dbtests.sh (22472B)
1 #! /bin/bash 2 # 3 # This Source Code Form is subject to the terms of the Mozilla Public 4 # License, v. 2.0. If a copy of the MPL was not distributed with this 5 # file, You can obtain one at http://mozilla.org/MPL/2.0/. 6 7 ######################################################################## 8 # 9 # mozilla/security/nss/tests/dbtest/dbtest.sh 10 # 11 # Certificate generating and handeling for NSS QA, can be included 12 # multiple times from all.sh and the individual scripts 13 # 14 # needs to work on all Unix and Windows platforms 15 # 16 # included from (don't expect this to be up to date) 17 # -------------------------------------------------- 18 # all.sh 19 # ssl.sh 20 # smime.sh 21 # tools.sh 22 # 23 # special strings 24 # --------------- 25 # FIXME ... known problems, search for this string 26 # NOTE .... unexpected behavior 27 # 28 # FIXME - Netscape - NSS 29 ######################################################################## 30 31 ############################## dbtest_init ############################### 32 # local shell function to initialize this script 33 ######################################################################## 34 dbtest_init() 35 { 36 SCRIPTNAME="dbtests.sh" 37 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for 38 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it 39 fi 40 if [ -z "${INIT_SOURCED}" ] ; then 41 cd ../common 42 . ./init.sh 43 fi 44 if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here 45 cd ../cert 46 . ./cert.sh 47 fi 48 49 # normally we inherit this environment variable from cert.sh, but in the CI 50 # tests, we run cert.sh once in a different test and then copy the results 51 # for dbtests, so we try to get the ROOTCERTSFILE ourself if it doesn't exits 52 if [ ! "${ROOTCERTSFILE}" ] ; then 53 ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi.* | head -1` 54 fi 55 56 SCRIPTNAME="dbtests.sh" 57 RONLY_DIR=${HOSTDIR}/ronlydir 58 EMPTY_DIR=${HOSTDIR}/emptydir 59 CONFLICT_DIR=${HOSTDIR}/conflictdir 60 THREAD_DIR=${HOSTDIR}/threadir 61 BIG_DIR=${HOSTDIR}/bigdir 62 TRUST1_DIR=${HOSTDIR}/trust1dir 63 R_TRUST1_DIR=../trust1dir 64 TRUST2_DIR=${HOSTDIR}/trust2dir 65 R_TRUST2_DIR=../trust2dir 66 TRUST3_DIR=${HOSTDIR}/trust3dir 67 R_TRUST3_DIR=../trust3dir 68 TRUST4_DIR=${HOSTDIR}/trust4dir 69 R_TRUST4_DIR=../trust4dir 70 TRUST5_DIR=${HOSTDIR}/trust5dir 71 R_TRUST5_DIR=../trust5dir 72 mkdir -p $TRUST1_DIR 73 mkdir -p $TRUST2_DIR 74 mkdir -p $TRUST3_DIR 75 mkdir -p $TRUST4_DIR 76 mkdir -p $TRUST5_DIR 77 78 cd ${TRUST1_DIR} 79 certutil -N -d ${R_TRUST1_DIR} -f ${R_PWFILE} 80 certutil -N -d ${R_TRUST2_DIR} -f ${R_PWFILE} 81 certutil -N -d ${R_TRUST3_DIR} -f ${R_PWFILE} 82 certutil -N -d ${R_TRUST4_DIR} -f ${R_PWFILE} 83 certutil -N -d ${R_TRUST5_DIR} -f ${R_PWFILE} 84 85 html_head "CERT and Key DB Tests" 86 87 } 88 89 ############################## dbtest_cleanup ############################ 90 # local shell function to finish this script (no exit since it might be 91 # sourced) 92 ######################################################################## 93 dbtest_cleanup() 94 { 95 html "</TABLE><BR>" 96 cd ${QADIR} 97 chmod a+rw $RONLY_DIR 98 . common/cleanup.sh 99 } 100 101 Echo() 102 { 103 echo 104 echo "---------------------------------------------------------------" 105 echo "| $*" 106 echo "---------------------------------------------------------------" 107 } 108 109 dbtest_trust() 110 { 111 Echo "Create an old-style trust database" 112 cd ${TRUST1_DIR} 113 export NSS_TRUST_TYPE="NSS" 114 certutil -A -n "TestCA" -t "TC,C,C" -f "$R_PWFILE" -d ${R_TRUST1_DIR} -i ${R_CADIR}/TestCA.ca.cert 115 certutil -A -n "Alice" -t ",," -f "$R_PWFILE" -d ${R_TRUST1_DIR} -i ${R_ALICEDIR}/Alice.cert 116 unset NSS_TRUST_TYPE 117 dbtool -d ${R_TRUST1_DIR} | grep CKO_NSS_TRUST 118 ret=$? 119 html_msg $ret 0 "Create and old-style trust database" 120 121 # make sure we can verify an old-style database still 122 certutil -V -n "Alice" -u R -d ${R_TRUST1_DIR} -f "$R_PWFILE" 123 ret=$? 124 html_msg $ret 0 "Verify cert from and old-style DB" 125 126 # create an override record that will superceed the old style record 127 Echo "Create an new-style trust database" 128 export NSS_TRUST_TYPE="PKCS" 129 echo certutil -A -n "TestCA" -t "T,," -f "$R_PWFILE" -d ${R_TRUST2_DIR} -i ${R_CADIR}/TestCA.ca.cert 130 certutil -A -n "TestCA" -t "T,," -f "$R_PWFILE" -d ${R_TRUST2_DIR} -i ${R_CADIR}/TestCA.ca.cert 131 unset NSS_TRUST_TYPE 132 dbtool -d ${R_TRUST2_DIR} | grep CKO_TRUST 133 ret=$? 134 html_msg $ret 0 "Create and newstyle trust database" 135 136 # arrange to load both databases at the same time 137 cat >> ${R_TRUST2_DIR}/pkcs11.txt << __EOF__ 138 139 library= 140 name="Alice lib" 141 parameters="configdir='${R_TRUST1_DIR}'" 142 NSS=flags=internal,readonly trustOrder=80 143 __EOF__ 144 cat ${R_TRUST2_DIR}/pkcs11.txt 145 # trust 1's token name once they are both loaded, use to to find the Alice cert to verify 146 Trust1_Token="NSS Application Token 00000004" 147 echo certutil -V -n "${Trust1_Token}:Alice" -u R -d ${R_TRUST2_DIR} -f "$R_PWFILE" 148 certutil -V -n "${Trust1_Token}:Alice" -u R -d ${R_TRUST2_DIR} -f "$R_PWFILE" 149 ret=$? 150 html_msg $ret 255 "Verify cert should fail from and old-style DB with new style override" 151 152 # modify the trust to the original db was untrusted and the new one is trusted 153 export NSS_TRUST_TYPE="NSS" 154 certutil -M -n "TestCA" -t "T,," -f "$R_PWFILE" -d ${R_TRUST1_DIR} 155 # make sure we don't have any new style records in this databse 156 dbtool -d ${R_TRUST1_DIR} | grep CKO_TRUST 157 ret=$? 158 html_msg $ret 1 "Modify and old-style trust database" 159 160 export NSS_TRUST_TYPE="PKCS" 161 certutil -M -n "TestCA" -t "TC,C,C" -f "$R_PWFILE" -d ${R_TRUST2_DIR} 162 # make sure we don't have any old style records in this databse 163 dbtool -d ${R_TRUST2_DIR} | grep CKO_NSS_TRUST 164 ret=$? 165 html_msg $ret 1 "Modify and new-style trust database" 166 unset NSS_TRUST_TYPE 167 168 # now test the we now fail without the override 169 echo certutil -V -n "Alice" -u R -d ${R_TRUST1_DIR} -f "$R_PWFILE" 170 certutil -V -n "Alice" -u R -d ${R_TRUST1_DIR} -f "$R_PWFILE" 171 ret=$? 172 html_msg $ret 255 "Verify cert correctly fails from and old-style DB" 173 174 # and the we succeed with the override 175 echo certutil -V -n "${Trust1_Token}:Alice" -u R -d ${R_TRUST2_DIR} -f "$R_PWFILE" 176 certutil -V -n "${Trust1_Token}:Alice" -u R -d ${R_TRUST2_DIR} -f "$R_PWFILE" 177 ret=$? 