зеркало из https://github.com/mozilla/pjs.git
367288 - write tests that covers existing OCSP functionality. r=nelson
Родитель
21fae80273
Коммит
6e9d567666
|
@ -388,8 +388,9 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
|
|||
EXT_CLIENTDIR=${HOSTDIR}/ext_client
|
||||
|
||||
IOPR_CADIR=${HOSTDIR}/CA_iopr
|
||||
IOPR_SERVERDIR=${HOSTDIR}/server_iopr
|
||||
IOPR_CLIENTDIR=${HOSTDIR}/client_iopr
|
||||
IOPR_SSL_SERVERDIR=${HOSTDIR}/server_ssl_iopr
|
||||
IOPR_SSL_CLIENTDIR=${HOSTDIR}/client_ssl_iopr
|
||||
IOPR_OCSP_CLIENTDIR=${HOSTDIR}/client_ocsp_iopr
|
||||
|
||||
CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
|
||||
|
||||
|
@ -425,8 +426,9 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
|
|||
R_SERVERDIR=../server
|
||||
R_CLIENTDIR=../client
|
||||
R_IOPR_CADIR=../CA_iopr
|
||||
R_IOPR_SERVERDIR=../server_iopr
|
||||
R_IOPR_CLIENTDIR=../client_iopr
|
||||
R_IOPR_SSL_SERVERDIR=../server_ssl_iopr
|
||||
R_IOPR_SSL_CLIENTDIR=../client_ssl_iopr
|
||||
R_IOPR_OCSP_CLIENTDIR=../client_ocsp_iopr
|
||||
R_ALICEDIR=../alicedir
|
||||
R_BOBDIR=../bobdir
|
||||
R_DAVEDIR=../dave
|
||||
|
|
|
@ -179,16 +179,19 @@ importFile() {
|
|||
# $2 - directory at which CA cert will be installed and used for
|
||||
# signing a server cert.
|
||||
# $3 - path to a config file in webserver context.
|
||||
# $4 - server db location
|
||||
# $5 - client db location
|
||||
# $4 - ssl server db location
|
||||
# $5 - ssl client db location
|
||||
# $5 - ocsp client db location
|
||||
#
|
||||
# Returns 0 upon success, otherwise, failed command error code.
|
||||
#
|
||||
download_install_certs() {
|
||||
host=$1
|
||||
caDir=$2
|
||||
confPath=$3
|
||||
serverDir=$4
|
||||
clientDir=$5
|
||||
sslServerDir=$4
|
||||
sslClientDir=$5
|
||||
ocspClientDir=$6
|
||||
|
||||
[ ! -d "$caDir" ] && mkdir -p $caDir;
|
||||
|
||||
|
@ -239,88 +242,133 @@ download_install_certs() {
|
|||
Exit 7 "Fatal - failed to export $caCertName cert"
|
||||
fi
|
||||
|
||||
|
||||
if [ "$reverseRunCGIScript" ]; then
|
||||
[ ! -d "$serverDir" ] && mkdir -p $serverDir;
|
||||
#=======================================================
|
||||
# Import CA cert to server DB
|
||||
#
|
||||
importFile $serverDir $caDir/$caCertName.cert server-client-CA "TC,C,C"
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import server-client-CA cert to server DB(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
|
||||
#=======================================================
|
||||
# Creating server cert
|
||||
#
|
||||
CERTNAME=$HOSTADDR
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${serverDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o $serverDir/req 2>&1
|
||||
tmpFiles="$tmpFiles $serverDir/req"
|
||||
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
|
||||
certu -C -c "$caCertName" -m `date +"%s"` -v 60 -d "${caDir}" \
|
||||
-i ${serverDir}/req -o $caDir/${CERTNAME}.cert -f "${R_PWFILE}" 2>&1
|
||||
|
||||
importFile $serverDir $caDir/$CERTNAME.cert $CERTNAME ",,"
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import $CERTNAME cert to server DB(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
|
||||
|
||||
#=======================================================
|
||||
# Download and import CA crl to server DB
|
||||
#
|
||||
download_file $host "$certDir/$caCrlName.crl" $serverDir
|
||||
RET=$?
|
||||
if [ $? -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to download $caCertName crl(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
tmpFiles="$tmpFiles $serverDir/$caCrlName.crl"
|
||||
|
||||
importFile $serverDir $serverDir/TestCA.crl
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import TestCA crt to server DB(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
fi # if [ "$reverseRunCGIScript" ]
|
||||
|
||||
[ ! -d "$clientDir" ] && mkdir -p $clientDir;
|
||||
#=======================================================
|
||||
# Import CA cert to client DB
|
||||
# Check what tests we want to run
|
||||
#
|
||||
importFile $clientDir $caDir/$caCertName.cert server-client-CA "TC,C,C"
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import server-client-CA cert to server DB(ws: $host)"
|
||||
return $RET
|
||||
doSslTests=0; doOcspTests=0
|
||||
# XXX remove "_new" from variables below
|
||||
[ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1
|
||||
[ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1
|
||||
|
||||
if [ $doSslTests -eq 1 ]; then
|
||||
if [ "$reverseRunCGIScript" ]; then
|
||||
[ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;
|
||||
#=======================================================
|
||||
# Import CA cert to server DB
|
||||
#
|
||||
importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \
|
||||
"TC,C,C"
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import server-client-CA cert to \
|
||||
server DB(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
|
||||
#=======================================================
|
||||
# Creating server cert
|
||||
#
|
||||
CERTNAME=$HOSTADDR
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
|
||||
L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
|
||||
-o $sslServerDir/req 2>&1
|
||||
tmpFiles="$tmpFiles $sslServerDir/req"
|
||||
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
|
||||
certu -C -c "$caCertName" -m `date +"%s"` -v 60 -d "${caDir}" \
|
||||
-i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \
|
||||
-f "${R_PWFILE}" 2>&1
|
||||
|
||||
importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import $CERTNAME cert to server\
|
||||
DB(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
|
||||
|
||||
#=======================================================
|
||||
# Download and import CA crl to server DB
|
||||
#
|
||||
download_file $host "$certDir/$caCrlName.crl" $sslServerDir
|
||||
RET=$?
|
||||
if [ $? -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to download $caCertName crl\
|
||||
(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"
|
||||
|
||||
importFile $sslServerDir $sslServerDir/TestCA.crl
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import TestCA crt to server\
|
||||
DB(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
fi # if [ "$reverseRunCGIScript" ]
|
||||
|
||||
[ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;
|
||||
#=======================================================
|
||||
# Import CA cert to ssl client DB
|
||||
#
|
||||
importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \
|
||||
"TC,C,C"
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import server-client-CA cert to \
|
||||
server DB(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $doOcspTests -eq 1 ]; then
|
||||
[ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;
|
||||
#=======================================================
|
||||
# Import CA cert to ocsp client DB
|
||||
#
|
||||
importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \
|
||||
"TC,C,C"
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import server-client-CA cert to \
|
||||
server DB(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
fi
|
||||
|
||||
#=======================================================
|
||||
# Import client certs to client DB
|
||||
#
|
||||
for certName in $userCertNames; do
|
||||
download_file $host "$certDir/$certName.p12" $clientDir
|
||||
for fileName in $downloadFiles; do
|
||||
certName=`echo $fileName | sed 's/\..*//'`
|
||||
|
||||
if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then
|
||||
clientDir=$ocspClientDir
|
||||
elif [ $doSslTests -eq 1 ]; then
|
||||
clientDir=$sslClientDir
|
||||
else
|
||||
continue
|
||||
fi
|
||||
|
||||
download_file $host "$certDir/$fileName" $clientDir
|
||||
RET=$?
|
||||
if [ $RET -ne 0 -o ! -f $clientDir/$certName.p12 ]; then
|
||||
if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then
|
||||
html_failed "<TR><TD>Fail to download $certName cert(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
tmpFiles="$tmpFiles $clientDir/$certName.p12"
|
||||
tmpFiles="$tmpFiles $clientDir/$fileName"
|
||||
|
||||
importFile $clientDir $clientDir/$certName.p12 $certName ",,"
|
||||
importFile $clientDir $clientDir/$fileName $certName ",,"
|
||||
RET=$?
|
||||
if [ $RET -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to import $certName cert to client DB(ws: $host)"
|
||||
html_failed "<TR><TD>Fail to import $certName cert to client DB\
|
||||
(ws: $host)"
|
||||
return $RET
|
||||
fi
|
||||
done
|
||||
|
@ -353,11 +401,13 @@ cert_iopr_setup() {
|
|||
IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`
|
||||
[ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"
|
||||
|
||||
echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:$IOPR_CONF_PATH"
|
||||
echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\
|
||||
$IOPR_CONF_PATH"
|
||||
|
||||
download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \
|
||||
${IOPR_CONF_PATH} ${IOPR_SERVERDIR}_${IOPR_HOSTADDR} \
|
||||
${IOPR_CLIENTDIR}_${IOPR_HOSTADDR}
|
||||
${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \
|
||||
${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \
|
||||
${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "wsFlags=\"NOIOPR $wsParam\"" >> \
|
||||
${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
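Review bot: In the new SSL-server branch of download_install_certs the CRL download check can never fire: `RET=$?` is followed by `if [ $? -ne 0 ]`, and by then `$?` holds the status of the assignment, which is always 0. The test should read `if [ $RET -ne 0 ]; then`, as the neighbouring importFile checks do. A failed CRL download is then caught, if at all, only by the later `importFile $sslServerDir $sslServerDir/TestCA.crl`, which also hard-codes `TestCA` where the download used `$caCrlName`. The header comment numbers the last three parameters `$4`, `$5`, `$5`, but the body reads them as `$4`, `$5`, `$6`.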
|
||||
|
|
|
@ -0,0 +1,217 @@
|
|||
#! /bin/sh
|
||||
#
|
||||
# ***** BEGIN LICENSE BLOCK *****
|
||||
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||||
#
|
||||
# The contents of this file are subject to the Mozilla Public License Version
|
||||
# 1.1 (the "License"); you may not use this file except in compliance with
|
||||
# the License. You may obtain a copy of the License at
|
||||
# http://www.mozilla.org/MPL/
|
||||
#
|
||||
# Software distributed under the License is distributed on an "AS IS" basis,
|
||||
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||||
# for the specific language governing rights and limitations under the
|
||||
# License.
|
||||
#
|
||||
# The Original Code is the Netscape security libraries.
|
||||
#
|
||||
# The Initial Developer of the Original Code is
|
||||
# Netscape Communications Corporation.
|
||||
# Portions created by the Initial Developer are Copyright (C) 1994-2000
|
||||
# the Initial Developer. All Rights Reserved.
|
||||
#
|
||||
# Alternatively, the contents of this file may be used under the terms of
|
||||
# either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||||
# in which case the provisions of the GPL or the LGPL are applicable instead
|
||||
# of those above. If you wish to allow use of your version of this file only
|
||||
# under the terms of either the GPL or the LGPL, and not to allow others to
|
||||
# use your version of this file under the terms of the MPL, indicate your
|
||||
# decision by deleting the provisions above and replace them with the notice
|
||||
# and other provisions required by the GPL or the LGPL. If you do not delete
|
||||
# the provisions above, a recipient may use your version of this file under
|
||||
# the terms of any one of the MPL, the GPL or the LGPL.
|
||||
#
|
||||
# ***** END LICENSE BLOCK *****
|
||||
|
||||
########################################################################
|
||||
#
|
||||
# mozilla/security/nss/tests/iopr/ocsp_iopr.sh
|
||||
#
|
||||
# NSS SSL interoperability QA. This file is included from ssl.sh
|
||||
#
|
||||
# needs to work on all Unix and Windows platforms
|
||||
#
|
||||
# special strings
|
||||
# ---------------
|
||||
# FIXME ... known problems, search for this string
|
||||
# NOTE .... unexpected behavior
|
||||
#
|
||||
# FIXME - Netscape - NSS
|
||||
########################################################################
|
||||
IOPR_OCSP_SOURCED=1
|
||||
|
||||
########################################################################
|
||||
# The funtion works with variables defined in interoperability
|
||||
# configuration file that gets downloaded from a webserver.
|
||||
# The function sets test parameters defind for a particular type
|
||||
# of testing.
|
||||
#
|
||||
# No return value
|
||||
#
|
||||
setTestParam() {
|
||||
type=$1
|
||||
testParam=`eval 'echo $'${type}Param`
|
||||
testDescription=`eval 'echo $'${type}Descr`
|
||||
testProto=`eval 'echo $'${type}Proto`
|
||||
testPort=`eval 'echo $'${type}Port`
|
||||
testResponder=`eval 'echo $'${type}ResponderCert`
|
||||
testValidCertNames=`eval 'echo $'${type}ValidCertNames`
|
||||
testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames`
|
||||
testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames`
|
||||
}
|
||||
|
||||
########################################################################
|
||||
# The funtion checks status of a cert using ocspclnt.
|
||||
# Params:
|
||||
# dbDir - nss cert db location
|
||||
# cert - cert in question
|
||||
# respUrl - responder url is available
|
||||
# defRespCert - trusted responder cert
|
||||
#
|
||||
# Return values:
|
||||
# 0 - test passed, 1 - otherwise.
|
||||
#
|
||||
ocsp_get_cert_status() {
|
||||
dbDir=$1
|
||||
cert=$2
|
||||
respUrl=$3
|
||||
defRespCert=$4
|
||||
|
||||
if [ -n "$respUrl" -o -n "$defRespCert" ]; then
|
||||
if [ -z "$respUrl" -o -z "$defRespCert" ]; then
|
||||
html_failed "<TR><TD>Incorrect test params"
|
||||
return 1
|
||||
fi
|
||||
clntParam="-l $respUrl -t $defRespCert"
|
||||
fi
|
||||
|
||||
outFile=$dbDir/ocsptest.out.$$
|
||||
ocspclnt -d $dbDir -S $cert $clntParam &> $outFile
|
||||
res=$?
|
||||
echo "ocspclnt output:"
|
||||
cat $outFile
|
||||
[ -z "`grep succeeded $outFile`" ] && res=1
|
||||
|
||||
rm -f $outFile
|
||||
return $res
|
||||
}
|
||||
|
||||
########################################################################
|
||||
# The funtion checks status of a cert using ocspclnt.
|
||||
# Params:
|
||||
# testType - type of the test based on type of used responder
|
||||
# servName - FQDM of the responder server
|
||||
# dbDir - nss cert db location
|
||||
#
|
||||
# No return value
|
||||
#
|
||||
ocsp_iopr() {
|
||||
testType=$1
|
||||
servName=$2
|
||||
dbDir=$3
|
||||
|
||||
setTestParam $testType
|
||||
if [ "`echo $testParam | grep NOCOV`" != "" ]; then
|
||||
echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
|
||||
"run by server configuration"
|
||||
return 0
|
||||
fi
|
||||
|
||||
html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \
|
||||
"Test Type: $testDescription"
|
||||
|
||||
if [ -n "$testResponder" ]; then
|
||||
responderUrl="$testProto://$servName:$testPort"
|
||||
else
|
||||
responderUrl=""
|
||||
fi
|
||||
|
||||
for certName in $testValidCertNames; do
|
||||
ocsp_get_cert_status $dbDir $certName "$responderUrl" "$testResponder"
|
||||
html_msg $? 0 "Getting status of a valid cert ($certName)" \
|
||||
"produced a returncode of $ret, expected is $value"
|
||||
done
|
||||
|
||||
for certName in $testRevokedCertNames; do
|
||||
ocsp_get_cert_status $dbDir $certName "$responderUrl" "$testResponder"
|
||||
html_msg $? 1 "Getting status of a unvalid cert ($certName)" \
|
||||
"produced a returncode of $ret, expected is $value"
|
||||
done
|
||||
|
||||
for certName in $testStatUnknownCertNames; do
|
||||
ocsp_get_cert_status $dbDir $certName "$responderUrl" "$testResponder"
|
||||
html_msg $? 1 "Getting status of a cert with unknown status ($certName)" \
|
||||
"produced a returncode of $ret, expected is $value"
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
#####################################################################
|
||||
# Initial point for running ocsp test againt multiple hosts involved in
|
||||
# interoperability testing. Called from nss/tests/ocsp/ocsp.sh
|
||||
# It will only proceed with test run for a specific host if environment variable
|
||||
# IOPR_HOSTADDR_LIST was set, had the host name in the list
|
||||
# and all needed file were successfully downloaded and installed for the host.
|
||||
#
|
||||
# Returns 1 if interoperability testing is off, 0 otherwise.
|
||||
#
|
||||
ocsp_iopr_run() {
|
||||
NO_ECC_CERTS=1 # disable ECC for interoperability tests
|
||||
|
||||
if [ "$IOPR" -ne 1 ]; then
|
||||
return 1
|
||||
fi
|
||||
cd ${CLIENTDIR}
|
||||
|
||||
num=1
|
||||
IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
|
||||
while [ "$IOPR_HOST_PARAM" ]; do
|
||||
IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
|
||||
IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
|
||||
[ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443
|
||||
|
||||
. ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
|
||||
RES=$?
|
||||
|
||||
num=`expr $num + 1`
|
||||
IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
|
||||
|
||||
if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
#=======================================================
|
||||
# Check what server is configured to run ssl tests
|
||||
#
|
||||
[ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue;
|
||||
|
||||
# Testing directories defined by webserver.
|
||||
echo "Testing ocsp interoperability.
|
||||
Client: local(tstclnt).
|
||||
Responder: remote($IOPR_HOSTADDR)"
|
||||
|
||||
for ocspTestType in ${supportedTests_new}; do
|
||||
if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then
|
||||
continue
|
||||
fi
|
||||
ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
|
||||
${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
|
||||
done
|
||||
echo "================================================"
|
||||
echo "Done testing ocsp interoperability with $IOPR_HOSTADDR"
|
||||
done
|
||||
NO_ECC_CERTS=0
|
||||
return 0
|
||||
}
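Review bot: ocsp_get_cert_status never clears `clntParam`, so a call with an empty responder URL and responder cert reuses the `-l … -t …` value left behind by an earlier test type. As far as the config on this page shows, OcspResponderCA and OcspDesinatedResponder define no responder cert, so after OcspTrustedResponder has run they would still be sent to the trusted responder and the three modes are not exercised independently. Setting `clntParam=""` before the `if` fixes that. The redirection `&> $outFile` is not POSIX sh either: a strict `/bin/sh` backgrounds ocspclnt and truncates the file, so `> $outFile 2>&1` is the portable form. The revoked and unknown-status loops expect only exit code 1, which an unreachable responder presumably produces as well, so matching the specific status in the ocspclnt output would keep a failed lookup from passing as a revocation answer.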
|
||||
|
|
@ -28,6 +28,22 @@ repAndExec() {
|
|||
return $RET
|
||||
}
|
||||
|
||||
setExtData() {
|
||||
extData=$1
|
||||
|
||||
fldNum=0
|
||||
extData=`echo $extData | sed 's/,/ /g'`
|
||||
for extDT in $extData; do
|
||||
if [ $fldNum -eq 0 ]; then
|
||||
eval extType=$extDT
|
||||
fldNum=1
|
||||
continue
|
||||
fi
|
||||
eval data${fldNum}=$extDT
|
||||
fldNum=`expr $fldNum + 1`
|
||||
done
|
||||
}
|
||||
|
||||
signCert() {
|
||||
dir=$1
|
||||
crtDir=$2
|
||||
|
@ -35,97 +51,98 @@ signCert() {
|
|||
crtSN=$4
|
||||
req=$5
|
||||
cuAddParam=$6
|
||||
extList=$7
|
||||
|
||||
if [ -z "$certSigner" ]; then
|
||||
certSigner=TestCA
|
||||
fi
|
||||
|
||||
extCmdLine=""
|
||||
extCmdFile=$dir/extInFile; rm -f $extCmdFile
|
||||
touch $extCmdFile
|
||||
extList=`echo $extList | sed 's/;/ /g'`
|
||||
for ext in $extList; do
|
||||
setExtData $ext
|
||||
[ -z "$extType" ] && echo "incorrect extention format" && return 1
|
||||
case $extType in
|
||||
ocspDR)
|
||||
extCmdLine="$extCmdLine -6"
|
||||
cat <<EOF >> $extCmdFile
|
||||
5
|
||||
9
|
||||
y
|
||||
EOF
|
||||
break
|
||||
exit 1
|
||||
;;
|
||||
AIA)
|
||||
extCmdLine="$extCmdLine -9"
|
||||
cat <<EOF >> $extCmdFile
|
||||
2
|
||||
7
|
||||
$data1
|
||||
0
|
||||
n
|
||||
n
|
||||
EOF
|
||||
break
|
||||
;;
|
||||
*)
|
||||
echo "Unsupported extension type: $extType"
|
||||
break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
echo "cmdLine: $extCmdLine"
|
||||
echo "cmdFile: "`cat $extCmdFile`
|
||||
repAndExec \
|
||||
certutil $cuAddParam -C -c "TestCA" -m $crtSN -v 599 -d "${dir}" \
|
||||
-i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" 2>&1
|
||||
certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
|
||||
-i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
|
||||
return $RET
|
||||
}
|
||||
|
||||
createSignedCert() {
|
||||
dir=$1
|
||||
certName=$2
|
||||
certSN=$3
|
||||
certSubj=$4
|
||||
keyType=$5
|
||||
exportFile=$6
|
||||
certDir=$2
|
||||
certName=$3
|
||||
certSN=$4
|
||||
certSubj=$5
|
||||
keyType=$6
|
||||
extList=$7
|
||||
|
||||
echo Creating cert $certName with SN=$certSN
|
||||
echo Creating cert $certName-$keyType with SN=$certSN
|
||||
|
||||
CU_SUBJECT="$certSubj"
|
||||
CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
repAndExec \
|
||||
certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
|
||||
-k $keyType -o $dir/req 2>&1
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
|
||||
signCert $dir $dir $certName $certSN $dir/req
|
||||
signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
rm -f $dir/req
|
||||
|
||||
repAndExec \
|
||||
certutil -A -n ${certName}-${keyType} -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
|
||||
-i "$dir/${certName}.crt" 2>&1
|
||||
certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
|
||||
-i "$dir/${certName}-$keyType.crt" 2>&1
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
|
||||
cp "$dir/${certName}-$keyType.crt" $certDir
|
||||
|
||||
repAndExec \
|
||||
pk12util -d $dir -o $exportFile -n ${certName}-${keyType} -k ${PW_FILE} -W iopr
|
||||
pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
|
||||
-k ${PW_FILE} -W iopr
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
return 0
|
||||
}
|
||||
|
||||
generateServerCerts() {
|
||||
certDir=$1
|
||||
serverName=$2
|
||||
servCertReq=$3
|
||||
|
||||
[ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
|
||||
[ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
|
||||
|
||||
mkdir -p $certDir
|
||||
[ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
|
||||
|
||||
|
||||
dir=/tmp/db.$$
|
||||
if [ -d "$dir" ]; then
|
||||
rm -f $dir
|
||||
fi
|
||||
mkdir -p $dir
|
||||
[ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
|
||||
|
||||
PW_FILE=$dir/nss.pwd
|
||||
NOISE_FILE=$dir/nss.noise
|
||||
echo nss > $PW_FILE
|
||||
|
||||
date >> ${NOISE_FILE} 2>&1
|
||||
|
||||
repAndExec \
|
||||
certutil -d $dir -N -f $PW_FILE
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
|
||||
|
||||
certName=TestCA
|
||||
CU_SUBJECT="CN=NSS IOPR Test CA $$, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
repAndExec \
|
||||
certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
|
||||
-f ${PW_FILE} -z ${NOISE_FILE} -m 10000 2>&1 <<EOF
|
||||
5
|
||||
6
|
||||
9
|
||||
n
|
||||
y
|
||||
-1
|
||||
n
|
||||
EOF
|
||||
|
||||
repAndExec \
|
||||
certutil -L -n $certName -r -d ${dir} -o $certDir/$certName.crt
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
|
||||
repAndExec \
|
||||
pk12util -d $dir -o $certDir/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
generateAndExportSSLCerts() {
|
||||
dir=$1
|
||||
certDir=$2
|
||||
serverName=$3
|
||||
servCertReq=$4
|
||||
|
||||
if [ "$servCertReq" -a -f $servCertReq ]; then
|
||||
grep REQUEST $servCertReq >/dev/null 2>&1
|
||||
|
@ -135,41 +152,190 @@ EOF
|
|||
fi
|
||||
|
||||
certName=$serverName
|
||||
certSubj="CN=$certName, E=${certName}-rsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
createSignedCert $dir $certName 500 "$certSubj" rsa $certDir/${certName}-rsa.p12
|
||||
createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
certName=$serverName
|
||||
|
||||
certName=$serverName
|
||||
certSubj="CN=$certName, E=${certName}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
createSignedCert $dir $certName 501 "$certSubj" dsa $certDir/${certName}-dsa.p12
|
||||
createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=TestUser510
|
||||
certSubj="CN=$certName, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
createSignedCert $dir $certName 510 "$certSubj" rsa $certDir/${certName}-rsa.p12
|
||||
createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=TestUser511
|
||||
certSubj="CN=$certName, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
createSignedCert $dir $certName 511 "$certSubj" dsa $certDir/${certName}-dsa.p12
|
||||
createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=TestUser512
|
||||
certSubj="CN=$certName, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
createSignedCert $dir $certName 512 "$certSubj" rsa $certDir/${certName}-rsa.p12
|
||||
createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=TestUser513
|
||||
certSubj="CN=$certName, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
createSignedCert $dir $certName 513 "$certSubj" dsa $certDir/${certName}-dsa.p12
|
||||
createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
}
|
||||
|
||||
generateAndExportOCSPCerts() {
|
||||
dir=$1
|
||||
certDir=$2
|
||||
|
||||
certName=ocspTrustedResponder
|
||||
createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=ocspDesignatedResponder
|
||||
createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=ocspTRTestUser514
|
||||
createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=ocspTRTestUser516
|
||||
createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=ocspRCATestUser518
|
||||
createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
|
||||
AIA,http://dochinups.red.iplanet.com:2561
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=ocspRCATestUser520
|
||||
createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
|
||||
AIA,http://dochinups.red.iplanet.com:2561
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=ocspDRTestUser522
|
||||
createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
|
||||
AIA,http://dochinups.red.iplanet.com:2562
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=ocspDRTestUser524
|
||||
createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
|
||||
AIA,http://dochinups.red.iplanet.com:2562
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
generateAndExportCACert $dir "" TestCA-unknown
|
||||
[ $? -ne 0 ] && return $ret
|
||||
|
||||
certSigner=TestCA-unknown
|
||||
|
||||
certName=ocspTRUnkownIssuerCert
|
||||
createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=ocspRCAUnkownIssuerCert
|
||||
createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
|
||||
AIA,http://dochinups.red.iplanet.com:2561
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certName=ocspDRUnkownIssuerCert
|
||||
createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
|
||||
AIA,http://dochinups.red.iplanet.com:2562
|
||||
ret=$?
|
||||
[ "$ret" -ne 0 ] && return $ret
|
||||
|
||||
certSigner=""
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
generateAndExportCACert() {
|
||||
dir=$1
|
||||
certDirL=$2
|
||||
caName=$3
|
||||
|
||||
certName=TestCA
|
||||
[ "$caName" ] && certName=$caName
|
||||
CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
repAndExec \
|
||||
certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
|
||||
-f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
|
||||
5
|
||||
6
|
||||
9
|
||||
n
|
||||
y
|
||||
-1
|
||||
n
|
||||
EOF
|
||||
|
||||
if [ "$certDirL" ]; then
|
||||
repAndExec \
|
||||
certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
|
||||
repAndExec \
|
||||
pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
generateCerts() {
|
||||
certDir=$1
|
||||
serverName=$2
|
||||
reuseCACert=$3
|
||||
servCertReq=$4
|
||||
|
||||
[ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
|
||||
[ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
|
||||
|
||||
mkdir -p $certDir
|
||||
[ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
|
||||
|
||||
|
||||
dir=/tmp/db.$$
|
||||
if [ -z "$reuseCACert" ]; then
|
||||
if [ -d "$dir" ]; then
|
||||
rm -f $dir
|
||||
fi
|
||||
|
||||
PW_FILE=$dir/nss.pwd
|
||||
NOISE_FILE=$dir/nss.noise
|
||||
|
||||
mkdir -p $dir
|
||||
[ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
|
||||
|
||||
echo nss > $PW_FILE
|
||||
date >> ${NOISE_FILE} 2>&1
|
||||
|
||||
repAndExec \
|
||||
certutil -d $dir -N -f $PW_FILE
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
|
||||
generateAndExportCACert $dir $certDir
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
else
|
||||
dir=$reuseCACert
|
||||
PW_FILE=$dir/nss.pwd
|
||||
NOISE_FILE=$dir/nss.noise
|
||||
hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
|
||||
[ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
|
||||
return $RET;
|
||||
fi
|
||||
|
||||
generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
|
||||
generateAndExportOCSPCerts $dir $certDir
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
|
||||
crlUpdate=`date +%Y%m%d%H%M%SZ`
|
||||
crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
|
||||
|
@ -178,6 +344,9 @@ EOF
|
|||
update=$crlUpdate
|
||||
nextupdate=$crlNextUpdate
|
||||
addcert 509-511 $crlUpdate
|
||||
addcert 516 $crlUpdate
|
||||
addcert 520 $crlUpdate
|
||||
addcert 524 $crlUpdate
|
||||
EOF_CRLINI
|
||||
[ "$RET" -ne 0 ] && return $RET
|
||||
|
||||
|
@ -187,8 +356,8 @@ EOF_CRLINI
|
|||
|
||||
|
||||
if [ -z "$1" -o -z "$2" ]; then
|
||||
echo "$0 <dest dir> <cert name> [cert req]"
|
||||
echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
|
||||
exit 1
|
||||
fi
|
||||
generateServerCerts $1 $2 $3
|
||||
generateCerts $1 $2 "$3" $4
|
||||
exit $?
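Review bot: generateCerts keeps the scratch NSS database at the predictable path `/tmp/db.$$`, and the cleanup in front of it does not work: `rm -f $dir` cannot remove a directory, so `mkdir -p $dir` silently reuses whatever already exists there. The CA key database and `nss.pwd` are then written into that directory, which on a shared host may belong to another user. Creating it under `umask 077` with a plain `mkdir "$dir" || exit 1` (no `-p`), or with `mktemp -d` where available, makes the run fail instead of reusing an existing directory. Separately, generateAndExportOCSPCerts names the certs `ocsp*UnkownIssuerCert` while the server config's `downloadFiles` lists `ocsp*UnknownIssuerCert-rsa.crt`, so those downloads would presumably fail unless the files are renamed on the server. In the same function `[ $? -ne 0 ] && return $ret` after generateAndExportCACert returns the stale `$ret` from the previous step; it should capture the status first, e.g. `ret=$?; [ "$ret" -ne 0 ] && return $ret`.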
|
||||
|
|
|
@ -0,0 +1,63 @@
|
|||
certDir=/iopr
|
||||
caCertName=TestCA
|
||||
caCrlName=TestCA
|
||||
|
||||
#old values
|
||||
userCertNames="TestUser510-rsa TestUser512-rsa"
|
||||
userRevokedCertNames="TestUser510-rsa"
|
||||
reverseRunCGIScript="/cgi-bin/client.cgi"
|
||||
#reverseTestParam=NOREVALL
|
||||
supportedTests="SslSingleHs SslSecondHs"
|
||||
#supportedTests="SslSecondHs"
|
||||
|
||||
|
||||
downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
|
||||
# Keep a space at the end of
|
||||
SslClntValidCertName="TestUser512-rsa"
|
||||
SslClntRevokedCertName="TestUser510-rsa"
|
||||
reverseRunCGIScript="/cgi-bin/client.cgi"
|
||||
#reverseTestParam=NOREVALL
|
||||
|
||||
supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
|
||||
|
||||
#
|
||||
# SslSingleHs: ssl single handshake with out client cert auth
|
||||
SslSingleHsDescr="ssl with single handshake without client cert auth"
|
||||
SslSingleHsPort=443
|
||||
SslSingleHsUrl=/iopr_test/test_pg.html
|
||||
SslSingleHsParam=NOAUTH
|
||||
|
||||
#
|
||||
# SslSecondHs: ssl with secondary hs when accessing direcory
|
||||
# that requires cert verification
|
||||
SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
|
||||
SslSecondHsPort=443
|
||||
SslSecondHsUrl=/iopr_test_2hs/test_pg.html
|
||||
SslSecondHsParam=NOCOV
|
||||
|
||||
#
|
||||
# OcspTrustedResponder - trusted responder key is used to sign OCSP response
|
||||
#
|
||||
OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
|
||||
OcspTrustedResponderProto=http
|
||||
OcspTrustedResponderPort=2560
|
||||
OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
|
||||
OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
|
||||
OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
|
||||
OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
|
||||
|
||||
#
|
||||
# OcspResponderCA - CA key is used to sign OCSP response
|
||||
#
|
||||
OcspResponderCADescr="CA key is used to sign OCSP response"
|
||||
OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
|
||||
OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
|
||||
OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
|
||||
|
||||
#
|
||||
# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
|
||||
#
|
||||
OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
|
||||
OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
|
||||
OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
|
||||
OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
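Review bot: The test name `OcspDesinatedResponder` is misspelled (Designated) in `supportedTests_new` and in the four variable names that carry it as a prefix. If the OCSP runner builds names such as `${test}RevokedCertNames` from the test name (that code is not visible here), a consumer using the correct spelling would read unset variables, which the shell expands to empty strings without an error. The revoked-certificate case for this responder would then be skipped silently rather than fail, so I would rename to `OcspDesignatedResponder` throughout before other scripts depend on it. The comment `# Keep a space at the end of` is cut off mid-sentence and should name the variable it refers to. The `#old values` block also repeats `reverseRunCGIScript`, so a comment saying which consumers still read the old names would help.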
|
|
@ -55,19 +55,14 @@ IOPR_SSL_SOURCED=1
|
|||
# The functions works with variables defined in interoperability
|
||||
# configuration file that was downloaded from a webserver.
|
||||
# It tries to find unrevoked cert based on value of variable
|
||||
# "userRevokedCertNames" defined in the configuration file.
|
||||
# "SslClntValidCertName" defined in the configuration file.
|
||||
# Params NONE.
|
||||
# Returns 0 if found, 1 otherwise.
|
||||
#
|
||||
setValidCert() {
|
||||
testUser=
|
||||
for user in $userCertNames; do
|
||||
if [ "`echo $userRevokedCertNames | grep -v $user`" != "" ]; then
|
||||
testUser=$user
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
return 1
|
||||
testUser=$SslClntValidCertName
|
||||
[ -z "$testUser" ] && return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
########################################################################
|
||||
|
@ -253,12 +248,6 @@ ssl_iopr_crl_ext_server()
|
|||
|
||||
html_head "CRL SSL Client Tests of WebServer($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): $testDescription"
|
||||
|
||||
setValidCert; ret=$?
|
||||
if [ $ret -ne 0 ]; then
|
||||
html_failed "<TR><TD>Fail to find valid test cert(ws: $host)"
|
||||
return $ret
|
||||
fi
|
||||
|
||||
SSL_REQ_FILE=${TMP}/sslreq.dat.$$
|
||||
echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
|
||||
echo >> $SSL_REQ_FILE
|
||||
|
@ -271,7 +260,7 @@ ssl_iopr_crl_ext_server()
|
|||
[ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
|
||||
|
||||
rev_modvalue=254
|
||||
for testUser in $userCertNames; do
|
||||
for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
|
||||
cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
|
||||
|
||||
echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} \\"
|
||||
|
@ -289,7 +278,7 @@ ssl_iopr_crl_ext_server()
|
|||
[ $ret -ne 0 ] && cat $resFile
|
||||
rm -f $resFile 2>/dev/null
|
||||
|
||||
if [ "`echo $userRevokedCertNames | grep $testUser`" != "" ]; then
|
||||
if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
|
||||
modvalue=$rev_modvalue
|
||||
testAddMsg="revoked"
|
||||
else
|
||||
|
@ -539,7 +528,7 @@ ssl_iopr_crl_ext_client()
|
|||
sparam="$sparam -vvvc ABCDEFcdefgijklmnvyz"
|
||||
start_selfserv
|
||||
|
||||
for testUser in $userCertNames; do
|
||||
for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
|
||||
|
||||
is_selfserv_alive
|
||||
|
||||
|
@ -580,7 +569,7 @@ ssl_iopr_crl_ext_client()
|
|||
ret=11
|
||||
fi
|
||||
|
||||
if [ "`echo $userRevokedCertNames | grep $testUser`" != "" ]; then
|
||||
if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
|
||||
modvalue=1
|
||||
testAddMsg="revoked"
|
||||
else
|
||||
|
@ -633,19 +622,26 @@ ssl_iopr_run() {
|
|||
continue
|
||||
fi
|
||||
|
||||
#=======================================================
|
||||
# Check if server is capable to run ssl tests
|
||||
#
|
||||
[ -z "`echo ${supportedTests_new} | grep -i ssl`" ] && continue;
|
||||
|
||||
# Testing directories defined by webserver.
|
||||
echo "Testing ssl interoperability.
|
||||
Client: local(tstclnt).
|
||||
Server: remote($IOPR_HOSTADDR:$IOPR_OPEN_PORT)"
|
||||
|
||||
for sslTestType in $supportedTests; do
|
||||
for sslTestType in ${supportedTests_new}; do
|
||||
if [ -z "`echo $sslTestType | grep -i ssl`" ]; then
|
||||
continue
|
||||
fi
|
||||
ssl_iopr_cov_ext_server $sslTestType ${IOPR_HOSTADDR} \
|
||||
${IOPR_CLIENTDIR}_${IOPR_HOSTADDR}
|
||||
${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
|
||||
ssl_iopr_auth_ext_server $sslTestType ${IOPR_HOSTADDR} \
|
||||
${IOPR_CLIENTDIR}_${IOPR_HOSTADDR}
|
||||
${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
|
||||
ssl_iopr_crl_ext_server $sslTestType ${IOPR_HOSTADDR} \
|
||||
${IOPR_CLIENTDIR}_${IOPR_HOSTADDR}
|
||||
${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
|
||||
done
|
||||
|
||||
|
||||
|
@ -654,17 +650,17 @@ ssl_iopr_run() {
|
|||
Client: remote($IOPR_HOSTADDR:$PORT)
|
||||
Server: local(selfserv)"
|
||||
ssl_iopr_cov_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
|
||||
${HOSTADDR} ${PORT} ${R_IOPR_SERVERDIR}_${IOPR_HOSTADDR}
|
||||
${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
|
||||
ssl_iopr_auth_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
|
||||
${HOSTADDR} ${PORT} ${R_IOPR_SERVERDIR}_${IOPR_HOSTADDR}
|
||||
${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
|
||||
ssl_iopr_crl_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
|
||||
${HOSTADDR} ${PORT} ${R_IOPR_SERVERDIR}_${IOPR_HOSTADDR}
|
||||
${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
|
||||
echo "================================================"
|
||||
echo "Done testing interoperability with $IOPR_HOSTADDR"
|
||||
num=`expr $num + 1`
|
||||
IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
|
||||
done
|
||||
NO_ECC_CERTS=0 #disable ECC for interoperability
|
||||
NO_ECC_CERTS=0
|
||||
return 0
|
||||
}
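Review bot: The added capability check on `${supportedTests_new}` in `ssl_iopr_run`, which ends in `&& continue`, skips the rest of the loop body without advancing the host cursor. The only advance visible in these hunks is the `num` / `IOPR_HOST_PARAM` update just before `done`. The loop header is outside the hunks, but if its condition tests `IOPR_HOST_PARAM`, a server whose configuration lists no ssl test would be retried forever instead of skipped. I would turn the one-liner into an `if` block that repeats those two update lines before `continue`. The configuration is described in this file as downloaded from the web server, so an empty or missing `supportedTests_new` is an input the runner has to handle.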
|
||||
|
||||
|
|
|
@ -0,0 +1,82 @@
|
|||
#! /bin/sh
|
||||
#
|
||||
# ***** BEGIN LICENSE BLOCK *****
|
||||
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||||
#
|
||||
# The contents of this file are subject to the Mozilla Public License Version
|
||||
# 1.1 (the "License"); you may not use this file except in compliance with
|
||||
# the License. You may obtain a copy of the License at
|
||||
# http://www.mozilla.org/MPL/
|
||||
#
|
||||
# Software distributed under the License is distributed on an "AS IS" basis,
|
||||
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||||
# for the specific language governing rights and limitations under the
|
||||
# License.
|
||||
#
|
||||
# The Original Code is the Netscape security libraries.
|
||||
#
|
||||
# The Initial Developer of the Original Code is
|
||||
# Netscape Communications Corporation.
|
||||
# Portions created by the Initial Developer are Copyright (C) 1994-2000
|
||||
# the Initial Developer. All Rights Reserved.
|
||||
#
|
||||
# Alternatively, the contents of this file may be used under the terms of
|
||||
# either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||||
# in which case the provisions of the GPL or the LGPL are applicable instead
|
||||
# of those above. If you wish to allow use of your version of this file only
|
||||
# under the terms of either the GPL or the LGPL, and not to allow others to
|
||||
# use your version of this file under the terms of the MPL, indicate your
|
||||
# decision by deleting the provisions above and replace them with the notice
|
||||
# and other provisions required by the GPL or the LGPL. If you do not delete
|
||||
# the provisions above, a recipient may use your version of this file under
|
||||
# the terms of any one of the MPL, the GPL or the LGPL.
|
||||
#
|
||||
# ***** END LICENSE BLOCK *****
|
||||
|
||||
########################################################################
|
||||
#
|
||||
# mozilla/security/nss/tests/ocsp/ocsp.sh
|
||||
#
|
||||
# Script to test NSS OCSP
|
||||
#
|
||||
# needs to work on all Unix and Windows platforms
|
||||
#
|
||||
# special strings
|
||||
# ---------------
|
||||
# FIXME ... known problems, search for this string
|
||||
# NOTE .... unexpected behavior
|
||||
#
|
||||
########################################################################
|
||||
|
||||
############################## ssl_init ################################
|
||||
# local shell function to initialize this script
|
||||
########################################################################
|
||||
ocsp_init()
|
||||
{
|
||||
SCRIPTNAME=ocsp.sh # sourced - $0 would point to all.sh
|
||||
|
||||
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
|
||||
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
|
||||
fi
|
||||
|
||||
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
|
||||
cd ../common
|
||||
. ./init.sh
|
||||
fi
|
||||
if [ -z "${IOPR_OCSP_SOURCED}" ]; then
|
||||
. ../iopr/ocsp_iopr.sh
|
||||
fi
|
||||
if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
|
||||
cd ../cert
|
||||
. ./cert.sh
|
||||
fi
|
||||
SCRIPTNAME=ocsp.sh
|
||||
echo "$SCRIPTNAME: OCSP tests ==============================="
|
||||
|
||||
cd ${CLIENTDIR}
|
||||
}
|
||||
|
||||
################## main #################################################
|
||||
ocsp_init
|
||||
ocsp_iopr_run
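Review bot: In `ocsp_init` the test `[ ! -r $CERT_LOG_FILE ]` leaves the variable unquoted, so when `CERT_LOG_FILE` is unset or empty it collapses to `[ ! -r ]`, which is false, and `cert.sh` is never sourced. `if [ ! -r "$CERT_LOG_FILE" ]; then` gives the intended result. The banner above the function still reads `ssl_init` and should name `ocsp_init`. `CLEANUP` is set so that this script claims responsibility for cleanup, but the main section calls only `ocsp_init` and `ocsp_iopr_run`. Unless `ocsp_iopr_run` performs the cleanup itself (not visible here), nothing does.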
|