Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-25 22:01:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bugzilla Bug 324887: merged ECC and non-ECC QA test scripts and removed

Browse Source 
ECC QA test scripts.  The patch is written by Vipul Gupta and Christophe
Ravel of Sun. r=wtc,nelsonb,jpierre
Modified Files:
	cert/cert.sh smime/smime.sh ssl/ssl.sh ssl/sslauth.txt
	ssl/sslcov.txt ssl/sslstress.txt tools/tools.sh
Removed Files:
	fixtests.sh cert/eccert.sh smime/ecsmime.sh ssl/ecssl.sh
	ssl/ecsslauth.txt ssl/ecsslcov.txt ssl/ecsslstress.txt
	tools/ectools.sh
This commit is contained in:
wtchang%redhat.com 2006-03-03 20:06:03 +00:00
parent 7932c781db
commit f1ca8f1fd1
15 changed files with 684 additions and 2188 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

324
security/nss/tests/cert/cert.sh
View File

@ -21,6 +21,7 @@
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
@ -75,7 +76,11 @@ cert_init()
fi
SCRIPTNAME="cert.sh"
CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
html_head "Certutil and Crlutil Tests"
if [ -n "$NSS_ENABLE_ECC" ] ; then
html_head "Certutil and Crlutil Tests with ECC"
else
html_head "Certutil and Crlutil Tests"
fi
################## Generate noise for our CA cert. ######################
# NOTE: these keys are only suitable for testing, as this whole thing
@ -140,7 +145,7 @@ certu()
return $RET
}
################################ certu #################################
################################ crlu #################################
# local shell function to call crlutil, also: writes action and options to
# stdout, sets variable RET and writes results to the html file results
########################################################################
@ -257,6 +262,14 @@ cert_create_cert()
if [ "$RET" -ne 0 ]; then
return $RET
fi
if [ -n "$NSS_ENABLE_ECC" ] ; then
CU_ACTION="Import EC Root CA for $CERTNAME"
certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
-d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
fi
cert_add_cert "$5"
return $?
}
@ -270,7 +283,6 @@ cert_create_cert()
########################################################################
cert_add_cert()
{
CU_ACTION="Generate Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
@ -293,6 +305,36 @@ cert_add_cert()
fi
cert_log "SUCCESS: $CERTNAME's Cert Created"
#
# Generate and add EC cert
#
if [ -n "$NSS_ENABLE_ECC" ] ; then
CURVE="secp384r1"
CU_ACTION="Generate EC Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-z "${R_NOISE_FILE}" -o req 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
CU_ACTION="Sign ${CERTNAME}'s EC Request"
certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
CU_ACTION="Import $CERTNAME's EC Cert"
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
cert_log "SUCCESS: $CERTNAME's EC Cert Created"
fi
return 0
}
@ -325,8 +367,37 @@ cert_all_CA()
cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
# root.cert in $CLIENT_CADIR and in $SERVER_CADIR is the one of the last
# root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
if [ -n "$NSS_ENABLE_ECC" ] ; then
#
# Create EC version of TestCA
CA_CURVE="secp521r1"
ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
#
# Create EC versions of the intermediate CA certs
ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
fi
}
################################# cert_CA ################################
@ -400,6 +471,70 @@ CERTSCRIPT
cp root.cert ${NICKNAME}.ca.cert
}
################################ cert_ec_CA ##############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
# This is the ECC version of cert_CA.
##########################################################################
cert_ec_CA()
{
CUR_CADIR=$1
NICKNAME=$2
SIGNER=$3
TRUSTARG=$4
DOMAIN=$5
CERTSERIAL=$6
CURVE=$7
echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="
if [ ! -d "${CUR_CADIR}" ]; then
mkdir -p "${CUR_CADIR}"
fi
cd ${CUR_CADIR}
pwd
LPROFILE=.
if [ -n "${MULTIACCESS_DBM}" ]; then
LPROFILE="multiaccess:${DOMAIN}"
fi
################# Creating an EC CA Cert ################################
#
CU_ACTION="Creating EC CA Cert $NICKNAME "
CU_SUBJECT=$ALL_CU_SUBJECT
certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \
-d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
-m $CERTSERIAL 2>&1 <<CERTSCRIPT
5
6
9
n
y
-1
n
5
6
7
9
n
CERTSCRIPT
if [ "$RET" -ne 0 ]; then
echo "return value is $RET"
Exit 6 "Fatal - failed to create EC CA cert"
fi
################# Exporting EC Root Cert ################################
#
CU_ACTION="Exporting EC Root Cert"
certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert
if [ "$RET" -ne 0 ]; then
Exit 7 "Fatal - failed to export ec root cert"
fi
cp ecroot.cert ${NICKNAME}.ca.cert
}
############################## cert_smime_client #############################
# local shell function to create client Certificates for S/MIME tests
##############################################################################
@ -414,6 +549,17 @@ cert_smime_client()
echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
## XXX With this new script merging ECC and non-ECC tests, the
## call to cert_create_cert ends up creating two separate certs
## one for Eve and another for Eve-ec but they both end up with
## the same Subject Alt Name Extension, i.e., both the cert for
## Eve@bogus.com and the cert for Eve-ec@bogus.com end up
## listing eve@bogus.net in the Certificate Subject Alt Name extension.
## This can cause a problem later when cmsutil attempts to create
## enveloped data and accidently picks up the ECC cert (NSS currently
## does not support ECC for enveloped data creation). This script
## avoids the problem by ensuring that these conflicting certs are
## never added to the same cert database (see comment marked XXXX).
echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
@ -456,6 +602,32 @@ cert_smime_client()
certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
-i ${R_EVEDIR}/Eve.cert 2>&1
if [ -n "$NSS_ENABLE_ECC" ] ; then
echo "$SCRIPTNAME: Importing EC Certificates =============================="
CU_ACTION="Import Bob's EC cert into Alice's db"
certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
-i ${R_BOBDIR}/Bob-ec.cert 2>&1
CU_ACTION="Import Dave's EC cert into Alice's DB"
certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
-i ${R_DAVEDIR}/Dave-ec.cert 2>&1
CU_ACTION="Import Dave's EC cert into Bob's DB"
certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
-i ${R_DAVEDIR}/Dave-ec.cert 2>&1
## XXXX Do not import Eve's EC cert until we can make sure that
## the email addresses listed in the Subject Alt Name Extension
## inside Eve's ECC and non-ECC certs are different.
# CU_ACTION="Import Eve's EC cert into Alice's DB"
# certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
# CU_ACTION="Import Eve's EC cert into Bob's DB"
# certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
fi
if [ "$CERTFAILED" != 0 ] ; then
cert_log "ERROR: SMIME failed $RET"
else
@ -463,11 +635,12 @@ cert_smime_client()
fi
}
############################## cert_ssl ################################
############################## cert_extended_ssl #######################
# local shell function to create client + server certs for extended SSL test
########################################################################
cert_extended_ssl()
{
################# Creating Certs for extended SSL test ####################
#
CERTFAILED=0
@ -496,11 +669,39 @@ cert_extended_ssl()
CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
if [ -n "$NSS_ENABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
EC_CURVE="secp256r1"
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
-z "${R_NOISE_FILE}" -o req 2>&1
CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
cp ${CERTDIR}/req ${SERVER_CADIR}
certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
#
# done with EC certs
#
fi
echo "Importing all the server's own CA chain into the servers DB"
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
do
N=`basename $CA | sed -e "s/.ca.cert//"`
if [ $N = "serverCA" ] ; then
if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then
T="-t C,C,C"
else
T="-t u,u,u"
@ -518,7 +719,8 @@ cert_extended_ssl()
CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
-o req 2>&1
CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
cp ${CERTDIR}/req ${CLIENT_CADIR}
@ -531,11 +733,38 @@ cert_extended_ssl()
CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
if [ -n "$NSS_ENABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
-z "${R_NOISE_FILE}" -o req 2>&1
CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
cp ${CERTDIR}/req ${CLIENT_CADIR}
certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
-d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
#
# done with EC certs
#
fi
echo "Importing all the client's own CA chain into the servers DB"
for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
do
N=`basename $CA | sed -e "s/.ca.cert//"`
if [ $N = "clientCA" ] ; then
if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then
T="-t T,C,C"
else
T="-t u,u,u"
@ -565,7 +794,12 @@ cert_ssl()
echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
echo " ${HOSTADDR} ------------------------------------"
cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR}
if [ -n "$NSS_ENABLE_ECC" ] ; then
CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR}
fi
# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
# echo "************* Copying CA files to ${SERVERDIR}"
# cp ${CADIR}/*.db .
@ -759,7 +993,8 @@ cert_crl_ssl()
CRLUPDATE=`date +%Y%m%d%H%M%SZ`
CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority"
CRL_GRP_END_=`expr ${CRL_GRP_END} - 1`
crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \
-o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
addext reasonCode 0 4
@ -768,16 +1003,32 @@ EOF_CRLINI
# This extension should be added to the list, but currently nss has bug
#addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or
if [ -n "$NSS_ENABLE_ECC" ] ; then
CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
# Until Bug 292285 is resolved, do not encode x400 Addresses. After
# the bug is resolved, reintroduce "x400Address:x400Address" within
# addext issuerAltNames ...
crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
-o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
addext reasonCode 0 4
addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or-ec
fi
echo test > file
############################# Modification ##################################
echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
sleep 2
CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
CU_ACTION="Modification CRL by adding one more cert"
CU_ACTION="Modify CRL by adding one more cert"
crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \
-i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
addcert ${CRL_GRP_END} $CRL_GRP_DATE
@ -785,16 +1036,35 @@ EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or1
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
if [ -n "$NSS_ENABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by adding one more cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
-o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
addcert ${CRL_GRP_END} $CRL_GRP_DATE
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or1-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
fi
########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
CU_ACTION="Modification CRL by removing one cert"
CU_ACTION="Modify CRL by removing one cert"
crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
-i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
if [ -n "$NSS_ENABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by removing one cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
-i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
fi
########### Creating second CRL which includes groups 1 and 2 ##############
CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
@ -813,6 +1083,18 @@ rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}
if [ -n "$NSS_ENABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
-i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
addext invalidityDate 0 $CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}-ec
fi
########### Creating second CRL which includes groups 1, 2 and 3 ##############
CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
@ -832,6 +1114,18 @@ addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}
if [ -n "$NSS_ENABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
-i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
rmcert ${UNREVOKED_CERT_GRP_3}
addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}-ec
fi
############ Importing Server CA Issued CRL for certs of first group #######
@ -839,6 +1133,12 @@ EOF_CRLINI
CU_ACTION="Importing CRL for groups 1"
crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
if [ -n "$NSS_ENABLE_ECC" ] ; then
CU_ACTION="Importing CRL (ECC) for groups 1"
crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
-d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
fi
if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"