178 html_msg $ret 0 "Verify cert succeeds with new style override" 179 180 # we can only run these tests if we have our builtins file 181 if [ -n "${ROOTCERTSFILE}" ] ; then 182 # Test overriding the built-ins 183 # built-ins still use NSS trust, so we will try to override them with 184 # PKCS trust we pick a cert we expect will be in builtins for a while. 185 # If it's ever removed, pick a different one. 186 CATestCert="Amazon Root CA 1" 187 TestToken="Builtin Object Token" 188 OverrideTrust="T,,C" 189 CATestCertName="${TestToken}:${CATestCert}" 190 echo modutil -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${R_TRUST3_DIR}" 191 echo | modutil -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${R_TRUST3_DIR}" 192 certutil -L -h "$TestToken" -d "${R_TRUST3_DIR}" | grep "${CATestCert}" 193 ret=$? 194 html_msg $ret 0 "Load Builtins and list $CATestCert" 195 196 # create the override 197 export NSS_TRUST_TYPE="PKCS" 198 echo certutil -M -n "${CATestCertName}" -t "$OverrideTrust" -d "${R_TRUST3_DIR}" -f "$R_PWFILE" 199 certutil -M -n "${CATestCertName}" -t "$OverrideTrust" -d "${R_TRUST3_DIR}" -f "$R_PWFILE" 200 ret=$? 201 html_msg $ret 0 "Modify trust on $CATestCert to '$OverrideTrust'" 202 unset NSS_TRUST_TYPE 203 204 # verify the override 205 certutil -L -h all -d "${R_TRUST3_DIR}" -f "${R_PWFILE}" | grep "${CATestCert}" 206 cert=$(certutil -L -h "$TestToken" -d "${R_TRUST3_DIR}" -f "${R_PWFILE}" | grep "${CATestCert}") 207 cert="${cert%"${cert##*[![:space:]]}"}" 208 trust=${cert##* } 209 echo "cert = |$cert| trust = |$trust|" 210 test "$trust" = "$OverrideTrust" 211 ret=$? 212 html_msg $ret 0 "Verify trust on $CATestCert is '$OverrideTrust'" 213 214 # finagle the token order so that the builtins are processed before 215 # the new token 216 echo modutil -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${R_TRUST4_DIR}" 217 echo | modutil -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${R_TRUST4_DIR}" 218 certutil -L -h "$TestToken" -d "${R_TRUST4_DIR}" | grep "${CATestCert}" 219 ret=$? 220 html_msg $ret 0 "Load Builtins for trust4 and list $CATestCert" 221 222 # use trust3 as an override 223 cat >> ${R_TRUST4_DIR}/pkcs11.txt << __EOF__ 224 225 library= 226 name="external trust" 227 parameters="configdir='${R_TRUST3_DIR}'" 228 NSS=flags=internal,readonly trustOrder=80 229 __EOF__ 230 certutil -L -h all -d "${R_TRUST4_DIR}" -f "${R_PWFILE}" | grep "${CATestCert}" 231 cert=$(certutil -L -h "$TestToken" -d "${R_TRUST4_DIR}" -f "${R_PWFILE}" | grep "${CATestCert}") 232 cert="${cert%"${cert##*[![:space:]]}"}" 233 trust=${cert##* } 234 echo "cert = |$cert| trust = |$trust|" 235 test "$trust" = "$OverrideTrust" 236 ret=$? 