tests/iopr/server_scr/cert_gen.sh
author Martin Thomson <martin.thomson@gmail.com>
Thu, 06 Oct 2016 00:00:32 +1100
changeset 12685 2d463826e09ac3cd8dafc4c9510c1bd81b16b115
parent 10685 6c43fe3ab5dd41803bbd6705979f73275d7668f6
child 15070 7bef9ff6567073902f6b234c30c2c623d10ad659
permissions -rw-r--r--
Bug 1307772 - Require that the server use the draft version, r=ekr

#!/bin/bash    

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

######################################################################################
# Server and client certs and crl generator functions. Generated files placed in a <dir>
# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
# This functions is used for manual webserver configuration and it is not a part of
# nss test run.
# To create certs use the following command:
#       sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
# Where:
#       dir - directory where to place created files
#       cert name - name of created server cert(FQDN)
#       cert req  - cert request to be used for cert generation.
#
repAndExec() {
    echo
    if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
        shift
        echo certutil -s "$CU_SUBJECT" $@
        certutil -s "$CU_SUBJECT" $@
        RET=$?
    else
        echo $@
        $@
        RET=$?
    fi

    return $RET
}

setExtData() {
    extData=$1

    fldNum=0
    extData=`echo $extData | sed 's/,/ /g'`
    for extDT in $extData; do
        if [ $fldNum -eq 0 ]; then
            eval extType=$extDT
            fldNum=1
            continue
        fi
        eval data${fldNum}=$extDT
        fldNum=`expr $fldNum + 1`
    done
}

signCert() {
    dir=$1
    crtDir=$2
    crtName=$3
    crtSN=$4
    req=$5
    cuAddParam=$6
    extList=$7

    if [ -z "$certSigner" ]; then
        certSigner=TestCA
    fi

    extCmdLine=""
    extCmdFile=$dir/extInFile; rm -f $extCmdFile
    touch $extCmdFile
    extList=`echo $extList | sed 's/;/ /g'`
    for ext in $extList; do
        setExtData $ext
        [ -z "$extType" ] && echo "incorrect extention format" && return 1
        case $extType in
        ocspDR)
                extCmdLine="$extCmdLine -6"
                cat <<EOF >> $extCmdFile
5
9
y
EOF
                break
                exit 1
                ;;
        AIA)    
                extCmdLine="$extCmdLine -9"
                cat <<EOF >> $extCmdFile
2
7
$data1
0
n
n
EOF
                break
                ;;
            *)
                echo "Unsupported extension type: $extType"
                break
                ;;
        esac
    done
    echo "cmdLine: $extCmdLine"
    echo "cmdFile: "`cat $extCmdFile`
    repAndExec \
        certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
        -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
    return $RET
}

createSignedCert() {
    dir=$1
    certDir=$2
    certName=$3
    certSN=$4
    certSubj=$5
    keyType=$6
    extList=$7

    echo Creating cert $certName-$keyType with SN=$certSN

    CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    repAndExec \
        certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
                  -k $keyType -o $dir/req  2>&1
    [ "$RET" -ne 0 ] && return $RET

    signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    rm -f $dir/req

    repAndExec \
        certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
                    -i "$dir/${certName}-$keyType.crt" 2>&1
    [ "$RET" -ne 0 ] && return $RET

    cp "$dir/${certName}-$keyType.crt" $certDir

    repAndExec \
        pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
                     -k ${PW_FILE} -W iopr
    [ "$RET" -ne 0 ] && return $RET
    return 0
}

generateAndExportSSLCerts() {
    dir=$1
    certDir=$2
    serverName=$3
    servCertReq=$4

    if [ "$servCertReq" -a -f $servCertReq ]; then
        grep REQUEST $servCertReq >/dev/null 2>&1
        signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
        ret=$?
        [ "$ret" -ne 0 ] && return $ret
    fi

    certName=$serverName
    createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret
   
    certName=TestUser510
    createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=TestUser511
    createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=TestUser512
    createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=TestUser513
    createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret
}

generateAndExportOCSPCerts() {
    dir=$1
    certDir=$2

    certName=ocspTrustedResponder
    createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=ocspDesignatedResponder
    createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=ocspTRTestUser514
    createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=ocspTRTestUser516
    createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=ocspRCATestUser518
    createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
        AIA,http://dochinups.red.iplanet.com:2561
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=ocspRCATestUser520
    createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
        AIA,http://dochinups.red.iplanet.com:2561
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=ocspDRTestUser522
    createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
        AIA,http://dochinups.red.iplanet.com:2562
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=ocspDRTestUser524
    createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
        AIA,http://dochinups.red.iplanet.com:2562
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    generateAndExportCACert $dir "" TestCA-unknown
    [ $? -ne 0 ] && return $ret
    
    certSigner=TestCA-unknown
    
    certName=ocspTRUnkownIssuerCert
    createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=ocspRCAUnkownIssuerCert
    createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
        AIA,http://dochinups.red.iplanet.com:2561
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certName=ocspDRUnkownIssuerCert
    createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
        AIA,http://dochinups.red.iplanet.com:2562
    ret=$?
    [ "$ret" -ne 0 ] && return $ret

    certSigner=""
    
    return 0
}

generateAndExportCACert() {
    dir=$1
    certDirL=$2
    caName=$3

    certName=TestCA
    [ "$caName" ] && certName=$caName
    CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
    repAndExec \
        certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
        -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
5
6
9
n
y
-1
n
EOF

    if [ "$certDirL" ]; then
        repAndExec \
            certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt 
        [ "$RET" -ne 0 ] && return $RET
        
        repAndExec \
            pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
        [ "$RET" -ne 0 ] && return $RET
    fi
}


generateCerts() {
    certDir=$1
    serverName=$2
    reuseCACert=$3
    servCertReq=$4
    
    [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
    [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1

    mkdir -p $certDir
    [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
    

    dir=/tmp/db.$$
    if [ -z "$reuseCACert" ]; then
        if [ -d "$dir" ]; then
            rm -f $dir
        fi
   
        PW_FILE=$dir/nss.pwd
        NOISE_FILE=$dir/nss.noise

        mkdir -p $dir
        [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
        
        echo nss > $PW_FILE
        date >> ${NOISE_FILE} 2>&1
        
        repAndExec \
            certutil -d $dir -N -f $PW_FILE
        [ "$RET" -ne 0 ] && return $RET
        
        generateAndExportCACert $dir $certDir
        [ "$RET" -ne 0 ] && return $RET
    else
        dir=$reuseCACert
        PW_FILE=$dir/nss.pwd
        NOISE_FILE=$dir/nss.noise
        hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
        [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
            return $RET;
    fi

    generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
    [ "$RET" -ne 0 ] && return $RET

    generateAndExportOCSPCerts $dir $certDir
    [ "$RET" -ne 0 ] && return $RET

    crlUpdate=`date +%Y%m%d%H%M%SZ`
    crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
    repAndExec \
        crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
update=$crlUpdate
nextupdate=$crlNextUpdate
addcert 509-511 $crlUpdate
addcert 516 $crlUpdate
addcert 520 $crlUpdate
addcert 524 $crlUpdate
EOF_CRLINI
    [ "$RET" -ne 0 ] && return $RET

    rm -rf $dir
    return 0
}


if [ -z "$1" -o -z "$2" ]; then
    echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
    exit 1
fi
generateCerts $1 $2 "$3" $4
exit $?