886
security/nss/tests/cert/eccert.sh
View File

@ -1,886 +0,0 @@
#! /bin/sh
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
########################################################################
#
# mozilla/security/nss/tests/cert/rcert.sh
#
# Certificate generating and handeling for NSS QA, can be included
# multiple times from all.sh and the individual scripts
#
# needs to work on all Unix and Windows platforms
#
# included from (don't expect this to be up to date)
# --------------------------------------------------
# all.sh
# ssl.sh
# smime.sh
# tools.sh
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
#
# FIXME - Netscape - NSS
########################################################################
############################## cert_init ###############################
# local shell function to initialize this script
########################################################################
cert_init()
{
SCRIPTNAME="cert.sh"
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
fi
if [ -z "${INIT_SOURCED}" ] ; then
cd ../common
. ./init.sh
fi
SCRIPTNAME="cert.sh"
html_head "Certutil Tests"
################## Generate noise for our CA cert. ######################
# NOTE: these keys are only suitable for testing, as this whole thing
# bypasses the entropy gathering. Don't use this method to generate
# keys and certs for product use or deployment.
#
ps -efl > ${NOISE_FILE} 2>&1
ps aux >> ${NOISE_FILE} 2>&1
noise
}
cert_log() ###################### write the cert_status file
{
echo "$SCRIPTNAME $*"
echo $* >>${CERT_LOG_FILE}
}
################################ noise ##################################
# Generate noise for our certs
#
# NOTE: these keys are only suitable for testing, as this whole thing bypasses
# the entropy gathering. Don't use this method to generate keys and certs for
# product use or deployment.
#########################################################################
noise()
{
#netstat >> ${NOISE_FILE} 2>&1
date >> ${NOISE_FILE} 2>&1
}
################################ certu #################################
# local shell function to call certutil, also: writes action and options to
# stdout, sets variable RET and writes results to the html file results
########################################################################
certu()
{
echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
if [ -n "${CU_SUBJECT}" ]; then
#the subject of the cert contains blanks, and the shell
#will strip the quotes off the string, if called otherwise...
echo "certutil -s \"${CU_SUBJECT}\" $*"
certutil -s "${CU_SUBJECT}" $*
RET=$?
CU_SUBJECT=""
else
echo "certutil $*"
certutil $*
RET=$?
fi
if [ "$RET" -ne 0 ]; then
CERTFAILED=$RET
html_failed "<TR><TD>${CU_ACTION} ($RET) "
cert_log "ERROR: ${CU_ACTION} failed $RET"
else
html_passed "<TR><TD>${CU_ACTION}"
fi
# echo "Contine?"
# cat > /dev/null
return $RET
}
############################# cert_init_cert ##########################
# local shell function to initialize creation of client and server certs
########################################################################
cert_init_cert()
{
CERTDIR="$1"
CERTNAME="$2"
CERTSERIAL="$3"
DOMAIN="$4"
if [ ! -d "${CERTDIR}" ]; then
mkdir -p "${CERTDIR}"
else
echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
fi
cd "${CERTDIR}"
CERTDIR="."
PROFILEDIR=${CERTDIR}
if [ -n "${MULTIACCESS_DBM}" ]; then
PROFILEDIR="multiaccess:${DOMAIN}"
fi
noise
}
############################# hw_acc #################################
# local shell function to add hw accelerator modules to the db
########################################################################
hw_acc()
{
HW_ACC_RET=0
HW_ACC_ERR=""
if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then
echo "creating $CERTNAME s cert with hwaccelerator..."
#case $ACCELERATOR in
#rainbow)
echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
echo " -dbdir ${PROFILEDIR} 2>&1 "
echo | modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
-dbdir ${PROFILEDIR} 2>&1
if [ "$?" -ne 0 ]; then
echo "modutil -add rainbow failed in `pwd`"
HW_ACC_RET=1
HW_ACC_ERR="modutil -add rainbow"
fi
echo "modutil -add ncipher "
echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
echo " -dbdir ${PROFILEDIR} 2>&1 "
echo | modutil -add ncipher \
-libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
-dbdir ${PROFILEDIR} 2>&1
if [ "$?" -ne 0 ]; then
echo "modutil -add ncipher failed in `pwd`"
HW_ACC_RET=`expr $HW_ACC_RET + 2`
HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
fi
if [ "$HW_ACC_RET" -ne 0 ]; then
html_failed "<TR><TD>Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) "
else
html_passed "<TR><TD>Adding HW accelerators to certDB for ${CERTNAME}"
fi
fi
return $HW_ACC_RET
}
############################# cert_create_cert #########################
# local shell function to create client certs
# initialize DB, import
# root cert
# add cert to DB
########################################################################
cert_create_cert()
{
cert_init_cert "$1" "$2" "$3" "$4"
CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
hw_acc
CU_ACTION="Import Root CA for $CERTNAME"
certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${R_CADIR}/root.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
cert_add_cert "$5"
return $?
}
############################# cert_create_certs ########################
# local shell function to create client certs
# initialize DB, import
# root certs (RSA and EC)
# add certs (RSA and EC) to DB
########################################################################
cert_create_certs()
{
cert_init_cert "$1" "$2" "$3" "$4"
CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
hw_acc
CU_ACTION="Import Root CA for $CERTNAME"
certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${R_CADIR}/root.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
CU_ACTION="Import EC Root CA for $CERTNAME"
certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${R_CADIR}/ecroot.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
cert_add_certs "$5"
return $?
}
############################# cert_add_cert ############################
# local shell function to add client certs to an existing CERT DB
# generate request
# sign request
# import Cert
#
########################################################################
cert_add_cert()
{
CU_ACTION="Generate Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
CU_ACTION="Sign ${CERTNAME}'s Request"
certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
CU_ACTION="Import $CERTNAME's Cert"
certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${CERTNAME}.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
cert_log "SUCCESS: $CERTNAME's Cert Created"
return 0
}
############################# cert_add_certs ############################
# local shell function to add client certs to an existing CERT DB
# generate request
# sign request
# import Cert
#
# Do this for both RSA and EC certs
########################################################################
cert_add_certs()
{
CURVE="secp160r2"
CU_ACTION="Generate Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
CU_ACTION="Sign ${CERTNAME}'s Request"
certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
CU_ACTION="Import $CERTNAME's Cert"
certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${CERTNAME}.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
cert_log "SUCCESS: $CERTNAME's Cert Created"
#
# Generate and add EC cert
#
CU_ACTION="Generate EC Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
CU_ACTION="Sign ${CERTNAME}'s EC Request"
certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
CU_ACTION="Import $CERTNAME's EC Cert"
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${CERTNAME}-ec.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
cert_log "SUCCESS: $CERTNAME's EC Cert Created"
return 0
}
################################# cert_all_CA ################################
# local shell function to build the additional Temp. Certificate Authority (CA)
# used for the "real life" ssl test with 2 different CA's in the
# client and in teh server's dir
##########################################################################
cert_all_CA()
{
CA_CURVE="secp160r1"
echo nss > ${PWFILE}
ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
# Create EC version of TestCA
ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3"
ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4"
#
# Create EC versions of the above CA certs
#
ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6"
ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
#
# Create EC versions of the above CA certs
#
ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
# root.cert in $CLIENT_CADIR and in $SERVER_CADIR is the one of the last
# in the chain
}
################################# cert_CA ################################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
##########################################################################
cert_CA()
{
CUR_CADIR=$1
NICKNAME=$2
SIGNER=$3
TRUSTARG=$4
DOMAIN=$5
CERTSERIAL=$6
echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="
if [ ! -d "${CUR_CADIR}" ]; then
mkdir -p "${CUR_CADIR}"
fi
cd ${CUR_CADIR}
pwd
LPROFILE=.
if [ -n "${MULTIACCESS_DBM}" ]; then
LPROFILE="multiaccess:${DOMAIN}"
fi
if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
CU_ACTION="Creating CA Cert DB"
certu -N -d ${LPROFILE} -f ${R_PWFILE} 2>&1
if [ "$RET" -ne 0 ]; then
Exit 5 "Fatal - failed to create CA $NICKNAME "
fi
echo "$SCRIPTNAME: Certificate initialized ----------"
fi
################# Creating CA Cert ######################################
#
CU_ACTION="Creating CA Cert $NICKNAME "
CU_SUBJECT=$ALL_CU_SUBJECT
certu -S -n $NICKNAME -t $TRUSTARG -v 60 $SIGNER -d ${LPROFILE} -1 -2 -5 \
-f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT
5
9
n
y
-1
n
5
6
7
9
n
CERTSCRIPT
if [ "$RET" -ne 0 ]; then
echo "return value is $RET"
Exit 6 "Fatal - failed to create CA cert"
fi
################# Exporting Root Cert ###################################
#
CU_ACTION="Exporting Root Cert"
certu -L -n $NICKNAME -r -d ${LPROFILE} -o root.cert
if [ "$RET" -ne 0 ]; then
Exit 7 "Fatal - failed to export root cert"
fi
cp root.cert ${NICKNAME}.ca.cert
}
################################ cert_ec_CA ##############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
# This is the ECC version of cert_CA.
##########################################################################
cert_ec_CA()
{
CUR_CADIR=$1
NICKNAME=$2
SIGNER=$3
TRUSTARG=$4
DOMAIN=$5
CERTSERIAL=$6
CURVE=$7
echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="
if [ ! -d "${CUR_CADIR}" ]; then
mkdir -p "${CUR_CADIR}"
fi
cd ${CUR_CADIR}
pwd
LPROFILE=.
if [ -n "${MULTIACCESS_DBM}" ]; then
LPROFILE="multiaccess:${DOMAIN}"
fi
################# Creating an EC CA Cert ################################
#
CU_ACTION="Creating EC CA Cert $NICKNAME "
CU_SUBJECT=$ALL_CU_SUBJECT
certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 60 $SIGNER \
-d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
-m $CERTSERIAL 2>&1 <<CERTSCRIPT
5
9
n
y
-1
n
5
6
7
9
n
CERTSCRIPT
if [ "$RET" -ne 0 ]; then
echo "return value is $RET"
Exit 6 "Fatal - failed to create EC CA cert"
fi
################# Exporting EC Root Cert ################################
#
CU_ACTION="Exporting EC Root Cert"
certu -L -n $NICKNAME -r -d ${LPROFILE} -o ecroot.cert
if [ "$RET" -ne 0 ]; then
Exit 7 "Fatal - failed to export ec root cert"
fi
cp ecroot.cert ${NICKNAME}.ca.cert
}
############################## cert_smime_client #############################
# local shell function to create client Certificates for S/MIME tests
##############################################################################
cert_smime_client()
{
CERTFAILED=0
echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="
cert_create_certs ${ALICEDIR} "Alice" 30 ${D_ALICE}
cert_create_certs ${BOBDIR} "Bob" 40 ${D_BOB}
echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
#echo "************* Copying CA files to ${SERVERDIR}"
#cp ${CADIR}/*.db .
#hw_acc
#########################################################################
#
#cd ${CERTDIR}
#CU_ACTION="Creating ${CERTNAME}'s Server Cert"
#CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
#certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
# -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
#CU_ACTION="Export Dave's Cert"
#cd ${DAVEDIR}
#certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
################# Importing Certificates for S/MIME tests ###############
#
echo "$SCRIPTNAME: Importing Certificates =============================="
CU_ACTION="Import Bob's cert into Alice's db"
certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
-i ${R_BOBDIR}/Bob.cert 2>&1
CU_ACTION="Import Dave's cert into Alice's DB"
certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
-i ${R_DAVEDIR}/Dave.cert 2>&1
CU_ACTION="Import Dave's cert into Bob's DB"
certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
-i ${R_DAVEDIR}/Dave.cert 2>&1
CU_ACTION="Import Eve's cert into Alice's DB"
certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
-i ${R_EVEDIR}/Eve.cert 2>&1
CU_ACTION="Import Eve's cert into Bob's DB"
certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
-i ${R_EVEDIR}/Eve.cert 2>&1
if [ "$CERTFAILED" != 0 ] ; then
cert_log "ERROR: SMIME failed $RET"
else
cert_log "SUCCESS: SMIME passed"
fi
}
############################## cert_ssl ################################
# local shell function to create client + server certs for extended SSL test
########################################################################
cert_extended_ssl()
{
EC_CURVE="sect163r1"
################# Creating Certs for extended SSL test ####################
#
CERTFAILED=0
echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
echo " of a chain of CA's which are not in the same database============"
echo "Server Cert"
cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
cp ${CERTDIR}/req ${SERVER_CADIR}
certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${CERTNAME}.cert" 2>&1
CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
#
# Repeat the above for EC certs
#
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
cp ${CERTDIR}/req ${SERVER_CADIR}
certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${CERTNAME}-ec.cert" 2>&1
CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
#
# done with EC certs
#
echo "Importing all the server's own CA chain into the servers DB"
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
do
N=`basename $CA | sed -e "s/.ca.cert//"`
if [ $N = "serverCA" ] ; then
T="-t C,C,C"
else
T="-t u,u,u"
fi
CU_ACTION="Import $N CA $T for $CERTNAME (ext.) "
certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${CA}" 2>&1
done
#============
echo "Client Cert"
cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
cp ${CERTDIR}/req ${CLIENT_CADIR}
certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${CERTNAME}.cert" 2>&1
CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
#
# Repeat the above for EC certs
#
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
cp ${CERTDIR}/req ${CLIENT_CADIR}
certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${CERTNAME}-ec.cert" 2>&1
CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
#
# done with EC certs
#
echo "Importing all the client's own CA chain into the servers DB"
for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
do
N=`basename $CA | sed -e "s/.ca.cert//"`
if [ $N = "clientCA" ] ; then
T="-t T,C,C"
else
T="-t u,u,u"
fi
CU_ACTION="Import $N CA $T for $CERTNAME (ext.)"
certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${CA}" 2>&1
done
if [ "$CERTFAILED" != 0 ] ; then
cert_log "ERROR: EXT failed $RET"
else
cert_log "SUCCESS: EXT passed"
fi
}
############################## cert_ssl ################################
# local shell function to create client + server certs for SSL test
########################################################################
cert_ssl()
{
################# Creating Certs for SSL test ###########################
#
CERTFAILED=0
echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
cert_create_certs ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}
echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
echo " ${HOSTADDR} ------------------------------------"
cert_create_certs ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR}
certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR}
# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
# echo "************* Copying CA files to ${SERVERDIR}"
# cp ${CADIR}/*.db .
# hw_acc
# CU_ACTION="Creating ${CERTNAME}'s Server Cert"
# CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
# certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
# -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
if [ "$CERTFAILED" != 0 ] ; then
cert_log "ERROR: SSL failed $RET"
else
cert_log "SUCCESS: SSL passed"
fi
}
############################## cert_stresscerts ################################
# local shell function to create client certs for SSL stresstest
########################################################################
cert_stresscerts()
{
############### Creating Certs for SSL stress test #######################
#
CERTDIR="$CLIENTDIR"
cd "${CERTDIR}"
PROFILEDIR=${CERTDIR}
if [ -n "${MULTIACCESS_DBM}" ]; then
PROFILEDIR="multiaccess:${D_CLIENT}"
fi
CERTFAILED=0
echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
CONTINUE=$GLOB_MAX_CERT
CERTSERIAL=10
while [ $CONTINUE -ge $GLOB_MIN_CERT ]
do
CERTNAME="TestUser$CONTINUE"
# cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL
cert_add_certs
CERTSERIAL=`expr $CERTSERIAL + 1 `
CONTINUE=`expr $CONTINUE - 1 `
done
if [ "$CERTFAILED" != 0 ] ; then
cert_log "ERROR: StressCert failed $RET"
else
cert_log "SUCCESS: StressCert passed"
fi
}
############################## cert_fips #####################################
# local shell function to create certificates for FIPS tests
##############################################################################
cert_fips()
{
CERTFAILED=0
echo "$SCRIPTNAME: Creating FIPS 140-1 DSA Certificates =============="
cert_init_cert "${FIPSDIR}" "FIPS PUB 140-1 Test Certificate" 1000 "${D_FIPS}"
CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
echo "modutil -dbdir ${PROFILEDIR} -fips true "
modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
y
MODSCRIPT
RET=$?
if [ "$RET" -ne 0 ]; then
html_failed "<TR><TD>${CU_ACTION} ($RET) "
cert_log "ERROR: ${CU_ACTION} failed $RET"
else
html_passed "<TR><TD>${CU_ACTION}"
fi
CU_ACTION="Generate Certificate for ${CERTNAME}"
CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140-1, L=Mountain View, ST=California, C=US"
certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -m 500 -z "${R_NOISE_FILE}" 2>&1
if [ "$RET" -eq 0 ]; then
cert_log "SUCCESS: FIPS passed"
fi
}
############################## cert_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
########################################################################
cert_cleanup()
{
cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
html "</TABLE><BR>"
cd ${QADIR}
. common/cleanup.sh
}
################## main #################################################
cert_init
cert_all_CA
cert_extended_ssl
cert_ssl
cert_smime_client
cert_fips
if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
cert_stresscerts
#following lines to be used when databases are to be reused
#cp -r /u/sonmi/tmp/stress/kentuckyderby.13/* $HOSTDIR
#cp -r $HOSTDIR/../${HOST}.2/* $HOSTDIR
fi
cert_cleanup