237 html_msg $ret 0 "Verify trust on $CATestCert is '$OverrideTrust' in trust4 db" 238 239 # reproduce the steps in Bug 1984165 240 export NSS_TRUST_TYPE="NSS" 241 echo modutil -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${R_TRUST5_DIR}" 242 echo | modutil -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${R_TRUST5_DIR}" 243 244 echo certutil -M -n "${CATestCertName}" -t "" -d "${R_TRUST5_DIR}" -f "$R_PWFILE" 245 certutil -M -n "${CATestCertName}" -t ",C," -d "${R_TRUST5_DIR}" -f "$R_PWFILE" 246 certutil -L -h "$TestToken" -d "${R_TRUST5_DIR}" | grep "${CATestCert}" 247 certutil -M -n "${CATestCertName}" -t "C,C," -d "${R_TRUST5_DIR}" -f "$R_PWFILE" 248 unset NSS_TRUST_TYPE 249 certutil -L -h "$TestToken" -d "${R_TRUST5_DIR}" | grep "${CATestCert}" 250 cert=$(certutil -L -h "$TestToken" -d "${R_TRUST5_DIR}" -f "${R_PWFILE}" | grep "${CATestCert}") 251 cert="${cert%"${cert##*[![:space:]]}"}" 252 trust=${cert##* } 253 echo "cert = |$cert| trust = |$trust|" 254 test "$trust" = "C,C," 255 ret=$? 256 html_msg $ret 0 "Verify trust on $CATestCert is 'C,C,'" 257 fi 258 } 259 260 dbtest_main() 261 { 262 cd ${HOSTDIR} 263 264 Echo "test opening the database read/write in a nonexisting directory" 265 ${BINDIR}/certutil -L -X -d ./non_existent_dir 266 ret=$? 267 if [ $ret -ne 255 ]; then 268 html_failed "Certutil succeeded in a nonexisting directory $ret" 269 else 270 html_passed "Certutil didn't work in a nonexisting dir $ret" 271 fi 272 ${BINDIR}/dbtest -r -d ./non_existent_dir 273 ret=$? 274 if [ $ret -ne 46 ]; then 275 html_failed "Dbtest readonly succeeded in a nonexisting directory $ret" 276 else 277 html_passed "Dbtest readonly didn't work in a nonexisting dir $ret" 278 fi 279 280 Echo "test force opening the database in a nonexisting directory" 281 ${BINDIR}/dbtest -f -d ./non_existent_dir 282 ret=$? 283 if [ $ret -ne 0 ]; then 284 html_failed "Dbtest force failed in a nonexisting directory $ret" 285 else 286 html_passed "Dbtest force succeeded in a nonexisting dir $ret" 287 fi 288 289 Echo "test opening the database readonly in an empty directory" 290 mkdir $EMPTY_DIR 291 ${BINDIR}/tstclnt -h ${HOST} -d $EMPTY_DIR 292 ret=$? 293 if [ $ret -ne 1 ]; then 294 html_failed "Tstclnt succeded in an empty directory $ret" 295 else 296 html_passed "Tstclnt didn't work in an empty dir $ret" 297 fi 298 ${BINDIR}/dbtest -r -d $EMPTY_DIR 299 ret=$? 300 if [ $ret -ne 46 ]; then 301 html_failed "Dbtest readonly succeeded in an empty directory $ret" 302 else 303 html_passed "Dbtest readonly didn't work in an empty dir $ret" 304 fi 305 rm -rf $EMPTY_DIR/* 2>/dev/null 306 ${BINDIR}/dbtest -i -d $EMPTY_DIR 307 ret=$? 308 if [ $ret -ne 0 ]; then 309 html_failed "Dbtest logout after empty DB Init loses key $ret" 310 else 311 html_passed "Dbtest logout after empty DB Init has key" 312 fi 313 rm -rf $EMPTY_DIR/* 2>/dev/null 314 ${BINDIR}/dbtest -i -p pass -d $EMPTY_DIR 315 ret=$? 316 if [ $ret -ne 0 ]; then 317 html_failed "Dbtest password DB Init loses needlogin state $ret" 318 else 319 html_passed "Dbtest password DB Init maintains needlogin state" 320 fi 321 rm -rf $EMPTY_DIR/* 2>/dev/null 322 ${BINDIR}/certutil -D -n xxxx -d $EMPTY_DIR #created DB 323 ret=$? 324 if [ $ret -ne 255 ]; then 325 html_failed "Certutil succeeded in deleting a cert in an empty directory $ret" 326 else 327 html_passed "Certutil didn't work in an empty dir $ret" 328 fi 329 rm -rf $EMPTY_DIR/* 2>/dev/null 330 Echo "test force opening the database readonly in a empty directory" 331 ${BINDIR}/dbtest -r -f -d $EMPTY_DIR 332 ret=$? 