nss-3.41/nss/tests/iopr/server_scr/cert_gen.sh - manifest_repos/nss - Git at Google

 #!/bin/bash

 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

 ######################################################################################
 # Server and client certs and crl generator functions. Generated files placed in a <dir>
 # directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
 # This functions is used for manual webserver configuration and it is not a part of
 # nss test run.
 # To create certs use the following command:
 #       sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
 # Where:
 #       dir - directory where to place created files
 #       cert name - name of created server cert(FQDN)
 #       cert req  - cert request to be used for cert generation.
 #
 repAndExec() {
     echo
     if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
         shift
         echo certutil -s "$CU_SUBJECT" $@
         certutil -s "$CU_SUBJECT" $@
         RET=$?
     else
         echo $@
         $@
         RET=$?
     fi

     return $RET
 }

 setExtData() {
     extData=$1

     fldNum=0
     extData=`echo $extData | sed 's/,/ /g'`
     for extDT in $extData; do
         if [ $fldNum -eq 0 ]; then
             eval extType=$extDT
             fldNum=1
             continue
         fi
         eval data${fldNum}=$extDT
         fldNum=`expr $fldNum + 1`
     done
 }

 signCert() {
     dir=$1
     crtDir=$2
     crtName=$3
     crtSN=$4
     req=$5
     cuAddParam=$6
     extList=$7

     if [ -z "$certSigner" ]; then
         certSigner=TestCA
     fi

     extCmdLine=""
     extCmdFile=$dir/extInFile; rm -f $extCmdFile
     touch $extCmdFile
     extList=`echo $extList | sed 's/;/ /g'`
     for ext in $extList; do
         setExtData $ext
         [ -z "$extType" ] && echo "incorrect extention format" && return 1
         case $extType in
         ocspDR)
                 extCmdLine="$extCmdLine -6"
                 cat <<EOF >> $extCmdFile
 5
 9
 y
 EOF
                 break
                 exit 1
                 ;;
         AIA)
                 extCmdLine="$extCmdLine -9"
                 cat <<EOF >> $extCmdFile
 2
 7
 $data1
 0
 n
 n
 EOF
                 break
                 ;;
             *)
                 echo "Unsupported extension type: $extType"
                 break
                 ;;
         esac
     done
     echo "cmdLine: $extCmdLine"
     echo "cmdFile: "`cat $extCmdFile`
     repAndExec \
         certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
         -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
     return $RET
 }

 createSignedCert() {
     dir=$1
     certDir=$2
     certName=$3
     certSN=$4
     certSubj=$5
     keyType=$6
     extList=$7

     echo Creating cert $certName-$keyType with SN=$certSN

     CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
     repAndExec \
         certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
                   -k $keyType -o $dir/req  2>&1
     [ "$RET" -ne 0 ] && return $RET

     signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     rm -f $dir/req

     repAndExec \
         certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
                     -i "$dir/${certName}-$keyType.crt" 2>&1
     [ "$RET" -ne 0 ] && return $RET

     cp "$dir/${certName}-$keyType.crt" $certDir

     repAndExec \
         pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
                      -k ${PW_FILE} -W iopr
     [ "$RET" -ne 0 ] && return $RET
     return 0
 }

 generateAndExportSSLCerts() {
     dir=$1
     certDir=$2
     serverName=$3
     servCertReq=$4

     if [ "$servCertReq" -a -f $servCertReq ]; then
         grep REQUEST $servCertReq >/dev/null 2>&1
         signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
         ret=$?
         [ "$ret" -ne 0 ] && return $ret
     fi

     certName=$serverName
     createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=TestUser510
     createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=TestUser511
     createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=TestUser512
     createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=TestUser513
     createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret
 }

 generateAndExportOCSPCerts() {
     dir=$1
     certDir=$2

     certName=ocspTrustedResponder
     createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=ocspDesignatedResponder
     createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=ocspTRTestUser514
     createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=ocspTRTestUser516
     createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=ocspRCATestUser518
     createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
         AIA,http://dochinups.red.iplanet.com:2561
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=ocspRCATestUser520
     createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
         AIA,http://dochinups.red.iplanet.com:2561
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=ocspDRTestUser522
     createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
         AIA,http://dochinups.red.iplanet.com:2562
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=ocspDRTestUser524
     createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
         AIA,http://dochinups.red.iplanet.com:2562
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     generateAndExportCACert $dir "" TestCA-unknown
     [ $? -ne 0 ] && return $ret

     certSigner=TestCA-unknown

     certName=ocspTRUnkownIssuerCert
     createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=ocspRCAUnkownIssuerCert
     createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
         AIA,http://dochinups.red.iplanet.com:2561
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certName=ocspDRUnkownIssuerCert
     createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
         AIA,http://dochinups.red.iplanet.com:2562
     ret=$?
     [ "$ret" -ne 0 ] && return $ret

     certSigner=""

     return 0
 }

 generateAndExportCACert() {
     dir=$1
     certDirL=$2
     caName=$3

     certName=TestCA
     [ "$caName" ] && certName=$caName
     CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
     repAndExec \
         certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
         -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
 5
 6
 9
 n
 y
 -1
 n
 EOF

     if [ "$certDirL" ]; then
         repAndExec \
             certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
         [ "$RET" -ne 0 ] && return $RET

         repAndExec \
             pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
         [ "$RET" -ne 0 ] && return $RET
     fi
 }


 generateCerts() {
     certDir=$1
     serverName=$2
     reuseCACert=$3
     servCertReq=$4