117
security/nss/tests/fixtests.sh
View File

@ -1,117 +0,0 @@
#!/bin/sh
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the elliptic curve test suite.
#
# The Initial Developer of the Original Code is
# Sun Microsystems, Inc.
# Portions created by the Initial Developer are Copyright (C) 2003
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
####################### fix_test_scripts #######################
#
# Depending on the argument either enable or disable EC based
# tests in the cert and ssl directories.
#
################################################################
fix_test_scripts()
{
FLAG=$1
CERT_DIR=cert
CERT_SCRIPT=cert.sh
SMIME_DIR=smime
SMIME_SCRIPT=smime.sh
SSL_DIR=ssl
SSLAUTH=sslauth.txt
SSLCOV=sslcov.txt
SSL_SCRIPT=ssl.sh
SSLSTRESS=sslstress.txt
TOOLS_DIR=tools
TOOLS_SCRIPT=tools.sh
EC_PREFIX=ec
NOEC_PREFIX=noec
if [ xx$FLAG = xx"enable_ecc" ]; then
if [ -f $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT -a \
-f $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT -a \
-f $SSL_DIR/$NOEC_PREFIX$SSLAUTH -a \
-f $SSL_DIR/$NOEC_PREFIX$SSLCOV -a \
-f $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT -a \
-f $SSL_DIR/$NOEC_PREFIX$SSLSTRESS -a \
-f $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT ]; then
echo "noecc files exist"
else
echo "noecc files are missing"
echo "Saving files as noec"
cp $CERT_DIR/$CERT_SCRIPT $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT
cp $SMIME_DIR/$SMIME_SCRIPT $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT
cp $SSL_DIR/$SSLAUTH $SSL_DIR/$NOEC_PREFIX$SSLAUTH
cp $SSL_DIR/$SSLCOV $SSL_DIR/$NOEC_PREFIX$SSLCOV
cp $SSL_DIR/$SSL_SCRIPT $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT
cp $SSL_DIR/$SSLSTRESS $SSL_DIR/$NOEC_PREFIX$SSLSTRESS
cp $TOOLS_DIR/$TOOLS_SCRIPT $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT
fi
echo "Overwriting with ec versions"
cp $CERT_DIR/$EC_PREFIX$CERT_SCRIPT $CERT_DIR/$CERT_SCRIPT
cp $SMIME_DIR/$EC_PREFIX$SMIME_SCRIPT $SMIME_DIR/$SMIME_SCRIPT
cp $SSL_DIR/$EC_PREFIX$SSLAUTH $SSL_DIR/$SSLAUTH
cp $SSL_DIR/$EC_PREFIX$SSLCOV $SSL_DIR/$SSLCOV
cp $SSL_DIR/$EC_PREFIX$SSL_SCRIPT $SSL_DIR/$SSL_SCRIPT
cp $SSL_DIR/$EC_PREFIX$SSLSTRESS $SSL_DIR/$SSLSTRESS
cp $TOOLS_DIR/$EC_PREFIX$TOOLS_SCRIPT $TOOLS_DIR/$TOOLS_SCRIPT
elif [ xx$FLAG = xx"disable_ecc" ]; then
if [ -f $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT -a \
-f $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT -a \
-f $SSL_DIR/$NOEC_PREFIX$SSLAUTH -a \
-f $SSL_DIR/$NOEC_PREFIX$SSLCOV -a \
-f $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT -a \
-f $SSL_DIR/$NOEC_PREFIX$SSLSTRESS -a \
-f $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT ]; then
echo "noecc files exist"
echo "Overwriting with noec versions"
cp $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT $CERT_DIR/$CERT_SCRIPT
cp $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT $SMIME_DIR/$SMIME_SCRIPT
cp $SSL_DIR/$NOEC_PREFIX$SSLAUTH $SSL_DIR/$SSLAUTH
cp $SSL_DIR/$NOEC_PREFIX$SSLCOV $SSL_DIR/$SSLCOV
cp $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT $SSL_DIR/$SSL_SCRIPT
cp $SSL_DIR/$NOEC_PREFIX$SSLSTRESS $SSL_DIR/$SSLSTRESS
cp $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT $TOOLS_DIR/$TOOLS_SCRIPT
else
echo "Already disabled."
fi
else
echo "Needs either \"enable_ecc\" or \"disable_ecc\" as argument."
fi
}
fix_test_scripts $1

