keyType[$i]} 1669 CU_ACTION="Generating CRL ($key_type) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA${suffix} authority" 1670 CRL_GRP_END_=`expr ${CRL_GRP_END} - 1` 1671 crlu -d $CADIR -G -n "TestCA${suffix}" -f ${R_PWFILE} \ 1672 -o ${CRL_FILE_GRP_1}_or${suffix} <<EOF_CRLINI 1673 update=$CRLUPDATE 1674 addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE 1675 addext reasonCode 0 4 1676 addext issuerAltNames 0 "rfc822Name:ca${suffix}email@ca.com|dnsName:ca${suffix}.com|directoryName:CN=NSS Test CA ($key_type),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca${suffix}.com|ipAddress:192.168.0.1|registerID=reg CA ($key_type)" 1677 EOF_CRLINI 1678 # This extension should be added to the list, but currently nss has bug 1679 #addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1 1680 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1681 chmod 600 ${CRL_FILE_GRP_1}_or${suffix} 1682 done 1683 1684 echo test > file 1685 ############################# Modification ################################## 1686 1687 echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============" 1688 sleep 2 1689 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1690 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` 1691 for i in ${!keyType[@]} 1692 do 1693 suffix=${keySuffix[$i]} 1694 key_type=${keyType[$i]} 1695 CU_ACTION="Modify CRL ($key_type)by adding one more cert" 1696 crlu -d $CADIR -M -n "TestCA${suffix}" -f ${R_PWFILE} \ 1697 -o ${CRL_FILE_GRP_1}_or1${suffix} \ 1698 -i ${CRL_FILE_GRP_1}_or${suffix} <<EOF_CRLINI 1699 update=$CRLUPDATE 1700 addcert ${CRL_GRP_END} $CRL_GRP_DATE 1701 EOF_CRLINI 1702 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1703 chmod 600 ${CRL_FILE_GRP_1}_or1${suffix} 1704 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or${suffix}" 1705 done 1706 1707 ########### Removing one cert ${UNREVOKED_CERT_GRP_1} ####################### 1708 sleep 2 1709 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1710 for i in ${!keyType[@]} 1711 do 1712 suffix=${keySuffix[$i]} 1713 key_type=${keyType[$i]} 1714 echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ===============" 1715 CU_ACTION="Modify CRL ($key_type) by removing one cert" 1716 crlu -d $CADIR -M -n "TestCA${suffix}" -f ${R_PWFILE} \ 1717 -o ${CRL_FILE_GRP_1}${suffix} \ 1718 -i ${CRL_FILE_GRP_1}_or1${suffix} <<EOF_CRLINI 1719 update=$CRLUPDATE 1720 rmcert ${UNREVOKED_CERT_GRP_1} 1721 EOF_CRLINI 1722 chmod 600 ${CRL_FILE_GRP_1}${suffix} 1723 TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1${suffix}" 1724 done 1725 1726 ########### Creating second CRL which includes groups 1 and 2 ############## 1727 CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1` 1728 CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END} 1729 1730 echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ===============" 1731 sleep 2 1732 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1733 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` 1734 1735 for i in ${!keyType[@]} 1736 do 1737 suffix=${keySuffix[$i]} 1738 key_type=${keyType[$i]} 1739 CU_ACTION="Creating CRL ($key_type} for groups 1 and 2" 1740 crlu -d $CADIR -M -n "TestCA${suffix}" -f ${R_PWFILE} \ 1741 -o ${CRL_FILE_GRP_2}${suffix} \ 1742 -i ${CRL_FILE_GRP_1}${suffix} <<EOF_CRLINI 1743 update=$CRLUPDATE 1744 addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE 1745 addext invalidityDate 0 $CRLUPDATE 1746 rmcert ${UNREVOKED_CERT_GRP_2} 1747 EOF_CRLINI 1748 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1749 chmod 600 ${CRL_FILE_GRP_2}${suffix} 1750 done 1751 1752 ########### Creating second CRL which includes groups 1, 2 and 3 ############## 1753 CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1` 1754 CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END} 1755 1756 echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3 ===============" 1757 sleep 2 1758 CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"` 1759 CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"` 1760 for i in ${!keyType[@]} 1761 do 1762 suffix=${keySuffix[$i]} 1763 key_type=${keyType[$i]} 1764 CU_ACTION="Creating CRL ($key_type) for groups 1, 2 and 3" 1765 crlu -d $CADIR -M -n "TestCA${suffix}" -f ${R_PWFILE} \ 1766 -o ${CRL_FILE_GRP_3}${suffix} \ 1767 -i ${CRL_FILE_GRP_2}${suffix} <<EOF_CRLINI 1768 update=$CRLUPDATE 1769 addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE 1770 rmcert ${UNREVOKED_CERT_GRP_3} 1771 addext crlNumber 0 2 1772 EOF_CRLINI 1773 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1774 chmod 600 ${CRL_FILE_GRP_3}${suffix} 1775 done 1776 1777 ############ Importing Server CA Issued CRL for certs of first group ####### 1778 1779 echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}" 1780 for i in ${!keyType[@]} 1781 do 1782 suffix=${keySuffix[$i]} 1783 key_type=${keyType[$i]} 1784 CU_ACTION="Importing CRL ($key_type) for groups 1" 1785 crlu -D -n TestCA${suffix} -f "${R_PWFILE}" -d "${R_SERVERDIR}" 1786 crlu -I -i ${CRL_FILE}${suffix} -n "TestCA${suffix}" -f "${R_PWFILE}" -d "${R_SERVERDIR}" 1787 CRL_GEN_RES=`expr $? + $CRL_GEN_RES` 1788 done 1789 if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then 1790 cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES" 1791 else 1792 cert_log "SUCCESS: SSL CRL prep passed" 1793 fi 1794 } 1795 1796 ################# 1797 # Verify the we can successfully change the password on the database 1798 # 1799 cert_test_password() 1800 { 1801 CERTFAILED=0 1802 echo "$SCRIPTNAME: Create A Password Test Cert ==============" 1803 cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}" 1804 1805 echo "$SCRIPTNAME: Create A Password Test Ca --------" 1806 ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1807 cert_CA RSA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1" 1808 1809 # now change the password 1810 CU_ACTION="Changing password on ${CERTNAME}'s Cert DB" 1811 certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1 1812 1813 # finally make sure we can use the old key with the new password 1814 CU_ACTION="Generate Certificate for ${CERTNAME} with new password" 1815 CU_SUBJECT="CN=${CERTNAME}, E=password@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1816 certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1 1817 if [ "$RET" -eq 0 ]; then 1818 cert_log "SUCCESS: PASSWORD passed" 1819 fi 1820 CU_ACTION="Verify Certificate for ${CERTNAME} with new password" 1821 certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 1822 } 1823 1824 ############################### 1825 # test if we can distrust a certificate. 1826 # 1827 # we create 3 new certs: 1828 # 1 leaf signed by the trusted root. 1829 # 1 intermediate signed by the trusted root. 1830 # 1 leaf signed by the intermediate. 1831 # 1832 # we mark the first leaf and the intermediate as explicitly untrusted. 1833 # we then try to verify the two leaf certs for our possible usages. 1834 # All verification should fail. 1835 # 1836 cert_test_distrust() 1837 { 1838 echo "$SCRIPTNAME: Creating Distrusted Certificate" 1839 cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST} 1840 CU_ACTION="Mark CERT as unstrusted" 1841 certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1 1842 echo "$SCRIPTNAME: Creating Distrusted Intermediate" 1843 CERTNAME="DistrustedCA" 1844 ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1845 cert_CA RSA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1 1846 CU_ACTION="Import Distrusted Intermediate" 1847 certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ 1848 -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1 1849 1850 # now create the last leaf signed by our distrusted CA 1851 # since it's not signed by TestCA it requires more steps. 1852 CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA" 1853 CERTNAME="LeafChainedToDistrustedCA" 1854 CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1855 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 1856 1857 CU_ACTION="Sign ${CERTNAME}'s Request" 1858 cp ${CERTDIR}/req ${CADIR} 1859 certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \ 1860 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 1861 1862 CU_ACTION="Import $CERTNAME's Cert -t u,u,u" 1863 certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 1864 -i "${CERTNAME}.cert" 2>&1 1865 1866 RETEXPECTED=255 1867 CU_ACTION="Verify ${CERTNAME} Cert for SSL Server" 1868 certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1869 