1 files changed, 398 insertions, 0 deletions
diff --git a/mozilla/security/nss/tests/iopr/server_scr/cert_gen.sh b/mozilla/security/nss/tests/iopr/server_scr/cert_gen.sh
new file mode 100644
index 0000000..9c0d0dc
--- /dev/null
+++ b/mozilla/security/nss/tests/iopr/server_scr/cert_gen.sh
@@ -0,0 +1,398 @@
+#!/bin/bash    
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Network Security Services (NSS)
+#
+# The Initial Developer of the Original Code is Sun Microsystems, Inc.
+# Portions created by the Initial Developer are Copyright (C) 2006-2009
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+######################################################################################
+# Server and client certs and crl generator functions. Generated files placed in a <dir>
+# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
+# This functions is used for manual webserver configuration and it is not a part of
+# nss test run.
+# To create certs use the following command:
+#       sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
+# Where:
+#       dir - directory where to place created files
+#       cert name - name of created server cert(FQDN)
+#       cert req  - cert request to be used for cert generation.
+#
+repAndExec() {
+    echo
+    if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
+        shift
+        echo certutil -s "$CU_SUBJECT" $@
+        certutil -s "$CU_SUBJECT" $@
+        RET=$?
+    else
+        echo $@
+        $@
+        RET=$?
+    fi
+
+    return $RET
+}
+
+setExtData() {
+    extData=$1
+
+    fldNum=0
+    extData=`echo $extData | sed 's/,/ /g'`
+    for extDT in $extData; do
+        if [ $fldNum -eq 0 ]; then
+            eval extType=$extDT
+            fldNum=1
+            continue
+        fi
+        eval data${fldNum}=$extDT
+        fldNum=`expr $fldNum + 1`
+    done
+}
+
+signCert() {
+    dir=$1
+    crtDir=$2
+    crtName=$3
+    crtSN=$4
+    req=$5
+    cuAddParam=$6
+    extList=$7
+
+    if [ -z "$certSigner" ]; then
+        certSigner=TestCA
+    fi
+
+    extCmdLine=""
+    extCmdFile=$dir/extInFile; rm -f $extCmdFile
+    touch $extCmdFile
+    extList=`echo $extList | sed 's/;/ /g'`
+    for ext in $extList; do
+        setExtData $ext
+        [ -z "$extType" ] && echo "incorrect extention format" && return 1
+        case $extType in
+        ocspDR)
+                extCmdLine="$extCmdLine -6"
+                cat <<EOF >> $extCmdFile
+5
+9
+y
+EOF
+                break
+                exit 1
+                ;;
+        AIA)    
+                extCmdLine="$extCmdLine -9"
+                cat <<EOF >> $extCmdFile
+2
+7
+$data1
+0
+n
+n
+EOF
+                break
+                ;;
+            *)
+                echo "Unsupported extension type: $extType"
+                break
+                ;;
+        esac
+    done
+    echo "cmdLine: $extCmdLine"
+    echo "cmdFile: "`cat $extCmdFile`
+    repAndExec \
+        certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
+        -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
+    return $RET
+}
+
+createSignedCert() {
+    dir=$1
+    certDir=$2
+    certName=$3
+    certSN=$4
+    certSubj=$5
+    keyType=$6
+    extList=$7
+
+    echo Creating cert $certName-$keyType with SN=$certSN
+
+    CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    repAndExec \
+        certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
+                  -k $keyType -o $dir/req  2>&1
+    [ "$RET" -ne 0 ] && return $RET
+
+    signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    rm -f $dir/req
+
+    repAndExec \
+        certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
+                    -i "$dir/${certName}-$keyType.crt" 2>&1
+    [ "$RET" -ne 0 ] && return $RET
+
+    cp "$dir/${certName}-$keyType.crt" $certDir
+
+    repAndExec \
+        pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
+                     -k ${PW_FILE} -W iopr
+    [ "$RET" -ne 0 ] && return $RET
+    return 0
+}
+
+generateAndExportSSLCerts() {
+    dir=$1
+    certDir=$2
+    serverName=$3
+    servCertReq=$4
+
+    if [ "$servCertReq" -a -f $servCertReq ]; then
+        grep REQUEST $servCertReq >/dev/null 2>&1
+        signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
+        ret=$?