260
security/nss/tests/smime/ecsmime.sh
View File

@ -1,260 +0,0 @@
#! /bin/sh
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
########################################################################
#
# mozilla/security/nss/tests/smime/smime.sh
#
# Script to test NSS smime
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
#
########################################################################
############################## smime_init ##############################
# local shell function to initialize this script
########################################################################
smime_init()
{
SCRIPTNAME=smime.sh # sourced - $0 would point to all.sh
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
fi
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
cd ../common
. ./init.sh
fi
if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
cd ../cert
. ./cert.sh
fi
SCRIPTNAME=smime.sh
html_head "S/MIME Tests"
grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
}
SMIMEDIR=${HOSTDIR}/smime
R_SMIMEDIR=../smime
mkdir -p ${SMIMEDIR}
cd ${SMIMEDIR}
cp ${QADIR}/smime/alice.txt ${SMIMEDIR}
}
############################## smime_main ##############################
# local shell function to test basic signed and enveloped messages
# from 1 --> 2"
########################################################################
smime_main()
{
echo "$SCRIPTNAME: Signing Attached Message (ECDSA SHA1) ------------------"
echo "cmsutil -S -N Alice-ec -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.sig"
cmsutil -S -N Alice-ec -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.sig
html_msg $? 0 "Create Signature Alice (ECDSA SHA1)" "."
echo "cmsutil -D -i alice-ec.sig -d ${P_R_BOBDIR} -o alice-ec.data1"
cmsutil -D -i alice-ec.sig -d ${P_R_BOBDIR} -o alice-ec.data1
html_msg $? 0 "Decode Alice's Signature (ECDSA SHA1)" "."
echo "diff alice.txt alice-ec.data1"
diff alice.txt alice-ec.data1
html_msg $? 0 "Compare Decoded Signature and Original (ECDSA SHA1)" "."
echo "$SCRIPTNAME: Signing Attached Message (SHA1) ------------------"
echo "cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig"
cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig
html_msg $? 0 "Create Signature Alice (SHA1)" "."
echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1"
cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1
html_msg $? 0 "Decode Alice's Signature (SHA1)" "."
echo "diff alice.txt alice.data1"
diff alice.txt alice.data1
html_msg $? 0 "Compare Decoded Signature and Original (SHA1)" "."
echo "$SCRIPTNAME: Signing Attached Message (SHA256) ------------------"
echo "cmsutil -S -N Alice -H SHA256 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig"
cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig
html_msg $? 0 "Create Signature Alice (SHA256)" "."
echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1"
cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1
html_msg $? 0 "Decode Alice's Signature (SHA256)" "."
echo "diff alice.txt alice.data1"
diff alice.txt alice.data1
html_msg $? 0 "Compare Decoded Signature and Original (SHA256)" "."
echo "$SCRIPTNAME: Signing Attached Message (SHA384) ------------------"
echo "cmsutil -S -N Alice -H SHA384 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig"
cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig
html_msg $? 0 "Create Signature Alice (SHA384)" "."
echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1"
cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1
html_msg $? 0 "Decode Alice's Signature (SHA384)" "."
echo "diff alice.txt alice.data1"
diff alice.txt alice.data1
html_msg $? 0 "Compare Decoded Signature and Original (SHA384)" "."
echo "$SCRIPTNAME: Signing Attached Message (SHA512) ------------------"
echo "cmsutil -S -N Alice -H SHA512 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig"
cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig
html_msg $? 0 "Create Signature Alice (SHA512)" "."
echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1"
cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1
html_msg $? 0 "Decode Alice's Signature (SHA512)" "."
echo "diff alice.txt alice.data1"
diff alice.txt alice.data1
html_msg $? 0 "Compare Decoded Signature and Original (SHA512)" "."
echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------"
echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
echo " -o alice.env"
cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
html_msg $? 0 "Create Enveloped Data Alice" "."
echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1"
cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1
html_msg $? 0 "Decode Enveloped Data Alice" "."
echo "diff alice.txt alice.data1"
diff alice.txt alice.data1
html_msg $? 0 "Compare Decoded Enveloped Data and Original" "."
# multiple recip
echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
echo " -r bob@bogus.com,dave@bogus.com"
cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
-r bob@bogus.com,dave@bogus.com
ret=$?
html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "."
if [ $ret != 0 ] ; then
echo "certutil -L -d ${P_R_ALICEDIR}"
certutil -L -d ${P_R_ALICEDIR}
echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com"
certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com
fi
echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
echo " -r eve@bogus.net"
cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
-r eve@bogus.net
ret=$?
html_msg $ret 0 "Encrypt to a Multiple Email cert" "."
echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2"
cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2
html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "."
echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3"
cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3
html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Dave" "."
echo "cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4"
cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4
html_msg $? 0 "Decrypt with a Multiple Email cert" "."
diff alice.txt alice.data2
html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Bob" "."
diff alice.txt alice.data3
html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Dave" "."
diff alice.txt alice.data4
html_msg $? 0 "Compare Decoded with Multiple Email cert" "."
echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------"
echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\"
echo " -d ${P_R_ALICEDIR} > co.der"
cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der
html_msg $? 0 "Create Certs-Only Alice" "."
echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}"
cmsutil -D -i co.der -d ${P_R_BOBDIR}
html_msg $? 0 "Verify Certs-Only by CA" "."
echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------"
echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\"
echo " -r \"bob@bogus.com\" > alice.enc"
cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \
-r "bob@bogus.com" > alice.enc
html_msg $? 0 "Create Encrypted-Data" "."
echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\"
echo " -o alice.data2"
cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2
html_msg $? 0 "Decode Encrypted-Data" "."
diff alice.txt alice.data2
html_msg $? 0 "Compare Decoded and Original Data" "."
}
############################## smime_cleanup ###########################
# local shell function to finish this script (no exit since it might be
# sourced)
########################################################################
smime_cleanup()
{
html "</TABLE><BR>"
cd ${QADIR}
. common/cleanup.sh
}
################## main #################################################
smime_init
smime_main
smime_cleanup

38
security/nss/tests/smime/smime.sh
View File

@ -21,6 +21,7 @@
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
@ -71,7 +72,12 @@ smime_init()
. ./cert.sh
fi
SCRIPTNAME=smime.sh
html_head "S/MIME Tests"
if [ -n "$NSS_ENABLE_ECC" ] ; then
html_head "S/MIME Tests with ECC"
else
html_head "S/MIME Tests"
fi
grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
@ -110,6 +116,32 @@ smime_sign()
echo "diff alice.txt alice.data.${HASH}"
diff alice.txt alice.data.${HASH}
html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "."
# Test ECDSA signing for all hash algorithms.
if [ -n "$NSS_ENABLE_ECC" ] ; then
echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
echo "diff alice.txt alice-ec.data.${HASH}"
diff alice.txt alice-ec.data.${HASH}
html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
fi
}
@ -146,7 +178,7 @@ smime_main()
# multiple recip
echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
echo " -r bob@bogus.com,dave@bogus.com"
cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
-r bob@bogus.com,dave@bogus.com
@ -160,7 +192,7 @@ smime_main()
fi
echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
echo " -r eve@bogus.net"
cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
-r eve@bogus.net