CU_ACTION="Verify ${CERTNAME} Cert for SSL Client" 1870 certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1871 CU_ACTION="Verify ${CERTNAME} Cert for Email signer" 1872 certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1873 CU_ACTION="Verify ${CERTNAME} Cert for Email recipient" 1874 certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1875 CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder" 1876 certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1877 CU_ACTION="Verify ${CERTNAME} Cert for Object Signer" 1878 certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1879 1880 CERTNAME="Distrusted" 1881 CU_ACTION="Verify ${CERTNAME} Cert for SSL Server" 1882 certu -V -n ${CERTNAME} -u V -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1883 CU_ACTION="Verify ${CERTNAME} Cert for SSL Client" 1884 certu -V -n ${CERTNAME} -u C -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1885 CU_ACTION="Verify ${CERTNAME} Cert for Email signer" 1886 certu -V -n ${CERTNAME} -u S -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1887 CU_ACTION="Verify ${CERTNAME} Cert for Email recipient" 1888 certu -V -n ${CERTNAME} -u R -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1889 CU_ACTION="Verify ${CERTNAME} Cert for OCSP responder" 1890 certu -V -n ${CERTNAME} -u O -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1891 CU_ACTION="Verify ${CERTNAME} Cert for Object Signer" 1892 certu -V -n ${CERTNAME} -u J -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1893 RETEXPECTED=0 1894 } 1895 1896 cert_test_ocspresp() 1897 { 1898 echo "$SCRIPTNAME: OCSP response creation selftest" 1899 OR_ACTION="perform selftest" 1900 RETEXPECTED=0 1901 ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1 1902 } 1903 1904 cert_test_implicit_db_init() 1905 { 1906 echo "$SCRIPTNAME: test implicit database init" 1907 1908 CU_ACTION="Add cert with trust flags to db with implicit init" 1909 mkdir ${IMPLICIT_INIT_DIR} 1910 certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert" 1911 } 1912 1913 cert_test_token_uri() 1914 { 1915 echo "$SCRIPTNAME: specify token with PKCS#11 URI" 1916 1917 CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'` 1918 BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'` 1919 1920 CU_ACTION="List keys in NSS Certificate DB" 1921 certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI} 1922 1923 # This token shouldn't have any keys 1924 CU_ACTION="List keys in NSS Builtin Objects" 1925 RETEXPECTED=255 1926 certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI} 1927 RETEXPECTED=0 1928 } 1929 1930 check_sign_algo() 1931 { 1932 certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ 1933 sed -n '/^ *Data:/,/^$/{ 1934 /^ Signature Algorithm/,/^ *Salt length/s/^ //p 1935 }' > ${TMP}/signalgo.txt 1936 1937 diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt 1938 RET=$? 1939 if [ "$RET" -ne 0 ]; then 1940 CERTFAILED=$RET 1941 html_failed "${CU_ACTION} ($RET) " 1942 cert_log "ERROR: ${CU_ACTION} failed $RET" 1943 else 1944 html_passed "${CU_ACTION}" 1945 fi 1946 } 1947 1948 cert_test_rsapss() 1949 { 1950 TEMPFILES="$TEMPFILES ${TMP}/signalgo.exp ${TMP}/signalgo.txt" 1951 1952 cert_init_cert "${RSAPSSDIR}" "RSA-PSS Test Cert" 1000 "${D_RSAPSS}" 1953 1954 CU_ACTION="Initialize Cert DB" 1955 certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1956 1957 CU_ACTION="Import RSA CA Cert" 1958 certu -A -n "TestCA" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 1959 -i "${R_CADIR}/TestCA.ca.cert" 2>&1 1960 1961 CU_ACTION="Import RSA-PSS CA Cert" 1962 certu -A -n "TestCA-rsa-pss" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 1963 -i "${R_CADIR}/TestCA-rsa-pss.ca.cert" 2>&1 1964 1965 CU_ACTION="Verify RSA-PSS CA Cert" 1966 certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}" 1967 1968 CU_ACTION="Import RSA-PSS CA Cert (SHA1)" 1969 certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 1970 -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 1971 1972 CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)" 1973 certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 1974 -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1 1975 RETEXPECTED=255 