333 if [ $ret -ne 0 ]; then 334 html_failed "Dbtest force readonly failed in an empty directory $ret" 335 else 336 html_passed "Dbtest force readonly succeeded in an empty dir $ret" 337 fi 338 339 Echo "test opening the database r/w in a readonly directory" 340 mkdir $RONLY_DIR 341 cp -r ${CLIENTDIR}/* $RONLY_DIR 342 chmod -w $RONLY_DIR $RONLY_DIR/* 343 344 # On Mac OS X 10.1, if we do a "chmod -w" on files in an 345 # NFS-mounted directory, it takes several seconds for the 346 # first open to see the files are readonly, but subsequent 347 # opens immediately see the files are readonly. As a 348 # workaround we open the files once first. (Bug 185074) 349 if [ "${OS_ARCH}" = "Darwin" ]; then 350 cat $RONLY_DIR/* > /dev/null 351 fi 352 353 # skipping the next two tests when user is root, 354 # otherwise they would fail due to rooty powers 355 if [ $UID -ne 0 ]; then 356 ${BINDIR}/dbtest -d $RONLY_DIR 357 ret=$? 358 if [ $ret -ne 46 ]; then 359 html_failed "Dbtest r/w succeeded in a readonly directory $ret" 360 else 361 html_passed "Dbtest r/w didn't work in an readonly dir $ret" 362 fi 363 else 364 html_passed "Skipping Dbtest r/w in a readonly dir because user is root" 365 fi 366 if [ $UID -ne 0 ]; then 367 ${BINDIR}/certutil -D -n "TestUser" -d . 368 ret=$? 369 if [ $ret -ne 255 ]; then 370 html_failed "Certutil succeeded in deleting a cert in a readonly directory $ret" 371 else 372 html_passed "Certutil didn't work in an readonly dir $ret" 373 fi 374 else 375 html_passed "Skipping Certutil delete cert in a readonly directory test because user is root" 376 fi 377 378 Echo "test opening the database ronly in a readonly directory" 379 380 ${BINDIR}/dbtest -d $RONLY_DIR -r 381 ret=$? 382 if [ $ret -ne 0 ]; then 383 html_failed "Dbtest readonly failed in a readonly directory $ret" 384 else 385 html_passed "Dbtest readonly succeeded in a readonly dir $ret" 386 fi 387 388 Echo "test force opening the database r/w in a readonly directory" 389 ${BINDIR}/dbtest -d $RONLY_DIR -f 390 ret=$? 391 if [ $ret -ne 0 ]; then 392 html_failed "Dbtest force failed in a readonly directory $ret" 393 else 394 html_passed "Dbtest force succeeded in a readonly dir $ret" 395 fi 396 397 Echo "ls -l $RONLY_DIR" 398 ls -ld $RONLY_DIR $RONLY_DIR/* 399 400 mkdir ${CONFLICT_DIR} 401 Echo "test creating a new cert with a conflicting nickname" 402 cd ${CONFLICT_DIR} 403 pwd 404 ${BINDIR}/certutil -N -d ${CONFLICT_DIR} -f ${R_PWFILE} 405 ret=$? 406 if [ $ret -ne 0 ]; then 407 html_failed "Nicknane conflict test failed, couldn't create database $ret" 408 else 409 ${BINDIR}/certutil -A -n alice -t ,, -i ${R_ALICEDIR}/Alice.cert -d ${CONFLICT_DIR} 410 ret=$? 411 if [ $ret -ne 0 ]; then 412 html_failed "Nicknane conflict test failed, couldn't import alice cert $ret" 413 else 414 ${BINDIR}/certutil -A -n alice -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR} 415 ret=$? 