350
security/nss/tests/ssl/ecssl.sh
View File

@ -1,350 +0,0 @@
#! /bin/sh
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
########################################################################
#
# mozilla/security/nss/tests/ssl/ecssl.sh
#
# Script to test NSS SSL
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
#
########################################################################
############################## ssl_init ################################
# local shell function to initialize this script
########################################################################
ssl_init()
{
SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
fi
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
cd ../common
. ./init.sh
fi
if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
cd ../cert
. ./cert.sh
fi
SCRIPTNAME=ssl.sh
echo "$SCRIPTNAME: SSL tests ==============================="
grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
html_head "SSL Test failure"
Exit 8 "Fatal - SSL of cert.sh needs to pass first"
}
PORT=${PORT-8443}
# Test case files
SSLCOV=${QADIR}/ssl/sslcov.txt
SSLAUTH=${QADIR}/ssl/sslauth.txt
SSLSTRESS=${QADIR}/ssl/sslstress.txt
REQUEST_FILE=${QADIR}/ssl/sslreq.txt
#temparary files
SERVEROUTFILE=${TMP}/tests_server.$$
SERVERPID=${TMP}/tests_pid.$$
R_SERVERPID=../tests_pid.$$
TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}"
fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
#fileout=1
#verbose="-v" #FIXME - see where this is usefull
USER_NICKNAME=TestUser
NORM_EXT=""
cd ${CLIENTDIR}
}
########################### is_selfserv_alive ##########################
# local shell function to exit with a fatal error if selfserver is not
# running
########################################################################
is_selfserv_alive()
{
if [ ! -f "${SERVERPID}" ]; then
echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
sleep 5
if [ ! -f "${SERVERPID}" ]; then
Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
fi
fi
PID=`cat ${SERVERPID}`
#if [ "${OS_ARCH}" = "Linux" ]; then
kill -0 $PID >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
#else
#$PS -e | grep $PID >/dev/null || \
#Exit 10 "Fatal - selfserv process not detectable"
#fi
}
########################### wait_for_selfserv ##########################
# local shell function to wait until selfserver is running and initialized
########################################################################
wait_for_selfserv()
{
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q "
echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \\"
#echo "tstclnt -q started at `date`"
tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
if [ $? -ne 0 ]; then
html_failed "<TR><TD> Wait for Server "
echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\"
echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
elif [ sparam = "-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz" ] ; then # "$1" = "cov" ] ; then
html_passed "<TR><TD> Wait for Server"
fi
is_selfserv_alive
}
########################### kill_selfserv ##############################
# local shell function to kill the selfserver after the tests are done
########################################################################
kill_selfserv()
{
${KILL} `cat ${SERVERPID}`
wait `cat ${SERVERPID}`
if [ ${fileout} -eq 1 ]; then
cat ${SERVEROUTFILE}
fi
# On Linux selfserv needs up to 30 seconds to fully die and free
# the port. Wait until the port is free. (Bug 129701)
if [ "${OS_ARCH}" = "Linux" ]; then
until selfserv -b -p ${PORT} 2>/dev/null; do
sleep 1
done
fi
rm ${SERVERPID}
}
########################### start_selfserv #############################
# local shell function to start the selfserver with the parameters required
# for this test and log information (parameters, start time)
# also: wait until the server is up and running
########################################################################
start_selfserv()
{
if [ -n "$testname" ] ; then
echo "$SCRIPTNAME: $testname ----"
fi
sparam=`echo $sparam | sed -e 's;_; ;g'`
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \\"
echo " -e ${HOSTADDR}-ec \\"
echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
echo "selfserv started at `date`"
if [ ${fileout} -eq 1 ]; then
selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
-e ${HOSTADDR}-ec \
-w nss ${sparam} -i ${R_SERVERPID} $verbose \
> ${SERVEROUTFILE} 2>&1 &
else
selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \
-e ${HOSTADDR}-ec \
-w nss ${sparam} -i ${R_SERVERPID} $verbose &
fi
wait_for_selfserv
}
############################## ssl_cov #################################
# local shell function to perform SSL Cipher Coverage tests
########################################################################
ssl_cov()
{
html_head "SSL Cipher Coverage $NORM_EXT"
testname=""
sparam="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz"
start_selfserv # Launch the server
p=""
while read tls param testname
do
p=`echo "$testname" | sed -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS
if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
elif [ "$tls" != "#" ] ; then
echo "$SCRIPTNAME: running $testname ----------------------------"
TLS_FLAG=-T
if [ $tls = "TLS" ]; then
TLS_FLAG=""
fi
is_selfserv_alive
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\"
echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \
-d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
html_msg $ret 0 "${testname}"
fi
done < ${SSLCOV}
kill_selfserv
html "</TABLE><BR>"
}
############################## ssl_auth ################################
# local shell function to perform SSL Client Authentication tests
########################################################################
ssl_auth()
{
html_head "SSL Client Authentication $NORM_EXT"
while read value sparam cparam testname
do
if [ $value != "#" ]; then
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
start_selfserv
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\"
echo " ${cparam} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
-d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
html_msg $ret $value "${testname}" \
"produced a returncode of $ret, expected is $value"
kill_selfserv
fi
done < ${SSLAUTH}
html "</TABLE><BR>"
}
############################## ssl_stress ##############################
# local shell function to perform SSL stress test
########################################################################
ssl_stress()
{
html_head "SSL Stress Test $NORM_EXT"
while read value sparam cparam testname
do
p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS
if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
elif [ $value != "#" ]; then
cparam=`echo $cparam | sed -e 's;_; ;g'`
start_selfserv
if [ `uname -n` = "sjsu" ] ; then
echo "debugging disapering selfserv... ps -ef | grep selfserv"
ps -ef | grep selfserv
fi
echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \\"
echo " $verbose ${HOSTADDR}"
echo "strsclnt started at `date`"
strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \
$verbose ${HOSTADDR}
ret=$?
echo "strsclnt completed at `date`"
html_msg $ret $value "${testname}"
if [ `uname -n` = "sjsu" ] ; then
echo "debugging disapering selfserv... ps -ef | grep selfserv"
ps -ef | grep selfserv
fi
kill_selfserv
fi
done < ${SSLSTRESS}
html "</TABLE><BR>"
}
############################## ssl_cleanup #############################
# local shell function to finish this script (no exit since it might be
# sourced)
########################################################################
ssl_cleanup()
{
rm $SERVERPID 2>/dev/null
cd ${QADIR}
. common/cleanup.sh
}
################## main #################################################
#this script may be sourced from the distributed stress test - in this case do nothing...
if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
ssl_init
ssl_cov
ssl_auth
ssl_stress
SERVERDIR=$EXT_SERVERDIR
CLIENTDIR=$EXT_CLIENTDIR
R_SERVERDIR=$R_EXT_SERVERDIR
R_CLIENTDIR=$R_EXT_CLIENTDIR
P_R_SERVERDIR=$P_R_EXT_SERVERDIR
P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
USER_NICKNAME=ExtendedSSLUser
NORM_EXT="Extended test"
cd ${CLIENTDIR}
ssl_cov
ssl_auth
ssl_stress
ssl_cleanup
fi

50
security/nss/tests/ssl/ecsslauth.txt
View File

@ -1,50 +0,0 @@
#
# This file defines the tests for client auth.
#
# expected
# return server client Test Case name
# value params params
# ------ ------ ------ ---------------
0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth)
254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
0 -r -T_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
254 -r_-r -T_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
0 -r_-r_-r -w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
0 -r_-r_-r -w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
0 -r_-r_-r -w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
1 -r_-r_-r_-r -w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth)
1 -r_-r_-r_-r -w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password)
0 -r_-r_-r_-r -w_nss_-n_TestUser_ TLS Require client auth on 2nd hs (client auth)
0 -r_-r_-r -T_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
0 -r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
0 -r_-r_-r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
1 -r_-r_-r_-r -T_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
1 -r_-r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
0 -r_-r_-r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
#
# Use EC cert for client authentication
#
0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)
0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth)
254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth)
0 -r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password)
0 -r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth)
254 -r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
0 -r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth)
0 -r_-r_-r -w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password)
0 -r_-r_-r -w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth)
1 -r_-r_-r_-r -w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password)
0 -r_-r_-r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth)
0 -r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
0 -r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
1 -r_-r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
0 -r_-r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)

94
security/nss/tests/ssl/ecsslcov.txt
View File

@ -1,94 +0,0 @@
#
# This file enables test coverage of the various SSL ciphers
#
# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We
# mix up the enable functions so we can tests boths paths.
#
# Enable Cipher Test Name
# TLS
#
noTLS A SSL2 RC4 128 WITH MD5
TLS B SSL2 RC4 128 EXPORT40 WITH MD5
TLS C SSL2 RC2 128 CBC WITH MD5
noTLS D SSL2 RC2 128 CBC EXPORT40 WITH MD5
TLS E SSL2 DES 64 CBC WITH MD5
noTLS F SSL2 DES 192 EDE3 CBC WITH MD5
#
# ECC ciphers (SSL3)
#
noTLS :C001 SSL3 ECDH ECDSA WITH NULL SHA
noTLS :C002 SSL3 ECDH ECDSA WITH RC4 128 SHA
noTLS :C003 SSL3 ECDH ECDSA WITH 3DES EDE CBC SHA
noTLS :C004 SSL3 ECDH ECDSA WITH AES 128 CBC SHA
noTLS :C005 SSL3 ECDH ECDSA WITH AES 256 CBC SHA
noTLS :C006 SSL3 ECDHE ECDSA WITH NULL SHA
noTLS :C007 SSL3 ECDHE ECDSA WITH RC4 128 SHA
noTLS :C008 SSL3 ECDHE ECDSA WITH 3DES EDE CBC SHA
noTLS :C009 SSL3 ECDHE ECDSA WITH AES 128 CBC SHA
noTLS :C00A SSL3 ECDHE ECDSA WITH AES 256 CBC SHA
noTLS :C00B SSL3 ECDH RSA WITH NULL SHA
noTLS :C00C SSL3 ECDH RSA WITH RC4 128 SHA
noTLS :C00D SSL3 ECDH RSA WITH 3DES EDE CBC SHA
noTLS :C00E SSL3 ECDH RSA WITH AES 128 CBC SHA
noTLS :C00F SSL3 ECDH RSA WITH AES 256 CBC SHA
noTLS :C010 SSL3 ECDHE RSA WITH NULL SHA
noTLS :C011 SSL3 ECDHE RSA WITH RC4 128 SHA
noTLS :C012 SSL3 ECDHE RSA WITH 3DES EDE CBC SHA
noTLS :C013 SSL3 ECDHE RSA WITH AES 128 CBC SHA
noTLS :C014 SSL3 ECDHE RSA WITH AES 256 CBC SHA
#
# ECC ciphers (TLS)
#
TLS :C001 TLS ECDH ECDSA WITH NULL SHA
TLS :C002 TLS ECDH ECDSA WITH RC4 128 SHA
TLS :C003 TLS ECDH ECDSA WITH 3DES EDE CBC SHA
TLS :C004 TLS ECDH ECDSA WITH AES 128 CBC SHA
TLS :C005 TLS ECDH ECDSA WITH AES 256 CBC SHA
TLS :C006 TLS ECDHE ECDSA WITH NULL SHA
TLS :C007 TLS ECDHE ECDSA WITH RC4 128 SHA
TLS :C008 TLS ECDHE ECDSA WITH 3DES EDE CBC SHA
TLS :C009 TLS ECDHE ECDSA WITH AES 128 CBC SHA
TLS :C00A TLS ECDHE ECDSA WITH AES 256 CBC SHA
TLS :C00B TLS ECDH RSA WITH NULL SHA
TLS :C00C TLS ECDH RSA WITH RC4 128 SHA
TLS :C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
TLS :C00E TLS ECDH RSA WITH AES 128 CBC SHA
TLS :C00F TLS ECDH RSA WITH AES 256 CBC SHA
TLS :C010 TLS ECDHE RSA WITH NULL SHA
TLS :C011 TLS ECDHE RSA WITH RC4 128 SHA
TLS :C012 TLS ECDHE RSA WITH 3DES EDE CBC SHA
TLS :C013 TLS ECDHE RSA WITH AES 128 CBC SHA
TLS :C014 TLS ECDHE RSA WITH AES 256 CBC SHA
#
# noTLS a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA
# noTLS b SSL3 FORTEZZA DMS WITH RC4 128 SHA
noTLS c SSL3 RSA WITH RC4 128 MD5
noTLS d SSL3 RSA WITH 3DES EDE CBC SHA
noTLS e SSL3 RSA WITH DES CBC SHA
noTLS f SSL3 RSA EXPORT WITH RC4 40 MD5
noTLS g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5
# noTLS h SSL3 FORTEZZA DMS WITH NULL SHA
noTLS i SSL3 RSA WITH NULL MD5
noTLS j SSL3 RSA FIPS WITH 3DES EDE CBC SHA
noTLS k SSL3 RSA FIPS WITH DES CBC SHA
noTLS l SSL3 RSA EXPORT WITH DES CBC SHA (new)
noTLS m SSL3 RSA EXPORT WITH RC4 56 SHA (new)
noTLS n SSL3 RSA WITH RC4 128 SHA
noTLS v SSL3 RSA WITH AES 128 CBC SHA
noTLS y SSL3 RSA WITH AES 256 CBC SHA
noTLS z SSL3 RSA WITH NULL SHA
#
TLS c TLS RSA WITH RC4 128 MD5
TLS d TLS RSA WITH 3DES EDE CBC SHA
TLS e TLS RSA WITH DES CBC SHA
TLS f TLS RSA EXPORT WITH RC4 40 MD5
TLS g TLS RSA EXPORT WITH RC2 CBC 40 MD5
TLS i TLS RSA WITH NULL MD5
TLS j TLS RSA FIPS WITH 3DES EDE CBC SHA
TLS k TLS RSA FIPS WITH DES CBC SHA
TLS l TLS RSA EXPORT WITH DES CBC SHA (new)
TLS m TLS RSA EXPORT WITH RC4 56 SHA (new)
TLS n TLS RSA WITH RC4 128 SHA
TLS v TLS RSA WITH AES 128 CBC SHA
TLS y TLS RSA WITH AES 256 CBC SHA
TLS z TLS RSA WITH NULL SHA