1976 certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1977 RETEXPECTED=0 1978 1979 CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)" 1980 certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 1981 -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1 1982 RETEXPECTED=255 1983 certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 1984 RETEXPECTED=0 1985 1986 CERTSERIAL=200 1987 1988 # Subject certificate: RSA 1989 # Issuer certificate: RSA 1990 # Signature: RSA-PSS (explicit, with --pss-sign) 1991 CERTNAME="TestUser-rsa-pss1" 1992 1993 CU_ACTION="Generate Cert Request for $CERTNAME" 1994 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 1995 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 1996 1997 CU_ACTION="Sign ${CERTNAME}'s Request" 1998 certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 1999 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2000 2001 CU_ACTION="Import $CERTNAME's Cert" 2002 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2003 -i "${CERTNAME}.cert" 2>&1 2004 2005 CU_ACTION="Verify $CERTNAME's Cert" 2006 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2007 cat > ${TMP}/signalgo.exp <<EOF 2008 Signature Algorithm: PKCS #1 RSA-PSS Signature 2009 Parameters: 2010 Hash algorithm: SHA-256 2011 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2012 Mask hash algorithm: SHA-256 2013 Salt length: 32 (0x20) 2014 EOF 2015 check_sign_algo 2016 2017 CERTSERIAL=`expr $CERTSERIAL + 1` 2018 2019 # Subject certificate: RSA 2020 # Issuer certificate: RSA 2021 # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512) 2022 CERTNAME="TestUser-rsa-pss2" 2023 2024 CU_ACTION="Generate Cert Request for $CERTNAME" 2025 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2026 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 2027 2028 CU_ACTION="Sign ${CERTNAME}'s Request" 2029 certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2030 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2031 2032 CU_ACTION="Import $CERTNAME's Cert" 2033 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2034 -i "${CERTNAME}.cert" 2>&1 2035 2036 CU_ACTION="Verify $CERTNAME's Cert" 2037 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2038 cat > ${TMP}/signalgo.exp <<EOF 2039 Signature Algorithm: PKCS #1 RSA-PSS Signature 2040 Parameters: 2041 Hash algorithm: SHA-512 2042 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2043 Mask hash algorithm: SHA-512 2044 Salt length: 64 (0x40) 2045 EOF 2046 check_sign_algo 2047 2048 CERTSERIAL=`expr $CERTSERIAL + 1` 2049 2050 # Subject certificate: RSA 2051 # Issuer certificate: RSA-PSS 2052 # Signature: RSA-PSS 2053 CERTNAME="TestUser-rsa-pss3" 2054 2055 CU_ACTION="Generate Cert Request for $CERTNAME" 2056 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2057 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 2058 2059 CU_ACTION="Sign ${CERTNAME}'s Request" 2060 certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2061 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2062 2063 CU_ACTION="Import $CERTNAME's Cert" 2064 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2065 -i "${CERTNAME}.cert" 2>&1 2066 2067 CU_ACTION="Verify $CERTNAME's Cert" 2068 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2069 cat > ${TMP}/signalgo.exp <<EOF 2070 Signature Algorithm: PKCS #1 RSA-PSS Signature 2071 Parameters: 2072 Hash algorithm: SHA-256 2073 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2074 Mask hash algorithm: SHA-256 2075 Salt length: 32 (0x20) 2076 EOF 2077 check_sign_algo 2078 2079 CERTSERIAL=`expr $CERTSERIAL + 1` 2080 2081 # Subject certificate: RSA-PSS 2082 # Issuer certificate: RSA 2083 # Signature: RSA-PSS (explicit, with --pss-sign) 2084 CERTNAME="TestUser-rsa-pss4" 2085 2086 CU_ACTION="Generate Cert Request for $CERTNAME" 2087 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2088 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2089 2090 CU_ACTION="Sign ${CERTNAME}'s Request" 2091 certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2092 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2093 2094 CU_ACTION="Import $CERTNAME's Cert" 2095 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2096 -i "${CERTNAME}.cert" 2>&1 2097 2098 CU_ACTION="Verify $CERTNAME's Cert" 2099 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2100 cat > ${TMP}/signalgo.exp <<EOF 2101 Signature Algorithm: PKCS #1 RSA-PSS Signature 2102 Parameters: 2103 Hash algorithm: SHA-256 2104 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2105 Mask hash algorithm: SHA-256 2106 Salt length: 32 (0x20) 2107 EOF 2108 check_sign_algo 2109 2110 CERTSERIAL=`expr $CERTSERIAL + 1` 2111 2112 # Subject certificate: RSA-PSS 2113 # Issuer certificate: RSA-PSS 2114 # Signature: RSA-PSS (explicit, with --pss-sign) 2115 CERTNAME="TestUser-rsa-pss5" 2116 2117 CU_ACTION="Generate Cert Request for $CERTNAME" 2118 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2119 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2120 2121 CU_ACTION="Sign ${CERTNAME}'s Request" 2122 certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2123 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2124 2125 CU_ACTION="Import $CERTNAME's Cert" 2126 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2127 -i "${CERTNAME}.cert" 2>&1 2128 2129 CU_ACTION="Verify $CERTNAME's Cert" 2130 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2131 cat > ${TMP}/signalgo.exp <<EOF 2132 Signature Algorithm: PKCS #1 RSA-PSS Signature 2133 Parameters: 2134 Hash algorithm: SHA-256 2135 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2136 Mask hash algorithm: SHA-256 2137 Salt length: 32 (0x20) 2138 EOF 2139 check_sign_algo 2140 2141 CERTSERIAL=`expr $CERTSERIAL + 1` 2142 2143 # Subject certificate: RSA-PSS 2144 # Issuer certificate: RSA-PSS 2145 # Signature: RSA-PSS (implicit, without --pss-sign) 2146 CERTNAME="TestUser-rsa-pss6" 2147 2148 CU_ACTION="Generate Cert Request for $CERTNAME" 2149 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2150 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2151 2152 CU_ACTION="Sign ${CERTNAME}'s Request" 2153 # Sign without --pss-sign nor -Z option 2154 certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2155 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2156 2157 CU_ACTION="Import $CERTNAME's Cert" 2158 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2159 -i "${CERTNAME}.cert" 2>&1 2160 2161 CU_ACTION="Verify $CERTNAME's Cert" 2162 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2163 cat > ${TMP}/signalgo.exp <<EOF 2164 Signature Algorithm: PKCS #1 RSA-PSS Signature 2165 Parameters: 2166 Hash algorithm: SHA-256 2167 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2168 Mask hash algorithm: SHA-256 2169 Salt length: 32 (0x20) 2170 EOF 2171 check_sign_algo 2172 2173 CERTSERIAL=`expr $CERTSERIAL + 1` 2174 2175 # Subject certificate: RSA-PSS 2176 # Issuer certificate: RSA-PSS 2177 # Signature: RSA-PSS (with conflicting hash algorithm) 2178 CERTNAME="TestUser-rsa-pss7" 2179 2180 CU_ACTION="Generate Cert Request for $CERTNAME" 2181 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2182 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2183 2184 CU_ACTION="Sign ${CERTNAME}'s Request" 2185 RETEXPECTED=255 2186 certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2187 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2188 RETEXPECTED=0 2189 2190 CERTSERIAL=`expr $CERTSERIAL + 1` 2191 2192 # Subject certificate: RSA-PSS 2193 # Issuer certificate: RSA-PSS 2194 # Signature: RSA-PSS (with compatible hash algorithm) 2195 CERTNAME="TestUser-rsa-pss8" 2196 2197 CU_ACTION="Generate Cert Request for $CERTNAME" 2198 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2199 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2200 2201 CU_ACTION="Sign ${CERTNAME}'s Request" 2202 certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2203 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2204 2205 CU_ACTION="Import $CERTNAME's Cert" 2206 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2207 -i "${CERTNAME}.cert" 2>&1 2208 2209 CU_ACTION="Verify $CERTNAME's Cert" 2210 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2211 cat > ${TMP}/signalgo.exp <<EOF 2212 Signature Algorithm: PKCS #1 RSA-PSS Signature 2213 Parameters: 2214 Hash algorithm: SHA-256 2215 Mask algorithm: PKCS #1 MGF1 Mask Generation Function 2216 Mask