#!/bin/bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
######################################################################################
# Server and client certs and crl generator functions. Generated files placed in a <dir>
# directory, to be served at http://<webserver>/iopr/ (e.g. http://<webserver>/iopr/TestCA.crt).
# This script is used for manual webserver configuration and is not part of the
# nss test run.
# To create certs use the following command:
# sh cert_iopr.sh <dir> <cert name> [reuse CA cert] [cert req]
# Where:
# dir - directory where to place created files
# cert name - name of created server cert(FQDN)
# reuse CA cert - existing NSS DB directory that already holds the TestCA key; when given, no new DB/CA is created (optional)
# cert req - cert request to be used for cert generation (optional).
#
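repAndExec() {
  # Echo a command line, run it, and record its exit status in the global
  # RET.  Callers read $RET after the call, so RET must stay global.
  #
  # For "certutil -R" and "certutil -S" the subject DN is taken from the
  # global CU_SUBJECT and passed as "-s", so callers never put the DN on
  # the command line themselves.  Any other command line is run as given.
  #
  # Arguments: $1 - command, $2.. - its arguments (already split into words)
  # Returns:   the exit status of the command
  echo
  # The original test was `[ "$1" = certutil -a "$2" = -R -o "$2" = -S ]`,
  # which `test` parses as (certutil AND -R) OR (-S): any command whose
  # second word is "-S" was rewritten into a certutil call.  Group the
  # conditions explicitly.
  if [ "$1" = "certutil" ] && { [ "$2" = "-R" ] || [ "$2" = "-S" ]; }; then
    shift
    echo certutil -s "$CU_SUBJECT" "$@"
    certutil -s "$CU_SUBJECT" "$@"
    RET=$?
  else
    echo "$@"
    "$@"
    RET=$?
  fi
  return "$RET"
}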
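setExtData() {
  # Parse one extension spec of the form "<type>[,<value>[,<value>...]]".
  # Results are handed back through globals that signCert reads:
  #   extType      - the first field ("" when the spec is empty)
  #   data1..dataN - the remaining fields, in order
  #
  # The original assigned these with `eval`, which would execute any shell
  # syntax embedded in a field (an AIA URL is such a field); use plain
  # assignments instead.  Splitting on "," and whitespace is unchanged.
  #
  # Arguments: $1 - the extension spec
  local spec=$1
  local field
  local idx=0

  extType=""
  for field in ${spec//,/ }; do
    if [ "$idx" -eq 0 ]; then
      extType=$field
    else
      printf -v "data${idx}" '%s' "$field"
    fi
    idx=$((idx + 1))
  done
}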
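signCert() {
  # Sign a certificate request with the test CA.
  #
  # Arguments:
  #   $1 - NSS DB directory holding the signer's key
  #   $2 - directory that receives <name>.crt
  #   $3 - base name of the output certificate
  #   $4 - serial number to issue
  #   $5 - certificate request file
  #   $6 - extra certutil options (e.g. "-a" for a PEM request); may be empty
  #   $7 - extension list: entries separated by ";", fields by ",",
  #        e.g. "AIA,http://host:port" (see setExtData)
  # Globals: certSigner (signer nickname, defaults to TestCA when unset),
  #          PW_FILE, extType/data1 (set by setExtData), RET (set by repAndExec)
  # Returns: certutil's exit status, or 1 for a malformed or unsupported
  #          extension entry
  local dir=$1
  local crtDir=$2
  local crtName=$3
  local crtSN=$4
  local req=$5
  local cuAddParam=$6
  local extList=$7
  local extCmdLine=""
  local extCmdFile="$dir/extInFile"
  local ext

  if [ -z "$certSigner" ]; then
    certSigner=TestCA
  fi

  # certutil asks interactive questions for each extension flag; the
  # answers are collected in extCmdFile and fed to it on stdin.
  rm -f "$extCmdFile"
  : > "$extCmdFile"

  # Only the first entry of extList is acted on (each handled arm breaks
  # out of the loop); further entries are ignored.  Supporting several
  # extensions at once would require ordering the answer file to
  # certutil's prompt sequence, so this is kept as in the original.
  for ext in ${extList//;/ }; do
    setExtData "$ext"
    [ -z "$extType" ] && echo "incorrect extention format" && return 1
    case "$extType" in
      ocspDR)
        # -6: extended key usage; the answers (kept verbatim from the
        # original) presumably pick the OCSP-responder usage.
        extCmdLine="$extCmdLine -6"
        printf '%s\n' 5 9 y >> "$extCmdFile"
        break
        ;;
      AIA)
        # -9: authority information access, with the OCSP responder URL
        # from data1 (answers kept verbatim from the original).
        extCmdLine="$extCmdLine -9"
        printf '%s\n' 2 7 "$data1" 0 n n >> "$extCmdFile"
        break
        ;;
      *)
        # Previously this only printed a message and went on to issue the
        # cert WITHOUT the requested extension; fail instead.
        echo "Unsupported extension type: $extType"
        return 1
        ;;
    esac
  done

  echo "cmdLine: $extCmdLine"
  # shellcheck disable=SC2046 -- unquoted on purpose: joins the answer
  # lines with spaces for the log line, as the original did.
  echo "cmdFile:" $(cat "$extCmdFile")
  # -v 599: validity in months (~50 years); acceptable only because these
  # are test fixtures.  $cuAddParam and $extCmdLine stay unquoted on
  # purpose: each holds zero or more separate options.
  repAndExec \
    certutil $cuAddParam -C -c "$certSigner" -m "$crtSN" -v 599 -d "$dir" \
      -i "$req" -o "$crtDir/${crtName}.crt" -f "$PW_FILE" $extCmdLine \
      < "$extCmdFile" 2>&1
  return "$RET"
}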
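createSignedCert() {
  # Generate a key pair and request (certutil -R), have the test CA sign
  # it (signCert), import the result as a user cert, and export
  # <name>-<keytype>.crt and <name>-<keytype>.p12 into certDir.
  #
  # Arguments:
  #   $1 - NSS DB directory (holds the CA key; receives the new key)
  #   $2 - export directory for the .crt/.p12 files
  #   $3 - cert name; used as CN and, with the key type, as the nickname
  #   $4 - serial number
  #   $5 - subject; accepted for interface compatibility but NOT used —
  #        the DN is always built from $3 and $6 below
  #   $6 - key type for certutil -k (rsa, dsa, ...)
  #   $7 - extension list forwarded to signCert (optional)
  # Globals: CU_SUBJECT (written for repAndExec), PW_FILE, NOISE_FILE,
  #          RET (set by repAndExec)
  # Returns: 0 on success, else the failing step's exit status
  local dir=$1
  local certDir=$2
  local certName=$3
  local certSN=$4
  local certSubj=$5
  local keyType=$6
  local extList=$7
  local nick="${certName}-${keyType}"
  local ret

  echo "Creating cert $nick with SN=$certSN"

  CU_SUBJECT="CN=$certName, E=${nick}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  repAndExec \
    certutil -R -d "$dir" -f "$PW_FILE" -z "$NOISE_FILE" \
      -k "$keyType" -o "$dir/req" 2>&1
  [ "$RET" -ne 0 ] && return "$RET"

  signCert "$dir" "$dir" "$nick" "$certSN" "$dir/req" "" "$extList"
  ret=$?
  [ "$ret" -ne 0 ] && return "$ret"

  rm -f "$dir/req"

  # Trust "u,u,u": a user cert (we hold the private key) for all three
  # certutil trust categories.
  repAndExec \
    certutil -A -n "$nick" -t "u,u,u" -d "$dir" -f "$PW_FILE" \
      -i "$dir/${nick}.crt" 2>&1
  [ "$RET" -ne 0 ] && return "$RET"

  # The copy was previously unchecked; an unwritable certDir would only
  # have shown up as a missing file later on.
  if ! cp "$dir/${nick}.crt" "$certDir"; then
    echo "Can not copy ${nick}.crt to $certDir"
    return 1
  fi

  # The .p12 is protected with the fixed password "iopr" (-W); fine for
  # shared test fixtures, never for real keys.
  repAndExec \
    pk12util -d "$dir" -o "$certDir/${nick}.p12" -n "$nick" \
      -k "$PW_FILE" -W iopr
  [ "$RET" -ne 0 ] && return "$RET"
  return 0
}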
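generateAndExportSSLCerts() {
  # Create the SSL server certs (RSA and DSA) and the TestUser51x client
  # certs, optionally signing an externally supplied server request first.
  #
  # Arguments:
  #   $1 - NSS DB directory holding the CA key
  #   $2 - export directory
  #   $3 - server name (FQDN); becomes the CN of the server certs
  #   $4 - optional cert request file to sign as "<server>_ext"
  # Globals: certSubj (read; never assigned anywhere in this file, so it is
  #          empty — and createSignedCert ignores it anyway), RET
  # Returns: 0 on success, else the failing step's status
  local dir=$1
  local certDir=$2
  local serverName=$3
  local servCertReq=$4
  local reqFmt=""
  local ret

  if [ -n "$servCertReq" ] && [ -f "$servCertReq" ]; then
    # A PEM request carries a "... CERTIFICATE REQUEST ..." banner and needs
    # certutil's -a; otherwise the request is taken to be DER.
    if grep REQUEST "$servCertReq" >/dev/null 2>&1; then
      reqFmt="-a"
    fi
    # NOTE(review): serial 501 is issued again below for the DSA server
    # cert.  Two certs from the same issuer with the same serial violate
    # X.509 serial uniqueness (RFC 5280 §4.1.2.2).  Left unchanged because
    # the numbers may be relied on by the consuming tests — confirm before
    # renumbering.
    signCert "$dir" "$certDir" "${serverName}_ext" 501 "$servCertReq" "$reqFmt"
    ret=$?
    [ "$ret" -ne 0 ] && return "$ret"
  fi

  createSignedCert "$dir" "$certDir" "$serverName" 500 "$certSubj" rsa
  ret=$?
  [ "$ret" -ne 0 ] && return "$ret"

  createSignedCert "$dir" "$certDir" "$serverName" 501 "$certSubj" dsa
  ret=$?
  [ "$ret" -ne 0 ] && return "$ret"

  createSignedCert "$dir" "$certDir" TestUser510 510 "$certSubj" rsa
  ret=$?
  [ "$ret" -ne 0 ] && return "$ret"

  createSignedCert "$dir" "$certDir" TestUser511 511 "$certSubj" dsa
  ret=$?
  [ "$ret" -ne 0 ] && return "$ret"

  createSignedCert "$dir" "$certDir" TestUser512 512 "$certSubj" rsa
  ret=$?
  [ "$ret" -ne 0 ] && return "$ret"

  createSignedCert "$dir" "$certDir" TestUser513 513 "$certSubj" dsa
  ret=$?
  [ "$ret" -ne 0 ] && return "$ret"

  # The original ended on the `[ ... ] && return` test and so returned 1
  # on success; callers compensate by checking $RET instead of $?.
  return 0
}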
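generateAndExportOCSPCerts() {
  # Create the OCSP responder certs and the client certs used by the OCSP
  # tests, then a second CA ("TestCA-unknown") and three certs issued by
  # it to exercise the unknown-issuer paths.
  #
  # Arguments:
  #   $1 - NSS DB directory holding the CA key
  #   $2 - export directory
  # Globals: certSigner (set to TestCA-unknown while issuing the
  #          unknown-issuer certs, cleared again on every exit path),
  #          certSubj (unused, see createSignedCert), RET
  # Returns: 0 on success, else the failing step's status
  #
  # AIA URLs: the defaults are the responder addresses hard-coded in the
  # original (port 2561 for the "RCA" certs, 2562 for the "DR" certs);
  # that host is internal and unlikely to resolve elsewhere, so they can be
  # overridden with IOPR_OCSP_RCA_AIA / IOPR_OCSP_DR_AIA.  The value is
  # placed in the certificate verbatim.
  local dir=$1
  local certDir=$2
  local aiaRCA="AIA,${IOPR_OCSP_RCA_AIA:-http://dochinups.red.iplanet.com:2561}"
  local aiaDR="AIA,${IOPR_OCSP_DR_AIA:-http://dochinups.red.iplanet.com:2562}"
  local spec name serial ext ret

  # name | serial | extension list — all RSA, signed by TestCA
  for spec in \
      "ocspTrustedResponder|525|" \
      "ocspDesignatedResponder|526|ocspDR" \
      "ocspTRTestUser514|514|" \
      "ocspTRTestUser516|516|" \
      "ocspRCATestUser518|518|$aiaRCA" \
      "ocspRCATestUser520|520|$aiaRCA" \
      "ocspDRTestUser522|522|$aiaDR" \
      "ocspDRTestUser524|524|$aiaDR"; do
    IFS='|' read -r name serial ext <<< "$spec"
    createSignedCert "$dir" "$certDir" "$name" "$serial" "$certSubj" rsa "$ext"
    ret=$?
    [ "$ret" -ne 0 ] && return "$ret"
  done

  # Second CA, kept in the DB only (no export directory).
  generateAndExportCACert "$dir" "" TestCA-unknown
  # The original tested $? but returned the stale $ret; and
  # generateAndExportCACert did not propagate certutil's status itself.
  # RET is set by the repAndExec inside it, so check that.
  [ "$RET" -ne 0 ] && return "$RET"

  # "Unkown" (sic) is part of the nickname/file names consumers look for.
  certSigner=TestCA-unknown
  for spec in \
      "ocspTRUnkownIssuerCert|531|" \
      "ocspRCAUnkownIssuerCert|532|$aiaRCA" \
      "ocspDRUnkownIssuerCert|533|$aiaDR"; do
    IFS='|' read -r name serial ext <<< "$spec"
    createSignedCert "$dir" "$certDir" "$name" "$serial" "$certSubj" rsa "$ext"
    ret=$?
    if [ "$ret" -ne 0 ]; then
      # Do not leave the alternate signer selected for later callers.
      certSigner=""
      return "$ret"
    fi
  done

  certSigner=""
  return 0
}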
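generateAndExportCACert() {
  # Create a self-signed CA cert in the NSS DB and, when an export
  # directory is given, write <name>.crt (DER) and <name>.p12 there.
  #
  # Arguments:
  #   $1 - NSS DB directory
  #   $2 - export directory; empty to keep the CA in the DB only
  #   $3 - CA nickname (default TestCA)
  # Globals: CU_SUBJECT (written for repAndExec), PW_FILE, NOISE_FILE, RET
  # Returns: 0 on success, else the failing certutil/pk12util status
  local dir=$1
  local certDirL=$2
  local caName=$3
  local certName=TestCA
  [ -n "$caName" ] && certName=$caName

  # $$ goes into both the CN and the serial, presumably so that CAs from
  # separate runs are distinguishable.
  CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
  # -x: self-signed.  "CTu,CTu,CTu": trusted CA plus user cert for all
  # three certutil trust categories.  -1/-2 turn on certutil's key-usage
  # and basic-constraints prompts; the answers on stdin are kept verbatim
  # from the original and presumably select cert/CRL signing, non-critical,
  # CA=yes with unlimited path length, non-critical — verify against the
  # certutil version in use.  -v 600: validity in months (~50 years), test
  # CA only.  The original's ">&1" was a no-op; stderr is merged like in
  # the other certutil calls.
  repAndExec \
    certutil -S -n "$certName" -t "CTu,CTu,CTu" -v 600 -x -d "$dir" -1 -2 \
      -f "$PW_FILE" -z "$NOISE_FILE" -m $(( $$ + 2238 )) 2>&1 <<EOF
5
6
9
n
y
-1
n
EOF
  # Previously unchecked: a failed -S left a DB without a CA and the error
  # only surfaced on the first signing attempt.
  [ "$RET" -ne 0 ] && return "$RET"

  if [ -n "$certDirL" ]; then
    repAndExec \
      certutil -L -n "$certName" -r -d "$dir" -o "$certDirL/$certName.crt"
    [ "$RET" -ne 0 ] && return "$RET"

    # The .p12 is protected with the fixed password "iopr" (test fixtures
    # only).
    repAndExec \
      pk12util -d "$dir" -o "$certDirL/$certName.p12" -n "$certName" \
        -k "$PW_FILE" -W iopr
    [ "$RET" -ne 0 ] && return "$RET"
  fi
  return 0
}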
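generateCerts() {
  # Top-level driver: build a scratch NSS DB (or reuse one), create the CA,
  # SSL and OCSP certs, export them to certDir, write TestCA.crl, and
  # remove the scratch DB.
  #
  # Arguments:
  #   $1 - destination directory for the exported files (required)
  #   $2 - server cert name / FQDN (required)
  #   $3 - optional existing NSS DB directory holding a usable TestCA key;
  #        when given, no new DB or CA is created
  #   $4 - optional external server cert request (see generateAndExportSSLCerts)
  # Globals: PW_FILE, NOISE_FILE (written), RET (read; set by repAndExec)
  # Exits 1 on bad arguments or unusable directories; otherwise returns the
  # failing step's status, 0 on success.  On failure the scratch DB is left
  # in place (it can be passed back as $3).
  local certDir=$1
  local serverName=$2
  local reuseCACert=$3
  local servCertReq=$4
  local dir createdDir=""
  local hasKey crlUpdate crlNextUpdate

  [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
  [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1

  if ! mkdir -p "$certDir"; then
    echo "Can not create dir: $certDir"
    exit 1
  fi

  if [ -z "$reuseCACert" ]; then
    # mktemp -d gives an unpredictable, mode-0700 directory.  The original
    # used the guessable fixed name /tmp/db.$$ (and its "rm -f" on a
    # pre-existing directory of that name was a no-op).
    if ! dir=$(mktemp -d "${TMPDIR:-/tmp}/db.XXXXXX"); then
      echo "Can not create temp dir"
      exit 1
    fi
    createdDir=$dir
    PW_FILE=$dir/nss.pwd
    NOISE_FILE=$dir/nss.noise

    # DB password is the fixed string "nss"; the noise file only adds the
    # output of `date` as extra seed material for certutil -z.  Both are
    # acceptable for disposable test fixtures, not for keys that matter.
    echo nss > "$PW_FILE"
    date >> "$NOISE_FILE" 2>&1

    repAndExec \
      certutil -d "$dir" -N -f "$PW_FILE"
    [ "$RET" -ne 0 ] && return "$RET"

    generateAndExportCACert "$dir" "$certDir"
    [ "$RET" -ne 0 ] && return "$RET"
  else
    dir=$reuseCACert
    PW_FILE=$dir/nss.pwd
    NOISE_FILE=$dir/nss.noise
    # The reused DB must hold TestCA with its private key (trust "CTu").
    hasKey=$(repAndExec certutil -d "$dir" -L | grep TestCA | grep CTu)
    if [ -z "$hasKey" ]; then
      # The original returned $RET here, which is 0 whenever `certutil -L`
      # itself succeeded, so the caller saw success.
      echo "reuse CA cert has not priv key"
      return 1
    fi
  fi

  # The export functions report failure through RET (set by repAndExec)
  # rather than a consistent return value, so RET is what is checked.
  generateAndExportSSLCerts "$dir" "$certDir" "$serverName" "$servCertReq"
  [ "$RET" -ne 0 ] && return "$RET"

  generateAndExportOCSPCerts "$dir" "$certDir"
  [ "$RET" -ne 0 ] && return "$RET"

  # CRL issued now with nextUpdate 100 years out, revoking serials
  # 509-511, 516, 520 and 524.  The original derived nextUpdate with
  # `sed 's/20/21/'`, i.e. by bumping the first "20" in the timestamp —
  # the century for current dates; add 100 to the year explicitly.
  crlUpdate=$(date +%Y%m%d%H%M%SZ)
  crlNextUpdate="$(( ${crlUpdate:0:4} + 100 ))${crlUpdate:4}"
  repAndExec \
    crlutil -d "$dir" -G -n "TestCA" -f "$PW_FILE" -o "$certDir/TestCA.crl" <<EOF_CRLINI
update=$crlUpdate
nextupdate=$crlNextUpdate
addcert 509-511 $crlUpdate
addcert 516 $crlUpdate
addcert 520 $crlUpdate
addcert 524 $crlUpdate
EOF_CRLINI
  [ "$RET" -ne 0 ] && return "$RET"

  # Only remove the scratch DB this run created.  The original ran
  # `rm -rf $dir` unconditionally, which also wiped a caller-supplied
  # reuse directory.
  [ -n "$createdDir" ] && rm -rf -- "$createdDir"
  return 0
}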
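# Entry point: <dest dir> and <server cert name> are required; the reuse
# directory and the external cert request are optional.  Positional
# parameters are quoted so that paths with spaces survive the hand-off
# (the original passed $1, $2 and $4 unquoted).
if [ -z "$1" ] || [ -z "$2" ]; then
  echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
  exit 1
fi
generateCerts "$1" "$2" "$3" "$4"
exit $?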