25
security/nss/tests/ssl/ecsslstress.txt
View File

@ -1,25 +0,0 @@
#
# This file defines the tests for client auth.
#
# expected
# return server client Test Case name
# value params params
# ------ ------ ------ ---------------
0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
0 _ -c_1000_-C_c_-T Stress SSL3 RC4 128 with MD5
0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
#
# ECC ciphers
# XXX Session reuse does not seem to work for ECDH-ECDSA, ECDHE-ECDSA ciphers
# but works ok for ECDHE-RSA ciphers. With session reuse turned off
# setting up 1000 connections would take too long so use only 10 connections
#
0 -c_:C009 -c_10_-C_:C009_-N_-T Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
0 -c_:C013 -c_100_-C_:C013_-T Stress SSL3 ECDHE-RSA AES 128 CBC with SHA
0 -c_:C004 -c_10_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse)
0 -c_:C00E -c_10_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
0 -c_:C013 -c_100_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA
#
# add client auth versions here...
#
# 0 -r -w_bogus_-n_"Test_User" TLS Request don't require client auth (bad password)

250
security/nss/tests/ssl/ssl.sh
View File

@ -21,6 +21,7 @@
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
@ -102,6 +103,12 @@ ssl_init()
USER_NICKNAME=TestUser
NORM_EXT=""
if [ -n "$NSS_ENABLE_ECC" ] ; then
ECC_STRING=" - with ECC"
else
ECC_STRING=""
fi
cd ${CLIENTDIR}
}
@ -147,7 +154,7 @@ wait_for_selfserv()
echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
elif [ sparam = "-c ABCDEFcdefgijklmnvyz" ] ; then # "$1" = "cov" ] ; then
elif [ "$sparam" = "$CSHORT" -o "$sparam" = "$CLONG" ] ; then
html_passed "<TR><TD> Wait for Server"
fi
is_selfserv_alive
@ -189,16 +196,21 @@ start_selfserv()
echo "$SCRIPTNAME: $testname ----"
fi
sparam=`echo $sparam | sed -e 's;_; ;g'`
if [ -n "$NSS_ENABLE_ECC" ] ; then
ECC_OPTIONS="-e ${HOSTADDR}-ec"
else
ECC_OPTIONS=""
fi
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
echo "selfserv started at `date`"
if [ ${fileout} -eq 1 ]; then
selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-w nss ${sparam} -i ${R_SERVERPID} $verbose \
${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
> ${SERVEROUTFILE} 2>&1 &
else
selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-w nss ${sparam} -i ${R_SERVERPID} $verbose &
${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
fi
# The PID $! returned by the MKS or Cygwin shell is not the PID of
# the real background process, but rather the PID of a helper
@ -221,24 +233,30 @@ start_selfserv()
########################################################################
ssl_cov()
{
html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING"
html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING $ECC_STRING"
testname=""
sparam="-c ABCDEFcdefgijklmnvyz"
if [ -n "$NSS_ENABLE_ECC" ] ; then
sparam="$CLONG"
else
sparam="$CSHORT"
fi
start_selfserv # Launch the server
p=""
while read tls param testname
while read ectype tls param testname
do
p=`echo "$testname" | sed -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS
if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
elif [ "$tls" != "#" ] ; then
elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "$ectype" != "#" ] ; then
echo "$SCRIPTNAME: running $testname ----------------------------"
TLS_FLAG=-T
if [ $tls = "TLS" ]; then
if [ "$tls" = "TLS" ]; then
TLS_FLAG=""
fi
@ -266,11 +284,13 @@ ssl_cov()
########################################################################
ssl_auth()
{
html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING"
html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING $ECC_STRING"
while read value sparam cparam testname
while read ectype value sparam cparam testname
do
if [ $value != "#" ]; then
if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "$ectype" != "#" ]; then
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
start_selfserv
@ -299,17 +319,19 @@ ssl_auth()
########################################################################
ssl_stress()
{
html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING"
html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING $ECC_STRING"
while read value sparam cparam testname
while read ectype value sparam cparam testname
do
p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS
if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
elif [ $value != "#" ]; then
elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "$ectype" != "#" ]; then
cparam=`echo $cparam | sed -e 's;_; ;g'`
start_selfserv
if [ `uname -n` = "sjsu" ] ; then
if [ "`uname -n`" = "sjsu" ] ; then
echo "debugging disapering selfserv... ps -ef | grep selfserv"
ps -ef | grep selfserv
fi
@ -322,7 +344,7 @@ ssl_stress()
ret=$?
echo "strsclnt completed at `date`"
html_msg $ret $value "${testname}"
if [ `uname -n` = "sjsu" ] ; then
if [ "`uname -n`" = "sjsu" ] ; then
echo "debugging disapering selfserv... ps -ef | grep selfserv"
ps -ef | grep selfserv
fi
@ -339,7 +361,7 @@ ssl_stress()
ssl_crl_ssl()
{
html_head "CRL SSL Client Tests $NORM_EXT"
html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
# Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
# Cert number $UNREVOKED_CERT_GRP_1 was not revoked
@ -347,9 +369,11 @@ ssl_crl_ssl()
CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
while read value sparam cparam testname
while read ectype value sparam cparam testname
do
if [ $value != "#" ]; then
if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "$ectype" != "#" ]; then
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
pwd=`echo $cparam | grep nss`
user=`echo $cparam | grep TestUser`
@ -443,6 +467,7 @@ is_revoked() {
load_group_crl() {
group=$1
ectype=$2
OUTFILE_TMP=${TMP}/$HOST.tmp.$$
grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
@ -454,6 +479,15 @@ load_group_crl() {
return 1;
fi
# Add -ec suffix for ECC
if [ "$ectype" = "ECC" ] ; then
ecsuffix="-ec"
eccomment="ECC "
else
ecsuffix=""
eccomment=""
fi
if [ "$RELOAD_CRL" != "" ]; then
if [ $group -eq 1 ]; then
echo "==================== Resetting to group 1 crl ==================="
@ -461,18 +495,18 @@ load_group_crl() {
start_selfserv
is_selfserv_alive
fi
echo "================= Reloading CRL for group $grpBegin - $grpEnd ============="
echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
echo " -w nss -n TestUser${UNREVOKED_CERT_GRP_1}"
echo " -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
echo "Request:"
echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}"
echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
echo ""
echo "RELOAD time $i"
tstclnt -p ${PORT} -h ${HOSTADDR} -f \
-d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1} \
<<_EOF_REQUEST_ >${OUTFILE_TMP} 2>&1
GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}
-d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
>${OUTFILE_TMP} 2>&1 <<_EOF_REQUEST_
GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
_EOF_REQUEST_
cat ${OUTFILE_TMP}
@ -485,11 +519,12 @@ _EOF_REQUEST_
echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
kill_selfserv
CU_ACTION="Importing CRL for groups $grpBegin - $grpEnd"
crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd} \
CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
-p ../tests.pw.928
ret=$?
if [ "$ret" -eq 0 ]; then
html_passed "<TR><TD> ${CU_ACTION}"
return 1
fi
start_selfserv
@ -502,7 +537,7 @@ _EOF_REQUEST_
ssl_crl_cache()
{
html_head "Cache CRL SSL Client Tests $NORM_EXT"
html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
SSLAUTH_TMP=${TMP}/authin.tl.tmp
SERV_ARG=-r_-r
rm -f ${SSLAUTH_TMP}
@ -514,82 +549,89 @@ ssl_crl_cache()
do
sparam=$SERV_ARG
start_selfserv
while read value sparam cparam testname
while read ectype value sparam cparam testname
do
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
pwd=`echo $cparam | grep nss`
user=`echo $cparam | grep TestUser`
_cparam=$cparam
case $servarg in
1) if [ -z "$pwd" -o -z "$user" ]; then
rev_modvalue=0
else
rev_modvalue=254
fi
;;
2) rev_modvalue=254 ;;
if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
else
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
pwd=`echo $cparam | grep nss`
user=`echo $cparam | grep TestUser`
_cparam=$cparam
case $servarg in
1) if [ -z "$pwd" -o -z "$user" ]; then
rev_modvalue=0
else
rev_modvalue=254
fi
;;
2) rev_modvalue=254 ;;
3) if [ -z "$pwd" -o -z "$user" ]; then
rev_modvalue=0
else
rev_modvalue=1
fi
;;
4) rev_modvalue=1 ;;
esac
TEMP_NUM=0
LOADED_GRP=1
while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
do
while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
3) if [ -z "$pwd" -o -z "$user" ]; then
rev_modvalue=0
else
rev_modvalue=1
fi
;;
4) rev_modvalue=1 ;;
esac
TEMP_NUM=0
LOADED_GRP=1
while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
do
CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
TEMP_NUM=`expr $TEMP_NUM + 1`
USER_NICKNAME="TestUser${CURR_SER_NUM}"
cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
echo "Server Args: $SERV_ARG"
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
echo " ${cparam} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
-d ${R_CLIENTDIR} < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
isRevoked=$?
if [ $isRevoked -eq 0 ]; then
modvalue=$rev_modvalue
testAddMsg="revoked"
else
modvalue=$value
testAddMsg="not revoked"
fi
is_selfserv_alive
ss_status=$?
if [ "$ss_status" -ne 0 ]; then
html_msg $ret $modvalue \
"${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
"produced a returncode of $ret, expected is $modvalue. " \
"selfserv is not alive!"
else
html_msg $ret $modvalue \
"${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
"produced a returncode of $ret, expected is $modvalue"
while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
do
CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
TEMP_NUM=`expr $TEMP_NUM + 1`
USER_NICKNAME="TestUser${CURR_SER_NUM}"
cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
echo "Server Args: $SERV_ARG"
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
echo " ${cparam} < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
-d ${R_CLIENTDIR} < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
isRevoked=$?
if [ $isRevoked -eq 0 ]; then
modvalue=$rev_modvalue
testAddMsg="revoked"
else
modvalue=$value
testAddMsg="not revoked"
fi
is_selfserv_alive
ss_status=$?
if [ "$ss_status" -ne 0 ]; then
html_msg $ret $modvalue \
"${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
"produced a returncode of $ret, expected is $modvalue. " \
"selfserv is not alive!"
else
html_msg $ret $modvalue \
"${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
"produced a returncode of $ret, expected is $modvalue"
fi
done
LOADED_GRP=`expr $LOADED_GRP + 1`
TEMP_NUM=0
if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
load_group_crl $LOADED_GRP $ectype
html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
"produced a returncode of $ret, expected is 0"
fi
done
LOADED_GRP=`expr $LOADED_GRP + 1`
TEMP_NUM=0
if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
load_group_crl $LOADED_GRP
html_msg $ret 0 "Load group $LOADED_GRP crl " \
"produced a returncode of $ret, expected is 0"
fi
done
load_group_crl 1
# Restart selfserv to roll back to two initial group 1 crls
# TestCA CRL and TestCA-ec CRL
kill_selfserv
start_selfserv
fi
done < ${SSLAUTH_TMP}
kill_selfserv
SERV_ARG="${SERV_ARG}_-r"
@ -637,7 +679,7 @@ ssl_run()
ssl_auth
ssl_stress
# the next round off ssl tests will only run if these vars are reset
# the next round of ssl tests will only run if these vars are reset
SERVERDIR=$ORIG_SERVERDIR
CLIENTDIR=$ORIG_CLIENTDIR
R_SERVERDIR=$ORIG_R_SERVERDIR
@ -647,13 +689,15 @@ ssl_run()
USER_NICKNAME=TestUser
NORM_EXT=
cd ${QADIR}/ssl
ssl_cleanup
}
################## main #################################################
#this script may be sourced from the distributed stress test - in this case do nothing...
CSHORT="-c ABCDEFcdefgijklmnvyz"
CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz"
if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
ssl_init
@ -668,7 +712,6 @@ if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
ssl_crl_ssl
ssl_crl_cache
ssl_cleanup
# Test all combinations of server bypass and client bypass
CLIENT_OPTIONS="-B -s"
@ -680,4 +723,5 @@ if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then
BYPASS_STRING="Server Bypass"
ssl_run
ssl_cleanup
fi