hash algorithm: SHA-256 2217 Salt length: 32 (0x20) 2218 EOF 2219 check_sign_algo 2220 2221 CERTSERIAL=`expr $CERTSERIAL + 1` 2222 2223 # Subject certificate: RSA 2224 # Issuer certificate: RSA 2225 # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1) 2226 CERTNAME="TestUser-rsa-pss9" 2227 2228 CU_ACTION="Generate Cert Request for $CERTNAME" 2229 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2230 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 2231 2232 CU_ACTION="Sign ${CERTNAME}'s Request" 2233 certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2234 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2235 2236 CU_ACTION="Import $CERTNAME's Cert" 2237 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2238 -i "${CERTNAME}.cert" 2>&1 2239 2240 CU_ACTION="Verify $CERTNAME's Cert" 2241 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2242 cat > ${TMP}/signalgo.exp <<EOF 2243 Signature Algorithm: PKCS #1 RSA-PSS Signature 2244 Parameters: 2245 Hash algorithm: default, SHA-1 2246 Mask algorithm: default, MGF1 2247 Mask hash algorithm: default, SHA-1 2248 Salt length: default, 20 (0x14) 2249 EOF 2250 check_sign_algo 2251 2252 CERTSERIAL=`expr $CERTSERIAL + 1` 2253 2254 # Subject certificate: RSA-PSS 2255 # Issuer certificate: RSA-PSS 2256 # Signature: RSA-PSS (implicit, without --pss-sign, default parameters) 2257 CERTNAME="TestUser-rsa-pss10" 2258 2259 CU_ACTION="Generate Cert Request for $CERTNAME" 2260 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2261 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 2262 2263 CU_ACTION="Sign ${CERTNAME}'s Request" 2264 # Sign without --pss-sign nor -Z option 2265 certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2266 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2267 2268 CU_ACTION="Import $CERTNAME's Cert" 2269 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2270 -i "${CERTNAME}.cert" 2>&1 2271 2272 CU_ACTION="Verify $CERTNAME's Cert" 2273 certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" 2274 cat > ${TMP}/signalgo.exp <<EOF 2275 Signature Algorithm: PKCS #1 RSA-PSS Signature 2276 Parameters: 2277 Hash algorithm: default, SHA-1 2278 Mask algorithm: default, MGF1 2279 Mask hash algorithm: default, SHA-1 2280 Salt length: default, 20 (0x14) 2281 EOF 2282 check_sign_algo 2283 2284 CERTSERIAL=`expr $CERTSERIAL + 1` 2285 2286 # Subject certificate: RSA-PSS 2287 # Issuer certificate: RSA-PSS 2288 # Signature: RSA-PSS (with conflicting hash algorithm, default parameters) 2289 CERTNAME="TestUser-rsa-pss11" 2290 2291 CU_ACTION="Generate Cert Request for $CERTNAME" 2292 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2293 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2294 2295 CU_ACTION="Sign ${CERTNAME}'s Request" 2296 RETEXPECTED=255 2297 certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2298 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2299 RETEXPECTED=0 2300 } 2301 2302 cert_test_orphan_key_delete() 2303 { 2304 CU_ACTION="Create orphan key in serverdir" 2305 certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR} 2306 # Let's get the key ID of the first orphan key. 2307 # The output of certutil -K (list keys) isn't well formatted. 2308 # The initial <key-number> part may or may not contain white space, which 2309 # makes the use of awk to filter the column unreliable. 2310 # To fix that, we remove the initial <number> field using sed, then select the 2311 # column that contains the key ID. 2312 ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \ 2313 sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'` 2314 CU_ACTION="Delete orphan key" 2315 certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR} 2316 # Ensure that the key is removed 2317 certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN} 2318 RET=$? 2319 if [ "$RET" -eq 0 ]; then 2320 html_failed "Deleting orphan key ($RET)" 2321 cert_log "ERROR: Deleting orphan key failed $RET" 2322 fi 2323 } 2324 2325 cert_test_orphan_key_reuse() 2326 { 2327 CU_ACTION="Create orphan key in serverdir" 2328 certu -G -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR} 2329 # Let's get the key ID of the first orphan key. 2330 # The output of certutil -K (list keys) isn't well formatted. 