tor-browser

cert_iopr.sh (13461B)

---

#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

########################################################################
#
# mozilla/security/nss/tests/iopr/cert_iopr.sh
#
# Certificate generating and handeling for NSS interoperability QA. This file
# is included from cert.sh
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
#   FIXME ... known problems, search for this string
#   NOTE .... unexpected behavior
########################################################################

IOPR_CERT_SOURCED=1

########################################################################
# function wraps calls to pk12util, also: writes action and options
# to stdout. 
# Params are the same as to pk12util.
# Returns pk12util status
#
pk12u()
{
   echo "${CU_ACTION} --------------------------"

   echo "pk12util $@"
   ${BINDIR}/pk12util $@
   RET=$?

   return $RET
}

########################################################################
# Initializes nss db directory and files if they don't exists
# Params:
#      $1 - directory location
#
createDBDir() {
   trgDir=$1

   if [ -z "`ls $trgDir | grep db`" ]; then
       trgDir=`cd ${trgDir}; pwd`
       if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
		trgDir=`cygpath -m ${trgDir}`
       fi

       CU_ACTION="Initializing DB at ${trgDir}"
       certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
       if [ "$RET" -ne 0 ]; then
           return $RET
       fi

       CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
       modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
       if [ "$RET" -ne 0 ]; then
           return $RET
       fi
   fi
}
########################################################################
# takes care of downloading config, cert and crl files from remote
# location. 
# Params:
#      $1 - name of the host file will be downloaded from
#      $2 - path to the file as it appeared in url
#      $3 - target directory the file will be saved at.
# Returns tstclnt status.
#
download_file() {
   host=$1
   filePath=$2
   trgDir=$3

   file=$trgDir/`basename $filePath`

   createDBDir $trgDir || return $RET

#    echo wget -O $file http://${host}${filePath}
#    wget -O $file http://${host}${filePath}
#    ret=$?

   req=$file.$$
   echo "GET $filePath HTTP/1.0" > $req
   echo >> $req

   echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
       -v -w ${R_PWFILE} -o 
   ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
       -v -w ${R_PWFILE} -o < $req > $file
   ret=$?
   rm -f $_tmp;
   return $ret
}

########################################################################
# Uses pk12util, certutil of cerlutil to import files to an nss db located
# at <dir>(the value of $1 parameter). Chooses a utility to use based on
# a file extension. Initializing a db if it does not exists.
# Params:
#      $1 - db location directory
#      $2 - file name to import
#      $3 - nick name an object in the file will be associated with
#      $4 - trust arguments 
# Returns status of import
#      
importFile() {
   dir=$1\
   file=$2
   certName=$3
   certTrust=$4

   [ ! -d $dir ] && mkdir -p $dir;

   createDBDir $dir || return $RET
           
   case `basename $file | sed 's/^.*\.//'` in
       p12)
           CU_ACTION="Importing p12 $file to DB at $dir"
           pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr
           [ $? -ne 0 ] && return 1
           CU_ACTION="Modifying trust for cert $certName at $dir"
           certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
           return $?
           ;;
       
       crl) 
           CU_ACTION="Importing crl $file to DB at $dir"
           crlu -d ${dir} -I -n TestCA -i $file
           return $?
           ;;

       crt | cert)
           CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
           certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
               -i "$file"
           return $?
           ;;

       *)
           echo "Unknown file extension: $file:"
           return 1
           ;;
   esac
}


#########################################################################
# Downloads and installs test certs and crl from a remote webserver.
# Generates server cert for reverse testing if reverse test run is turned on.
# Params:
#      $1 - host name to download files from.
#      $2 - directory at which CA cert will be installed and used for
#           signing a server cert.
#      $3 - path to a config file in webserver context.
#      $4 - ssl server db location
#      $5 - ssl client db location
#      $5 - ocsp client db location
#
# Returns 0 upon success, otherwise, failed command error code.
#
download_install_certs() {
   host=$1
   caDir=$2
   confPath=$3
   sslServerDir=$4
   sslClientDir=$5
   ocspClientDir=$6

   [ ! -d "$caDir" ] && mkdir -p $caDir;

   #=======================================================
   # Getting config file
   #
   download_file $host "$confPath/iopr_server.cfg" $caDir
   RET=$?
   if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then
       html_failed "Fail to download website config file(ws: $host)" 
       return 1
   fi

   . $caDir/iopr_server.cfg
   RET=$?
   if [ $RET -ne 0 ]; then
       html_failed "Fail to source config file(ws: $host)" 
       return $RET
   fi

   #=======================================================
   # Getting CA file
   #

   #----------------- !!!WARNING!!! -----------------------
   # Do NOT copy this scenario. CA should never accompany its
   # cert with the private key when deliver cert to a customer.
   #----------------- !!!WARNING!!! -----------------------

   download_file $host $certDir/$caCertName.p12 $caDir
   RET=$?
   if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then
       html_failed "Fail to download $caCertName cert(ws: $host)" 
       return 1
   fi
   tmpFiles="$caDir/$caCertName.p12"

   importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C"
   RET=$?
   if [ $RET -ne 0 ]; then
       html_failed "Fail to import $caCertName cert to CA DB(ws: $host)" 
       return $RET
   fi