75
security/nss/tests/ssl/sslauth.txt
View File

@ -1,31 +1,50 @@
#
# This file defines the tests for client auth.
#
# expected
# return server client Test Case name
# value params params
# ------ ------ ------ ---------------
0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth)
254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
0 -r -T_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
254 -r_-r -T_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
0 -r_-r_-r -w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
0 -r_-r_-r -w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
0 -r_-r_-r -w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
1 -r_-r_-r_-r -w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth)
1 -r_-r_-r_-r -w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password)
0 -r_-r_-r_-r -w_nss_-n_TestUser_ TLS Require client auth on 2nd hs (client auth)
0 -r_-r_-r -T_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
0 -r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
0 -r_-r_-r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
1 -r_-r_-r_-r -T_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
1 -r_-r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
0 -r_-r_-r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
# expected
# Enable return server client Test Case name
# ECC value params params
# ------- ------ ------ ------ ---------------
noECC 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
noECC 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
noECC 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth)
noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
noECC 0 -r -T_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
noECC 0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
noECC 0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
noECC 254 -r_-r -T_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
noECC 254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
noECC 0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
noECC 0 -r_-r_-r -w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
noECC 0 -r_-r_-r -w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r -w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
noECC 1 -r_-r_-r_-r -w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth)
noECC 1 -r_-r_-r_-r -w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r_-r -w_nss_-n_TestUser_ TLS Require client auth on 2nd hs (client auth)
noECC 0 -r_-r_-r -T_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
noECC 0 -r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
noECC 1 -r_-r_-r_-r -T_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
noECC 1 -r_-r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
#
# Use EC cert for client authentication
#
ECC 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)
ECC 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth)
ECC 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
ECC 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth)
ECC 0 -r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password)
ECC 0 -r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth)
ECC 254 -r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
ECC 0 -r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth)
ECC 0 -r_-r_-r -w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password)
ECC 0 -r_-r_-r -w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth)
ECC 1 -r_-r_-r_-r -w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password)
ECC 0 -r_-r_-r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth)
ECC 0 -r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
ECC 0 -r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
ECC 1 -r_-r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
ECC 0 -r_-r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)

124
security/nss/tests/ssl/sslcov.txt
View File

@ -4,45 +4,91 @@
# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We
# mix up the enable functions so we can tests boths paths.
#
# Enable Cipher Test Name
# TLS
# Enable Enable Cipher Test Name
# EC TLS
#
noTLS A SSL2 RC4 128 WITH MD5
TLS B SSL2 RC4 128 EXPORT40 WITH MD5
TLS C SSL2 RC2 128 CBC WITH MD5
noTLS D SSL2 RC2 128 CBC EXPORT40 WITH MD5
TLS E SSL2 DES 64 CBC WITH MD5
noTLS F SSL2 DES 192 EDE3 CBC WITH MD5
noECC noTLS A SSL2 RC4 128 WITH MD5
noECC TLS B SSL2 RC4 128 EXPORT40 WITH MD5
noECC TLS C SSL2 RC2 128 CBC WITH MD5
noECC noTLS D SSL2 RC2 128 CBC EXPORT40 WITH MD5
noECC TLS E SSL2 DES 64 CBC WITH MD5
noECC noTLS F SSL2 DES 192 EDE3 CBC WITH MD5
#
# noTLS a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA
# noTLS b SSL3 FORTEZZA DMS WITH RC4 128 SHA
noTLS c SSL3 RSA WITH RC4 128 MD5
noTLS d SSL3 RSA WITH 3DES EDE CBC SHA
noTLS e SSL3 RSA WITH DES CBC SHA
noTLS f SSL3 RSA EXPORT WITH RC4 40 MD5
noTLS g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5
# noTLS h SSL3 FORTEZZA DMS WITH NULL SHA
noTLS i SSL3 RSA WITH NULL MD5
noTLS j SSL3 RSA FIPS WITH 3DES EDE CBC SHA
noTLS k SSL3 RSA FIPS WITH DES CBC SHA
noTLS l SSL3 RSA EXPORT WITH DES CBC SHA (new)
noTLS m SSL3 RSA EXPORT WITH RC4 56 SHA (new)
noTLS n SSL3 RSA WITH RC4 128 SHA
noTLS v SSL3 RSA WITH AES 128 CBC SHA
noTLS y SSL3 RSA WITH AES 256 CBC SHA
noTLS z SSL3 RSA WITH NULL SHA
# noECC noTLS a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA
# noECC noTLS b SSL3 FORTEZZA DMS WITH RC4 128 SHA
noECC noTLS c SSL3 RSA WITH RC4 128 MD5
noECC noTLS d SSL3 RSA WITH 3DES EDE CBC SHA
noECC noTLS e SSL3 RSA WITH DES CBC SHA
noECC noTLS f SSL3 RSA EXPORT WITH RC4 40 MD5
noECC noTLS g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5
# noECC noTLS h SSL3 FORTEZZA DMS WITH NULL SHA
noECC noTLS i SSL3 RSA WITH NULL MD5
noECC noTLS j SSL3 RSA FIPS WITH 3DES EDE CBC SHA
noECC noTLS k SSL3 RSA FIPS WITH DES CBC SHA
noECC noTLS l SSL3 RSA EXPORT WITH DES CBC SHA (new)
noECC noTLS m SSL3 RSA EXPORT WITH RC4 56 SHA (new)
noECC noTLS n SSL3 RSA WITH RC4 128 SHA
noECC noTLS v SSL3 RSA WITH AES 128 CBC SHA
noECC noTLS y SSL3 RSA WITH AES 256 CBC SHA
noECC noTLS z SSL3 RSA WITH NULL SHA
#
TLS c TLS RSA WITH RC4 128 MD5
TLS d TLS RSA WITH 3DES EDE CBC SHA
TLS e TLS RSA WITH DES CBC SHA
TLS f TLS RSA EXPORT WITH RC4 40 MD5
TLS g TLS RSA EXPORT WITH RC2 CBC 40 MD5
TLS i TLS RSA WITH NULL MD5
TLS j TLS RSA FIPS WITH 3DES EDE CBC SHA
TLS k TLS RSA FIPS WITH DES CBC SHA
TLS l TLS RSA EXPORT WITH DES CBC SHA (new)
TLS m TLS RSA EXPORT WITH RC4 56 SHA (new)
TLS n TLS RSA WITH RC4 128 SHA
TLS v TLS RSA WITH AES 128 CBC SHA
TLS y TLS RSA WITH AES 256 CBC SHA
TLS z TLS RSA WITH NULL SHA
noECC TLS c TLS RSA WITH RC4 128 MD5
noECC TLS d TLS RSA WITH 3DES EDE CBC SHA
noECC TLS e TLS RSA WITH DES CBC SHA
noECC TLS f TLS RSA EXPORT WITH RC4 40 MD5
noECC TLS g TLS RSA EXPORT WITH RC2 CBC 40 MD5
noECC TLS i TLS RSA WITH NULL MD5
noECC TLS j TLS RSA FIPS WITH 3DES EDE CBC SHA
noECC TLS k TLS RSA FIPS WITH DES CBC SHA
noECC TLS l TLS RSA EXPORT WITH DES CBC SHA (new)
noECC TLS m TLS RSA EXPORT WITH RC4 56 SHA (new)
noECC TLS n TLS RSA WITH RC4 128 SHA
noECC TLS v TLS RSA WITH AES 128 CBC SHA
noECC TLS y TLS RSA WITH AES 256 CBC SHA
noECC TLS z TLS RSA WITH NULL SHA
#
# ECC ciphers (SSL3)
#
ECC noTLS :C001 SSL3 ECDH ECDSA WITH NULL SHA
ECC noTLS :C002 SSL3 ECDH ECDSA WITH RC4 128 SHA
ECC noTLS :C003 SSL3 ECDH ECDSA WITH 3DES EDE CBC SHA
ECC noTLS :C004 SSL3 ECDH ECDSA WITH AES 128 CBC SHA
ECC noTLS :C005 SSL3 ECDH ECDSA WITH AES 256 CBC SHA
ECC noTLS :C006 SSL3 ECDHE ECDSA WITH NULL SHA
ECC noTLS :C007 SSL3 ECDHE ECDSA WITH RC4 128 SHA
ECC noTLS :C008 SSL3 ECDHE ECDSA WITH 3DES EDE CBC SHA
ECC noTLS :C009 SSL3 ECDHE ECDSA WITH AES 128 CBC SHA
ECC noTLS :C00A SSL3 ECDHE ECDSA WITH AES 256 CBC SHA
ECC noTLS :C00B SSL3 ECDH RSA WITH NULL SHA
ECC noTLS :C00C SSL3 ECDH RSA WITH RC4 128 SHA
ECC noTLS :C00D SSL3 ECDH RSA WITH 3DES EDE CBC SHA
ECC noTLS :C00E SSL3 ECDH RSA WITH AES 128 CBC SHA
ECC noTLS :C00F SSL3 ECDH RSA WITH AES 256 CBC SHA
ECC noTLS :C010 SSL3 ECDHE RSA WITH NULL SHA
ECC noTLS :C011 SSL3 ECDHE RSA WITH RC4 128 SHA
ECC noTLS :C012 SSL3 ECDHE RSA WITH 3DES EDE CBC SHA
ECC noTLS :C013 SSL3 ECDHE RSA WITH AES 128 CBC SHA
ECC noTLS :C014 SSL3 ECDHE RSA WITH AES 256 CBC SHA
#
# ECC ciphers (TLS)
#
ECC TLS :C001 TLS ECDH ECDSA WITH NULL SHA
ECC TLS :C002 TLS ECDH ECDSA WITH RC4 128 SHA
ECC TLS :C003 TLS ECDH ECDSA WITH 3DES EDE CBC SHA
ECC TLS :C004 TLS ECDH ECDSA WITH AES 128 CBC SHA
ECC TLS :C005 TLS ECDH ECDSA WITH AES 256 CBC SHA
ECC TLS :C006 TLS ECDHE ECDSA WITH NULL SHA
ECC TLS :C007 TLS ECDHE ECDSA WITH RC4 128 SHA
ECC TLS :C008 TLS ECDHE ECDSA WITH 3DES EDE CBC SHA
ECC TLS :C009 TLS ECDHE ECDSA WITH AES 128 CBC SHA
ECC TLS :C00A TLS ECDHE ECDSA WITH AES 256 CBC SHA
ECC TLS :C00B TLS ECDH RSA WITH NULL SHA
ECC TLS :C00C TLS ECDH RSA WITH RC4 128 SHA
ECC TLS :C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
ECC TLS :C00E TLS ECDH RSA WITH AES 128 CBC SHA
ECC TLS :C00F TLS ECDH RSA WITH AES 256 CBC SHA
ECC TLS :C010 TLS ECDHE RSA WITH NULL SHA
ECC TLS :C011 TLS ECDHE RSA WITH RC4 128 SHA
ECC TLS :C012 TLS ECDHE RSA WITH 3DES EDE CBC SHA
ECC TLS :C013 TLS ECDHE RSA WITH AES 128 CBC SHA
ECC TLS :C014 TLS ECDHE RSA WITH AES 256 CBC SHA