2331 # The initial <key-number> part may or may not contain white space, which 2332 # makes the use of awk to filter the column unreliable. 2333 # To fix that, we remove the initial <number> field using sed, then select the 2334 # column that contains the key ID. 2335 ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \ 2336 sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'` 2337 CU_ACTION="Create cert request for orphan key" 2338 certu -R -f "${R_PWFILE}" -k ${ORPHAN} -s "CN=orphan" -d ${PROFILEDIR} \ 2339 -o ${SERVERDIR}/orphan.req 2340 # Ensure that creating the request really works by listing it, and check 2341 # if listing was successful. 2342 ${BINDIR}/pp -t certificate-request -i ${SERVERDIR}/orphan.req 2343 RET=$? 2344 if [ "$RET" -ne 0 ]; then 2345 html_failed "Listing cert request for orphan key ($RET)" 2346 cert_log "ERROR: Listing cert request for orphan key failed $RET" 2347 fi 2348 } 2349 2350 cert_test_rsapss_policy() 2351 { 2352 CERTSERIAL=`expr $CERTSERIAL + 1` 2353 2354 CERTNAME="TestUser-rsa-pss-policy" 2355 2356 # Subject certificate: RSA-PSS 2357 # Issuer certificate: RSA 2358 # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1) 2359 CU_ACTION="Generate Cert Request for $CERTNAME" 2360 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" 2361 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 2362 2363 CU_ACTION="Sign ${CERTNAME}'s Request" 2364 certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ 2365 -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 2366 2367 CU_ACTION="Import $CERTNAME's Cert" 2368 certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ 2369 -i "${CERTNAME}.cert" 2>&1 2370 2371 CU_ACTION="Verify $CERTNAME's Cert" 2372 certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2373 2374 CU_ACTION="Verify $CERTNAME's Cert with Policy" 2375 cp ${PROFILEDIR}/pkcs11.txt pkcs11.txt.orig 2376 cat >> ${PROFILEDIR}/pkcs11.txt << ++EOF++ 2377 library= 2378 name=Policy 2379 config="disallow=SHA1" 2380 ++EOF++ 2381 RETEXPECTED=255 2382 certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2383 RETEXPECTED=0 2384 cp pkcs11.txt.orig ${PROFILEDIR}/pkcs11.txt 2385 } 2386 2387 ############################## cert_cleanup ############################ 2388 # local shell function to finish this script (no exit since it might be 2389 # sourced) 2390 ######################################################################## 2391 cert_cleanup() 2392 { 2393 cert_log "$SCRIPTNAME: finished $SCRIPTNAME" 2394 html "</TABLE><BR>" 2395 cd ${QADIR} 2396 . common/cleanup.sh 2397 } 2398 2399 CERTCACHE=${TESTDIR}/${HOST}.${TEST_MODE}.cert.cache.tar.gz 2400 2401 cert_make_cache() 2402 { 2403 if [ -n "${NSS_USE_CERT_CACHE}" ] ; then 2404 pushd ${HOSTDIR} 2405 tar czf "${CERTCACHE}" . 2406 popd 2407 fi 2408 } 2409 2410 cert_use_cache() 2411 { 2412 if [ -n "${NSS_USE_CERT_CACHE}" ] ; then 2413 pushd ${HOSTDIR} 2414 if [ -r "${CERTCACHE}" ]; then 2415 tar xzf "${CERTCACHE}" 2416 return 1; 2417 fi 2418 popd 2419 fi 2420 2421 rm "${CERTCACHE}" 2422 return 0; 2423 } 2424 2425 ################## main ################################################# 2426 2427 cert_use_cache 2428 USING_CACHE=$? 2429 if [[ $USING_CACHE -eq 1 ]]; then 2430 return 0; 2431 fi 2432 2433 cert_init 2434 cert_all_CA 2435 cert_test_implicit_db_init 2436 cert_extended_ssl 2437 cert_ssl 2438 cert_test_orphan_key_delete 2439 cert_test_orphan_key_reuse 2440 cert_smime_client 2441 IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED` 2442 if [ $IS_FIPS_DISABLED -ne 0 ]; then 2443 cert_rsa_exponent_nonfips 2444 else 2445 cert_fips 2446 fi 2447 cert_eccurves 2448 cert_extensions 2449 cert_san_and_generic_extensions 2450 cert_test_password 2451 cert_test_distrust 2452 cert_test_ocspresp 2453 cert_test_rsapss 2454 if using_sql ; then 2455 cert_test_rsapss_policy 2456 fi 2457 cert_test_token_uri 2458 2459 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then 2460 cert_crl_ssl 2461 else 2462 echo "$SCRIPTNAME: Skipping CRL Tests" 2463 fi 2464 2465 if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then 2466 cert_stresscerts 2467 fi 2468 2469 cert_iopr_setup 2470 2471 cert_cleanup 2472 cert_make_cache