#! /bin/bash

#

# This Source Code Form is subject to the terms of the Mozilla Public

# License, v. 2.0. If a copy of the MPL was not distributed with this

# file, You can obtain one at http://mozilla.org/MPL/2.0/.

########################################################################

#

# mozilla/security/nss/tests/iopr/cert_iopr.sh

#

# Certificate generating and handeling for NSS interoperability QA. This file

# is included from cert.sh

#

# needs to work on all Unix and Windows platforms

#

# special strings

# ---------------

#   FIXME ... known problems, search for this string

#   NOTE .... unexpected behavior

########################################################################

IOPR_CERT_SOURCED=1

########################################################################

# function wraps calls to pk12util, also: writes action and options

# to stdout. 

# Params are the same as to pk12util.

# Returns pk12util status

#

pk12u()

{

    echo "${CU_ACTION} --------------------------"

    echo "pk12util $@"

    ${BINDIR}/pk12util $@

    RET=$?

    return $RET

}

########################################################################

# Initializes nss db directory and files if they don't exists

# Params:

#      $1 - directory location

#

createDBDir() {

    trgDir=$1

    if [ -z "`ls $trgDir | grep db`" ]; then

        trgDir=`cd ${trgDir}; pwd`

        if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then

			trgDir=`cygpath -m ${trgDir}`

        fi

        CU_ACTION="Initializing DB at ${trgDir}"

        certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1

        if [ "$RET" -ne 0 ]; then

            return $RET

        fi

        CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"

        modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1

        if [ "$RET" -ne 0 ]; then

            return $RET

        fi

    fi

}

########################################################################

# takes care of downloading config, cert and crl files from remote

# location. 

# Params:

#      $1 - name of the host file will be downloaded from

#      $2 - path to the file as it appeared in url

#      $3 - target directory the file will be saved at.

# Returns tstclnt status.

#

download_file() {

    host=$1

    filePath=$2

    trgDir=$3

    file=$trgDir/`basename $filePath`

    createDBDir $trgDir || return $RET

#    echo wget -O $file http://${host}${filePath}

#    wget -O $file http://${host}${filePath}

#    ret=$?

    req=$file.$$

    echo "GET $filePath HTTP/1.0" > $req

    echo >> $req

    echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \

        -v -w ${R_PWFILE} -o 

    ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \

        -v -w ${R_PWFILE} -o < $req > $file

    ret=$?

    rm -f $_tmp;

    return $ret

}

########################################################################

# Uses pk12util, certutil of cerlutil to import files to an nss db located

# at <dir>(the value of $1 parameter). Chooses a utility to use based on

# a file extension. Initializing a db if it does not exists.

# Params:

#      $1 - db location directory

#      $2 - file name to import

#      $3 - nick name an object in the file will be associated with

#      $4 - trust arguments 

# Returns status of import

#      

importFile() {

    dir=$1\

    file=$2

    certName=$3

    certTrust=$4

    [ ! -d $dir ] && mkdir -p $dir;

    createDBDir $dir || return $RET

    case `basename $file | sed 's/^.*\.//'` in

        p12)

            CU_ACTION="Importing p12 $file to DB at $dir"

            pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr

            [ $? -ne 0 ] && return 1

            CU_ACTION="Modifying trust for cert $certName at $dir"

            certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"

            return $?

            ;;

        crl) 

            CU_ACTION="Importing crl $file to DB at $dir"

            crlu -d ${dir} -I -n TestCA -i $file

            return $?

            ;;

        crt | cert)

            CU_ACTION="Importing cert $certName with trust $certTrust to $dir"

            certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \

                -i "$file"

            return $?

            ;;

        *)

            echo "Unknown file extension: $file:"

            return 1

            ;;

    esac

}

#########################################################################

# Downloads and installs test certs and crl from a remote webserver.

# Generates server cert for reverse testing if reverse test run is turned on.

# Params:

#      $1 - host name to download files from.

#      $2 - directory at which CA cert will be installed and used for

#           signing a server cert.

#      $3 - path to a config file in webserver context.

#      $4 - ssl server db location

#      $5 - ssl client db location

#      $5 - ocsp client db location

#

# Returns 0 upon success, otherwise, failed command error code.

#

download_install_certs() {

    host=$1

    caDir=$2

    confPath=$3

    sslServerDir=$4

    sslClientDir=$5

    ocspClientDir=$6

    [ ! -d "$caDir" ] && mkdir -p $caDir;

    #=======================================================

    # Getting config file

    #

    download_file $host "$confPath/iopr_server.cfg" $caDir

    RET=$?

    if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then

        html_failed "Fail to download website config file(ws: $host)" 

        return 1

    fi

    . $caDir/iopr_server.cfg

    RET=$?

    if [ $RET -ne 0 ]; then

        html_failed "Fail to source config file(ws: $host)" 

        return $RET

    fi

    #=======================================================

    # Getting CA file

    #

    #----------------- !!!WARNING!!! -----------------------

    # Do NOT copy this scenario. CA should never accompany its

    # cert with the private key when deliver cert to a customer.

    #----------------- !!!WARNING!!! -----------------------

    download_file $host $certDir/$caCertName.p12 $caDir

    RET=$?