33
security/nss/tests/ssl/sslstress.txt
View File

@ -1,14 +1,29 @@
#
# This file defines the tests for client auth.
# This file defines the stress tests for ssl/tls
#
# expected
# return server client Test Case name
# value params params
# ------ ------ ------ ---------------
0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
0 _ -c_1000_-C_c_-T Stress SSL3 RC4 128 with MD5
0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
# expected
# Enable return server client Test Case name
# ECC value params params
# ------- ------ ------ ------ ---------------
noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
noECC 0 _ -c_1000_-C_c_-T Stress SSL3 RC4 128 with MD5
noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
#
# add client auth versions here...
#
# 0 -r -w_bogus_-n_"Test_User" TLS Request don't require client auth (bad password)
# noECC 0 -r -w_bogus_-n_"Test_User" TLS Request don't require client auth (bad password)
#
########################## ECC ciphers ##############################
# Currently, session reuse does not work for ECDH-ECDSA and ECDHE-ECDSA
# ciphers (see Bug 238051). Setting up 1000 connections without session
# reuse would take too long, so use only 10 connections
#
ECC 0 -c_:C009 -c_10_-C_:C009_-N_-T Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
ECC 0 -c_:C013 -c_100_-C_:C013_-T Stress SSL3 ECDHE-RSA AES 128 CBC with SHA
ECC 0 -c_:C004 -c_10_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse)
ECC 0 -c_:C00E -c_10_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
ECC 0 -c_:C013 -c_100_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA
#
# add client auth versions here...
#
# ECC 0 -r -w_bogus_-n_"Test_User-ec" TLS Request don't require client auth (bad password)

210
security/nss/tests/tools/ectools.sh
View File

@ -1,210 +0,0 @@
#! /bin/sh
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
########################################################################
#
# mozilla/security/nss/tests/tools/tools.sh
#
# Script to test basic functionallity of NSS tools
#
# needs to work on all Unix and Windows platforms
#
# tests implemented:
# pk12util
# signtool
#
# special strings
# ---------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
########################################################################
############################## tools_init ##############################
# local shell function to initialize this script
########################################################################
tools_init()
{
SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
fi
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
cd ../common
. ./init.sh
fi
if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
cd ../cert
. ./cert.sh
fi
SCRIPTNAME=tools.sh
html_head "Tools Tests"
grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
}
TOOLSDIR=${HOSTDIR}/tools
COPYDIR=${TOOLSDIR}/copydir
R_TOOLSDIR=../tools
R_COPYDIR=../tools/copydir
P_R_COPYDIR=${R_COPYDIR}
if [ -n "${MULTIACCESS_DBM}" ]; then
P_R_COPYDIR="multiaccess:Tools.$version"
fi
mkdir -p ${TOOLSDIR}
mkdir -p ${COPYDIR}
mkdir -p ${TOOLSDIR}/html
cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
cd ${TOOLSDIR}
}
############################## tools_p12 ###############################
# local shell function to test basic functionality of pk12util
########################################################################
tools_p12()
{
echo "$SCRIPTNAME: Exporting Alice's email cert & key------------------"
echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
echo " -w ${R_PWFILE}"
pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
-w ${R_PWFILE} 2>&1
ret=$?
html_msg $ret 0 "Exporting Alice's email cert & key (pk12util -o)"
check_tmpfile
echo "$SCRIPTNAME: Importing Alice's email cert & key -----------------"
echo "pk12util -i Alice.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
pk12util -i Alice.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
ret=$?
html_msg $ret 0 "Importing Alice's email cert & key (pk12util -i)"
check_tmpfile
echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
echo " -w ${R_PWFILE}"
pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
-w ${R_PWFILE} 2>&1
ret=$?
html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
check_tmpfile
echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
ret=$?
html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
check_tmpfile
}
############################## tools_sign ##############################
# local shell function pk12util uses a hardcoded tmp file, if this exists
# and is owned by another user we don't get reasonable errormessages
########################################################################
check_tmpfile()
{
if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then
echo "Error: pk12util temp file exists. Please remove this file and"
echo " rerun the test (/tmp/Pk12uTemp) "
fi
}
############################## tools_sign ##############################
# local shell function to test basic functionality of signtool
########################################################################
tools_sign()
{
echo "$SCRIPTNAME: Create objsign cert -------------------------------"
echo "signtool -G \"objectsigner\" -d ${P_R_ALICEDIR} -p \"nss\""
signtool -G "objsigner" -d ${P_R_ALICEDIR} -p "nss" 2>&1 <<SIGNSCRIPT
y
TEST
MOZ
NSS
NY
US
liz
liz@moz.org
SIGNSCRIPT
html_msg $? 0 "Create objsign cert (signtool -G)"
echo "$SCRIPTNAME: Signing a set of files ----------------------------"
echo "signtool -Z nojs.jar -d ${P_R_ALICEDIR} -p \"nss\" -k objsigner \\"
echo " ${R_TOOLSDIR}/html"
signtool -Z nojs.jar -d ${P_R_ALICEDIR} -p "nss" -k objsigner \
${R_TOOLSDIR}/html
html_msg $? 0 "Signing a set of files (signtool -Z)"
echo "$SCRIPTNAME: Listing signed files in jar ----------------------"
echo "signtool -v nojs.jar -d ${P_R_ALICEDIR} -p nss -k objsigner"
signtool -v nojs.jar -d ${P_R_ALICEDIR} -p nss -k objsigner
html_msg $? 0 "Listing signed files in jar (signtool -v)"
echo "$SCRIPTNAME: Show who signed jar ------------------------------"
echo "signtool -w nojs.jar -d ${P_R_ALICEDIR}"
signtool -w nojs.jar -d ${P_R_ALICEDIR}
html_msg $? 0 "Show who signed jar (signtool -w)"
}
############################## tools_cleanup ###########################
# local shell function to finish this script (no exit since it might be
# sourced)
########################################################################
tools_cleanup()
{
html "</TABLE><BR>"
cd ${QADIR}
. common/cleanup.sh
}
################## main #################################################
tools_init
tools_p12
tools_sign
tools_cleanup

36
security/nss/tests/tools/tools.sh
View File

@ -21,6 +21,7 @@
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
@ -74,7 +75,12 @@ tools_init()
. ./cert.sh
fi
SCRIPTNAME=tools.sh
html_head "Tools Tests"
if [ -n "$NSS_ENABLE_ECC" ] ; then
html_head "Tools Tests with ECC"
else
html_head "Tools Tests"
fi
grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
@ -87,7 +93,7 @@ tools_init()
R_COPYDIR=../tools/copydir
P_R_COPYDIR=${R_COPYDIR}
if [ -n "${MULTIACCESS_DBM}" ]; then
P_R_COPYDIR="multiaccess:Tools.$version"
P_R_COPYDIR="multiaccess:Tools.$version"
fi
mkdir -p ${TOOLSDIR}
@ -125,6 +131,32 @@ tools_p12()
ret=$?
html_msg $ret 0 "Listing Alice's pk12 file (pk12util -l)"
check_tmpfile
if [ -n "$NSS_ENABLE_ECC" ] ; then
echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
echo " -w ${R_PWFILE}"
pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
-w ${R_PWFILE} 2>&1
ret=$?
html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
check_tmpfile
echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
ret=$?
html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
check_tmpfile
echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
ret=$?
html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
check_tmpfile
fi
}
############################## tools_sign ##############################