diff options
Diffstat (limited to 'mozilla/security/nss/tests/chains')
24 files changed, 4058 insertions, 0 deletions
diff --git a/mozilla/security/nss/tests/chains/chains.sh b/mozilla/security/nss/tests/chains/chains.sh new file mode 100644 index 0000000..9ebc127 --- /dev/null +++ b/mozilla/security/nss/tests/chains/chains.sh @@ -0,0 +1,1081 @@ +#!/bin/bash +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2008-2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +######################################################################## +# +# mozilla/security/nss/tests/cert/chains.sh +# +# Script to test certificate chains validity. +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## + +############################# chains_init ############################## +# local shell function to initialize this script +######################################################################## +chains_init() +{ + if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for + CLEANUP="${SCRIPTNAME}" # cleaning this script will do it + fi + if [ -z "${INIT_SOURCED}" ] ; then + cd ../common + . ./init.sh + fi + + SCRIPTNAME="chains.sh" + + CHAINS_DIR="${HOSTDIR}/chains" + mkdir -p ${CHAINS_DIR} + cd ${CHAINS_DIR} + + CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios" + + CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//") + CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000) + + PK7_NONCE=${CERT_SN_CNT} + SCEN_CNT=${CERT_SN_CNT} + + AIA_FILES="${HOSTDIR}/aiafiles" + + CU_DATA=${HOSTDIR}/cu_data + CRL_DATA=${HOSTDIR}/crl_data + + html_head "Certificate Chains Tests" +} + +############################ chains_cleanup ############################ +# local shell function to finish this script (no exit since it might be +# sourced) +######################################################################## +chains_cleanup() +{ + html "</TABLE><BR>" + cd ${QADIR} + . common/cleanup.sh +} + +############################ print_cu_data ############################# +# local shell function to print certutil input data +######################################################################## +print_cu_data() +{ + echo "=== Certutil input data ===" + cat ${CU_DATA} + echo "===" +} + +set_cert_sn() +{ + if [ -z "${SERIAL}" ]; then + CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1) + CERT_SN=${CERT_SN_CNT} + else + echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null + if [ $? -eq 0 ]; then + CERT_SN=$(echo ${SERIAL} | cut -b 2-) + CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN}) + else + CERT_SN=${SERIAL} + fi + fi +} + +############################# create_db ################################ +# local shell function to create certificate database +######################################################################## +create_db() +{ + DB=$1 + + [ -d "${DB}" ] && rm -rf ${DB} + mkdir -p ${DB} + + echo "${DB}passwd" > ${DB}/dbpasswd + + TESTNAME="Creating DB ${DB}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -N -d ${DB} -f ${DB}/dbpasswd" + ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +########################### create_root_ca ############################# +# local shell function to generate self-signed root certificate +######################################################################## +create_root_ca() +{ + ENTITY=$1 + ENTITY_DB=${ENTITY}DB + + set_cert_sn + date >> ${NOISE_FILE} 2>&1 + + CTYPE_OPT= + if [ -n "${CTYPE}" ]; then + CTYPE_OPT="-k ${CTYPE}" + fi + + echo "5 +6 +9 +n +y +-1 +n +5 +6 +7 +9 +n +" > ${CU_DATA} + + TESTNAME="Creating Root CA ${ENTITY}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}" + print_cu_data + ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" + + TESTNAME="Exporting Root CA ${ENTITY}.der" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der" + ${BINDIR}/certutil -L -d ${ENTITY_DB} -r -n ${ENTITY} -o ${ENTITY}.der + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +########################### create_cert_req ############################ +# local shell function to generate certificate sign request +######################################################################## +create_cert_req() +{ + ENTITY=$1 + TYPE=$2 + + ENTITY_DB=${ENTITY}DB + + REQ=${ENTITY}Req.der + + date >> ${NOISE_FILE} 2>&1 + + CTYPE_OPT= + if [ -n "${CTYPE}" ]; then + CTYPE_OPT="-k ${CTYPE}" + fi + + CA_FLAG= + EXT_DATA= + OPTIONS= + + if [ "${TYPE}" != "EE" ]; then + CA_FLAG="-2" + EXT_DATA="y +-1 +y +" + fi + + process_crldp + + echo "${EXT_DATA}" > ${CU_DATA} + + TESTNAME="Creating ${TYPE} certifiate request ${REQ}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}" + print_cu_data + ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +############################ create_entity ############################# +# local shell function to create certificate chain entity +######################################################################## +create_entity() +{ + ENTITY=$1 + TYPE=$2 + + if [ -z "${ENTITY}" ]; then + echo "Configuration error: Unnamed entity" + exit 1 + fi + + DB=${ENTITY}DB + ENTITY_DB=${ENTITY}DB + + case "${TYPE}" in + "Root") + create_db "${DB}" + create_root_ca "${ENTITY}" + ;; + "Intermediate" | "Bridge" | "EE") + create_db "${DB}" + create_cert_req "${ENTITY}" "${TYPE}" + ;; + "*") + echo "Configuration error: Unknown type ${TYPE}" + exit 1 + ;; + esac +} + +######################################################################## +# List of global variables related to certificate extensions processing: +# +# Generated by process_extensions and functions called from it: +# OPTIONS - list of command line policy extensions +# DATA - list of inpud data related to policy extensions +# +# Generated by parse_config: +# POLICY - list of certificate policies +# MAPPING - list of policy mappings +# INHIBIT - inhibit flag +# AIA - AIA list +######################################################################## + +############################ process_policy ############################ +# local shell function to process policy extension parameters and +# generate input for certutil +######################################################################## +process_policy() +{ + if [ -n "${POLICY}" ]; then + OPTIONS="${OPTIONS} --extCP" + + NEXT= + for ITEM in ${POLICY}; do + if [ -n "${NEXT}" ]; then + DATA="${DATA}y +" + fi + + NEXT=1 + DATA="${DATA}${ITEM} +1 + +n +" + done + + DATA="${DATA}n +n +" + fi +} + +########################### process_mapping ############################ +# local shell function to process policy mapping parameters and +# generate input for certutil +######################################################################## +process_mapping() +{ + if [ -n "${MAPPING}" ]; then + OPTIONS="${OPTIONS} --extPM" + + NEXT= + for ITEM in ${MAPPING}; do + if [ -n "${NEXT}" ]; then + DATA="${DATA}y +" + fi + + NEXT=1 + IDP=`echo ${ITEM} | cut -d: -f1` + SDP=`echo ${ITEM} | cut -d: -f2` + DATA="${DATA}${IDP} +${SDP} +" + done + + DATA="${DATA}n +n +" + fi +} + +########################### process_inhibit############################# +# local shell function to process inhibit extension and generate input +# for certutil +######################################################################## +process_inhibit() +{ + if [ -n "${INHIBIT}" ]; then + OPTIONS="${OPTIONS} --extIA" + + DATA="${DATA}${INHIBIT} +n +" + fi +} + +############################# process_aia ############################## +# local shell function to process AIA extension parameters and +# generate input for certutil +######################################################################## +process_aia() +{ + if [ -n "${AIA}" ]; then + OPTIONS="${OPTIONS} --extAIA" + + DATA="${DATA}1 +" + + for ITEM in ${AIA}; do + PK7_NONCE=`expr $PK7_NONCE + 1` + + echo ${ITEM} | grep ":" > /dev/null + if [ $? -eq 0 ]; then + CERT_NICK=`echo ${ITEM} | cut -d: -f1` + CERT_ISSUER=`echo ${ITEM} | cut -d: -f2` + CERT_LOCAL="${CERT_NICK}${CERT_ISSUER}.der" + CERT_PUBLIC="${HOST}-$$-${CERT_NICK}${CERT_ISSUER}-${PK7_NONCE}.der" + else + CERT_LOCAL="${ITEM}.p7" + CERT_PUBLIC="${HOST}-$$-${ITEM}-${PK7_NONCE}.p7" + fi + + DATA="${DATA}7 +${NSS_AIA_HTTP}/${CERT_PUBLIC} +" + + if [ -n "${NSS_AIA_PATH}" ]; then + cp ${CERT_LOCAL} ${NSS_AIA_PATH}/${CERT_PUBLIC} 2> /dev/null + chmod a+r ${NSS_AIA_PATH}/${CERT_PUBLIC} + echo ${NSS_AIA_PATH}/${CERT_PUBLIC} >> ${AIA_FILES} + fi + done + + DATA="${DATA}0 +n +n" + fi +} + +process_ocsp() +{ + if [ -n "${OCSP}" ]; then + OPTIONS="${OPTIONS} --extAIA" + + DATA="${DATA}2 +7 +${NSS_AIA_OCSP}:${OCSP} +0 +n +n +" + fi +} + +process_crldp() +{ + if [ -n "${CRLDP}" ]; then + OPTIONS="${OPTIONS} -4" + + EXT_DATA="${EXT_DATA}1 +" + + for ITEM in ${CRLDP}; do + CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl" + + EXT_DATA="${EXT_DATA}7 +${NSS_AIA_HTTP}/${CRL_PUBLIC} +" + done + + EXT_DATA="${EXT_DATA}-1 +-1 +-1 +n +n +" + fi +} + +process_ku_ns_eku() +{ + if [ -n "${EXT_KU}" ]; then + OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}" + fi + if [ -n "${EXT_NS}" ]; then + EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1) + EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2) + + OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}" + DATA="${DATA}${EXT_NS_CODE} +-1 +n +" + fi + if [ -n "${EXT_EKU}" ]; then + OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}" + fi +} + +copy_crl() + +{ + if [ -z "${NSS_AIA_PATH}" ]; then + return; + fi + + CRL_LOCAL="${COPYCRL}.crl" + CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl" + + cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null + chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC} + echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES} +} + +########################## process_extension ########################### +# local shell function to process entity extension parameters and +# generate input for certutil +######################################################################## +process_extensions() +{ + OPTIONS= + DATA= + + process_policy + process_mapping + process_inhibit + process_aia + process_ocsp + process_ku_ns_eku +} + +############################## sign_cert ############################### +# local shell function to sign certificate sign reuqest +######################################################################## +sign_cert() +{ + ENTITY=$1 + ISSUER=$2 + TYPE=$3 + + [ -z "${ISSUER}" ] && return + + ENTITY_DB=${ENTITY}DB + ISSUER_DB=${ISSUER}DB + REQ=${ENTITY}Req.der + CERT=${ENTITY}${ISSUER}.der + + set_cert_sn + + EMAIL_OPT= + if [ "${TYPE}" = "Bridge" ]; then + EMAIL_OPT="-7 ${ENTITY}@${ISSUER}" + + [ -n "${EMAILS}" ] && EMAILS="${EMAILS}," + EMAILS="${EMAILS}${ENTITY}@${ISSUER}" + fi + + process_extensions + + echo "${DATA}" > ${CU_DATA} + + TESTNAME="Creating certficate ${CERT} signed by ${ISSUER}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA}" + print_cu_data + ${BINDIR}/certutil -C -c ${ISSUER} -v 60 -d ${ISSUER_DB} -i ${REQ} -o ${CERT} -f ${ISSUER_DB}/dbpasswd -m ${CERT_SN} ${EMAIL_OPT} ${OPTIONS} < ${CU_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" + + TESTNAME="Importing certificate ${CERT} to ${ENTITY_DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT}" + ${BINDIR}/certutil -A -n ${ENTITY} -t u,u,u -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -i ${CERT} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +############################# create_pkcs7############################## +# local shell function to package bridge certificates into pkcs7 +# package +######################################################################## +create_pkcs7() +{ + ENTITY=$1 + ENTITY_DB=${ENTITY}DB + + TESTNAME="Generating PKCS7 package from ${ENTITY_DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "cmsutil -O -r \"${EMAILS}\" -d ${ENTITY_DB} > ${ENTITY}.p7" + ${BINDIR}/cmsutil -O -r "${EMAILS}" -d ${ENTITY_DB} > ${ENTITY}.p7 + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +############################# import_key ############################### +# local shell function to import private key + cert into database +######################################################################## +import_key() +{ + KEY_NAME=$1.p12 + DB=$2 + + KEY_FILE=${QADIR}/libpkix/certs/${KEY_NAME} + + TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss" + ${BINDIR}/pk12util -d ${DB} -i ${KEY_FILE} -k ${DB}/dbpasswd -W nssnss + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + + +############################# import_cert ############################## +# local shell function to import certificate into database +######################################################################## +import_cert() +{ + IMPORT=$1 + DB=$2 + + CERT_NICK=`echo ${IMPORT} | cut -d: -f1` + CERT_ISSUER=`echo ${IMPORT} | cut -d: -f2` + CERT_TRUST=`echo ${IMPORT} | cut -d: -f3` + + if [ "${CERT_ISSUER}" = "x" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.cert + CERT_FILE="${QADIR}/libpkix/certs/${CERT}" + else + CERT=${CERT_NICK}${CERT_ISSUER}.der + CERT_FILE=${CERT} + fi + + IS_ASCII=`grep -c -- "-----BEGIN CERTIFICATE-----" ${CERT_FILE}` + + ASCII_OPT= + if [ "${IS_ASCII}" -gt 0 ]; then + ASCII_OPT="-a" + fi + + TESTNAME="Importing certificate ${CERT} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t \"${CERT_TRUST}\" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE}" + ${BINDIR}/certutil -A -n ${CERT_NICK} ${ASCII_OPT} -t "${CERT_TRUST}" -d ${DB} -f ${DB}/dbpasswd -i ${CERT_FILE} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +import_crl() +{ + IMPORT=$1 + DB=$2 + + CRL_NICK=`echo ${IMPORT} | cut -d: -f1` + CRL_FILE=${CRL_NICK}.crl + + if [ ! -f "${CRL_FILE}" ]; then + return + fi + + TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}" + ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +create_crl() +{ + ISSUER=$1 + ISSUER_DB=${ISSUER}DB + + CRL=${ISSUER}.crl + + DATE=$(date -u '+%Y%m%d%H%M%SZ') + DATE_LAST="${DATE}" + + UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ') + + echo "update=${DATE}" > ${CRL_DATA} + echo "nextupdate=${UPDATE}" >> ${CRL_DATA} + + TESTNAME="Create CRL for ${ISSUER_DB}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}" + echo "=== Crlutil input data ===" + cat ${CRL_DATA} + echo "===" + ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +revoke_cert() +{ + ISSUER=$1 + ISSUER_DB=${ISSUER}DB + + CRL=${ISSUER}.crl + + set_cert_sn + + DATE=$(date -u '+%Y%m%d%H%M%SZ') + while [ "${DATE}" = "${DATE_LAST}" ]; do + sleep 1 + DATE=$(date -u '+%Y%m%d%H%M%SZ') + done + DATE_LAST="${DATE}" + + echo "update=${DATE}" > ${CRL_DATA} + echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA} + + TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}" + echo "=== Crlutil input data ===" + cat ${CRL_DATA} + echo "===" + ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +######################################################################## +# List of global variables related to certificate verification: +# +# Generated by parse_config: +# DB - DB used for testing +# FETCH - fetch flag (used with AIA extension) +# POLICY - list of policies +# TRUST - trust anchor +# VERIFY - list of certificates to use as