416 if [ $ret -eq 0 ]; then 417 html_failed "Nicknane conflict test failed, could import conflict nickname $ret" 418 else 419 html_passed "Nicknane conflict test, could not import conflict nickname $ret" 420 fi 421 fi 422 fi 423 424 Echo "test importing an old cert to a conflicting nickname" 425 # first, import the certificate 426 ${BINDIR}/certutil -A -n bob -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR} 427 # now import with a different nickname 428 ${BINDIR}/certutil -A -n alice -t ,, -i ${R_BOBDIR}/Bob.cert -d ${CONFLICT_DIR} 429 # the old one should still be there... 430 ${BINDIR}/certutil -L -n bob -d ${CONFLICT_DIR} 431 ret=$? 432 if [ $ret -ne 0 ]; then 433 html_failed "Nickname conflict test-setting nickname conflict incorrectly worked" 434 else 435 html_passed "Nickname conflict test-setting nickname conflict was correctly rejected" 436 fi 437 # import a token private key and make sure the corresponding public key is 438 # created 439 IMPORT_OPTIONS="" 440 if [ -n "$NSS_DISABLE_DSA" ]; then 441 IMPORT_OPTIONS="-D noDSA" 442 fi 443 Echo "Importing Token Private Key" 444 echo "pk11importtest ${IMPORT_OPTIONS} -d ${CONFLICT_DIR} -f ${R_PWFILE}" 445 ${BINDIR}/pk11importtest ${IMPORT_OPTIONS} -d ${CONFLICT_DIR} -f ${R_PWFILE} 446 ret=$? 447 if [ $ret -ne 0 ]; then 448 html_failed "Importing Token Private Key does not create the corrresponding Public Key" 449 else 450 html_passed "Importing Token Private Key correctly creates the corrresponding Public Key" 451 fi 452 # 453 # If we are testing an sqlite db, make sure we detect corrupted attributes. 454 # This test only runs if 1) we have sqlite3 (the command line sqlite diagnostic 455 # tool) and 2) we are using the sql database (rather than the dbm). 456 # 457 which sqlite3 458 ret=$? 459 KEYDB=${CONFLICT_DIR}/key4.db 460 # make sure sql database is bing used. 461 if [ ! -f ${KEYDB} ]; then 462 Echo "skipping key corruption test: requires sql database" 463 # make sure sqlite3 is installed. 464 elif [ $ret -ne 0 ]; then 465 Echo "skipping key corruption test: sqlite3 command not installed" 466 else 467 # we are going to mangle this key database in multiple tests, save a copy 468 # so that we can restore it later. 469 cp ${KEYDB} ${KEYDB}.save 470 # dump the keys in the log for diagnostic purposes 471 ${BINDIR}/certutil -K -d ${CONFLICT_DIR} -f ${R_PWFILE} 472 # fetch the rsa and ec key ids 473 rsa_id=$(${BINDIR}/certutil -K -d ${CONFLICT_DIR} -f ${R_PWFILE} | grep rsa | awk '{ print $4}') 474 ec_id=$(${BINDIR}/certutil -K -d ${CONFLICT_DIR} -f ${R_PWFILE} | grep ' ec ' | awk '{ print $4}') 475 # now loop through all the private attributes and mangle them one at a time 476 for i in 120 122 123 124 125 126 127 128 011 477 do 478 Echo "testing if key corruption is detected in attribute $i" 479 cp ${KEYDB}.save ${KEYDB} # restore the saved keydb 480 # find all the hmacs for this key attribute and mangle each entry 481 sqlite3 ${KEYDB} ".dump metadata" | sed -e "/sig_key_.*_00000$i/{s/.*VALUES('\\(.*\\)',X'\\(.*\\)',NULL.