     [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
     [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1

     mkdir -p $certDir
     [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1


     dir=/tmp/db.$$
     if [ -z "$reuseCACert" ]; then
         if [ -d "$dir" ]; then
             rm -f $dir
         fi

         PW_FILE=$dir/nss.pwd
         NOISE_FILE=$dir/nss.noise

         mkdir -p $dir
         [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1

         echo nss > $PW_FILE
         date >> ${NOISE_FILE} 2>&1

         repAndExec \
             certutil -d $dir -N -f $PW_FILE
         [ "$RET" -ne 0 ] && return $RET

         generateAndExportCACert $dir $certDir
         [ "$RET" -ne 0 ] && return $RET
     else
         dir=$reuseCACert
         PW_FILE=$dir/nss.pwd
         NOISE_FILE=$dir/nss.noise
         hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
         [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
             return $RET;
     fi

     generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
     [ "$RET" -ne 0 ] && return $RET

     generateAndExportOCSPCerts $dir $certDir
     [ "$RET" -ne 0 ] && return $RET

     crlUpdate=`date +%Y%m%d%H%M%SZ`
     crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
     repAndExec \
         crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
 update=$crlUpdate
 nextupdate=$crlNextUpdate
 addcert 509-511 $crlUpdate
 addcert 516 $crlUpdate
 addcert 520 $crlUpdate
 addcert 524 $crlUpdate
 EOF_CRLINI
     [ "$RET" -ne 0 ] && return $RET

     rm -rf $dir
     return 0
 }


 if [ -z "$1" -o -z "$2" ]; then
     echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
     exit 1
 fi
 generateCerts $1 $2 "$3" $4
 exit $?
	#!/bin/bash

	# This Source Code Form is subject to the terms of the Mozilla Public
	# License, v. 2.0. If a copy of the MPL was not distributed with this
	# file, You can obtain one at http://mozilla.org/MPL/2.0/.

	######################################################################################
	# Server and client certs and crl generator functions. Generated files placed in a <dir>
	# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
	# This functions is used for manual webserver configuration and it is not a part of
	# nss test run.
	# To create certs use the following command:
	# sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
	# Where:
	# dir - directory where to place created files
	# cert name - name of created server cert(FQDN)
	# cert req - cert request to be used for cert generation.
	#
	repAndExec() {
	echo
	if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
	shift
	echo certutil -s "$CU_SUBJECT" $@
	certutil -s "$CU_SUBJECT" $@
	RET=$?
	else
	echo $@
	$@
	RET=$?
	fi

	return $RET
	}

	setExtData() {
	extData=$1

	fldNum=0
	extData=`echo $extData \| sed 's/,/ /g'`
	for extDT in $extData; do
	if [ $fldNum -eq 0 ]; then
	eval extType=$extDT
	fldNum=1
	continue
	fi
	eval data${fldNum}=$extDT
	fldNum=`expr $fldNum + 1`
	done
	}

	signCert() {
	dir=$1
	crtDir=$2
	crtName=$3
	crtSN=$4
	req=$5
	cuAddParam=$6
	extList=$7

	if [ -z "$certSigner" ]; then
	certSigner=TestCA
	fi

	extCmdLine=""
	extCmdFile=$dir/extInFile; rm -f $extCmdFile
	touch $extCmdFile
	extList=`echo $extList \| sed 's/;/ /g'`
	for ext in $extList; do
	setExtData $ext
	[ -z "$extType" ] && echo "incorrect extention format" && return 1
	case $extType in
	ocspDR)
	extCmdLine="$extCmdLine -6"
	cat <<EOF >> $extCmdFile
	5
	9
	y
	EOF
	break
	exit 1
	;;
	AIA)
	extCmdLine="$extCmdLine -9"
	cat <<EOF >> $extCmdFile
	2
	7
	$data1
	0
	n
	n
	EOF
	break
	;;
	*)
	echo "Unsupported extension type: $extType"
	break
	;;
	esac
	done
	echo "cmdLine: $extCmdLine"
	echo "cmdFile: "`cat $extCmdFile`
	repAndExec \
	certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
	-i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
	return $RET
	}

	createSignedCert() {
	dir=$1
	certDir=$2
	certName=$3
	certSN=$4
	certSubj=$5
	keyType=$6
	extList=$7

