Bug 297738 - Patch to load root certs module. r=julien, sr=nelson NSS_3_11_BRANCH
authorslavomir.katuscak%sun.com
Wed, 04 Jul 2007 10:13:59 +0000
branchNSS_3_11_BRANCH
changeset 7910 dd8874bf199818aa2c6b2213947c2ae4984d2e61
parent 7906 835a4163fd57b2b1fe95390deba4f04617960943
child 7911 ecb81fb33ead4bb58b0b83b7f448f0466c34e588
push idunknown
push userunknown
push dateunknown
reviewersjulien, nelson
bugs297738
Bug 297738 - Patch to load root certs module. r=julien, sr=nelson
security/nss/tests/cert/cert.sh
security/nss/tests/iopr/cert_iopr.sh
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -70,27 +70,38 @@ cert_init()
   SCRIPTNAME="cert.sh"
   if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
       CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
   fi
   if [ -z "${INIT_SOURCED}" ] ; then
       cd ../common
       . ./init.sh
   fi
-  if [ -z "${IOPR_CERT_SOURCED}" ]; then                                        
-      . ../iopr/cert_iopr.sh                                                   
-  fi                                                                            
+  if [ -z "${IOPR_CERT_SOURCED}" ]; then
+       . ../iopr/cert_iopr.sh
+  fi
   SCRIPTNAME="cert.sh"
   CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
   if [ -n "$NSS_ENABLE_ECC" ] ; then
       html_head "Certutil and Crlutil Tests with ECC"
   else
       html_head "Certutil and Crlutil Tests"
   fi
 
+  LIBDIR="${DIST}/${OBJDIR}/lib"
+
+  ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
+  if [ ! "${ROOTCERTSFILE}" ] ; then
+      html_failed "<TR><TD>Looking for root certs module." 
+      cert_log "ERROR: Root certs module not found."
+      Exit 5 "Fatal - Root certs module not found."
+  else
+      html_passed "<TR><TD>Looking for root certs module."
+  fi
+
   ################## Generate noise for our CA cert. ######################
   # NOTE: these keys are only suitable for testing, as this whole thing 
   # bypasses the entropy gathering. Don't use this method to generate 
   # keys and certs for product use or deployment.
   #
   ps -efl > ${NOISE_FILE} 2>&1
   ps aux >> ${NOISE_FILE} 2>&1
   noise
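Review bot: The root-certs module path added in cert_init comes from `ls -1 ${LIBDIR}/*nssckbi* | head -1`, so whichever file sorts first among everything matching `*nssckbi*` is what later gets registered as the trust module in every test database. If the lib directory also holds a companion file with that substring (a signature, import-library or debug file, for example), the pick may not be the shared library, and a `LIBDIR` containing whitespace splits the unquoted glob. A loop such as `for f in "${LIBDIR}"/*nssckbi*; do [ -f "$f" ] && ROOTCERTSFILE="$f" && break; done`, ideally with a narrower pattern, avoids parsing `ls`; the per-platform library suffix is not visible in this hunk. cert_init starts and ends outside the hunk.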
@@ -139,18 +150,16 @@ certu()
     if [ "$RET" -ne 0 ]; then
         CERTFAILED=$RET
         html_failed "<TR><TD>${CU_ACTION} ($RET) " 
         cert_log "ERROR: ${CU_ACTION} failed $RET"
     else
         html_passed "<TR><TD>${CU_ACTION}"
     fi
 
-    # echo "Contine?"
-    # cat > /dev/null
     return $RET
 }
 
 ################################ crlu #################################
 # local shell function to call crlutil, also: writes action and options to
 # stdout, sets variable RET and writes results to the html file results
 ########################################################################
 crlu()
@@ -164,18 +173,36 @@ crlu()
     if [ "$RET" -ne 0 ]; then
         CRLFAILED=$RET
         html_failed "<TR><TD>${CU_ACTION} ($RET) " 
         cert_log "ERROR: ${CU_ACTION} failed $RET"
     else
         html_passed "<TR><TD>${CU_ACTION}"
     fi
 
-    # echo "Contine?"
-    # cat > /dev/null
+    return $RET
+}
+
+modu()
+{
+    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+
+    MODUTIL="modutil"
+    echo "$MODUTIL $*"
+    # echo is used to press Enter expected by modutil
+    echo | $MODUTIL $*
+    RET=$?
+    if [ "$RET" -ne 0 ]; then
+        MODFAILED=$RET
+        html_failed "<TR><TD>${CU_ACTION} ($RET) " 
+        cert_log "ERROR: ${CU_ACTION} failed $RET"
+    else
+        html_passed "<TR><TD>${CU_ACTION}"
+    fi
+
     return $RET
 }
 
 ############################# cert_init_cert ##########################
 # local shell function to initialize creation of client and server certs
 ########################################################################
 cert_init_cert()
 {
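Review bot: `modu` forwards its arguments with an unquoted `$*` (`echo | $MODUTIL $*`), so the quoting that callers apply to `-libfile "${ROOTCERTSFILE}"` and `-dbdir "${PROFILEDIR}"` is lost and any path containing whitespace or glob characters is re-split before modutil sees it. This matters more now that the same commit turns those directories into absolute `pwd` results. Use `echo | $MODUTIL "$@"` instead. The function also has no banner comment like the `crlu` block above it, and it sets `MODFAILED`, which nothing in the visible hunks reads; a short header naming the globals it uses (`CU_ACTION`, `RET`, `MODFAILED`) would help.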
@@ -185,19 +212,19 @@ cert_init_cert()
     DOMAIN="$4"
 
     if [ ! -d "${CERTDIR}" ]; then
         mkdir -p "${CERTDIR}"
     else
         echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
     fi
     cd "${CERTDIR}"
-    CERTDIR="." 
+    CERTDIR="."
 
-    PROFILEDIR=${CERTDIR}
+    PROFILEDIR=`cd ${CERTDIR}; pwd`
     if [ -n "${MULTIACCESS_DBM}" ]; then
 	PROFILEDIR="multiaccess:${DOMAIN}"
     fi
 
     noise
 }
 
 ############################# hw_acc #################################
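Review bot: The `cd ${CERTDIR}; pwd` form introduced at the `PROFILEDIR=` assignment joins the two commands with `;`, so if the `cd` fails, `pwd` still prints the current directory and that path silently becomes the database directory. Here `CERTDIR` has just been set to `.`, so it is harmless, but the same pattern is added in cert_stresscerts, in cert_crl_ssl (where the shell has just changed into `$CADIR`, so a failed `cd ${CLIENTDIR}` would yield the CA directory) and in createDBDir in cert_iopr.sh. Prefer ``PROFILEDIR=`cd "${CERTDIR}" && pwd` `` and treat an empty result as an error.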
@@ -206,17 +233,16 @@ cert_init_cert()
 hw_acc()
 {
     HW_ACC_RET=0
     HW_ACC_ERR=""
     if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then
         echo "creating $CERTNAME s cert with hwaccelerator..."
         #case $ACCELERATOR in
         #rainbow)
-   
 
         echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
         echo "         -dbdir ${PROFILEDIR} 2>&1 "
         echo | modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
             -dbdir ${PROFILEDIR} 2>&1 
         if [ "$?" -ne 0 ]; then
             echo "modutil -add rainbow failed in `pwd`"
             HW_ACC_RET=1
@@ -254,31 +280,41 @@ cert_create_cert()
 {
     cert_init_cert "$1" "$2" "$3" "$4"
 
     CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
     certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
     if [ "$RET" -ne 0 ]; then
         return $RET
     fi
+
+    CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"
+    modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1   
+    if [ "$RET" -ne 0 ]; then
+        return $RET
+    fi
+
     hw_acc
+
     CU_ACTION="Import Root CA for $CERTNAME"
     certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${R_CADIR}/root.cert" 2>&1
     if [ "$RET" -ne 0 ]; then
         return $RET
     fi
+
     if [ -n "$NSS_ENABLE_ECC" ] ; then
 	CU_ACTION="Import EC Root CA for $CERTNAME"
 	certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
 	    -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
     fi
+
     cert_add_cert "$5"
     return $?
 }
 
 ############################# cert_add_cert ############################
 # local shell function to add client certs to an existing CERT DB
 #     generate request
 #     sign request
@@ -448,27 +484,34 @@ cert_CA()
   echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="
 
   if [ ! -d "${CUR_CADIR}" ]; then
       mkdir -p "${CUR_CADIR}"
   fi
   cd ${CUR_CADIR}
   pwd
 
-  LPROFILE=.
+  LPROFILE=`pwd`
   if [ -n "${MULTIACCESS_DBM}" ]; then
 	LPROFILE="multiaccess:${DOMAIN}"
   fi
 
   if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
       CU_ACTION="Creating CA Cert DB"
-      certu -N -d ${LPROFILE} -f ${R_PWFILE} 2>&1
+      certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1
       if [ "$RET" -ne 0 ]; then
           Exit 5 "Fatal - failed to create CA $NICKNAME "
       fi
+
+      CU_ACTION="Loading root cert module to CA Cert DB"
+      modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1   
+      if [ "$RET" -ne 0 ]; then
+          return $RET
+      fi
+
       echo "$SCRIPTNAME: Certificate initialized ----------"
   fi
 
 
   ################# Creating CA Cert ######################################
   #
   CU_ACTION="Creating CA Cert $NICKNAME "
   CU_SUBJECT=$ALL_CU_SUBJECT
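Review bot: A failed `modu -add` in the self-signed branch only does `return $RET`, while the `certu -N` failure a few lines earlier aborts with `Exit 5`. Whether callers of cert_CA check its return status is not visible here, so a CA database without the root module may carry on being used. For consistency use `Exit 5 "Fatal - failed to load root certs module for CA $NICKNAME "`, or add a comment explaining why this failure is recoverable. cert_CA starts and ends outside the hunk.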
@@ -680,16 +723,19 @@ cert_extended_ssl()
   echo "     of a chain of CA's which are not in the same database============"
 
   echo "Server Cert"
   cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
 
   CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
   certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
 
+  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
+  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
   CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
   CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
   cp ${CERTDIR}/req ${SERVER_CADIR}
   certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
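Review bot: The result of the new `modu -add "RootCerts"` call is not checked, so if the module fails to load, the request, signing and import steps that follow still run against a database without it. The same unchecked call is added for the client certificate later in cert_extended_ssl, in cert_fips and in cert_eccurves, whereas cert_create_cert, cert_CA and createDBDir do test `$RET`. The neighbouring `certu` calls in these functions are unchecked as well, so at minimum add a comment that the failure is only recorded through `html_failed` and `MODFAILED`; otherwise add `if [ "$RET" -ne 0 ]; then return $RET; fi` after the call.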
@@ -765,16 +811,19 @@ cert_extended_ssl()
   done
 #============
   echo "Client Cert"
   cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
 
   CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
   certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
 
+  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
+  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
   CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
   CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
       -o req 2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
   cp ${CERTDIR}/req ${CLIENT_CADIR}
   certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
@@ -897,17 +946,17 @@ cert_ssl()
 cert_stresscerts()
 {
 
   ############### Creating Certs for SSL stress test #######################
   #
   CERTDIR="$CLIENTDIR"
   cd "${CERTDIR}"
 
-  PROFILEDIR=${CERTDIR}
+  PROFILEDIR=`cd ${CERTDIR}; pwd`
   if [ -n "${MULTIACCESS_DBM}" ]; then
      PROFILEDIR="multiaccess:${D_CLIENT}"
   fi
   CERTFAILED=0
   echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
 
   CONTINUE=$GLOB_MAX_CERT
   CERTSERIAL=10
@@ -934,16 +983,19 @@ cert_fips()
 {
   CERTFAILED=0
   echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
   cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
 
   CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
   certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
 
+  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
+  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
   echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
   CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
   echo "modutil -dbdir ${PROFILEDIR} -fips true "
   modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
 y
 MODSCRIPT
   RET=$?
   if [ "$RET" -ne 0 ]; then
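Review bot: The `CU_ACTION` label added in cert_fips ends in `(ext.)`, which looks copied from cert_extended_ssl; the other actions in this function carry no such suffix, so the HTML report and log will mislabel this step. Suggest `CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"`. If adding the module before FIPS mode is switched on is intentional, a one-line comment saying so would also help.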
@@ -966,22 +1018,28 @@ MODSCRIPT
 ########################################################################
 cert_eccurves()
 {
   ################# Creating Certs for EC curves test ########################
   #
   if [ -n "$NSS_ENABLE_ECC" ] ; then
     echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
     echo "             EC Curves Test Certificates ------------------------------------"
-    cert_init_cert ${ECCURVES_DIR} "EC Curves Test Certificates" 1 ${D_ECCURVES}
+
+    cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
+
     CU_ACTION="Initializing EC Curve's Cert DB"
-    certu -N -d "${ECCURVES_DIR}" -f "${R_PWFILE}" 2>&1
-	CU_ACTION="Import EC Root CA for $CERTNAME"
-	certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
-	    -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1
+    certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+    CU_ACTION="Loading root cert module to EC Curve's Cert DB"
+    modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
+    CU_ACTION="Import EC Root CA for $CERTNAME"
+    certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
+        -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1
 
     if [ -n "${NSS_ECC_MORE_THAN_SUITE_B}" ] ; then
       CURVE_LIST="c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 \
 	c2pnb208w1 c2pnb272w1 c2pnb304w1 c2pnb368w1 \
 	c2tnb191v1 c2tnb191v2 c2tnb191v3 c2tnb239v1 \
 	c2tnb239v2 c2tnb239v3 c2tnb359v1 c2tnb431r1 \
 	nistb163 nistb233 nistb283 nistb409 nistb571 \
 	nistk163 nistk233 nistk283 nistk409 nistk571 \
@@ -1001,28 +1059,28 @@ cert_eccurves()
 
     for CURVE in ${CURVE_LIST}
     do
 	CERTFAILED=0
 	CERTNAME="Curve-${CURVE}"
 	CERTSERIAL=`expr $CERTSERIAL + 1 `
 	CU_ACTION="Generate EC Cert Request for $CERTNAME"
 	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
-	certu -R -k ec -q "${CURVE}" -d "${ECCURVES_DIR}" -f "${R_PWFILE}" \
+	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 		-z "${R_NOISE_FILE}" -o req  2>&1
 	
 	if [ $RET -eq 0 ] ; then
 	  CU_ACTION="Sign ${CERTNAME}'s EC Request"
 	  certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
 		-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
 	fi
 	
 	if [ $RET -eq 0 ] ; then
 	  CU_ACTION="Import $CERTNAME's EC Cert"
-	  certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${ECCURVES_DIR}" \
+	  certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
 		-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
 	fi
     done
 
   fi # if NSS_ENABLE_ECC=1
 }
 ############################## cert_extensions ###############################
 # local shell function to test cert extensions generation.
@@ -1106,17 +1164,17 @@ cert_crl_ssl()
     
   ################# Creating Certs ###################################
   #
   CERTFAILED=0
   CERTSERIAL=${CRL_GRP_1_BEGIN}
 
   cd $CADIR
   
-  PROFILEDIR=${CLIENTDIR}
+  PROFILEDIR=`cd ${CLIENTDIR}; pwd`
   CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1`
   echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ==="
   CU_ACTION="Creating client test certs"
 
   while [ $CERTSERIAL -le $CRL_GRPS_END ]
   do
       CERTNAME="TestUser$CERTSERIAL"
       cert_add_cert 
--- a/security/nss/tests/iopr/cert_iopr.sh
+++ b/security/nss/tests/iopr/cert_iopr.sh
@@ -74,21 +74,29 @@ pk12u()
 # Initializes nss db directory and files if they don't exists
 # Params:
 #      $1 - directory location
 #
 createDBDir() {
     trgDir=$1
 
     if [ -z "`ls $trgDir | grep db`" ]; then
-        CU_ACTION="Initializing DB at $dir"
+        trgDir=`cd ${trgDir}; pwd`
+
+        CU_ACTION="Initializing DB at ${trgDir}"
         certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
         if [ "$RET" -ne 0 ]; then
             return $RET
         fi
+
+        CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
+        modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
+        if [ "$RET" -ne 0 ]; then
+            return $RET
+        fi
     fi
 }
 ########################################################################
 # takes care of downloading config, cert and crl files from remote
 # location. 
 # Params:
 #      $1 - name of the host file will be downloaded from
 #      $2 - path to the file as it appeared in url
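Review bot: createDBDir now depends on two things defined only in cert.sh, the `modu` function and the `ROOTCERTSFILE` variable that cert_init sets, and neither is mentioned in the function's header comment. Whether other scripts source cert_iopr.sh is not visible here, but if one does so without running cert_init, `ROOTCERTSFILE` is empty. Because `modu` expands `$*` unquoted, the empty `-libfile` value would then disappear and `-dbdir` would be consumed in its place. Add a guard such as `[ -n "${ROOTCERTSFILE}" ] || return 1` before the call and list `ROOTCERTSFILE` as a required global in the header.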