*/\\1 \\2/;p;};d" | while read sig data 482 do 483 # mangle the last byte of the hmac 484 # The following increments the last nibble by 1 with both F and f 485 # mapping to 0. This mangles both upper and lower case results, so 486 # it will work on the mac. 487 last=$((${#data}-1)) 488 newbyte=$(echo "${data:${last}}" | tr A-Fa-f0-9 B-F0b-f0-9a) 489 mangle=${data::${last}}${newbyte} 490 echo " amending ${sig} from ${data} to ${mangle}" 491 # write the mangled entry, inserting with a key matching an existing 492 # entry will overwrite the existing entry with the same key (${sig}) 493 sqlite3 ${KEYDB} "BEGIN TRANSACTION; INSERT INTO metaData VALUES('${sig}',X'${mangle}',NULL); COMMIT" 494 done 495 # pick the key based on the attribute we are mangling, 496 # only CKA_VALUE (0x011) is not an RSA attribute, so we choose 497 # ec for 0x011 and rsa for all the rest. We could use the dsa 498 # key here, both CKA_VALUE attributes will be modifed in the loop above, but 499 # ec is more common than dsa these days. 500 if [ "$i" = "011" ]; then 501 key_id=$ec_id 502 else 503 key_id=$rsa_id 504 fi 505 # now try to use the mangled key (try to create a cert request with the key). 506 echo "${BINDIR}/certutil -R -k ${key_id} -s 'CN=BadTest, E=bad@mozilla.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US' -d ${CONFLICT_DIR} -f ${R_PWFILE} -a" 507 ${BINDIR}/certutil -R -k ${key_id} -s 'CN=BadTest, E=bad@mozilla.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US' -d ${CONFLICT_DIR} -f ${R_PWFILE} -a 508 ret=$? 509 if [ ${ret} -eq 0 ]; then 510 html_failed "Key attribute $i corruption not detected" 511 else 512 html_passed "Corrupted key attribute $i correctly disabled key" 513 fi 514 done 515 cp ${KEYDB}.save ${KEYDB} # restore the saved keydb 516 fi 517 518 519 if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then 520 LOOPS=${NSS_SDB_THREAD_LOOPS-7} 521 THREADS=${NSS_SDB_THREAD_THREADS-30} 522 mkdir -p ${THREAD_DIR} 523 Echo "testing for thread starvation while creating keys" 524 ${BINDIR}/certutil -N -d ${THREAD_DIR} --empty-password 525 ${BINDIR}/sdbthreadtst -l ${LOOPS} -t ${THREADS} -d ${THREAD_DIR} 526 ret=$? 527 case "$ret" in 528 "0") 529 html_passed "Successfully completed ${LOOPS} loops in ${THREADS} threads without failure." 530 ;; 531 "2") 532 html_failed "sdbthreadtst failed for some environment reason (like lack of memory)" 533 ;; 534 "1") 535 html_failed "sdbthreadtst failed do to starvation using ${LOOPS} loops and ${THREADS} threads." 536 ;; 537 *) 538 html_failed "sdbthreadtst failed with an unrecognized error code." 539 esac 540 541 # now verify that we can quickly dump a database that has explicit 542 # default trust values (generated by updating a dbm database with 543 # to a sql database with and older version of NSS). 544 mkdir -p ${BIG_DIR} 545 cp ${QADIR}/dbtests/bigdb/* ${BIG_DIR}/ 546 echo "time certutil -K -d ${BIG_DIR} -f ${R_PWFILE}" 547 dtime=$(time -p (certutil -K -d ${BIG_DIR} -f ${R_PWFILE}) 2>&1 1>/dev/null) 548 echo "------------- time ----------------------" 549 echo $dtime 550 # now parse the real time to make sure it's subsecond 551 RARRAY=($dtime) 552 TIMEARRAY=(${RARRAY[1]//./ }) 553 echo "${TIMEARRAY[0]} seconds" 554 test ${TIMEARRAY[0]} -lt 5 555 ret=$? 556 html_msg ${ret} 0 "certutil dump keys with explicit default trust flags" 557 fi 558 } 559 560 ################## main ################################################# 561 562 dbtest_init 563 dbtest_main 2>&1 564 if using_sql; then 565 dbtest_trust 566 fi 567 dbtest_cleanup