Bug 1057128 - Add --clobber to generate_certs.sh, disabled by default (don't unnecessarily regenerate all certificates). r=rbarnes, a=sledru
authorDavid Keeler <dkeeler@mozilla.com>
Fri, 22 Aug 2014 10:25:46 -0700
changeset 216657 3f1e228fac54
parent 216656 292839cc6594
child 216658 03029d16e697
push id3864
push userryanvm@gmail.com
push date2014-09-04 13:00 +0000
reviewersrbarnes, sledru
bugs1057128
milestone33.0
Bug 1057128 - Add --clobber to generate_certs.sh, disabled by default (don't unnecessarily regenerate all certificates). r=rbarnes, a=sledru
security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -1,36 +1,46 @@
 #!/bin/bash
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 #
-# Usage: ./generate_certs.sh <path to objdir> <output directory>
+# Usage: ./generate_certs.sh <path to objdir> <output directory> [--clobber]
 # e.g. (from the root of mozilla-central)
 # `./security/manager/ssl/tests/unit/tlsserver/generate_certs.sh \
 #  obj-x86_64-unknown-linux-gnu/ \
 #  security/manager/ssl/tests/unit/tlsserver/`
 #
-# NB: This will cause the following files to be overwritten if they are in
-# the output directory:
+# The --clobber switch is optional. If specified, the existing database of
+# keys and certificates is removed and repopulated. By default, existing
+# databases are preserved and only keys and certificates that don't already
+# exist in the database are added.
+# NB: If --clobber is specified, the following files to be overwritten if they
+# are in the output directory:
 #  cert9.db, key4.db, pkcs11.txt, test-ca.der, other-test-ca.der, default-ee.der
-# NB: You must run genHPKPStaticPins.js after running this file, since its
-# output (StaticHPKPins.h) depends on default-ee.der
+# (if --clobber is not specified, then only cert9.db and key4.db are modified)
+# NB: If --clobber is specified, you must run genHPKPStaticPins.js after
+# running this file, since its output (StaticHPKPins.h) depends on
+# default-ee.der
 
 set -x
 set -e
 
-if [ $# -ne 2 ]; then
-  echo "Usage: `basename ${0}` <path to objdir> <output directory>"
+if [ $# -lt 2 ]; then
+  echo "Usage: `basename ${0}` <path to objdir> <output directory> [--clobber]"
   exit $E_BADARGS
 fi
 
 OBJDIR=${1}
 OUTPUT_DIR=${2}
+CLOBBER=0
+if [ "${3}" == "--clobber" ]; then
+  CLOBBER=1
+fi
 # Use the SQL DB so we can run tests on Android.
 DB_ARGUMENT="sql:$OUTPUT_DIR"
 RUN_MOZILLA="$OBJDIR/dist/bin/run-mozilla.sh"
 CERTUTIL="$OBJDIR/dist/bin/certutil"
 # On BSD, mktemp requires either a template or a prefix.
 MKTEMP="mktemp temp.XXXX"
 
 NOISE_FILE=`$MKTEMP`
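Review bot: The argument check on L54 only rejects fewer than two arguments, so a mistyped third argument (`--clober`, `--clobber=1`) or a stray fourth one is silently accepted and the script runs in the new non-clobber mode, preserving a DB the caller meant to wipe. Rejecting anything other than an exact `--clobber` is one line, in the file's existing `[ -a/-o ]` style: `if [ $# -lt 2 -o $# -gt 3 ] || [ $# -eq 3 -a "${3}" != "--clobber" ]; then`. The header comment on L39 also reads `the following files to be overwritten`; it should read `the following files will be overwritten`. L44's statement that only cert9.db and key4.db are modified without --clobber holds only when every CA nickname is already present: make_CA still writes `$OUTPUT_DIR/$DERFILE` (L125 in the next hunk) for any CA it does generate.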
@@ -53,46 +63,74 @@ if [ ! -f "$CERTUTIL" ]; then
 fi
 
 if [ ! -d "$OUTPUT_DIR" ]; then
   echo "Could not find output directory at \'$OUTPUT_DIR\'"
   exit $E_BADARGS
 fi
 
 if [ -f "$OUTPUT_DIR/cert9.db" -o -f "$OUTPUT_DIR/key4.db" -o -f "$OUTPUT_DIR/pkcs11.txt" ]; then
-  echo "Found pre-existing NSS DBs. Clobbering old OCSP certs."
-  rm -f "$OUTPUT_DIR/cert9.db" "$OUTPUT_DIR/key4.db" "$OUTPUT_DIR/pkcs11.txt"
+  if [ $CLOBBER -eq 1 ]; then
+    echo "Found pre-existing NSS DBs. Clobbering old certificates."
+    rm -f "$OUTPUT_DIR/cert9.db" "$OUTPUT_DIR/key4.db" "$OUTPUT_DIR/pkcs11.txt"
+    $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -N -f $PASSWORD_FILE
+  else
+    echo "Found pre-existing NSS DBs. Only generating newly added certificates."
+    echo "(re-run with --clobber to remove and regenerate old certificates)"
+  fi
+else
+  echo "No pre-existing NSS DBs found. Creating new ones."
+  $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -N -f $PASSWORD_FILE
 fi
-$RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -N -f $PASSWORD_FILE
 
 COMMON_ARGS="-v 360 -w -1 -2 -z $NOISE_FILE"
 
+# Bash doesn't actually allow return values in a sane way, so just use a
+# global variable.
+function cert_already_exists {
+  NICKNAME="${1}"
+  ALREADY_EXISTS=1
+  $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -L -n $NICKNAME || ALREADY_EXISTS=0
+}
+
 function make_CA {
   CA_RESPONSES="y\n1\ny"
   NICKNAME="${1}"
   SUBJECT="${2}"
   DERFILE="${3}"
 
+  cert_already_exists $NICKNAME
+  if [ $ALREADY_EXISTS -eq 1 ]; then
+    echo "cert \"$NICKNAME\" already exists - not regenerating it (use --clobber to force regeneration)"
+    return
+  fi
+
   echo -e "$CA_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -S \
                                                    -n $NICKNAME \
                                                    -s "$SUBJECT" \
                                                    -t "CT,," \
                                                    -x $COMMON_ARGS
   $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -L -n $NICKNAME -r > $OUTPUT_DIR/$DERFILE
 }
 
-SERIALNO=1
+SERIALNO=$RANDOM
 
 function make_INT {
   INT_RESPONSES="y\n0\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
   NICKNAME="${1}"
   SUBJECT="${2}"
   CA="${3}"
   EXTRA_ARGS="${4}"
 
+  cert_already_exists $NICKNAME
+  if [ $ALREADY_EXISTS -eq 1 ]; then
+    echo "cert \"$NICKNAME\" already exists - not regenerating it (use --clobber to force regeneration)"
+    return
+  fi
+
   echo -e "$INT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -S \
                                                     -n $NICKNAME \
                                                     -s "$SUBJECT" \
                                                     -c $CA \
                                                     -t ",," \
                                                     -m $SERIALNO \
                                                     --extAIA \
                                                     $COMMON_ARGS \
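Review bot: The comment on L100-101 is inaccurate — a bash function does return an exit status, which is all a yes/no probe needs, so the `ALREADY_EXISTS` global and the identical check blocks in make_CA here and in make_INT, make_EE and make_delegated (this hunk and the next two) could collapse to `function cert_already_exists { $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -L -n "${1}" > /dev/null; }` with callers written as `if cert_already_exists $NICKNAME; then`. As written, any certutil failure on L105 (unreadable DB, bad password file) is indistinguishable from "nickname not found" and falls through to regeneration, where the following `-S` will then likely abort under `set -e` with a less obvious error; a comment stating that assumption would help. `SERIALNO=$RANDOM` on L129 carries no comment; presumably it avoids reusing a serial the same CA already issued into a preserved DB, but `$RANDOM` is only 0–32767, so repeated non-clobber runs can still collide — suggest `# Start from a random serial so certs added to a pre-existing DB don't reuse one the same CA already issued (NB: $RANDOM is only 15 bits)`. make_INT starts in this hunk but its body and the SERIALNO increment continue outside it.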
@@ -103,16 +141,22 @@ function make_INT {
 function make_EE {
   CERT_RESPONSES="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
   NICKNAME="${1}"
   SUBJECT="${2}"
   CA="${3}"
   SUBJECT_ALT_NAME="${4}"
   EXTRA_ARGS="${5} ${6}"
 
+  cert_already_exists $NICKNAME
+  if [ $ALREADY_EXISTS -eq 1 ]; then
+    echo "cert \"$NICKNAME\" already exists - not regenerating it (use --clobber to force regeneration)"
+    return
+  fi
+
   echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -S \
                                                      -n $NICKNAME \
                                                      -s "$SUBJECT" \
                                                      -8 $SUBJECT_ALT_NAME \
                                                      -c $CA \
                                                      -t ",," \
                                                      -m $SERIALNO \
                                                      --extAIA \
@@ -123,16 +167,22 @@ function make_EE {
 
 function make_delegated {
   CERT_RESPONSES="n\n\ny\n"
   NICKNAME="${1}"
   SUBJECT="${2}"
   CA="${3}"
   EXTRA_ARGS="${4}"
 
+  cert_already_exists $NICKNAME
+  if [ $ALREADY_EXISTS -eq 1 ]; then
+    echo "cert \"$NICKNAME\" already exists - not regenerating it (use --clobber to force regeneration)"
+    return
+  fi
+
   echo -e "$CERT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -S \
                                                      -n $NICKNAME \
                                                      -s "$SUBJECT" \
                                                      -c $CA \
                                                      -t ",," \
                                                      -m $SERIALNO \
                                                      $COMMON_ARGS \
                                                      $EXTRA_ARGS
@@ -154,19 +204,24 @@ make_EE ocspOtherEndEntity 'CN=Other Cer
 
 make_INT testINT 'CN=Test Intermediate' testCA
 make_EE ocspEEWithIntermediate 'CN=Test End-entity with Intermediate' testINT "localhost,*.example.com"
 make_EE expired 'CN=Expired Test End-entity' testCA "expired.example.com" "-w -400"
 make_EE mismatch 'CN=Mismatch Test End-entity' testCA "doesntmatch.example.com"
 make_EE selfsigned 'CN=Self-signed Test End-entity' testCA "selfsigned.example.com" "-x"
 # If the certificate 'CN=Test Intermediate' isn't loaded into memory,
 # this certificate will have an unknown issuer.
+# deletedINT is never kept in the database, so it always gets regenerated.
+# That's ok, because if unknownissuer was already in the database, it won't
+# get regenerated. Either way, deletedINT will then be removed again.
 make_INT deletedINT 'CN=Test Intermediate to delete' testCA
 make_EE unknownissuer 'CN=Test End-entity from unknown issuer' deletedINT "unknownissuer.example.com"
+
 $RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -D -n deletedINT
+
 make_INT expiredINT 'CN=Expired Test Intermediate' testCA "-w -400"
 make_EE expiredissuer 'CN=Test End-entity with expired issuer' expiredINT "expiredissuer.example.com"
 NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature 'CN=Test End-entity with MD5 signature' testCA "md5signature.example.com" "-Z MD5"
 make_EE untrustedissuer 'CN=Test End-entity with untrusted issuer' otherCA "untrustedissuer.example.com"
 
 make_EE mismatch-expired 'CN=Mismatch-Expired Test End-entity' testCA "doesntmatch.example.com" "-w -400"
 make_EE mismatch-untrusted 'CN=Mismatch-Untrusted Test End-entity' otherCA "doesntmatch.example.com"
 make_EE untrusted-expired 'CN=Untrusted-Expired Test End-entity' otherCA "untrusted-expired.example.com" "-w -400"
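Review bot: In the non-clobber mode this commit introduces, `make_INT deletedINT` on L210 generates a fresh key pair on every run, but `-D -n deletedINT` on L213 removes only the certificate, so unless certutil also discards the now-unreferenced private key, each run against a preserved DB is likely to leave another orphaned key in key4.db. If that turns out to be the case, `$RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -F -n deletedINT` (delete key and certificate) would keep the DB from growing; worth confirming with a couple of repeated runs. The comment on L207-209 could also say explicitly that an existing `unknownissuer` signed by a previous deletedINT key is still fine because the test only needs its issuer to be absent from the DB.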