vfychain parameters +# EXP_RESULT - expected result +# REV_OPTS - revocation options +######################################################################## + +############################# verify_cert ############################## +# local shell function to verify certificate validity +######################################################################## +verify_cert() +{ + DB_OPT= + FETCH_OPT= + POLICY_OPT= + TRUST_OPT= + VFY_CERTS= + VFY_LIST= + + if [ -n "${DB}" ]; then + DB_OPT="-d ${DB}" + fi + + if [ -n "${FETCH}" ]; then + FETCH_OPT="-f" + if [ -z "${NSS_AIA_HTTP}" ]; then + echo "${SCRIPTNAME} Skipping test using AIA fetching, NSS_AIA_HTTP not defined" + return + fi + fi + + for ITEM in ${POLICY}; do + POLICY_OPT="${POLICY_OPT} -o ${ITEM}" + done + + for ITEM in ${TRUST}; do + echo ${ITEM} | grep ":" > /dev/null + if [ $? -eq 0 ]; then + CERT_NICK=`echo ${ITEM} | cut -d: -f1` + CERT_ISSUER=`echo ${ITEM} | cut -d: -f2` + CERT=${CERT_NICK}${CERT_ISSUER}.der + + TRUST_OPT="${TRUST_OPT} -t ${CERT}" + else + TRUST_OPT="${TRUST_OPT} -t ${ITEM}" + fi + done + + for ITEM in ${VERIFY}; do + CERT_NICK=`echo ${ITEM} | cut -d: -f1` + CERT_ISSUER=`echo ${ITEM} | cut -d: -f2` + + if [ "${CERT_ISSUER}" = "x" ]; then + CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert" + VFY_CERTS="${VFY_CERTS} ${CERT}" + VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert" + else + CERT=${CERT_NICK}${CERT_ISSUER}.der + VFY_CERTS="${VFY_CERTS} ${CERT}" + VFY_LIST="${VFY_LIST} ${CERT}" + fi + done + + VFY_OPTS_TNAME="${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}" + VFY_OPTS_ALL="${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" + + TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "vfychain ${VFY_OPTS_ALL}" + + if [ -z "${MEMLEAK_DBG}" ]; then + VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1) + RESULT=$? + echo "${VFY_OUT}" + else + VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE}) + RESULT=$? + echo "${VFY_OUT}" + fi + + echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null + E5990=$? + echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null + E8030=$? + + if [ $E5990 -eq 0 -o $E8030 -eq 0 ]; then + echo "Result of this test is not valid due to network time out." + html_unknown "${SCENARIO}${TESTNAME}" + return + fi + + echo "Returned value is ${RESULT}, expected result is ${EXP_RESULT}" + + if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then + html_passed "${SCENARIO}${TESTNAME}" + elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then + html_passed "${SCENARIO}${TESTNAME}" + else + html_failed "${SCENARIO}${TESTNAME}" + fi +} + +check_ocsp() +{ + OCSP_CERT=$1 + + CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1` + CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2` + + if [ "${CERT_ISSUER}" = "x" ]; then + CERT_ISSUER= + CERT=${CERT_NICK}.cert + CERT_FILE="${QADIR}/libpkix/certs/${CERT}" + else + CERT=${CERT_NICK}${CERT_ISSUER}.der + CERT_FILE=${CERT} + fi + + OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//") + + if [ "${OS_ARCH}" = "WINNT" ]; then + ping -n 1 ${OCSP_HOST} + return $? + elif [ "${OS_ARCH}" = "HP-UX" ]; then + ping ${OCSP_HOST} -n 1 + return $? + else + ping -c 1 ${OCSP_HOST} + return $? + fi +} + +############################ parse_result ############################## +# local shell function to process expected result value +# this function was created for case that expected result depends on +# some conditions - in our case type of cert DB +# +# default results are pass and fail +# this function added parsable values in format: +# type1:value1 type2:value2 .... typex:valuex +# +# allowed types are dbm, sql, all (all means all other cases) +# allowed values are pass and fail +# +# if this format is not used, EXP_RESULT will stay unchanged (this also +# covers pass and fail states) +######################################################################## +parse_result() +{ + for RES in ${EXP_RESULT} + do + RESTYPE=$(echo ${RES} | cut -d: -f1) + RESSTAT=$(echo ${RES} | cut -d: -f2) + + if [ "${RESTYPE}" = "${NSS_DEFAULT_DB_TYPE}" -o "${RESTYPE}" = "all" ]; then + EXP_RESULT=${RESSTAT} + break + fi + done +} + +############################ parse_config ############################## +# local shell function to parse and process file containing certificate +# chain configuration and list of tests +######################################################################## +parse_config() +{ + SCENARIO= + LOGNAME= + + while read KEY VALUE + do + case "${KEY}" in + "entity") + ENTITY="${VALUE}" + TYPE= + ISSUER= + CTYPE= + POLICY= + MAPPING= + INHIBIT= + AIA= + CRLDP= + OCSP= + DB= + EMAILS= + EXT_KU= + EXT_NS= + EXT_EKU= + SERIAL= + ;; + "type") + TYPE="${VALUE}" + ;; + "issuer") + if [ -n "${ISSUER}" ]; then + if [ -z "${DB}" ]; then + create_entity "${ENTITY}" "${TYPE}" + fi + sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" + fi + + ISSUER="${VALUE}" + POLICY= + MAPPING= + INHIBIT= + AIA= + EXT_KU= + EXT_NS= + EXT_EKU= + ;; + "ctype") + CTYPE="${VALUE}" + ;; + "policy") + POLICY="${POLICY} ${VALUE}" + ;; + "mapping") + MAPPING="${MAPPING} ${VALUE}" + ;; + "inhibit") + INHIBIT="${VALUE}" + ;; + "aia") + AIA="${AIA} ${VALUE}" + ;; + "crldp") + CRLDP="${CRLDP} ${VALUE}" + ;; + "ocsp") + OCSP="${VALUE}" + ;; + "db") + DB="${VALUE}DB" + create_db "${DB}" + ;; + "import") + IMPORT="${VALUE}" + import_cert "${IMPORT}" "${DB}" + import_crl "${IMPORT}" "${DB}" + ;; + "import_key") + IMPORT="${VALUE}" + import_key "${IMPORT}" "${DB}" + ;; + "crl") + ISSUER="${VALUE}" + create_crl "${ISSUER}" + ;; + "revoke") + REVOKE="${VALUE}" + ;; + "serial") + SERIAL="${VALUE}" + ;; + "copycrl") + COPYCRL="${VALUE}" + copy_crl "${COPYCRL}" + ;; + "verify") + VERIFY="${VALUE}" + TRUST= + POLICY= + FETCH= + EXP_RESULT= + REV_OPTS= + USAGE_OPT= + ;; + "cert") + VERIFY="${VERIFY} ${VALUE}" + ;; + "testdb") + if [ -n "${VALUE}" ]; then + DB="${VALUE}DB" + else + DB= + fi + ;; + "trust") + TRUST="${TRUST} ${VALUE}" + ;; + "fetch") + FETCH=1 + ;; + "result") + EXP_RESULT="${VALUE}" + parse_result + ;; + "rev_type") + REV_OPTS="${REV_OPTS} -g ${VALUE}" + ;; + "rev_flags") + REV_OPTS="${REV_OPTS} -h ${VALUE}" + ;; + "rev_mtype") + REV_OPTS="${REV_OPTS} -m ${VALUE}" + ;; + "rev_mflags") + REV_OPTS="${REV_OPTS} -s ${VALUE}" + ;; + "scenario") + SCENARIO="${VALUE}: " + + CHAINS_DIR="${HOSTDIR}/chains/${VALUE}" + mkdir -p ${CHAINS_DIR} + cd ${CHAINS_DIR} + + if [ -n "${MEMLEAK_DBG}" ]; then + LOGNAME="libpkix-${VALUE}" + LOGFILE="${LOGDIR}/${LOGNAME}" + fi + + SCEN_CNT=$(expr ${SCEN_CNT} + 1) + ;; + "sleep") + sleep ${VALUE} + ;; + "break") + break + ;; + "check_ocsp") + check_ocsp ${VALUE} + if [ $? -ne 0 ]; then + echo "OCSP server not accessible, skipping OCSP tests" + break; + fi + ;; + "ku") + EXT_KU="${VALUE}" + ;; + "ns") + EXT_NS="${VALUE}" + ;; + "eku") + EXT_EKU="${VALUE}" + ;; + "usage") + USAGE_OPT="-u ${VALUE}" + ;; + "") + if [ -n "${ENTITY}" ]; then + if [ -z "${DB}" ]; then + create_entity "${ENTITY}" "${TYPE}" + fi + sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" + if [ "${TYPE}" = "Bridge" ]; then + create_pkcs7 "${ENTITY}" + fi + ENTITY= + fi + + if [ -n "${VERIFY}" ]; then + verify_cert + VERIFY= + fi + + if [ -n "${REVOKE}" ]; then + revoke_cert "${REVOKE}" "${DB}" + REVOKE= + fi + ;; + *) + if [ `echo ${KEY} | cut -b 1` != "#" ]; then + echo "Configuration error: Unknown keyword ${KEY}" + exit 1 + fi + ;; + esac + done + + if [ -n "${MEMLEAK_DBG}" ]; then + log_parse + html_msg $? 