+        [ "$ret" -ne 0 ] && return $ret
+    fi
+
+    certName=$serverName
+    createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+   
+    certName=TestUser510
+    createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=TestUser511
+    createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=TestUser512
+    createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=TestUser513
+    createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+}
+
+generateAndExportOCSPCerts() {
+    dir=$1
+    certDir=$2
+
+    certName=ocspTrustedResponder
+    createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspDesignatedResponder
+    createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspTRTestUser514
+    createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspTRTestUser516
+    createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspRCATestUser518
+    createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2561
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspRCATestUser520
+    createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2561
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspDRTestUser522
+    createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2562
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspDRTestUser524
+    createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2562
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    generateAndExportCACert $dir "" TestCA-unknown
+    [ $? -ne 0 ] && return $ret
+    
+    certSigner=TestCA-unknown
+    
+    certName=ocspTRUnkownIssuerCert
+    createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspRCAUnkownIssuerCert
+    createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2561
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspDRUnkownIssuerCert
+    createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2562
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certSigner=""
+    
+    return 0
+}
+
+generateAndExportCACert() {
+    dir=$1
+    certDirL=$2
+    caName=$3
+
+    certName=TestCA
+    [ "$caName" ] && certName=$caName
+    CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    repAndExec \
+        certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
+        -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
+5
+6
+9
+n
+y
+-1
+n
+EOF
+
+    if [ "$certDirL" ]; then
+        repAndExec \
+            certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt 
+        [ "$RET" -ne 0 ] && return $RET
+        
+        repAndExec \
+            pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
+        [ "$RET" -ne 0 ] && return $RET
+    fi
+}
+
+
+generateCerts() {
+    certDir=$1
+    serverName=$2
+    reuseCACert=$3
+    servCertReq=$4
+    
+    [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
+    [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
+
+    mkdir -p $certDir
+    [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
+    
+
+    dir=/tmp/db.$$
+    if [ -z "$reuseCACert" ]; then
+        if [ -d "$dir" ]; then
+            rm -f $dir
+        fi
+   
+        PW_FILE=$dir/nss.pwd
+        NOISE_FILE=$dir/nss.noise
+
+        mkdir -p $dir
+        [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
+        
+        echo nss > $PW_FILE
+        date >> ${NOISE_FILE} 2>&1
+        
+        repAndExec \
+            certutil -d $dir -N -f $PW_FILE
+        [ "$RET" -ne 0 ] && return $RET
+        
+        generateAndExportCACert $dir $certDir
+        [ "$RET" -ne 0 ] && return $RET
+    else
+        dir=$reuseCACert
+        PW_FILE=$dir/nss.pwd
+        NOISE_FILE=$dir/nss.noise
+        hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
+        [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
+            return $RET;
+    fi
+
+    generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
+    [ "$RET" -ne 0 ] && return $RET
+
+    generateAndExportOCSPCerts $dir $certDir
+    [ "$RET" -ne 0 ] && return $RET
+
+    crlUpdate=`date +%Y%m%d%H%M%SZ`
+    crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
+    repAndExec \
+        crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
+update=$crlUpdate
+nextupdate=$crlNextUpdate
+addcert 509-511 $crlUpdate
+addcert 516 $crlUpdate
+addcert 520 $crlUpdate
+addcert 524 $crlUpdate
+EOF_CRLINI
+    [ "$RET" -ne 0 ] && return $RET
+
+    rm -rf $dir
+    return 0
+}
+
+
+if [ -z "$1" -o -z "$2" ]; then
+    echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
+    exit 1
+fi
+generateCerts $1 $2 "$3" $4
+exit $?