   CU_ACTION="Exporting Root CA cert(ws: $host)"
   certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert 
   if [ "$RET" -ne 0 ]; then
       Exit 7 "Fatal - failed to export $caCertName cert"
   fi

   #=======================================================
   # Check what tests we want to run
   #
   doSslTests=0; doOcspTests=0
   # XXX remove "_new" from variables below
   [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1
   [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1

   if [ $doSslTests -eq 1 ]; then
       if [ "$reverseRunCGIScript" ]; then
           [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;
           #=======================================================
           # Import CA cert to server DB
           #
           importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \
                       "TC,C,C"
           RET=$?
           if [ $RET -ne 0 ]; then
               html_failed "Fail to import server-client-CA cert to \
                            server DB(ws: $host)" 
               return $RET
           fi
           
           #=======================================================
           # Creating server cert
           #
           CERTNAME=$HOSTADDR
           
           CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
           CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, \
                       L=Mountain View, ST=California, C=US"
           certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
               -o $sslServerDir/req 2>&1
           tmpFiles="$tmpFiles $sslServerDir/req"

           # NOTE:
           # For possible time synchronization problems (bug 444308) we generate
           # certificates valid also some time in past (-w -1)

           CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
           certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \
               -d "${caDir}" \
               -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \
               -f "${R_PWFILE}" 2>&1
           
           importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"
           RET=$?
           if [ $RET -ne 0 ]; then
               html_failed "Fail to import $CERTNAME cert to server\
                            DB(ws: $host)" 
               return $RET
           fi
           tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
           
           #=======================================================
           # Download and import CA crl to server DB
           #
           download_file $host "$certDir/$caCrlName.crl" $sslServerDir
           RET=$?
           if [ $? -ne 0 ]; then
               html_failed "Fail to download $caCertName crl\
                            (ws: $host)" 
               return $RET
           fi
           tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"
           
           importFile $sslServerDir $sslServerDir/TestCA.crl
           RET=$?
           if [ $RET -ne 0 ]; then
               html_failed "Fail to import TestCA crt to server\
                            DB(ws: $host)" 
               return $RET
           fi
       fi # if [ "$reverseRunCGIScript" ]
       
       [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;
       #=======================================================
       # Import CA cert to ssl client DB
       #
       importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \
                  "TC,C,C"
       RET=$?
       if [ $RET -ne 0 ]; then
           html_failed "Fail to import server-client-CA cert to \
                        server DB(ws: $host)" 
           return $RET
       fi
   fi

   if [ $doOcspTests -eq 1 ]; then
       [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;
       #=======================================================
       # Import CA cert to ocsp client DB
       #
       importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \
                  "TC,C,C"
       RET=$?
       if [ $RET -ne 0 ]; then
           html_failed "Fail to import server-client-CA cert to \
                        server DB(ws: $host)" 
           return $RET
       fi
   fi

   #=======================================================
   # Import client certs to client DB
   #
   for fileName in $downloadFiles; do
       certName=`echo $fileName | sed 's/\..*//'`

       if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then
           clientDir=$ocspClientDir
       elif [ $doSslTests -eq 1 ]; then
           clientDir=$sslClientDir
       else
           continue
       fi

       download_file $host "$certDir/$fileName" $clientDir
       RET=$?
       if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then
           html_failed "Fail to download $certName cert(ws: $host)" 
           return $RET
       fi
       tmpFiles="$tmpFiles $clientDir/$fileName"
       
       importFile $clientDir $clientDir/$fileName $certName ",,"
       RET=$?
       if [ $RET -ne 0 ]; then
           html_failed "Fail to import $certName cert to client DB\
                       (ws: $host)" 
           return $RET
       fi
   done

   rm -f $tmpFiles

   return 0
}


#########################################################################
# Initial point for downloading config, cert, crl files for multiple hosts
# involved in interoperability testing. Called from nss/tests/cert/cert.sh
# It will only proceed with downloading if environment variable 
# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space.
#
# Returns 1 if interoperability testing is off, 0 otherwise. 
#
cert_iopr_setup() {

   if [ "$IOPR" -ne 1 ]; then
       return 1
   fi
   num=1
   IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '`
   while [ "$IOPR_HOST_PARAM" ]; do
       IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
       IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
       [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443
       IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`
       [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"
       
       echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\
             $IOPR_CONF_PATH"
       
       download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \
           ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \
           ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \
           ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
       if [ $? -ne 0 ]; then
           echo "wsFlags=\"NOIOPR $wsParam\"" >> \
               ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
       fi
       num=`expr $num + 1`
       IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
   done
   
   return 0
}