0 "${SCENARIO}Memory leak checking" + fi +} + +############################# chains_main ############################## +# local shell function to process all testing scenarios +######################################################################## +chains_main() +{ + while read LINE + do + [ `echo ${LINE} | cut -b 1` != "#" ] || continue + + > ${AIA_FILES} + + parse_config < "${QADIR}/chains/scenarios/${LINE}" + + while read AIA_FILE + do + rm ${AIA_FILE} 2> /dev/null + done < ${AIA_FILES} + rm ${AIA_FILES} + done < "${CHAINS_SCENARIOS}" +} + +################################ main ################################## + +chains_init +chains_main +chains_cleanup + diff --git a/mozilla/security/nss/tests/chains/ocspd-config/ocspd-certs.sh b/mozilla/security/nss/tests/chains/ocspd-config/ocspd-certs.sh new file mode 100755 index 0000000..ccba63c --- /dev/null +++ b/mozilla/security/nss/tests/chains/ocspd-config/ocspd-certs.sh @@ -0,0 +1,116 @@ +#!/bin/bash + +DATA_DIR=$1 +OCSP_DIR=$2 +CERT_DIR=$3 + +TEST_PWD="nssnss" +CONF_TEMPLATE="ocspd.conf.template" + +convert_cert() +{ + CERT_NAME=$1 + CERT_SIGNER=$2 + + openssl x509 -in ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der -inform DER -out ${DATA_DIR}/${CERT_NAME}.pem -outform PEM +} + +convert_crl() +{ + CRL_NAME=$1 + + openssl crl -in ${DATA_DIR}/${CRL_NAME}.crl -inform DER -out ${DATA_DIR}/${CRL_NAME}crl.pem -outform PEM +} + +convert_key() +{ + KEY_NAME=$1 + + pk12util -o ${DATA_DIR}/${KEY_NAME}.p12 -n ${KEY_NAME} -d ${DATA_DIR}/${KEY_NAME}DB -k ${DATA_DIR}/${KEY_NAME}DB/dbpasswd -W ${TEST_PWD} + openssl pkcs12 -in ${DATA_DIR}/${KEY_NAME}.p12 -out ${DATA_DIR}/${KEY_NAME}.key.tmp -passin pass:${TEST_PWD} -passout pass:${TEST_PWD} + + STATUS=0 + cat ${DATA_DIR}/${KEY_NAME}.key.tmp | while read LINE; do + echo "${LINE}" | grep "BEGIN RSA PRIVATE KEY" > /dev/null && STATUS=1 + [ ${STATUS} -eq 1 ] && echo "${LINE}" + echo "${LINE}" | grep "END RSA PRIVATE KEY" > /dev/null && break + done > ${DATA_DIR}/${KEY_NAME}.key + + rm ${DATA_DIR}/${KEY_NAME}.key.tmp +} + +create_conf() +{ + CONF_FILE=$1 + CA=$2 + OCSP=$3 + PORT=$4 + + cat ${CONF_TEMPLATE} | \ + sed "s:@DIR@:${OCSP_DIR}:" | \ + sed "s:@CA_CERT@:${DATA_DIR}/${CA}.pem:" | \ + sed "s:@CA_CRL@:${DATA_DIR}/${CA}crl.pem:" | \ + sed "s:@CA_KEY@:${DATA_DIR}/${CA}.key:" | \ + sed "s:@OCSP_PID@:${OCSP}.pid:" | \ + sed "s:@PORT@:${PORT}:" \ + > ${CONF_FILE} +} + +copy_cert() +{ + CERT_NAME=$1 + CERT_SIGNER=$2 + + cp ${DATA_DIR}/${CERT_NAME}${CERT_SIGNER}.der ${CERT_DIR}/${CERT_NAME}.cert +} + + +copy_key() +{ + KEY_NAME=$1 + + cp ${DATA_DIR}/${KEY_NAME}.p12 ${CERT_DIR}/${KEY_NAME}.p12 +} + +convert_cert OCSPRoot +convert_crl OCSPRoot +convert_key OCSPRoot + +convert_cert OCSPCA1 OCSPRoot +convert_crl OCSPCA1 +convert_key OCSPCA1 + +convert_cert OCSPCA2 OCSPRoot +convert_crl OCSPCA2 +convert_key OCSPCA2 + +convert_cert OCSPCA3 OCSPRoot +convert_crl OCSPCA3 +convert_key OCSPCA3 + +create_conf ocspd0.conf OCSPRoot ocspd0 2600 +create_conf ocspd1.conf OCSPCA1 ocspd1 2601 +create_conf ocspd2.conf OCSPCA2 ocspd2 2602 +create_conf ocspd3.conf OCSPCA3 ocspd3 2603 + +copy_cert OCSPRoot +copy_cert OCSPCA1 OCSPRoot +copy_cert OCSPCA2 OCSPRoot +copy_cert OCSPCA3 OCSPRoot +copy_cert OCSPEE11 OCSPCA1 +copy_cert OCSPEE12 OCSPCA1 +copy_cert OCSPEE13 OCSPCA1 +copy_cert OCSPEE14 OCSPCA1 +copy_cert OCSPEE15 OCSPCA1 +copy_cert OCSPEE21 OCSPCA2 +copy_cert OCSPEE22 OCSPCA2 +copy_cert OCSPEE23 OCSPCA2 +copy_cert OCSPEE31 OCSPCA3 +copy_cert OCSPEE32 OCSPCA3 +copy_cert OCSPEE33 OCSPCA3 + +copy_key OCSPRoot +copy_key OCSPCA1 +copy_key OCSPCA2 +copy_key OCSPCA3 + diff --git a/mozilla/security/nss/tests/chains/ocspd-config/ocspd.conf.template b/mozilla/security/nss/tests/chains/ocspd-config/ocspd.conf.template new file mode 100644 index 0000000..a33fed2 --- /dev/null +++ b/mozilla/security/nss/tests/chains/ocspd-config/ocspd.conf.template @@ -0,0 +1,45 @@ +[ ocspd ] + +default_ocspd = OCSPD_default + +[ OCSPD_default ] + +dir = @DIR@ +db = $dir/index.txt +md = sha1 + +ca_certificate = $dir/@CA_CERT@ +ocspd_certificate = $dir/@CA_CERT@ +ocspd_key = $dir/@CA_KEY@ +pidfile = $dir/@OCSP_PID@ + +user = nobody +group = nobody + +bind = * +port = @PORT@ + +max_req_size = 8192 +threads_num = 150 +max_timeout_secs = 5 +crl_auto_reload = 3600 +crl_check_validity = 600 +crl_reload_expired = yes +response = ocsp_response +dbms = dbms_file + +[ ocsp_response ] + +dir = @DIR@ +next_update_days = 0 +next_update_mins = 5 + +[ dbms_file ] + +0.ca = @first_ca + +[ first_ca ] + +crl_url = file:///@DIR@/@CA_CRL@ +ca_url = file:///@DIR@/@CA_CERT@ + diff --git a/mozilla/security/nss/tests/chains/ocspd-config/readme b/mozilla/security/nss/tests/chains/ocspd-config/readme new file mode 100644 index 0000000..87a3594 --- /dev/null +++ b/mozilla/security/nss/tests/chains/ocspd-config/readme @@ -0,0 +1,18 @@ +This script is used to generate certificates used by ocspd. + +Some steps to run (only once - before all OCSP testing): +1. Edit security/nss/tests/chains/scenarios/scenarios to have there only ocspd.cfg +2. Set environment variable to run only chains tests: export NSS_TESTS=chains.sh +3. Set environment variable to have the correct URI in the certificates: export NSS_AIA_OCSP=http://dochinups.us.oracle.com +4. Run tests: ./all.sh +5. Go to results directory: cd tests_results/security/${HOST}.${ID}/chains +6. Copy ocspd-certs.sh and ocspd.conf.template to this directory +7. Run: ./ocspd-certs.sh OCSPD ${OCSPD_ETC_DIR} ${LIBPKIX_CERTS_DIR}: + Example: ./ocspd-certs.sh OCSPD /export/iopr/openca-ocsp-responder/etc/ocspdPKIX \ + ~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs +8. Commit the new certificates that have been generated under ~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs +9. Copy config files and keys/certs/crls to ocspd etc directory: + cp *.conf /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX + cp *.pem *.key /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX/OCSPD +10. Start ocsp deamons on dochinups (for all configs). + diff --git a/mozilla/security/nss/tests/chains/scenarios/aia.cfg b/mozilla/security/nss/tests/chains/scenarios/aia.cfg new file mode 100644 index 0000000..000e000 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/aia.cfg @@ -0,0 +1,67 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario AIA + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + +entity CA2 + type Intermediate + issuer CA1 + aia CA1:Root + +entity User + type EE + issuer CA2 + +testdb User + +verify User:CA2 + cert CA2:CA1 + trust Root: + result fail + +verify User:CA2 + cert CA2:CA1 + trust Root: + fetch + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/anypolicy.cfg b/mozilla/security/nss/tests/chains/scenarios/anypolicy.cfg new file mode 100644 index 0000000..c6a989f --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/anypolicy.cfg @@ -0,0 +1,109 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario AnyPolicy + +entity RootCA + type Root + +entity CA1 + type Intermediate + issuer RootCA + policy any + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.0 + inhibit 0 + +entity CA3 + type Intermediate + issuer CA1 + policy OID.1.0 + +entity User1 + type EE + issuer CA2 + policy OID.1.0 + +entity User2 + type EE + issuer CA2 + policy any + +entity User3 + type EE + issuer CA3 + policy any + +db All + +import RootCA:: +import CA1:RootCA: +import CA2:CA1: +import CA3:CA1: + +verify User1:CA2 + trust RootCA + policy OID.1.0 + result pass + +verify User1:CA2 + trust RootCA + policy OID.2.0 + result fail + +verify User2:CA2 + trust RootCA + policy OID.1.0 + result fail + +verify