367288 - write tests that covers existing OCSP functionality. r=nelson

alexei.volkov.bugs%sun.com 2007-03-02 23:13:32 +00:00
Родитель 21fae80273
Коммит 6e9d567666
7 изменённых файлов: 765 добавлений и 186 удалений


@ -388,8 +388,9 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
EXT_CLIENTDIR=${HOSTDIR}/ext_client
IOPR_CADIR=${HOSTDIR}/CA_iopr
IOPR_SERVERDIR=${HOSTDIR}/server_iopr
IOPR_CLIENTDIR=${HOSTDIR}/client_iopr
IOPR_SSL_SERVERDIR=${HOSTDIR}/server_ssl_iopr
IOPR_SSL_CLIENTDIR=${HOSTDIR}/client_ssl_iopr
IOPR_OCSP_CLIENTDIR=${HOSTDIR}/client_ocsp_iopr
CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
@ -425,8 +426,9 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
R_SERVERDIR=../server
R_CLIENTDIR=../client
R_IOPR_CADIR=../CA_iopr
R_IOPR_SERVERDIR=../server_iopr
R_IOPR_CLIENTDIR=../client_iopr
R_IOPR_SSL_SERVERDIR=../server_ssl_iopr
R_IOPR_SSL_CLIENTDIR=../client_ssl_iopr
R_IOPR_OCSP_CLIENTDIR=../client_ocsp_iopr
R_ALICEDIR=../alicedir
R_BOBDIR=../bobdir
R_DAVEDIR=../dave


@ -179,16 +179,19 @@ importFile() {
# $2 - directory at which CA cert will be installed and used for
# signing a server cert.
# $3 - path to a config file in webserver context.
# $4 - server db location
# $5 - client db location
# $4 - ssl server db location
# $5 - ssl client db location
# $5 - ocsp client db location
#
# Returns 0 upon success, otherwise, failed command error code.
#
download_install_certs() {
host=$1
caDir=$2
confPath=$3
serverDir=$4
clientDir=$5
sslServerDir=$4
sslClientDir=$5
ocspClientDir=$6
[ ! -d "$caDir" ] && mkdir -p $caDir;
@ -239,88 +242,133 @@ download_install_certs() {
Exit 7 "Fatal - failed to export $caCertName cert"
fi
if [ "$reverseRunCGIScript" ]; then
[ ! -d "$serverDir" ] && mkdir -p $serverDir;
#=======================================================
# Import CA cert to server DB
#
importFile $serverDir $caDir/$caCertName.cert server-client-CA "TC,C,C"
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import server-client-CA cert to server DB(ws: $host)"
return $RET
fi
#=======================================================
# Creating server cert
#
CERTNAME=$HOSTADDR
CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${serverDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o $serverDir/req 2>&1
tmpFiles="$tmpFiles $serverDir/req"
CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
certu -C -c "$caCertName" -m `date +"%s"` -v 60 -d "${caDir}" \
-i ${serverDir}/req -o $caDir/${CERTNAME}.cert -f "${R_PWFILE}" 2>&1
importFile $serverDir $caDir/$CERTNAME.cert $CERTNAME ",,"
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import $CERTNAME cert to server DB(ws: $host)"
return $RET
fi
tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
#=======================================================
# Download and import CA crl to server DB
#
download_file $host "$certDir/$caCrlName.crl" $serverDir
RET=$?
if [ $? -ne 0 ]; then
html_failed "<TR><TD>Fail to download $caCertName crl(ws: $host)"
return $RET
fi
tmpFiles="$tmpFiles $serverDir/$caCrlName.crl"
importFile $serverDir $serverDir/TestCA.crl
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import TestCA crt to server DB(ws: $host)"
return $RET
fi
fi # if [ "$reverseRunCGIScript" ]
[ ! -d "$clientDir" ] && mkdir -p $clientDir;
#=======================================================
# Import CA cert to client DB
# Check what tests we want to run
#
importFile $clientDir $caDir/$caCertName.cert server-client-CA "TC,C,C"
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import server-client-CA cert to server DB(ws: $host)"
return $RET
doSslTests=0; doOcspTests=0
# XXX remove "_new" from variables below
[ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1
[ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1
if [ $doSslTests -eq 1 ]; then
if [ "$reverseRunCGIScript" ]; then
[ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;
#=======================================================
# Import CA cert to server DB
#
importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \
"TC,C,C"
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import server-client-CA cert to \
server DB(ws: $host)"
return $RET
fi
#=======================================================
# Creating server cert
#
CERTNAME=$HOSTADDR
CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
L=Mountain View, ST=California, C=US"
certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
-o $sslServerDir/req 2>&1
tmpFiles="$tmpFiles $sslServerDir/req"
CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
certu -C -c "$caCertName" -m `date +"%s"` -v 60 -d "${caDir}" \
-i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \
-f "${R_PWFILE}" 2>&1
importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import $CERTNAME cert to server\
DB(ws: $host)"
return $RET
fi
tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
#=======================================================
# Download and import CA crl to server DB
#
download_file $host "$certDir/$caCrlName.crl" $sslServerDir
RET=$?
if [ $? -ne 0 ]; then
html_failed "<TR><TD>Fail to download $caCertName crl\
(ws: $host)"
return $RET
fi
tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"
importFile $sslServerDir $sslServerDir/TestCA.crl
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import TestCA crt to server\
DB(ws: $host)"
return $RET
fi
fi # if [ "$reverseRunCGIScript" ]
[ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;
#=======================================================
# Import CA cert to ssl client DB
#
importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \
"TC,C,C"
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import server-client-CA cert to \
server DB(ws: $host)"
return $RET
fi
fi
if [ $doOcspTests -eq 1 ]; then
[ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;
#=======================================================
# Import CA cert to ocsp client DB
#
importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \
"TC,C,C"
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import server-client-CA cert to \
server DB(ws: $host)"
return $RET
fi
fi
#=======================================================
# Import client certs to client DB
#
for certName in $userCertNames; do
download_file $host "$certDir/$certName.p12" $clientDir
for fileName in $downloadFiles; do
certName=`echo $fileName | sed 's/\..*//'`
if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then
clientDir=$ocspClientDir
elif [ $doSslTests -eq 1 ]; then
clientDir=$sslClientDir
else
continue
fi
download_file $host "$certDir/$fileName" $clientDir
RET=$?
if [ $RET -ne 0 -o ! -f $clientDir/$certName.p12 ]; then
if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then
html_failed "<TR><TD>Fail to download $certName cert(ws: $host)"
return $RET
fi
tmpFiles="$tmpFiles $clientDir/$certName.p12"
tmpFiles="$tmpFiles $clientDir/$fileName"
importFile $clientDir $clientDir/$certName.p12 $certName ",,"
importFile $clientDir $clientDir/$fileName $certName ",,"
RET=$?
if [ $RET -ne 0 ]; then
html_failed "<TR><TD>Fail to import $certName cert to client DB(ws: $host)"
html_failed "<TR><TD>Fail to import $certName cert to client DB\
(ws: $host)"
return $RET
fi
done
@ -353,11 +401,13 @@ cert_iopr_setup() {
IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`
[ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"
echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:$IOPR_CONF_PATH"
echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\
$IOPR_CONF_PATH"
download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \
${IOPR_CONF_PATH} ${IOPR_SERVERDIR}_${IOPR_HOSTADDR} \
${IOPR_CLIENTDIR}_${IOPR_HOSTADDR}
${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \
${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \
${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
if [ $? -ne 0 ]; then
echo "wsFlags=\"NOIOPR $wsParam\"" >> \
${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
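Review bot: `download_file` failures are never detected at `RET=$?` followed by `if [ $? -ne 0 ]; then` in the server-CRL step, because the second `$?` is the status of the assignment (always 0), so a missing CRL still reaches `importFile $sslServerDir $sslServerDir/TestCA.crl`; it should read `if [ $RET -ne 0 ]; then` like every other check in this function. The pattern was carried over from the old block rather than introduced here, but the new client loop (`download_file $host "$certDir/$fileName" $clientDir` then `if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]`) shows the correct form. The parameter comment `# $5 - ocsp client db location` should read `# $6 - ocsp client db location` to match `ocspClientDir=$6`. Every entry of `downloadFiles` is imported with trust `",,"` whether it is a .p12 or a .crt; presumably `importFile` dispatches on the extension, but that is worth confirming since the .crt responder certificate is later relied on as a trusted responder. download_install_certs continues outside this hunk.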


@ -0,0 +1,217 @@
#! /bin/sh
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
########################################################################
#
# mozilla/security/nss/tests/iopr/ocsp_iopr.sh
#
# NSS SSL interoperability QA. This file is included from ssl.sh
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
#
# FIXME - Netscape - NSS
########################################################################
IOPR_OCSP_SOURCED=1
########################################################################
# The funtion works with variables defined in interoperability
# configuration file that gets downloaded from a webserver.
# The function sets test parameters defind for a particular type
# of testing.
#
# No return value
#
setTestParam() {
type=$1
testParam=`eval 'echo $'${type}Param`
testDescription=`eval 'echo $'${type}Descr`
testProto=`eval 'echo $'${type}Proto`
testPort=`eval 'echo $'${type}Port`
testResponder=`eval 'echo $'${type}ResponderCert`
testValidCertNames=`eval 'echo $'${type}ValidCertNames`
testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames`
testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames`
}
########################################################################
# The funtion checks status of a cert using ocspclnt.
# Params:
# dbDir - nss cert db location
# cert - cert in question
# respUrl - responder url is available
# defRespCert - trusted responder cert
#
# Return values:
# 0 - test passed, 1 - otherwise.
#
ocsp_get_cert_status() {
dbDir=$1
cert=$2
respUrl=$3
defRespCert=$4
if [ -n "$respUrl" -o -n "$defRespCert" ]; then
if [ -z "$respUrl" -o -z "$defRespCert" ]; then
html_failed "<TR><TD>Incorrect test params"
return 1
fi
clntParam="-l $respUrl -t $defRespCert"
fi
outFile=$dbDir/ocsptest.out.$$
ocspclnt -d $dbDir -S $cert $clntParam &> $outFile
res=$?
echo "ocspclnt output:"
cat $outFile
[ -z "`grep succeeded $outFile`" ] && res=1
rm -f $outFile
return $res
}
########################################################################
# The funtion checks status of a cert using ocspclnt.
# Params:
# testType - type of the test based on type of used responder
# servName - FQDM of the responder server
# dbDir - nss cert db location
#
# No return value
#
ocsp_iopr() {
testType=$1
servName=$2
dbDir=$3
setTestParam $testType
if [ "`echo $testParam | grep NOCOV`" != "" ]; then
echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
"run by server configuration"
return 0
fi
html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \
"Test Type: $testDescription"
if [ -n "$testResponder" ]; then
responderUrl="$testProto://$servName:$testPort"
else
responderUrl=""
fi
for certName in $testValidCertNames; do
ocsp_get_cert_status $dbDir $certName "$responderUrl" "$testResponder"
html_msg $? 0 "Getting status of a valid cert ($certName)" \
"produced a returncode of $ret, expected is $value"
done
for certName in $testRevokedCertNames; do
ocsp_get_cert_status $dbDir $certName "$responderUrl" "$testResponder"
html_msg $? 1 "Getting status of a unvalid cert ($certName)" \
"produced a returncode of $ret, expected is $value"
done
for certName in $testStatUnknownCertNames; do
ocsp_get_cert_status $dbDir $certName "$responderUrl" "$testResponder"
html_msg $? 1 "Getting status of a cert with unknown status ($certName)" \
"produced a returncode of $ret, expected is $value"
done
}
#####################################################################
# Initial point for running ocsp test againt multiple hosts involved in
# interoperability testing. Called from nss/tests/ocsp/ocsp.sh
# It will only proceed with test run for a specific host if environment variable
# IOPR_HOSTADDR_LIST was set, had the host name in the list
# and all needed file were successfully downloaded and installed for the host.
#
# Returns 1 if interoperability testing is off, 0 otherwise.
#
ocsp_iopr_run() {
NO_ECC_CERTS=1 # disable ECC for interoperability tests
if [ "$IOPR" -ne 1 ]; then
return 1
fi
cd ${CLIENTDIR}
num=1
IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
while [ "$IOPR_HOST_PARAM" ]; do
IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
[ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443
. ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
RES=$?
num=`expr $num + 1`
IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then
continue
fi
#=======================================================
# Check what server is configured to run ssl tests
#
[ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue;
# Testing directories defined by webserver.
echo "Testing ocsp interoperability.
Client: local(tstclnt).
Responder: remote($IOPR_HOSTADDR)"
for ocspTestType in ${supportedTests_new}; do
if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then
continue
fi
ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
done
echo "================================================"
echo "Done testing ocsp interoperability with $IOPR_HOSTADDR"
done
NO_ECC_CERTS=0
return 0
}
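Review bot: `ocspclnt -d $dbDir -S $cert $clntParam &> $outFile` in ocsp_get_cert_status uses the bash-only `&>` redirection, but the file declares `#! /bin/sh`; a POSIX sh parses this as `ocspclnt ... &` followed by a bare `> $outFile`, so the client runs in the background, `res=$?` reports the empty redirection command, and `cat`/`grep` race against a file that may still be empty. Use `ocspclnt -d $dbDir -S $cert $clntParam > $outFile 2>&1`. Separately, `clntParam` is a global that is assigned only when a responder is supplied, so after an OcspTrustedResponder run its `-l ... -t ...` arguments leak into the following OcspResponderCA and OcspDesinatedResponder runs, which pass an empty `$respUrl` and `$defRespCert`; add `clntParam=""` before the `if [ -n "$respUrl" -o -n "$defRespCert" ]` test. The skip message `echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from "` and the `html_msg` suffix `"produced a returncode of $ret, expected is $value"` reference variables this file never sets and look copied from ssl_iopr.sh; the message should name OCSP and the suffix should use a captured status (e.g. `ret=$?` before `html_msg $ret 0 ...`).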


@ -28,6 +28,22 @@ repAndExec() {
return $RET
}
setExtData() {
extData=$1
fldNum=0
extData=`echo $extData | sed 's/,/ /g'`
for extDT in $extData; do
if [ $fldNum -eq 0 ]; then
eval extType=$extDT
fldNum=1
continue
fi
eval data${fldNum}=$extDT
fldNum=`expr $fldNum + 1`
done
}
signCert() {
dir=$1
crtDir=$2
@ -35,97 +51,98 @@ signCert() {
crtSN=$4
req=$5
cuAddParam=$6
extList=$7
if [ -z "$certSigner" ]; then
certSigner=TestCA
fi
extCmdLine=""
extCmdFile=$dir/extInFile; rm -f $extCmdFile
touch $extCmdFile
extList=`echo $extList | sed 's/;/ /g'`
for ext in $extList; do
setExtData $ext
[ -z "$extType" ] && echo "incorrect extention format" && return 1
case $extType in
ocspDR)
extCmdLine="$extCmdLine -6"
cat <<EOF >> $extCmdFile
5
9
y
EOF
break
exit 1
;;
AIA)
extCmdLine="$extCmdLine -9"
cat <<EOF >> $extCmdFile
2
7
$data1
0
n
n
EOF
break
;;
*)
echo "Unsupported extension type: $extType"
break
;;
esac
done
echo "cmdLine: $extCmdLine"
echo "cmdFile: "`cat $extCmdFile`
repAndExec \
certutil $cuAddParam -C -c "TestCA" -m $crtSN -v 599 -d "${dir}" \
-i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" 2>&1
certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
-i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
return $RET
}
createSignedCert() {
dir=$1
certName=$2
certSN=$3
certSubj=$4
keyType=$5
exportFile=$6
certDir=$2
certName=$3
certSN=$4
certSubj=$5
keyType=$6
extList=$7
echo Creating cert $certName with SN=$certSN
echo Creating cert $certName-$keyType with SN=$certSN
CU_SUBJECT="$certSubj"
CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
repAndExec \
certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
-k $keyType -o $dir/req 2>&1
[ "$RET" -ne 0 ] && return $RET
signCert $dir $dir $certName $certSN $dir/req
signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
ret=$?
[ "$ret" -ne 0 ] && return $ret
rm -f $dir/req
repAndExec \
certutil -A -n ${certName}-${keyType} -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
-i "$dir/${certName}.crt" 2>&1
certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
-i "$dir/${certName}-$keyType.crt" 2>&1
[ "$RET" -ne 0 ] && return $RET
cp "$dir/${certName}-$keyType.crt" $certDir
repAndExec \
pk12util -d $dir -o $exportFile -n ${certName}-${keyType} -k ${PW_FILE} -W iopr
pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
-k ${PW_FILE} -W iopr
[ "$RET" -ne 0 ] && return $RET
return 0
}
generateServerCerts() {
certDir=$1
serverName=$2
servCertReq=$3
[ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
[ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
mkdir -p $certDir
[ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
dir=/tmp/db.$$
if [ -d "$dir" ]; then
rm -f $dir
fi
mkdir -p $dir
[ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
PW_FILE=$dir/nss.pwd
NOISE_FILE=$dir/nss.noise
echo nss > $PW_FILE
date >> ${NOISE_FILE} 2>&1
repAndExec \
certutil -d $dir -N -f $PW_FILE
[ "$RET" -ne 0 ] && return $RET
certName=TestCA
CU_SUBJECT="CN=NSS IOPR Test CA $$, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
repAndExec \
certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
-f ${PW_FILE} -z ${NOISE_FILE} -m 10000 2>&1 <<EOF
5
6
9
n
y
-1
n
EOF
repAndExec \
certutil -L -n $certName -r -d ${dir} -o $certDir/$certName.crt
[ "$RET" -ne 0 ] && return $RET
repAndExec \
pk12util -d $dir -o $certDir/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
[ "$RET" -ne 0 ] && return $RET
generateAndExportSSLCerts() {
dir=$1
certDir=$2
serverName=$3
servCertReq=$4
if [ "$servCertReq" -a -f $servCertReq ]; then
grep REQUEST $servCertReq >/dev/null 2>&1
@ -135,41 +152,190 @@ EOF
fi
certName=$serverName
certSubj="CN=$certName, E=${certName}-rsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
createSignedCert $dir $certName 500 "$certSubj" rsa $certDir/${certName}-rsa.p12
createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=$serverName
certName=$serverName
certSubj="CN=$certName, E=${certName}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
createSignedCert $dir $certName 501 "$certSubj" dsa $certDir/${certName}-dsa.p12
createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=TestUser510
certSubj="CN=$certName, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
createSignedCert $dir $certName 510 "$certSubj" rsa $certDir/${certName}-rsa.p12
createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=TestUser511
certSubj="CN=$certName, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
createSignedCert $dir $certName 511 "$certSubj" dsa $certDir/${certName}-dsa.p12
createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=TestUser512
certSubj="CN=$certName, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
createSignedCert $dir $certName 512 "$certSubj" rsa $certDir/${certName}-rsa.p12
createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=TestUser513
certSubj="CN=$certName, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
createSignedCert $dir $certName 513 "$certSubj" dsa $certDir/${certName}-dsa.p12
createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
}
generateAndExportOCSPCerts() {
dir=$1
certDir=$2
certName=ocspTrustedResponder
createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=ocspDesignatedResponder
createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=ocspTRTestUser514
createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=ocspTRTestUser516
createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=ocspRCATestUser518
createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
AIA,http://dochinups.red.iplanet.com:2561
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=ocspRCATestUser520
createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
AIA,http://dochinups.red.iplanet.com:2561
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=ocspDRTestUser522
createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
AIA,http://dochinups.red.iplanet.com:2562
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=ocspDRTestUser524
createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
AIA,http://dochinups.red.iplanet.com:2562
ret=$?
[ "$ret" -ne 0 ] && return $ret
generateAndExportCACert $dir "" TestCA-unknown
[ $? -ne 0 ] && return $ret
certSigner=TestCA-unknown
certName=ocspTRUnkownIssuerCert
createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=ocspRCAUnkownIssuerCert
createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
AIA,http://dochinups.red.iplanet.com:2561
ret=$?
[ "$ret" -ne 0 ] && return $ret
certName=ocspDRUnkownIssuerCert
createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
AIA,http://dochinups.red.iplanet.com:2562
ret=$?
[ "$ret" -ne 0 ] && return $ret
certSigner=""
return 0
}
generateAndExportCACert() {
dir=$1
certDirL=$2
caName=$3
certName=TestCA
[ "$caName" ] && certName=$caName
CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
repAndExec \
certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
-f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
5
6
9
n
y
-1
n
EOF
if [ "$certDirL" ]; then
repAndExec \
certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
[ "$RET" -ne 0 ] && return $RET
repAndExec \
pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
[ "$RET" -ne 0 ] && return $RET
fi
}
generateCerts() {
certDir=$1
serverName=$2
reuseCACert=$3
servCertReq=$4
[ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
[ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
mkdir -p $certDir
[ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
dir=/tmp/db.$$
if [ -z "$reuseCACert" ]; then
if [ -d "$dir" ]; then
rm -f $dir
fi
PW_FILE=$dir/nss.pwd
NOISE_FILE=$dir/nss.noise
mkdir -p $dir
[ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
echo nss > $PW_FILE
date >> ${NOISE_FILE} 2>&1
repAndExec \
certutil -d $dir -N -f $PW_FILE
[ "$RET" -ne 0 ] && return $RET
generateAndExportCACert $dir $certDir
[ "$RET" -ne 0 ] && return $RET
else
dir=$reuseCACert
PW_FILE=$dir/nss.pwd
NOISE_FILE=$dir/nss.noise
hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
[ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
return $RET;
fi
generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
[ "$RET" -ne 0 ] && return $RET
generateAndExportOCSPCerts $dir $certDir
[ "$RET" -ne 0 ] && return $RET
crlUpdate=`date +%Y%m%d%H%M%SZ`
crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
@ -178,6 +344,9 @@ EOF
update=$crlUpdate
nextupdate=$crlNextUpdate
addcert 509-511 $crlUpdate
addcert 516 $crlUpdate
addcert 520 $crlUpdate
addcert 524 $crlUpdate
EOF_CRLINI
[ "$RET" -ne 0 ] && return $RET
@ -187,8 +356,8 @@ EOF_CRLINI
if [ -z "$1" -o -z "$2" ]; then
echo "$0 <dest dir> <cert name> [cert req]"
echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
exit 1
fi
generateServerCerts $1 $2 $3
generateCerts $1 $2 "$3" $4
exit $?
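Review bot: the nicknames generated in generateAndExportOCSPCerts, `ocspTRUnkownIssuerCert`, `ocspRCAUnkownIssuerCert` and `ocspDRUnkownIssuerCert`, are spelled `Unkown`, while the sample configuration added in this commit lists `ocspTRUnknownIssuerCert-rsa.crt` (and the RCA/DR variants) in `downloadFiles` and in the `*StatUnknownCertNames` values; as written, download_install_certs will fail to fetch those three files, mark the host NOIOPR, and the unknown-status cases never run, so one side must be renamed to match the other. In signCert every `case` arm ends in `break`, so the `for ext in $extList` loop applies only the first `;`-separated extension and the `exit 1` after the first `break` is unreachable; if several extensions per cert are intended, drop the `break`s and let `;;` close each arm. `generateAndExportCACert $dir "" TestCA-unknown` is followed by `[ $? -ne 0 ] && return $ret`, which returns the previous (successful) `$ret` rather than the failing status, and generateAndExportCACert itself never checks `$RET` after `certutil -S`, whose `>&1` (formerly `2>&1`) is a no-op redirection. The AIA responder URLs `http://dochinups.red.iplanet.com:2561` and `:2562` are hardcoded in six calls; hoisting them into one variable near the top of the script would let the generator target a different responder host without editing each call.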


@ -0,0 +1,63 @@
certDir=/iopr
caCertName=TestCA
caCrlName=TestCA
#old values
userCertNames="TestUser510-rsa TestUser512-rsa"
userRevokedCertNames="TestUser510-rsa"
reverseRunCGIScript="/cgi-bin/client.cgi"
#reverseTestParam=NOREVALL
supportedTests="SslSingleHs SslSecondHs"
#supportedTests="SslSecondHs"
downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
# Keep a space at the end of
SslClntValidCertName="TestUser512-rsa"
SslClntRevokedCertName="TestUser510-rsa"
reverseRunCGIScript="/cgi-bin/client.cgi"
#reverseTestParam=NOREVALL
supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
#
# SslSingleHs: ssl single handshake with out client cert auth
SslSingleHsDescr="ssl with single handshake without client cert auth"
SslSingleHsPort=443
SslSingleHsUrl=/iopr_test/test_pg.html
SslSingleHsParam=NOAUTH
#
# SslSecondHs: ssl with secondary hs when accessing direcory
# that requires cert verification
SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
SslSecondHsPort=443
SslSecondHsUrl=/iopr_test_2hs/test_pg.html
SslSecondHsParam=NOCOV
#
# OcspTrustedResponder - trusted responder key is used to sign OCSP response
#
OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
OcspTrustedResponderProto=http
OcspTrustedResponderPort=2560
OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
#
# OcspResponderCA - CA key is used to sign OCSP response
#
OcspResponderCADescr="CA key is used to sign OCSP response"
OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
#
# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
#
OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
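Review bot: the block under `#old values` (`userCertNames`, `userRevokedCertNames`, `supportedTests` and the first `reverseRunCGIScript`) is duplicated or superseded by the `SslClnt*` and `supportedTests_new` settings below it; `reverseRunCGIScript="/cgi-bin/client.cgi"` is assigned twice with the same value. If the old names are kept so servers running the previous scripts still work, a comment such as `# Legacy names read by pre-OCSP client scripts; remove once all hosts are updated` would make that explicit; otherwise they can be dropped. The comment `# Keep a space at the end of` is cut off and does not say which variable it applies to; finish it or remove it.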


@ -55,19 +55,14 @@ IOPR_SSL_SOURCED=1
# The functions works with variables defined in interoperability
# configuration file that was downloaded from a webserver.
# It tries to find unrevoked cert based on value of variable
# "userRevokedCertNames" defined in the configuration file.
# "SslClntValidCertName" defined in the configuration file.
# Params NONE.
# Returns 0 if found, 1 otherwise.
#
setValidCert() {
testUser=
for user in $userCertNames; do
if [ "`echo $userRevokedCertNames | grep -v $user`" != "" ]; then
testUser=$user
return 0
fi
done
return 1
testUser=$SslClntValidCertName
[ -z "$testUser" ] && return 1
return 0
}
########################################################################
@ -253,12 +248,6 @@ ssl_iopr_crl_ext_server()
html_head "CRL SSL Client Tests of WebServer($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): $testDescription"
setValidCert; ret=$?
if [ $ret -ne 0 ]; then
html_failed "<TR><TD>Fail to find valid test cert(ws: $host)"
return $ret
fi
SSL_REQ_FILE=${TMP}/sslreq.dat.$$
echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
echo >> $SSL_REQ_FILE
@ -271,7 +260,7 @@ ssl_iopr_crl_ext_server()
[ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
rev_modvalue=254
for testUser in $userCertNames; do
for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} \\"
@ -289,7 +278,7 @@ ssl_iopr_crl_ext_server()
[ $ret -ne 0 ] && cat $resFile
rm -f $resFile 2>/dev/null
if [ "`echo $userRevokedCertNames | grep $testUser`" != "" ]; then
if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
modvalue=$rev_modvalue
testAddMsg="revoked"
else
@ -539,7 +528,7 @@ ssl_iopr_crl_ext_client()
sparam="$sparam -vvvc ABCDEFcdefgijklmnvyz"
start_selfserv
for testUser in $userCertNames; do
for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
is_selfserv_alive
@ -580,7 +569,7 @@ ssl_iopr_crl_ext_client()
ret=11
fi
if [ "`echo $userRevokedCertNames | grep $testUser`" != "" ]; then
if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
modvalue=1
testAddMsg="revoked"
else
@ -633,19 +622,26 @@ ssl_iopr_run() {
continue
fi
#=======================================================
# Check if server is capable to run ssl tests
#
[ -z "`echo ${supportedTests_new} | grep -i ssl`" ] && continue;
# Testing directories defined by webserver.
echo "Testing ssl interoperability.
Client: local(tstclnt).
Server: remote($IOPR_HOSTADDR:$IOPR_OPEN_PORT)"
for sslTestType in $supportedTests; do
for sslTestType in ${supportedTests_new}; do
if [ -z "`echo $sslTestType | grep -i ssl`" ]; then
continue
fi
ssl_iopr_cov_ext_server $sslTestType ${IOPR_HOSTADDR} \
${IOPR_CLIENTDIR}_${IOPR_HOSTADDR}
${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
ssl_iopr_auth_ext_server $sslTestType ${IOPR_HOSTADDR} \
${IOPR_CLIENTDIR}_${IOPR_HOSTADDR}
${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
ssl_iopr_crl_ext_server $sslTestType ${IOPR_HOSTADDR} \
${IOPR_CLIENTDIR}_${IOPR_HOSTADDR}
${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
done
@ -654,17 +650,17 @@ ssl_iopr_run() {
Client: remote($IOPR_HOSTADDR:$PORT)
Server: local(selfserv)"
ssl_iopr_cov_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
${HOSTADDR} ${PORT} ${R_IOPR_SERVERDIR}_${IOPR_HOSTADDR}
${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
ssl_iopr_auth_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
${HOSTADDR} ${PORT} ${R_IOPR_SERVERDIR}_${IOPR_HOSTADDR}
${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
ssl_iopr_crl_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
${HOSTADDR} ${PORT} ${R_IOPR_SERVERDIR}_${IOPR_HOSTADDR}
${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
echo "================================================"
echo "Done testing interoperability with $IOPR_HOSTADDR"
num=`expr $num + 1`
IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
done
NO_ECC_CERTS=0 #disable ECC for interoperability
NO_ECC_CERTS=0
return 0
}
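Review bot: the revoked-cert test `if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then` in ssl_iopr_crl_ext_server, and the identical line in ssl_iopr_crl_ext_client, is a substring match inherited from the list-valued `userRevokedCertNames`; now that both variables hold a single nickname, a valid name that is a prefix of the revoked one (constructed example: `TestUser51` against `TestUser510-rsa`) would be reported as revoked. A direct comparison is clearer and exact: `if [ "$testUser" = "$SslClntRevokedCertName" ]; then`. Both enclosing functions start and end outside these hunks.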


@ -0,0 +1,82 @@
#! /bin/sh
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
########################################################################
#
# mozilla/security/nss/tests/ocsp/ocsp.sh
#
# Script to test NSS OCSP
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
#
########################################################################
############################## ssl_init ################################
# local shell function to initialize this script
########################################################################
ocsp_init()
{
SCRIPTNAME=ocsp.sh # sourced - $0 would point to all.sh
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
fi
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
cd ../common
. ./init.sh
fi
if [ -z "${IOPR_OCSP_SOURCED}" ]; then
. ../iopr/ocsp_iopr.sh
fi
if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
cd ../cert
. ./cert.sh
fi
SCRIPTNAME=ocsp.sh
echo "$SCRIPTNAME: OCSP tests ==============================="
cd ${CLIENTDIR}
}
################## main #################################################
ocsp_init
ocsp_iopr_run
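Review bot: the banner `############################## ssl_init ################################` names the wrong function and should read `ocsp_init`. `SCRIPTNAME=ocsp.sh` is assigned twice in ocsp_init, once before the CLEANUP check and again before the echo; the second assignment is redundant unless one of the sourced scripts overwrites it, in which case a comment saying so would help. `if [ ! -r $CERT_LOG_FILE ]; then` is unquoted; if CERT_LOG_FILE is unset the test degenerates to `[ ! -r ]`, which evaluates false under a POSIX test, and cert.sh would silently be skipped — `if [ ! -r "${CERT_LOG_FILE}" ]; then` keeps the intended check. The `. ../iopr/ocsp_iopr.sh` path is relative to whatever the working directory is at that point (`../common` after the init.sh step, otherwise the caller's directory), which presumably works only because common, iopr and ocsp are sibling directories; a short comment stating that assumption would save the next reader some tracing.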