| #! /bin/bash |
| # |
| # This Source Code Form is subject to the terms of the Mozilla Public |
| # License, v. 2.0. If a copy of the MPL was not distributed with this |
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| |
| ######################################################################## |
| # |
| # mozilla/security/nss/tests/merge/merge.sh |
| # |
| # Script to test NSS merge |
| # |
| # needs to work on all Unix and Windows platforms |
| # |
| # special strings |
| # --------------- |
| # FIXME ... known problems, search for this string |
| # NOTE .... unexpected behavior |
| # |
| ######################################################################## |
| |
| ############################## merge_init ############################## |
| # local shell function to initialize this script |
| ######################################################################## |
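merge_init()
{
  # Initialise the merge tests: pull in the common harness, make sure the
  # certificate and SDR prerequisites exist, set up ${MERGEDIR} as the
  # working directory and build the two "conflict" source databases.
  #
  # Globals written (read by merge_cmd / merge_main / merge_cleanup):
  #   SCRIPTNAME, HAS_EXPLICIT_DB, CLEANUP, VALUE1, VALUE3, MERGEDIR,
  #   R_MERGEDIR, D_MERGE, P_R_SDR, D_SDR, PROFILE, CONFLICT1DIR,
  #   CONFLICT2DIR, TEST_MODE, NSS_DEFAULT_DB_TYPE
  # Globals read: NSS_DEFAULT_DB_TYPE, INIT_SOURCED, CERT_LOG_FILE, QADIR,
  #   HOSTDIR, version, MULTIACCESS_DBM, R_ALICEDIR, R_CADIR, R_PWFILE,
  #   BINDIR, TEST_MODE, P_R_ALICEDIR
  SCRIPTNAME=merge.sh      # sourced - $0 would point to all.sh

  # Remember whether the caller pinned a DB type *before* init.sh runs:
  # the standalone branch at the end only picks a type when none was set.
  HAS_EXPLICIT_DB=0
  if [ -n "${NSS_DEFAULT_DB_TYPE}" ]; then
    HAS_EXPLICIT_DB=1
  fi

  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
    CLEANUP="${SCRIPTNAME}"         # cleaning this script will do it
  fi

  # Unset or anything other than TRUE means the common harness is not
  # loaded yet (this also covers the old "-z ... -o ..." test).
  if [ "${INIT_SOURCED}" != "TRUE" ]; then
    cd ../common
    . ./init.sh
  fi

  # We need the certificate databases built by cert.sh.  Quoted so an
  # empty CERT_LOG_FILE is treated as "missing" instead of silently
  # passing the test; a failed cd must not let us source the wrong file.
  if [ ! -r "${CERT_LOG_FILE}" ]; then
    cd "${QADIR}/cert" || Exit 1 "Fatal - cannot cd to ${QADIR}/cert"
    . ./cert.sh
  fi

  if [ ! -d "${HOSTDIR}/SDR" ]; then
    cd "${QADIR}/sdr" || Exit 1 "Fatal - cannot cd to ${QADIR}/sdr"
    . ./sdr.sh
  fi
  SCRIPTNAME=merge.sh   # the sourced scripts above reset it to their own name

  html_head "Merge Tests"

  # need the SSL & SMIME directories from cert.sh
  grep "SUCCESS: SMIME passed" "${CERT_LOG_FILE}" >/dev/null || {
    Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
  }
  grep "SUCCESS: SSL passed" "${CERT_LOG_FILE}" >/dev/null || {
    Exit 8 "Fatal - SSL of cert.sh needs to pass first"
  }

  # Temporary files for the SDR checks in merge_main.  VALUE1 is expected
  # to have been written by sdr.sh ($$ is shared because it is sourced);
  # VALUE3 is written by merge_main itself.
  VALUE1=$HOSTDIR/tests.v1.$$
  VALUE3=$HOSTDIR/tests.v3.$$

  # local directories used in this test.
  MERGEDIR=${HOSTDIR}/merge
  R_MERGEDIR=../merge
  D_MERGE="merge.$version"
  # SDR not initialized in common/init
  P_R_SDR=../SDR
  D_SDR="SDR.$version"
  mkdir -p "${MERGEDIR}"

  PROFILE=.
  if [ -n "${MULTIACCESS_DBM}" ]; then
    PROFILE="multiaccess:${D_MERGE}"
    P_R_SDR="multiaccess:${D_SDR}"
  fi

  # Everything below runs inside MERGEDIR.  Abort if the cd fails: the
  # rm -f *.db that follows must never run in whatever directory the
  # previous sourced script left us in.
  cd "${MERGEDIR}" || Exit 1 "Fatal - cannot cd to ${MERGEDIR}"

  # clear out any existing databases, potentially from a previous run.
  rm -f *.db

  # copy alicedir over as a seed database.
  cp "${R_ALICEDIR}"/* .
  # copy the smime text samples
  cp "${QADIR}"/smime/*.txt .

  # Create a pair of source databases whose nicknames collide with each
  # other and with the seed database.  Any databases left in them by a
  # previous run are removed so the certutil -N / -A sequence below starts
  # from a clean state, like the top-level rm -f *.db above.
  CONFLICT1DIR=conflict1
  CONFLICT2DIR=conflict2
  mkdir -p "${CONFLICT1DIR}" "${CONFLICT2DIR}"
  rm -f "${CONFLICT1DIR}"/*.db "${CONFLICT2DIR}"/*.db

  # in the upgrade mode (dbm->sql), make sure our test databases
  # are dbm databases.
  if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
    save=${NSS_DEFAULT_DB_TYPE}
    NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
  fi

  # Tools are always run from ${BINDIR}, as the rest of this script does,
  # rather than relying on whatever certutil happens to be first in PATH.
  ${BINDIR}/certutil -N -d "${CONFLICT1DIR}" -f "${R_PWFILE}"
  ${BINDIR}/certutil -N -d "${CONFLICT2DIR}" -f "${R_PWFILE}"
  ${BINDIR}/certutil -A -n Alice -t ,, -i "${R_CADIR}/TestUser41.cert" -d "${CONFLICT1DIR}"
  # Give "Alice #1" a trust object (C,,) and then clear it again.  This
  # leaves the database in the shape the original comment described as
  # "potentially corrupting" -- presumably a stale trust record the merge
  # has to cope with; the exact intent is not documented here.
  ${BINDIR}/certutil -A -n "Alice #1" -t C,, -i "${R_CADIR}/TestUser42.cert" -d "${CONFLICT1DIR}" -f "${R_PWFILE}"
  ${BINDIR}/certutil -M -n "Alice #1" -t ,, -d "${CONFLICT1DIR}" -f "${R_PWFILE}"
  ${BINDIR}/certutil -A -n "Alice #99" -t ,, -i "${R_CADIR}/TestUser43.cert" -d "${CONFLICT1DIR}"
  ${BINDIR}/certutil -A -n Alice -t ,, -i "${R_CADIR}/TestUser44.cert" -d "${CONFLICT2DIR}"
  ${BINDIR}/certutil -A -n "Alice #1" -t ,, -i "${R_CADIR}/TestUser45.cert" -d "${CONFLICT2DIR}"
  ${BINDIR}/certutil -A -n "Alice #99" -t ,, -i "${R_CADIR}/TestUser46.cert" -d "${CONFLICT2DIR}"
  if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
    NSS_DEFAULT_DB_TYPE=${save}; export NSS_DEFAULT_DB_TYPE
  fi

  #
  # allow all the tests to run in standalone mode.
  # in standalone mode, TEST_MODE is not set.
  # if NSS_DEFAULT_DB_TYPE is dbm, then test merge with dbm
  # if NSS_DEFAULT_DB_TYPE is sql, then test merge with sql
  # if NSS_DEFAULT_DB_TYPE is not set, then test database upgrade merge
  # from dbm databases (created above) into a new sql db.
  if [ -z "${TEST_MODE}" ] && [ "${HAS_EXPLICIT_DB}" -eq 0 ]; then
    echo "*** Using Standalone Upgrade DB mode"
    NSS_DEFAULT_DB_TYPE=sql; export NSS_DEFAULT_DB_TYPE
    echo certutil --upgrade-merge --source-dir "${P_R_ALICEDIR}" --upgrade-id local -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
    ${BINDIR}/certutil --upgrade-merge --source-dir "${P_R_ALICEDIR}" --upgrade-id local -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
    # Not exported on purpose (matches the original); merge_cmd runs in
    # this same shell and reads it directly.
    TEST_MODE=UPGRADE_DB
  fi
}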
| |
| # |
| # this allows us to run this test for both merge and upgrade-merge cases. |
| # merge_cmd takes the potential upgrade-id and the rest of the certutil |
| # arguments. |
| # |
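merge_cmd()
{
  # Run certutil in either plain --merge or --upgrade-merge form so every
  # step of merge_main works for both the merge and the upgrade-merge case.
  #
  # Arguments: $1   - upgrade id, used only when TEST_MODE is UPGRADE_DB
  #            $2.. - remaining certutil arguments, passed through verbatim
  # Globals:   TEST_MODE, PROFTOOL, BINDIR (read); MERGE_CMD (written)
  # Returns:   the exit status of certutil
  MERGE_CMD=--merge
  if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
    MERGE_CMD="--upgrade-merge --upgrade-token-name OldDB --upgrade-id ${1}"
  fi
  shift
  # MERGE_CMD and PROFTOOL are deliberately left unquoted: each may hold
  # several words that have to split.  The caller's arguments go through
  # "$@" so a path or nickname containing a space stays one argument
  # (the old $* re-split them).
  echo certutil ${MERGE_CMD} "$@"
  ${PROFTOOL} ${BINDIR}/certutil ${MERGE_CMD} "$@"
}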
| |
| |
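merge_main()
{
  # Exercise certutil --merge / --upgrade-merge (via merge_cmd) against the
  # seed database in ${PROFILE}: merge in a key for an existing cert, a
  # database with a CRL, a new chain with trust flags, two databases with
  # colliding nicknames and an SDR key, then check that the merged objects
  # are actually usable.  Each step reports through html_msg.
  #
  # Globals read: SCRIPTNAME, PROFTOOL, BINDIR, PROFILE, VALUE1, VALUE3,
  #   R_PWFILE, P_R_DAVEDIR, P_R_SERVERDIR, P_R_EXT_CLIENTDIR,
  #   CONFLICT1DIR, CONFLICT2DIR, P_R_SDR
  # Globals written: MERGE_ID (not read by anything visible in this file;
  #   kept in case the common harness or log post-processing uses it)

  # first create a local sdr key and encrypt some data with it
  # This will cause a collision with the SDR key in ../SDR.
  echo "$SCRIPTNAME: Creating an SDR key & Encrypt"
  echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}"
  ${PROFTOOL} ${BINDIR}/sdrtest -d "${PROFILE}" -o "${VALUE3}" -t Test2 -f "${R_PWFILE}"
  html_msg $? 0 "Creating SDR Key"

  # Now merge in Dave
  # Dave's cert is already in alicedir, but his key isn't. This will make
  # sure we are updating the keys and CKA_ID's on the certificate properly.
  MERGE_ID=dave
  echo "$SCRIPTNAME: Merging in Key for Existing user"
  merge_cmd dave --source-dir "${P_R_DAVEDIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
  html_msg $? 0 "Merging Dave"

  # Merge in server
  # contains a CRL and new user certs
  MERGE_ID=server
  echo "$SCRIPTNAME: Merging in new user "
  merge_cmd server --source-dir "${P_R_SERVERDIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
  html_msg $? 0 "Merging server"

  # Merge in ext_client
  # contains a new certificate chain and additional trust flags
  MERGE_ID=ext_client
  echo "$SCRIPTNAME: Merging in new chain "
  merge_cmd ext_client --source-dir "${P_R_EXT_CLIENTDIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
  html_msg $? 0 "Merging ext_client"

  # Merge conflicting nicknames in conflict1dir
  # contains several certificates with nicknames that conflict with the target
  # database
  MERGE_ID=conflict1
  echo "$SCRIPTNAME: Merging in conflicting nicknames 1"
  merge_cmd conflict1 --source-dir "${CONFLICT1DIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
  html_msg $? 0 "Merging conflicting nicknames 1"

  # Merge conflicting nicknames in conflict2dir
  # contains several certificates with nicknames that conflict with the target
  # database
  MERGE_ID=conflict2
  # (log line used to say "1" here, which made the two steps
  # indistinguishable in the output)
  echo "$SCRIPTNAME: Merging in conflicting nicknames 2"
  merge_cmd conflict2 --source-dir "${CONFLICT2DIR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
  html_msg $? 0 "Merging conflicting nicknames 2"

  # Make sure conflicted names were properly sorted out.  Use ${BINDIR}
  # like every other tool invocation instead of a PATH lookup.
  echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #4)"
  ${BINDIR}/certutil -L -n "Alice #4" -d "${PROFILE}"
  html_msg $? 0 "Verify nicknames were deconflicted (Alice #4)"

  echo "$SCRIPTNAME: Verify nicknames were deconflicted (Alice #100)"
  ${BINDIR}/certutil -L -n "Alice #100" -d "${PROFILE}"
  html_msg $? 0 "Verify nicknames were deconflicted (Alice #100)"

  # Merge in SDR
  # contains a secret SDR key
  MERGE_ID=SDR
  echo "$SCRIPTNAME: Merging in SDR "
  merge_cmd sdr --source-dir "${P_R_SDR}" -d "${PROFILE}" -f "${R_PWFILE}" -@ "${R_PWFILE}"
  html_msg $? 0 "Merging SDR"

  # insert a listing of the database into the log for diagnostic purposes
  # (results intentionally not checked)
  ${BINDIR}/certutil -L -d "${PROFILE}"
  ${BINDIR}/crlutil -L -d "${PROFILE}"

  # Make sure we can decrypt with our original SDR key generated above
  echo "$SCRIPTNAME: Decrypt - With Original SDR Key"
  echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}"
  ${PROFTOOL} ${BINDIR}/sdrtest -d "${PROFILE}" -i "${VALUE3}" -t Test2 -f "${R_PWFILE}"
  html_msg $? 0 "Decrypt - Value 3"

  # Make sure we can decrypt with the SDR key merged in from ../SDR
  echo "$SCRIPTNAME: Decrypt - With Merged SDR Key"
  echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}"
  ${PROFTOOL} ${BINDIR}/sdrtest -d "${PROFILE}" -i "${VALUE1}" -t Test1 -f "${R_PWFILE}"
  html_msg $? 0 "Decrypt - Value 1"

  # Make sure we can sign with the merged certificate/key.
  # NOTE: SHA1 is used only to exercise the merged key; it is not a
  # recommendation for real signatures.
  echo "$SCRIPTNAME: Signing with merged key ------------------"
  echo "cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig"
  ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d "${PROFILE}" -p nss -o dave.dsig
  html_msg $? 0 "Create Detached Signature Dave" "."

  echo "cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} "
  ${PROFTOOL} ${BINDIR}/cmsutil -D -i dave.dsig -c alice.txt -d "${PROFILE}"
  html_msg $? 0 "Verifying Dave's Detached Signature"

  # Make sure that trust objects were properly merged
  echo "$SCRIPTNAME: verifying merged cert ------------------"
  echo "certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}"
  ${PROFTOOL} ${BINDIR}/certutil -V -n ExtendedSSLUser -u C -d "${PROFILE}"
  html_msg $? 0 "Verifying ExtendedSSL User Cert"

  # Make sure that the crl got properly copied in
  echo "$SCRIPTNAME: verifying merged crl ------------------"
  echo "crlutil -L -n TestCA -d ${PROFILE}"
  ${PROFTOOL} ${BINDIR}/crlutil -L -n TestCA -d "${PROFILE}"
  html_msg $? 0 "Verifying TestCA CRL"
}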
| |
############################## merge_cleanup ###########################
# local shell function to finish this script (no exit since it might be
# sourced)
########################################################################
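merge_cleanup()
{
  # Close the HTML result table and hand over to the common cleanup code.
  # No exit here: this file is normally sourced by all.sh.
  # Globals read: QADIR, SCRIPTNAME
  html "</TABLE><BR>"
  # cleanup.sh is sourced by absolute path so that a failed cd can never
  # make a relative "common/cleanup.sh" resolve inside an unrelated
  # directory; the cd is still done because the sourced script may rely
  # on QADIR being the working directory.
  cd "${QADIR}" || echo "${SCRIPTNAME}: warning: cannot cd to ${QADIR}" >&2
  . "${QADIR}/common/cleanup.sh"
}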
| |
| ################## main ################################################# |
| |
# Entry point: set up, run the merge steps, log the effective mode, clean up.
merge_init
merge_main
printf 'TEST_MODE=%s\n' "${TEST_MODE}"
printf 'NSS_DEFAULT_DB_TYPE=%s\n' "${NSS_DEFAULT_DB_TYPE}"
merge_cleanup
| |
| |