User2:CA2 + trust RootCA + policy OID.2.0 + result fail + +verify User3:CA3 + trust RootCA + policy OID.1.0 + result pass + +verify User3:CA3 + trust RootCA + policy OID.2.0 + result fail + diff --git a/mozilla/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg b/mozilla/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg new file mode 100644 index 0000000..d5e5d57 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg @@ -0,0 +1,431 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario AnyPolicyWithLevel + +entity RootCA + type Root + +entity CA1 + type Intermediate + issuer RootCA + policy any + inhibit 1 + +entity CA12 + type Intermediate + issuer CA1 + policy any + +entity CA13 + type Intermediate + issuer CA12 + policy OID.1.0 + +entity EE1 + type EE + issuer CA13 + policy OID.1.0 + +entity CA22 + type Intermediate + issuer CA1 + policy any + +entity CA23 + type Intermediate + issuer CA22 + policy any + +entity EE2 + type EE + issuer CA23 + policy OID.1.0 + +entity CA32 + type Intermediate + issuer CA1 + policy any + inhibit 1 + +entity CA33 + type Intermediate + issuer CA32 + policy any + +entity EE3 + type EE + issuer CA33 + policy OID.1.0 + +entity CA42 + type Intermediate + issuer CA1 + policy any + policy OID.1.0 + +entity CA43 + type Intermediate + issuer CA42 + policy any + policy OID.1.0 + +entity EE4 + type EE + issuer CA43 + policy OID.1.0 + +entity CA52 + type Intermediate + issuer CA1 + policy any + policy OID.1.0 + +entity CA53 + type Intermediate + issuer CA52 + policy any + +entity EE5 + type EE + issuer CA53 + policy OID.1.0 + +entity CA61 + type Intermediate + issuer RootCA + policy any + inhibit 5 + +entity CA62 + type Intermediate + issuer CA61 + policy any + +entity EE62 + type EE + issuer CA62 + policy OID.1.0 + +entity CA63 + type Intermediate + issuer CA62 + policy any + +entity EE63 + type EE + issuer CA63 + policy OID.1.0 + +entity CA64 + type Intermediate + issuer CA63 + policy any + +entity EE64 + type EE + issuer CA64 + policy OID.1.0 + +entity CA65 + type Intermediate + issuer CA64 + policy any + +entity EE65 + type EE + issuer CA65 + policy OID.1.0 + +entity CA66 + type Intermediate + issuer CA65 + policy any + +entity EE66 + type EE + issuer CA66 + policy OID.1.0 + +entity CA67 + type Intermediate + issuer CA66 + policy any + +entity EE67 + type EE + issuer CA67 + policy OID.1.0 + +db All + +verify EE1:CA13 + cert RootCA: + cert CA1:RootCA + cert CA12:CA1 + cert CA13:CA12 + trust RootCA: + policy OID.1.0 + result pass + +verify EE1:CA13 + cert RootCA: + cert CA1:RootCA + cert CA12:CA1 + cert CA13:CA12 + trust RootCA: + policy OID.2.0 + result fail + +verify EE1:CA13 + cert RootCA: + cert CA1:RootCA + cert CA12:CA1 + cert CA13:CA12 + trust RootCA: + policy OID.2.5.29.32.0 + result pass + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + policy OID.1.0 + result fail + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + policy OID.2.0 + result fail + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + policy OID.2.5.29.32.0 + result fail + +verify EE2:CA23 + cert RootCA: + cert CA1:RootCA + cert CA22:CA1 + cert CA23:CA22 + trust RootCA: + result pass + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + policy OID.1.0 + result fail + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + policy OID.2.0 + result fail + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + policy OID.2.5.29.32.0 + result fail + +verify EE3:CA33 + cert RootCA: + cert CA1:RootCA + cert CA32:CA1 + cert CA33:CA32 + trust RootCA: + result pass + +verify EE4:CA43 + cert RootCA: + cert CA1:RootCA + cert CA42:CA1 + cert CA43:CA42 + trust RootCA: + policy OID.1.0 + result pass + +verify EE4:CA43 + cert RootCA: + cert CA1:RootCA + cert CA42:CA1 + cert CA43:CA42 + trust RootCA: + policy OID.2.0 + result fail + +verify EE4:CA43 + cert RootCA: + cert CA1:RootCA + cert CA42:CA1 + cert CA43:CA42 + trust RootCA: + policy OID.2.5.29.32.0 + result pass + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + policy OID.1.0 + result fail + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + policy OID.2.0 + result fail + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + policy OID.2.5.29.32.0 + result fail + +verify EE5:CA53 + cert RootCA: + cert CA1:RootCA + cert CA52:CA1 + cert CA53:CA52 + trust RootCA: + result pass + +verify EE62:CA62 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE63:CA63 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE64:CA64 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE65:CA65 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE66:CA66 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result pass + +verify EE67:CA67 + cert RootCA: + cert CA61:RootCA + cert CA62:CA61 + cert CA63:CA62 + cert CA64:CA63 + cert CA65:CA64 + cert CA66:CA65 + cert CA67:CA66 + trust RootCA: + policy OID.1.0 + result fail + diff --git a/mozilla/security/nss/tests/chains/scenarios/bridge.cfg b/mozilla/security/nss/tests/chains/scenarios/bridge.cfg new file mode 100644 index 0000000..172b1a0 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/bridge.cfg @@ -0,0 +1,138 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario Bridge + +entity Army + type Root + +entity Navy + type Root + +entity Bridge + type Bridge + issuer Army + issuer Navy + +entity User + type EE + issuer Bridge + +db All + +import Army:: +import Navy:: + +verify User:Bridge + cert Bridge:Navy + trust Navy + result pass + +verify User:Bridge + cert Bridge:Army + trust Army + result pass + +verify User:Bridge + cert Bridge:Navy + trust Army + result fail + +import Bridge:Army: +import Bridge:Navy: + +verify User:Bridge + trust Army + result pass + +verify User:Bridge + trust Navy + result pass + +db ArmyOnly + +import Army::C,, + +verify User:Bridge + result fail + +verify User:Bridge + cert Bridge:Navy + result fail + +verify User:Bridge + cert Bridge:Navy + cert Navy: + result fail + +verify User:Bridge + cert Bridge:Navy + cert Navy: + trust Navy: + result pass + +verify User:Bridge + cert Bridge:Navy + trust Navy: + result pass + +db NavyOnly + +import Navy::C,, + +verify User:Bridge + result fail + +verify User:Bridge + cert Bridge:Army + result fail + +verify User:Bridge + cert Bridge:Army + cert Army: + result fail + +verify User:Bridge + cert Bridge:Army + cert Army: + trust Army: + result pass + +verify User:Bridge + cert Bridge:Army + trust Army: + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/bridgewithaia.cfg b/mozilla/security/nss/tests/chains/scenarios/bridgewithaia.cfg new file mode 100644 index 0000000..94a634f --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/bridgewithaia.cfg @@ -0,0 +1,86 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario BridgeWithAIA + +entity Army + type Root + +entity Navy + type Root + +entity Bridge + type Bridge + issuer Army + issuer Navy + +entity CA1 + type Intermediate + issuer Bridge + aia Bridge + +entity EE1 + type EE + issuer CA1 + +testdb EE1 + +verify EE1:CA1 + cert CA1:Bridge + trust Army: + result fail + +verify EE1:CA1 + cert CA1:Bridge + trust Army: + fetch +# should pass, bug 435314 +# temporary result - test fails only with dbm cert db + result dbm:fail all:pass + +verify EE1:CA1 + cert CA1:Bridge + trust Navy: + fetch + result pass + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:Army + trust Navy: + fetch + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg b/mozilla/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg new file mode 100644 index 0000000..5d1a7ee --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg @@ -0,0 +1,121 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario BridgeWithHalfAIA + +entity Army + type Root + +entity Navy + type Root + +entity Bridge + type Bridge + issuer Army + issuer Navy + +entity CA1 + type Intermediate + issuer Bridge + aia Bridge + +entity EE1 + type EE + issuer CA1 + +entity CA2 + type Intermediate + issuer Bridge + aia Bridge:Navy + +entity EE2 + type EE + issuer CA2 + +testdb EE1 + +verify EE1:CA1 + cert CA1:Bridge + trust Army: + result fail + +verify EE1:CA1 + cert CA1:Bridge + trust Army: + fetch +# should pass, bug 435314 +# temporary result - test fails only with dbm cert db + result dbm:fail all:pass + +verify EE1:CA1 + cert CA1:Bridge + trust Navy: + fetch + result pass + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:Army + trust Navy: + fetch + result pass + +verify EE2:CA2 + cert Bridge:Army + trust Army: + fetch + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:Army + trust Army: + fetch + result pass + +verify EE2:CA2 + cert CA2:Bridge + trust Navy: + fetch + result pass + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:Army + trust Navy: + fetch + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg b/mozilla/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg new file mode 100644 index 0000000..cd5cd52 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg @@ -0,0 +1,219 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario BridgeWithPolicyExtensionAndMapping + +entity Army + type Root + +entity Navy + type Root + +entity CAArmy + type Intermediate + issuer Army + policy OID.1.0 + policy OID.1.1 + +entity CANavy + type Intermediate + issuer Navy + policy OID.2.0 + policy OID.2.1 + +entity Bridge + type Bridge + issuer CAArmy + policy OID.1.0 + policy OID.1.1 + mapping OID.1.1:OID.2.1 + issuer CANavy + policy OID.2.0 + policy OID.2.1 + mapping OID.2.1:OID.1.1 + +entity CA1 + type Intermediate + issuer Bridge + policy OID.1.1 + policy OID.2.1 + +entity CA2 + type Intermediate + issuer Bridge + policy OID.1.0 + policy OID.2.0 + +entity EE1 + type EE + issuer CA1 + policy OID.2.1 + +entity EE2 + type EE + issuer CA2 + policy OID.2.0 + +testdb + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.1.0 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.1.1 + result pass + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.2.0 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.2.1 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.1.0 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.1.1 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.2.0 + result fail + +verify EE1:CA1 + cert CA1:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.2.1 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.1.0 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.1.1 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.2.0 + result pass + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CANavy + cert CANavy:Navy + trust Navy: + policy OID.2.1 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.1.0 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.1.1 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.2.0 + result fail + +verify EE2:CA2 + cert CA2:Bridge + cert Bridge:CAArmy + cert CAArmy:Army + trust Army: + policy OID.2.1 + result fail + diff --git a/mozilla/security/nss/tests/chains/scenarios/crldp.cfg b/mozilla/security/nss/tests/chains/scenarios/crldp.cfg new file mode 100644 index 0000000..a86b18a --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/crldp.cfg @@ -0,0 +1,137 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario CRLDP + +entity Root + type Root + +entity CA0 + type Intermediate + issuer Root + +entity CA1 + type Intermediate + crldp CA0 + issuer CA0 + serial 10 + aia CA0:Root + +entity EE11 + type EE + crldp CA0 + issuer CA1 + +entity CA2 + type Intermediate + crldp CA0 + issuer CA0 + serial 20 + aia CA0:Root + +entity EE21 + type EE + issuer CA2 + +entity EE1 + type EE + crldp CA0 + issuer CA0 + serial 30 + aia CA0:Root + +entity EE2 + type EE + crldp CA0 + issuer CA0 + serial 40 + aia CA0:Root + +crl Root +crl CA0 +crl CA1 +crl CA2 + +revoke CA0 + serial 20 + +revoke CA0 + serial 40 + +copycrl CA0 + +db All + +import Root::CTu,CTu,CTu + +# intermediate CA - OK, EE - OK +verify EE11:CA1 + cert CA1:CA0 + trust Root: + fetch + rev_type chain + rev_flags requireFreshInfo + rev_mtype crl + result pass + +# intermediate CA - revoked, EE - OK +verify EE21:CA2 + cert CA2:CA0 + trust Root: + fetch + rev_type chain + rev_flags requireFreshInfo + rev_mtype crl + result fail + +# direct EE - OK +verify EE1:CA0 + trust Root: + fetch + rev_type leaf + rev_flags requireFreshInfo + rev_mtype crl + result pass + +# direct EE - revoked +verify EE2:CA0 + trust Root: + fetch + rev_type leaf + rev_flags requireFreshInfo + rev_mtype crl + result fail + diff --git a/mozilla/security/nss/tests/chains/scenarios/dsa.cfg b/mozilla/security/nss/tests/chains/scenarios/dsa.cfg new file mode 100644 index 0000000..6348a2a --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/dsa.cfg @@ -0,0 +1,104 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario DSA + +entity Root + type Root + ctype dsa + +entity CA1 + type Intermediate + issuer Root + ctype dsa + +entity EE1 + type EE + issuer CA1 + ctype dsa + +entity CA2 + type Intermediate + issuer Root + ctype dsa + +entity EE2 + type EE + issuer CA2 + ctype rsa + +entity CA3 + type Intermediate + issuer Root + ctype rsa + +entity EE3 + type EE + issuer CA3 + ctype dsa + +entity CA4 + type Intermediate + issuer Root + ctype rsa + +entity EE4 + type EE + issuer CA4 + ctype rsa + +db All + +verify EE1:CA1 + cert CA1:Root + trust Root: + result pass + +verify EE2:CA2 + cert CA2:Root + trust Root: + result pass + +verify EE3:CA3 + cert CA3:Root + trust Root: + result pass + +verify EE4:CA4 + cert CA4:Root + trust Root: + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/explicitPolicy.cfg b/mozilla/security/nss/tests/chains/scenarios/explicitPolicy.cfg new file mode 100644 index 0000000..4b6ea22 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/explicitPolicy.cfg @@ -0,0 +1,110 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario explicitPolicy + +entity Root + type Root + +entity nonEVCA + type Intermediate + issuer Root + +entity EVCA + type Intermediate + issuer Root + policy OID.1.0 + +entity otherEVCA + type Intermediate + issuer Root + policy OID.2.0 + +entity validEV + type EE + issuer EVCA + policy OID.1.0 + +entity invalidEV + type EE + issuer nonEVCA + policy OID.1.0 + +entity wrongEVOID + type EE + issuer otherEVCA + policy OID.1.0 + +db All + +verify validEV:EVCA + cert EVCA:Root + cert Root: + trust Root: + policy OID.1.0 + result pass + +verify invalidEV:nonEVCA + cert nonEVCA:Root + cert Root: + trust Root: + policy OID.1.0 + result fail + +verify wrongEVOID:otherEVCA + cert otherEVCA:Root + cert Root: + trust Root: + policy OID.1.0 + result fail + +import Root::C,C,C + +verify validEV:EVCA + cert EVCA:Root + policy OID.1.0 + result pass + +verify invalidEV:nonEVCA + cert nonEVCA:Root + policy OID.1.0 + result fail + +verify wrongEVOID:otherEVCA + cert otherEVCA:Root + policy OID.1.0 + result fail + diff --git a/mozilla/security/nss/tests/chains/scenarios/extension.cfg b/mozilla/security/nss/tests/chains/scenarios/extension.cfg new file mode 100644 index 0000000..bc476fe --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/extension.cfg @@ -0,0 +1,134 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario Extension + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + policy OID.1.0 + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.0 + +entity User + type EE + issuer CA2 + policy OID.1.0 + +db All + +verify User:CA2 + cert CA2:CA1 + cert CA1:Root + cert Root: + trust Root: + policy OID.1.0 + result pass + +verify User:CA2 + cert CA2:CA1 + cert CA1:Root + cert Root: + trust Root: + policy OID.2.0 + result fail + +verify User:CA2 + cert CA2:CA1 + cert CA1:Root + trust CA1:Root + policy OID.1.0 + result pass + +verify User:CA2 + cert CA2:CA1 + cert CA1:Root + trust CA1:Root + policy OID.2.0 + result fail + +verify User:CA2 + cert CA2:CA1 + trust CA2:CA1 + policy OID.1.0 + result pass + +verify User:CA2 + cert CA2:CA1 + trust CA2:CA1 + policy OID.2.0 + result fail + +import Root:: +import CA1:Root: +import CA2:CA1: + +verify User:CA2 + trust Root + policy OID.1.0 + result pass + +verify User:CA2 + trust Root + policy OID.2.0 + result fail + +verify User:CA2 + trust CA1 + policy OID.1.0 + result pass + +verify User:CA2 + trust CA1 + policy OID.2.0 + result fail + +verify User:CA2 + trust CA2 + policy OID.1.0 + result pass + +verify User:CA2 + trust CA2 + policy OID.2.0 + result fail + diff --git a/mozilla/security/nss/tests/chains/scenarios/extension2.cfg b/mozilla/security/nss/tests/chains/scenarios/extension2.cfg new file mode 100644 index 0000000..0de74a8 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/extension2.cfg @@ -0,0 +1,172 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario Extension2 + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + policy OID.1.0 + policy OID.2.0 + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.0 + policy OID.2.0 + +entity User1 + type EE + issuer CA2 + policy OID.1.0 + +entity User2 + type EE + issuer CA2 + policy OID.1.0 + policy OID.2.0 + +db All + +verify User1:CA2 + cert CA2:CA1 + cert CA1:Root + cert Root: + trust Root: + policy OID.1.0 + result pass + +verify User1:CA2 + cert CA2:CA1 + cert CA1:Root + cert Root: + trust Root: + policy OID.2.0 + result fail + +verify User1:CA2 + cert CA2:CA1 + cert CA1:Root + trust CA1:Root + policy OID.1.0 + result pass + +verify User1:CA2 + cert CA2:CA1 + cert CA1:Root + trust CA1:Root + policy OID.2.0 + result fail + +verify User1:CA2 + cert CA2:CA1 + trust CA2:CA1 + policy OID.1.0 + result pass + +verify User1:CA2 + cert CA2:CA1 + trust CA2:CA1 + policy OID.2.0 + result fail + +import Root:: +import CA1:Root: +import CA2:CA1: + +verify User1:CA2 + trust Root + policy OID.1.0 + result pass + +verify User1:CA2 + trust Root + policy OID.2.0 + result fail + +verify User1:CA2 + trust CA1 + policy OID.1.0 + result pass + +verify User1:CA2 + trust CA1 + policy OID.2.0 + result fail + +verify User1:CA2 + trust CA2 + policy OID.1.0 + result pass + +verify User1:CA2 + trust CA2 + policy OID.2.0 + result fail + +verify User2:CA2 + trust Root + policy OID.1.0 + result pass + +verify User2:CA2 + trust Root + policy OID.2.0 + result pass + +verify User2:CA2 + trust CA1 + policy OID.1.0 + result pass + +verify User2:CA2 + trust CA1 + policy OID.2.0 + result pass + +verify User2:CA2 + trust CA2 + policy OID.1.0 + result pass + +verify User2:CA2 + trust CA2 + policy OID.2.0 + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/mapping.cfg b/mozilla/security/nss/tests/chains/scenarios/mapping.cfg new file mode 100644 index 0000000..ab58ee5 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/mapping.cfg @@ -0,0 +1,95 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario Mapping + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + policy OID.1.0 + mapping OID.1.0:OID.1.1 + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.1 + +entity User + type EE + issuer CA2 + policy OID.1.1 + +db All + +import Root:: +import CA1:Root: +import CA2:CA1: + +verify User:CA2 + trust Root + policy OID.1.0 +# should fail, bug 430859 + result pass + +verify User:CA2 + trust Root + policy OID.1.1 +# should pass, bug 430859 + result fail + +verify User:CA2 + trust CA1 + policy OID.1.0 + result fail + +verify User:CA2 + trust CA1 + policy OID.1.1 + result pass + +verify User:CA2 + trust CA2 + policy OID.1.0 + result fail + +verify User:CA2 + trust CA2 + policy OID.1.1 + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/mapping2.cfg b/mozilla/security/nss/tests/chains/scenarios/mapping2.cfg new file mode 100644 index 0000000..6f99c87 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/mapping2.cfg @@ -0,0 +1,103 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario Mapping2 + +entity Root + type Root + +entity CA1 + type Intermediate + issuer Root + policy OID.1.0 + +entity CA2 + type Intermediate + issuer CA1 + policy OID.1.0 + mapping OID.1.0:OID.1.1 + +entity CA3 + type Intermediate + issuer CA2 + policy OID.1.1 + +entity User + type EE + issuer CA3 + policy OID.1.1 + +db All + +import Root:: +import CA1:Root: +import CA2:CA1: +import CA3:CA2: + +verify User:CA3 + trust Root + policy OID.1.0 +# should fail, bug 430859 + result pass + +verify User:CA3 + trust Root + policy OID.1.1 +# should pass, bug 430859 + result fail + +verify User:CA3 + trust CA1 + policy OID.1.0 +# should fail, bug 430859 + result pass + +verify User:CA3 + trust CA1 + policy OID.1.1 +# should pass, bug 430859 + result fail + +verify User:CA3 + trust CA2 + policy OID.1.0 + result fail + +verify User:CA3 + trust CA2 + policy OID.1.1 + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/megabridge_3_2.cfg b/mozilla/security/nss/tests/chains/scenarios/megabridge_3_2.cfg new file mode 100644 index 0000000..08268cb --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/megabridge_3_2.cfg @@ -0,0 +1,162 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario MegaBridge_3_2 + +entity Root1 + type Root + +entity Root2 + type Root + +entity Root3 + type Root + +entity Root4 + type Root + +entity Root5 + type Root + +entity Root6 + type Root + +entity Root7 + type Root + +entity Root8 + type Root + +entity Root9 + type Root + +entity Bridge11 + type Bridge + issuer Root1 + issuer Root2 + issuer Root3 + +entity Bridge12 + type Bridge + issuer Root4 + issuer Root5 + issuer Root6 + +entity Bridge13 + type Bridge + issuer Root7 + issuer Root8 + issuer Root9 + +entity Bridge21 + type Bridge + issuer Bridge11 + issuer Bridge12 + issuer Bridge13 + +entity CA1 + type Intermediate + issuer Bridge21 + +entity EE1 + type EE + issuer CA1 + +testdb EE1 + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge11 + cert Bridge11:Root1 + trust Root1: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge11 + cert Bridge11:Root2 + trust Root2: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge11 + cert Bridge11:Root3 + trust Root3: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge12 + cert Bridge12:Root4 + trust Root4: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge12 + cert Bridge12:Root5 + trust Root5: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge12 + cert Bridge12:Root6 + trust Root6: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge13 + cert Bridge13:Root7 + trust Root7: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge13 + cert Bridge13:Root8 + trust Root8: + result pass + +verify EE1:CA1 + cert CA1:Bridge21 + cert Bridge21:Bridge13 + cert Bridge13:Root9 + trust Root9: + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg b/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg new file mode 100644 index 0000000..f70f8b6 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg @@ -0,0 +1,209 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario OCSP + +check_ocsp OCSPEE11:x + +db OCSPRoot +import OCSPRoot:x:CT,C,C + +db OCSPCA1 +import_key OCSPCA1 + +crl OCSPCA1 + +revoke OCSPCA1 + serial 3 + +revoke OCSPCA1 + serial 4 + +testdb OCSPRoot + +#EE - OK, CA - OK +verify OCSPEE11:x + cert OCSPCA1:x + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result pass + +#EE - revoked, CA - OK +verify OCSPEE12:x + cert OCSPCA1:x + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - unknown +verify OCSPEE15:x + cert OCSPCA1:x + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + result pass + +#EE - unknown, requireFreshInfo +verify OCSPEE15:x + cert OCSPCA1:x + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - OK, CA - revoked, leaf, no fresh info +verify OCSPEE21:x + cert OCSPCA2:x + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + result pass + +#EE - OK, CA - revoked, leaf, requireFreshInfo +verify OCSPEE21:x + cert OCSPCA2:x + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - OK, CA - revoked, chain, requireFreshInfo +verify OCSPEE21:x + cert OCSPCA2:x + trust OCSPRoot + rev_type chain + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - OK, CA - unknown +verify OCSPEE31:x + cert OCSPCA3:x + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + result pass + +#EE - OK, CA - unknown, requireFreshInfo +verify OCSPEE31:x + cert OCSPCA3:x + trust OCSPRoot + rev_type leaf + rev_flags requireFreshInfo + rev_mtype ocsp + result fail + +#EE - revoked, doNotUse +verify OCSPEE12:x + cert OCSPCA1:x + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + rev_mflags doNotUse + result pass + +#EE - revoked, forbidFetching +verify OCSPEE12:x + cert OCSPCA1:x + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + rev_mflags forbidFetching + result pass + +#EE - unknown status, failIfNoInfo +verify OCSPEE15:x + cert OCSPCA1:x + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + rev_mflags failIfNoInfo + result fail + +#EE - OK, CA - revoked, leaf, failIfNoInfo +verify OCSPEE21:x + cert OCSPCA2:x + trust OCSPRoot + rev_type leaf + rev_mtype ocsp + rev_mflags failIfNoInfo + result fail + +testdb OCSPCA1 + +#EE - OK on OCSP, revoked locally - should fail ?? +# two things about this test: crl is not imported into the db and +# cert 13 is not revoked by crl. +verify OCSPEE13:x + cert OCSPCA1:x + trust OCSPCA1 + rev_type leaf + rev_flags testLocalInfoFirst + rev_mtype ocsp + result pass + +db OCSPRoot1 +import OCSPRoot:x:CT,C,C + +verify OCSPEE23:x + cert OCSPCA2:x + trust OCSPRoot + rev_type chain + rev_mtype ocsp + rev_type leaf + rev_mtype ocsp + result fail + +db OCSPRoot2 +import OCSPRoot:x:T,, + +# bug 527438 +# expected result of this test is FAIL +verify OCSPEE23:x + cert OCSPCA2:x + trust OCSPRoot + rev_type chain + rev_mtype ocsp + rev_type leaf + rev_mtype ocsp + result pass + diff --git a/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg b/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg new file mode 100644 index 0000000..c089405 --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg @@ -0,0 +1,169 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario OCSPD + +#root CA +entity OCSPRoot + type Root + +#CA - OK +entity OCSPCA1 + type Intermediate + issuer OCSPRoot + serial 1 + ocsp 2600 + +#CA - revoked +entity OCSPCA2 + type Intermediate + issuer OCSPRoot + serial 2 + ocsp 2600 + +#CA - unknown status +entity OCSPCA3 + type Intermediate + issuer OCSPRoot + serial 3 + ocsp 2599 + +#EE - OK +entity OCSPEE11 + type EE + issuer OCSPCA1 + serial 1 + ocsp 2601 + +#EE - revoked on OCSP +entity OCSPEE12 + type EE + issuer OCSPCA1 + serial 2 + ocsp 2601 + +#EE - revoked on CRL +entity OCSPEE13 + type EE + issuer OCSPCA1 + serial 3 + ocsp 2601 + +#EE - revoked on OCSP and CRL +entity OCSPEE14 + type EE + issuer OCSPCA1 + serial 4 + ocsp 2601 + +#EE - unknown status +entity OCSPEE15 + type EE + issuer OCSPCA1 + serial 5 + ocsp 2599 + +#EE - valid EE, revoked CA +entity OCSPEE21 + type EE + issuer OCSPCA2 + serial 1 + ocsp 2602 + +#EE - revoked EE, revoked CA +entity OCSPEE22 + type EE + issuer OCSPCA2 + serial 2 + ocsp 2602 + +#EE - revoked EE, CA pointing to invalid OCSP +entity OCSPEE23 + type EE + issuer OCSPCA2 + serial 3 + ocsp 2599 + +#EE - valid EE, CA pointing to invalid OCSP +entity OCSPEE31 + type EE + issuer OCSPCA3 + serial 1 + ocsp 2603 + +#EE - revoked EE, CA pointing to invalid OCSP +entity OCSPEE32 + type EE + issuer OCSPCA3 + serial 2 + ocsp 2603 + +#EE - EE pointing to invalid OCSP, CA pointing to invalid OCSP +entity OCSPEE33 + type EE + issuer OCSPCA3 + serial 3 + ocsp 2599 + +crl OCSPRoot + +revoke OCSPRoot + serial 2 + +crl OCSPCA1 + +revoke OCSPCA1 + serial 2 + +revoke OCSPCA1 + serial 4 + +crl OCSPCA2 + +revoke OCSPCA2 + serial 2 + +revoke OCSPCA2 + serial 3 + +crl OCSPCA3 + +revoke OCSPCA3 + serial 2 + +revoke OCSPCA3 + serial 3 + diff --git a/mozilla/security/nss/tests/chains/scenarios/realcerts.cfg b/mozilla/security/nss/tests/chains/scenarios/realcerts.cfg new file mode 100644 index 0000000..124befb --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/realcerts.cfg @@ -0,0 +1,61 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario RealCerts + +db All + +import TestCA.ca:x:CT,C,C +import TestUser50:x: +import TestUser51:x: +import PayPalRootCA:x:CT,C,C +import PayPalICA:x: +import PayPalEE:x: +import BrAirWaysBadSig:x: + +verify TestUser50:x + result pass + +verify TestUser51:x + result pass + +verify PayPalEE:x + policy OID.2.16.840.1.113733.1.7.23.6 + result pass + +verify BrAirWaysBadSig:x + result fail + diff --git a/mozilla/security/nss/tests/chains/scenarios/revoc.cfg b/mozilla/security/nss/tests/chains/scenarios/revoc.cfg new file mode 100644 index 0000000..6e6ea8e --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/revoc.cfg @@ -0,0 +1,118 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +scenario Revocation + +entity Root + type Root + serial 10 + +entity CA0 + type Intermediate + issuer Root + serial 11 + +entity CA1 + type Intermediate + issuer CA0 + serial 12 + +entity EE11 + type EE + issuer CA1 + serial 13 + +entity EE12 + type EE + issuer CA1 + serial 14 + +entity CA2 + type Intermediate + issuer CA0 + serial 15 + +entity EE21 + type EE + issuer CA2 + serial 16 + +crl Root +crl CA0 +crl CA1 +crl CA2 + +revoke CA1 + serial 14 + +revoke CA0 + serial 15 + +db All + +import Root::CTu,CTu,CTu +import CA0:Root: +import CA1:CA0: +import CA2:CA0: + +# EE11 - not revoked +verify EE11:CA1 + trust Root: + rev_type leaf + rev_mtype crl + result pass + +# EE12 - revoked +verify EE12:CA1 + trust Root: + rev_type leaf + rev_mtype crl + result fail + +# EE11 - CA1 not revoked +verify EE11:CA1 + trust Root: + rev_type chain + rev_mtype crl + result pass + +# EE21 - CA2 revoked +verify EE21:CA2 + trust Root: + rev_type chain + rev_mtype crl + result fail + diff --git a/mozilla/security/nss/tests/chains/scenarios/scenarios b/mozilla/security/nss/tests/chains/scenarios/scenarios new file mode 100644 index 0000000..f3cd2be --- /dev/null +++ b/mozilla/security/nss/tests/chains/scenarios/scenarios @@ -0,0 +1,53 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Network Security Services (NSS) +# +# The Initial Developer of the Original Code is Sun Microsystems, Inc. +# Portions created by the Initial Developer are Copyright (C) 2009 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +bridge.cfg +megabridge_3_2.cfg +extension.cfg +extension2.cfg +anypolicy.cfg +anypolicywithlevel.cfg +explicitPolicy.cfg +mapping.cfg +mapping2.cfg +aia.cfg +bridgewithaia.cfg +bridgewithhalfaia.cfg +bridgewithpolicyextensionandmapping.cfg +realcerts.cfg +dsa.cfg +revoc.cfg +ocsp.cfg +crldp.cfg |