    if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then

        html_failed "Fail to download $caCertName cert(ws: $host)" 

        return 1

    fi

    tmpFiles="$caDir/$caCertName.p12"

    importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C"

    RET=$?

    if [ $RET -ne 0 ]; then

        html_failed "Fail to import $caCertName cert to CA DB(ws: $host)" 

        return $RET

    fi

    CU_ACTION="Exporting Root CA cert(ws: $host)"

    certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert 

    if [ "$RET" -ne 0 ]; then

        Exit 7 "Fatal - failed to export $caCertName cert"

    fi

    #=======================================================

    # Check what tests we want to run

    #

    doSslTests=0; doOcspTests=0

    # XXX remove "_new" from variables below

    [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1

    [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1

    if [ $doSslTests -eq 1 ]; then

        if [ "$reverseRunCGIScript" ]; then

            [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;

            #=======================================================

            # Import CA cert to server DB

            #

            importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \

                        "TC,C,C"

            RET=$?

            if [ $RET -ne 0 ]; then

                html_failed "Fail to import server-client-CA cert to \

                             server DB(ws: $host)" 

                return $RET

            fi

            #=======================================================

            # Creating server cert

            #

            CERTNAME=$HOSTADDR

            CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"

            CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \

                        L=Mountain View, ST=California, C=US"

            certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\

                -o $sslServerDir/req 2>&1

            tmpFiles="$tmpFiles $sslServerDir/req"

            # NOTE:

            # For possible time synchronization problems (bug 444308) we generate

            # certificates valid also some time in past (-w -1)

            CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"

            certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \

                -d "${caDir}" \

                -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \

                -f "${R_PWFILE}" 2>&1

            importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"

            RET=$?

            if [ $RET -ne 0 ]; then

                html_failed "Fail to import $CERTNAME cert to server\

                             DB(ws: $host)" 

                return $RET

            fi

            tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"

            #=======================================================

            # Download and import CA crl to server DB

            #

            download_file $host "$certDir/$caCrlName.crl" $sslServerDir

            RET=$?

            if [ $? -ne 0 ]; then

                html_failed "Fail to download $caCertName crl\

                             (ws: $host)" 

                return $RET

            fi

            tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"

            importFile $sslServerDir $sslServerDir/TestCA.crl

            RET=$?

            if [ $RET -ne 0 ]; then

                html_failed "Fail to import TestCA crt to server\

                             DB(ws: $host)" 

                return $RET

            fi

        fi # if [ "$reverseRunCGIScript" ]

        [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;

        #=======================================================

        # Import CA cert to ssl client DB

        #

        importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \

                   "TC,C,C"

        RET=$?

        if [ $RET -ne 0 ]; then

            html_failed "Fail to import server-client-CA cert to \

                         server DB(ws: $host)" 

            return $RET

        fi

    fi

    if [ $doOcspTests -eq 1 ]; then

        [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;

        #=======================================================

        # Import CA cert to ocsp client DB

        #

        importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \

                   "TC,C,C"

        RET=$?

        if [ $RET -ne 0 ]; then

            html_failed "Fail to import server-client-CA cert to \

                         server DB(ws: $host)" 

            return $RET

        fi

    fi

    #=======================================================

    # Import client certs to client DB

    #

    for fileName in $downloadFiles; do

        certName=`echo $fileName | sed 's/\..*//'`

        if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then

            clientDir=$ocspClientDir

        elif [ $doSslTests -eq 1 ]; then

            clientDir=$sslClientDir

        else

            continue

        fi

        download_file $host "$certDir/$fileName" $clientDir

        RET=$?

        if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then

            html_failed "Fail to download $certName cert(ws: $host)" 

            return $RET

        fi

        tmpFiles="$tmpFiles $clientDir/$fileName"

        importFile $clientDir $clientDir/$fileName $certName ",,"

        RET=$?

        if [ $RET -ne 0 ]; then

            html_failed "Fail to import $certName cert to client DB\

                        (ws: $host)" 

            return $RET

        fi

    done

    rm -f $tmpFiles

    return 0

}

#########################################################################

# Initial point for downloading config, cert, crl files for multiple hosts

# involved in interoperability testing. Called from nss/tests/cert/cert.sh

# It will only proceed with downloading if environment variable 

# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space.

#

# Returns 1 if interoperability testing is off, 0 otherwise. 

#

cert_iopr_setup() {

    if [ "$IOPR" -ne 1 ]; then

        return 1

    fi

    num=1

    IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '`

    while [ "$IOPR_HOST_PARAM" ]; do

        IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`

        IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`

        [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443

        IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`

        [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"

        echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\

              $IOPR_CONF_PATH"

        download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \

            ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \

            ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \

            ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}

        if [ $? -ne 0 ]; then

            echo "wsFlags=\"NOIOPR $wsParam\"" >> \

                ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg

        fi

        num=`expr $num + 1`

        IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`

    done

    return 0

}