	echo Creating cert $certName-$keyType with SN=$certSN

	CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
	repAndExec \
	certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
	-k $keyType -o $dir/req 2>&1
	[ "$RET" -ne 0 ] && return $RET

	signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	rm -f $dir/req

	repAndExec \
	certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
	-i "$dir/${certName}-$keyType.crt" 2>&1
	[ "$RET" -ne 0 ] && return $RET

	cp "$dir/${certName}-$keyType.crt" $certDir

	repAndExec \
	pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
	-k ${PW_FILE} -W iopr
	[ "$RET" -ne 0 ] && return $RET
	return 0
	}

	generateAndExportSSLCerts() {
	dir=$1
	certDir=$2
	serverName=$3
	servCertReq=$4

	if [ "$servCertReq" -a -f $servCertReq ]; then
	grep REQUEST $servCertReq >/dev/null 2>&1
	signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
	ret=$?
	[ "$ret" -ne 0 ] && return $ret
	fi

	certName=$serverName
	createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=TestUser510
	createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=TestUser511
	createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=TestUser512
	createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=TestUser513
	createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret
	}

	generateAndExportOCSPCerts() {
	dir=$1
	certDir=$2

	certName=ocspTrustedResponder
	createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=ocspDesignatedResponder
	createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=ocspTRTestUser514
	createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=ocspTRTestUser516
	createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=ocspRCATestUser518
	createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
	AIA,http://dochinups.red.iplanet.com:2561
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=ocspRCATestUser520
	createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
	AIA,http://dochinups.red.iplanet.com:2561
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=ocspDRTestUser522
	createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
	AIA,http://dochinups.red.iplanet.com:2562
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=ocspDRTestUser524
	createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
	AIA,http://dochinups.red.iplanet.com:2562
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	generateAndExportCACert $dir "" TestCA-unknown
	[ $? -ne 0 ] && return $ret

	certSigner=TestCA-unknown

	certName=ocspTRUnkownIssuerCert
	createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=ocspRCAUnkownIssuerCert
	createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
	AIA,http://dochinups.red.iplanet.com:2561
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certName=ocspDRUnkownIssuerCert
	createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
	AIA,http://dochinups.red.iplanet.com:2562
	ret=$?
	[ "$ret" -ne 0 ] && return $ret

	certSigner=""

	return 0
	}

	generateAndExportCACert() {
	dir=$1
	certDirL=$2
	caName=$3

	certName=TestCA
	[ "$caName" ] && certName=$caName
	CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
	repAndExec \
	certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
	-f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
	5
	6
	9
	n
	y
	-1
	n
	EOF

	if [ "$certDirL" ]; then
	repAndExec \
	certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt
	[ "$RET" -ne 0 ] && return $RET

	repAndExec \
	pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
	[ "$RET" -ne 0 ] && return $RET
	fi
	}


	generateCerts() {
	certDir=$1
	serverName=$2
	reuseCACert=$3
	servCertReq=$4

	[ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
	[ -z "$serverName" ] && echo "Server name should not be empty" && exit 1

	mkdir -p $certDir
	[ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1


	dir=/tmp/db.$$
	if [ -z "$reuseCACert" ]; then
	if [ -d "$dir" ]; then
	rm -f $dir
	fi

	PW_FILE=$dir/nss.pwd
	NOISE_FILE=$dir/nss.noise

	mkdir -p $dir
	[ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1

	echo nss > $PW_FILE
	date >> ${NOISE_FILE} 2>&1

	repAndExec \
	certutil -d $dir -N -f $PW_FILE
	[ "$RET" -ne 0 ] && return $RET

	generateAndExportCACert $dir $certDir
	[ "$RET" -ne 0 ] && return $RET
	else
	dir=$reuseCACert
	PW_FILE=$dir/nss.pwd
	NOISE_FILE=$dir/nss.noise
	hasKey=`repAndExec certutil -d $dir -L \| grep TestCA \| grep CTu`
	[ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
	return $RET;
	fi

	generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
	[ "$RET" -ne 0 ] && return $RET

	generateAndExportOCSPCerts $dir $certDir
	[ "$RET" -ne 0 ] && return $RET

	crlUpdate=`date +%Y%m%d%H%M%SZ`
	crlNextUpdate=`echo $crlUpdate \| sed 's/20/21/'`
	repAndExec \
	crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
	update=$crlUpdate
	nextupdate=$crlNextUpdate
	addcert 509-511 $crlUpdate
	addcert 516 $crlUpdate
	addcert 520 $crlUpdate
	addcert 524 $crlUpdate
	EOF_CRLINI
	[ "$RET" -ne 0 ] && return $RET

	rm -rf $dir
	return 0
	}


	if [ -z "$1" -o -z "$2" ]; then
	echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
	exit 1
	fi
	generateCerts $1 $2 "$3" $4
	exit $?