From f1ca8f1fd1ae3fb2085230f6d1329f8ff217da8e Mon Sep 17 00:00:00 2001
From: "wtchang%redhat.com"
Date: Fri, 3 Mar 2006 20:06:03 +0000
Subject: [PATCH] Bugzilla Bug 324887: merged ECC and non-ECC QA test scripts and removed ECC QA test scripts. The patch is written by Vipul Gupta and Christophe Ravel of Sun. r=wtc,nelsonb,jpierre Modified Files: cert/cert.sh smime/smime.sh ssl/ssl.sh ssl/sslauth.txt ssl/sslcov.txt ssl/sslstress.txt tools/tools.sh Removed Files: fixtests.sh cert/eccert.sh smime/ecsmime.sh ssl/ecssl.sh ssl/ecsslauth.txt ssl/ecsslcov.txt ssl/ecsslstress.txt tools/ectools.sh
---
 security/nss/tests/cert/cert.sh | 324 ++++++++-
 security/nss/tests/cert/eccert.sh | 886 ------------------------
 security/nss/tests/fixtests.sh | 117 ----
 security/nss/tests/smime/ecsmime.sh | 260 --------
 security/nss/tests/smime/smime.sh | 38 +-
 security/nss/tests/ssl/ecssl.sh | 350 ----------
 security/nss/tests/ssl/ecsslauth.txt | 50 --
 security/nss/tests/ssl/ecsslcov.txt | 94 ---
 security/nss/tests/ssl/ecsslstress.txt | 25 -
 security/nss/tests/ssl/ssl.sh | 250 ++++---
 security/nss/tests/ssl/sslauth.txt | 75 ++-
 security/nss/tests/ssl/sslcov.txt | 124 ++--
 security/nss/tests/ssl/sslstress.txt | 33 +-
 security/nss/tests/tools/ectools.sh | 210 ------
 security/nss/tests/tools/tools.sh | 36 +-
 15 files changed, 684 insertions(+), 2188 deletions(-)
 delete mode 100644 security/nss/tests/cert/eccert.sh
 delete mode 100755 security/nss/tests/fixtests.sh
 delete mode 100644 security/nss/tests/smime/ecsmime.sh
 delete mode 100644 security/nss/tests/ssl/ecssl.sh
 delete mode 100644 security/nss/tests/ssl/ecsslauth.txt
 delete mode 100644 security/nss/tests/ssl/ecsslcov.txt
 delete mode 100644 security/nss/tests/ssl/ecsslstress.txt
 delete mode 100644 security/nss/tests/tools/ectools.sh
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index 920a8c711bf2..8e0e44f891ea 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -21,6 +21,7 @@
 # the Initial Developer. All Rights Reserved.
 #
 # Contributor(s):
+# Dr Vipul Gupta , Sun Microsystems Laboratories
 #
 # Alternatively, the contents of this file may be used under the terms of
 # either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -75,7 +76,11 @@ cert_init()
 fi
 SCRIPTNAME="cert.sh"
 CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
- html_head "Certutil and Crlutil Tests"
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+ html_head "Certutil and Crlutil Tests with ECC"
+ else
+ html_head "Certutil and Crlutil Tests"
+ fi
 ################## Generate noise for our CA cert. ######################
 # NOTE: these keys are only suitable for testing, as this whole thing
@@ -140,7 +145,7 @@ certu()
 return $RET
 }
-################################ certu #################################
+################################ crlu #################################
 # local shell function to call crlutil, also: writes action and options to
 # stdout, sets variable RET and writes results to the html file results
 ########################################################################
@@ -257,6 +262,14 @@ cert_create_cert()
 if [ "$RET" -ne 0 ]; then
 return $RET
 fi
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+ CU_ACTION="Import EC Root CA for $CERTNAME"
+ certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
+ -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+ fi
 cert_add_cert "$5"
 return $?
 }
@@ -270,7 +283,6 @@ cert_create_cert()
 ########################################################################
 cert_add_cert()
 {
-
 CU_ACTION="Generate Cert Request for $CERTNAME"
 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
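Review bot: The ECC gate added in cert_init and cert_create_cert tests the variable for non-emptiness, `if [ -n "$NSS_ENABLE_ECC" ] ; then`, so any value at all — including `0` or `no` — selects the EC path, and the identical test is repeated in the later hunks of this file (cert_add_cert, cert_all_CA, cert_extended_ssl, cert_ssl). If the build only ever exports it as `1` that is fine, but the first use in cert_init deserves a one-line comment, e.g. `# NSS_ENABLE_ECC: being set at all (not its value) enables the EC test path`, so nobody later tries `NSS_ENABLE_ECC=0` to switch it off. The EC root import in cert_create_cert also depends on `${R_CADIR}/ecroot.cert`, which is presumably written by cert_ec_CA under the same gate in cert_all_CA, so the variable must be identical for every caller in the run; where it is initialised is outside this file.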
@@ -293,6 +305,36 @@ cert_add_cert()
 fi
 cert_log "SUCCESS: $CERTNAME's Cert Created"
+
+#
+# Generate and add EC cert
+#
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+ CURVE="secp384r1"
+ CU_ACTION="Generate EC Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Sign ${CERTNAME}'s EC Request"
+ certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+
+ CU_ACTION="Import $CERTNAME's EC Cert"
+ certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+ if [ "$RET" -ne 0 ]; then
+ return $RET
+ fi
+ cert_log "SUCCESS: $CERTNAME's EC Cert Created"
+ fi
+
 return 0
 }
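Review bot: `CURVE="secp384r1"` is assigned inside cert_add_cert with no comment and, this being POSIX sh without `local`, becomes a script-wide variable; cert_ec_CA in a later hunk assigns the same name `CURVE=$7`, so the two functions silently share one global, which is harmless in the current call order but fragile. The curve also differs from `CA_CURVE="secp521r1"` in cert_all_CA and `EC_CURVE="secp256r1"` in cert_extended_ssl, and nothing says why three curves are used. Add a comment where it is set, e.g. `# curve for EC end-entity keys; the EC CAs use CA_CURVE (see cert_all_CA)`, or hoist the three curve names to one place near the top of the script so they can be changed together. The EC request/sign/import sequence mirrors the RSA one above it line for line; a helper taking key type, curve and nickname suffix would remove the duplication, but that is optional.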
@@ -325,8 +367,37 @@ cert_all_CA()
 cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
 rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
- # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is the one of the last
+
+ # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
 # in the chain
+
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+#
+# Create EC version of TestCA
+ CA_CURVE="secp521r1"
+ ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
+#
+# Create EC versions of the intermediate CA certs
+ ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
+ ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
+ ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
+
+ ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
+ ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
+ ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+ cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
+
+ rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
+# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
+# in the chain
+
+ fi
 }
 ################################# cert_CA ################################
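Review bot: The EC block depends on an ordering that is nowhere stated: `cert_ec_CA $CADIR TestCA-ec -x ...` (and the serverCA-ec / clientCA-ec calls) pass `-x` exactly like the RSA calls above, but cert_ec_CA, added in a later hunk, goes straight from the LPROFILE setup to "Creating an EC CA Cert" with no `-x` → create-DB step, so it only works because `cert_CA $CADIR TestCA -x ...` has already initialised the DB in the same directory earlier in this function (cert_CA's body is outside this hunk; the deleted eccert.sh copy shows that branch). A comment at the top of the block would make the dependency explicit, e.g. `# EC CAs are added to the DBs cert_CA just initialised; keep this block after the RSA CAs`. The `#` comment lines inside the `if` sit at column 0 while the code is indented; indenting them with the code matches the rest of the function.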
@@ -400,6 +471,70 @@ CERTSCRIPT cp root.cert ${NICKNAME}.ca.cert } +################################ cert_ec_CA ############################## +# local shell function to build the Temp. Certificate Authority (CA) +# used for testing purposes, creating a CA Certificate and a root cert +# This is the ECC version of cert_CA. +########################################################################## +cert_ec_CA() +{ + CUR_CADIR=$1 + NICKNAME=$2 + SIGNER=$3 + TRUSTARG=$4 + DOMAIN=$5 + CERTSERIAL=$6 + CURVE=$7 + + echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME ==========================" + + if [ ! -d "${CUR_CADIR}" ]; then + mkdir -p "${CUR_CADIR}" + fi + cd ${CUR_CADIR} + pwd + + LPROFILE=. + if [ -n "${MULTIACCESS_DBM}" ]; then + LPROFILE="multiaccess:${DOMAIN}" + fi + + ################# Creating an EC CA Cert ################################ + # + CU_ACTION="Creating EC CA Cert $NICKNAME " + CU_SUBJECT=$ALL_CU_SUBJECT + certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \ + -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ + -m $CERTSERIAL 2>&1 <&1 + if [ -n "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: Importing EC Certificates ==============================" + CU_ACTION="Import Bob's EC cert into Alice's db" + certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_BOBDIR}/Bob-ec.cert 2>&1 + + CU_ACTION="Import Dave's EC cert into Alice's DB" + certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 + + CU_ACTION="Import Dave's EC cert into Bob's DB" + certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 + +## XXXX Do not import Eve's EC cert until we can make sure that +## the email addresses listed in the Subject Alt Name Extension +## inside Eve's ECC and non-ECC certs are different. 
+# CU_ACTION="Import Eve's EC cert into Alice's DB"
+# certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
+
+# CU_ACTION="Import Eve's EC cert into Bob's DB"
+# certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
+ fi
+
 if [ "$CERTFAILED" != 0 ] ; then
 cert_log "ERROR: SMIME failed $RET"
 else
@@ -463,11 +635,12 @@ cert_smime_client()
 fi
 }
-############################## cert_ssl ################################
+############################## cert_extended_ssl #######################
 # local shell function to create client + server certs for extended SSL test
 ########################################################################
 cert_extended_ssl()
 {
+
 ################# Creating Certs for extended SSL test ####################
 #
 CERTFAILED=0
@@ -496,11 +669,39 @@ cert_extended_ssl()
 CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
 certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
 -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
+
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+#
+# Repeat the above for EC certs
+#
+ EC_CURVE="secp256r1"
+ CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
+ cp ${CERTDIR}/req ${SERVER_CADIR}
+ certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
+ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+
+ CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
+ certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+ -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
+#
+# done with EC certs
+#
+ fi
+
 echo "Importing all the server's own CA chain into the servers DB"
 for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
 do
 N=`basename $CA | sed -e "s/.ca.cert//"`
- if [ $N = "serverCA" ] ; then
+ if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then
 T="-t C,C,C"
 else
 T="-t u,u,u"
@@ -518,7 +719,8 @@ cert_extended_ssl()
 CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
 CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
+ -o req 2>&1
 CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
 cp ${CERTDIR}/req ${CLIENT_CADIR}
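Review bot: `EC_CURVE="secp256r1"` is set inside the server-cert half of cert_extended_ssl and then read again in the client-cert half (the `@@ -531` hunk) without being reassigned, so the client's `-q "${EC_CURVE}"` only works because the server block ran first in the same shell; setting it once at the top of the function, next to `CERTFAILED=0`, removes the hidden coupling. The new `certu -C` calls reuse the RSA serial numbers (`-m 200` here, `-m 300` in the client half) under the EC issuers, which X.509 permits because serials are scoped to the issuer, but a short comment saying so would stop a reader from filing it as a collision. The `if [ $N = "serverCA" -o $N = "serverCA-ec" ]` test, and the clientCA one in the next hunk, would read better and quote `$N` as `case "$N" in serverCA|serverCA-ec) T="-t C,C,C" ;; *) T="-t u,u,u" ;; esac`. cert_extended_ssl continues outside this hunk on both sides.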
@@ -531,11 +733,38 @@ cert_extended_ssl()
 CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
 certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
 -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
+
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+#
+# Repeat the above for EC certs
+#
+ CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+ -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
+ cp ${CERTDIR}/req ${CLIENT_CADIR}
+ certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
+ -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
+
+ CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
+ certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+
+ CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
+ certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
+ -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
+#
+# done with EC certs
+#
+ fi
+
 echo "Importing all the client's own CA chain into the servers DB"
 for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
 do
 N=`basename $CA | sed -e "s/.ca.cert//"`
- if [ $N = "clientCA" ] ; then
+ if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then
 T="-t T,C,C"
 else
 T="-t u,u,u"
@@ -565,7 +794,12 @@ cert_ssl()
 echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
 echo " ${HOSTADDR} ------------------------------------"
 cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
+ CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
 certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR}
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+ CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
+ certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR}
+ fi
 # cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
 # echo "************* Copying CA files to ${SERVERDIR}"
 # cp ${CADIR}/*.db .
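Review bot: `certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR}` re-applies exactly the trust that cert_create_cert's import of `TestCA-ec` (the `@@ -257` hunk) already set with `-t "TC,TC,TC"`, mirroring the pre-existing RSA line just above it. If the modify step is deliberate — to exercise `-M` itself, or because PROFILEDIR at this point may differ from the one the import used — say so in a comment, e.g. `# re-assert root trust via -M; the import in cert_create_cert already set TC,TC,TC`, otherwise the new EC line can be dropped. Unlike the other `certu` calls in this file, neither `-M` line redirects stderr with `2>&1`, so any certutil diagnostics bypass the captured log; appending `2>&1` to both keeps the output consistent. cert_ssl continues outside this hunk.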
@@ -759,7 +993,8 @@ cert_crl_ssl() CRLUPDATE=`date +%Y%m%d%H%M%SZ` CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority" CRL_GRP_END_=`expr ${CRL_GRP_END} - 1` - crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or < file ############################# Modification ################################## echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============" sleep 2 CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"` - CU_ACTION="Modification CRL by adding one more cert" + CU_ACTION="Modify CRL by adding one more cert" crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \ -i ${CRL_FILE_GRP_1}_or <, Sun Microsystems Laboratories -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. 
-# -# ***** END LICENSE BLOCK ***** - -######################################################################## -# -# mozilla/security/nss/tests/cert/rcert.sh -# -# Certificate generating and handeling for NSS QA, can be included -# multiple times from all.sh and the individual scripts -# -# needs to work on all Unix and Windows platforms -# -# included from (don't expect this to be up to date) -# -------------------------------------------------- -# all.sh -# ssl.sh -# smime.sh -# tools.sh -# -# special strings -# --------------- -# FIXME ... known problems, search for this string -# NOTE .... unexpected behavior -# -# FIXME - Netscape - NSS -######################################################################## - -############################## cert_init ############################### -# local shell function to initialize this script -######################################################################## -cert_init() -{ - SCRIPTNAME="cert.sh" - if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for - CLEANUP="${SCRIPTNAME}" # cleaning this script will do it - fi - if [ -z "${INIT_SOURCED}" ] ; then - cd ../common - . ./init.sh - fi - SCRIPTNAME="cert.sh" - html_head "Certutil Tests" - - ################## Generate noise for our CA cert. ###################### - # NOTE: these keys are only suitable for testing, as this whole thing - # bypasses the entropy gathering. Don't use this method to generate - # keys and certs for product use or deployment. - # - ps -efl > ${NOISE_FILE} 2>&1 - ps aux >> ${NOISE_FILE} 2>&1 - noise - -} - -cert_log() ###################### write the cert_status file -{ - echo "$SCRIPTNAME $*" - echo $* >>${CERT_LOG_FILE} -} - -################################ noise ################################## -# Generate noise for our certs -# -# NOTE: these keys are only suitable for testing, as this whole thing bypasses -# the entropy gathering. Don't use this method to generate keys and certs for -# product use or deployment. 
-######################################################################### -noise() -{ - #netstat >> ${NOISE_FILE} 2>&1 - date >> ${NOISE_FILE} 2>&1 -} - -################################ certu ################################# -# local shell function to call certutil, also: writes action and options to -# stdout, sets variable RET and writes results to the html file results -######################################################################## -certu() -{ - echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" - - if [ -n "${CU_SUBJECT}" ]; then - #the subject of the cert contains blanks, and the shell - #will strip the quotes off the string, if called otherwise... - echo "certutil -s \"${CU_SUBJECT}\" $*" - certutil -s "${CU_SUBJECT}" $* - RET=$? - CU_SUBJECT="" - else - echo "certutil $*" - certutil $* - RET=$? - fi - if [ "$RET" -ne 0 ]; then - CERTFAILED=$RET - html_failed "${CU_ACTION} ($RET) " - cert_log "ERROR: ${CU_ACTION} failed $RET" - else - html_passed "${CU_ACTION}" - fi - - # echo "Contine?" - # cat > /dev/null - return $RET -} - -############################# cert_init_cert ########################## -# local shell function to initialize creation of client and server certs -######################################################################## -cert_init_cert() -{ - CERTDIR="$1" - CERTNAME="$2" - CERTSERIAL="$3" - DOMAIN="$4" - - if [ ! -d "${CERTDIR}" ]; then - mkdir -p "${CERTDIR}" - else - echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists" - fi - cd "${CERTDIR}" - CERTDIR="." 
- - PROFILEDIR=${CERTDIR} - if [ -n "${MULTIACCESS_DBM}" ]; then - PROFILEDIR="multiaccess:${DOMAIN}" - fi - - noise -} - -############################# hw_acc ################################# -# local shell function to add hw accelerator modules to the db -######################################################################## -hw_acc() -{ - HW_ACC_RET=0 - HW_ACC_ERR="" - if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then - echo "creating $CERTNAME s cert with hwaccelerator..." - #case $ACCELERATOR in - #rainbow) - - - echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so " - echo " -dbdir ${PROFILEDIR} 2>&1 " - echo | modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \ - -dbdir ${PROFILEDIR} 2>&1 - if [ "$?" -ne 0 ]; then - echo "modutil -add rainbow failed in `pwd`" - HW_ACC_RET=1 - HW_ACC_ERR="modutil -add rainbow" - fi - - echo "modutil -add ncipher " - echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so " - echo " -dbdir ${PROFILEDIR} 2>&1 " - echo | modutil -add ncipher \ - -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \ - -dbdir ${PROFILEDIR} 2>&1 - if [ "$?" 
-ne 0 ]; then - echo "modutil -add ncipher failed in `pwd`" - HW_ACC_RET=`expr $HW_ACC_RET + 2` - HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher" - fi - if [ "$HW_ACC_RET" -ne 0 ]; then - html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) " - else - html_passed "Adding HW accelerators to certDB for ${CERTNAME}" - fi - - fi - return $HW_ACC_RET -} - -############################# cert_create_cert ######################### -# local shell function to create client certs -# initialize DB, import -# root cert -# add cert to DB -######################################################################## -cert_create_cert() -{ - cert_init_cert "$1" "$2" "$3" "$4" - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB" - certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - hw_acc - CU_ACTION="Import Root CA for $CERTNAME" - certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${R_CADIR}/root.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - cert_add_cert "$5" - return $? 
-} - -############################# cert_create_certs ######################## -# local shell function to create client certs -# initialize DB, import -# root certs (RSA and EC) -# add certs (RSA and EC) to DB -######################################################################## -cert_create_certs() -{ - cert_init_cert "$1" "$2" "$3" "$4" - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB" - certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - hw_acc - CU_ACTION="Import Root CA for $CERTNAME" - certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${R_CADIR}/root.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - CU_ACTION="Import EC Root CA for $CERTNAME" - certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${R_CADIR}/ecroot.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - cert_add_certs "$5" - return $? -} - -############################# cert_add_cert ############################ -# local shell function to add client certs to an existing CERT DB -# generate request -# sign request -# import Cert -# -######################################################################## -cert_add_cert() -{ - - CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Import $CERTNAME's Cert" - certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - cert_log "SUCCESS: $CERTNAME's Cert Created" - return 0 -} - 
-############################# cert_add_certs ############################ -# local shell function to add client certs to an existing CERT DB -# generate request -# sign request -# import Cert -# -# Do this for both RSA and EC certs -######################################################################## -cert_add_certs() -{ - CURVE="secp160r2" - - CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Sign ${CERTNAME}'s Request" - certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Import $CERTNAME's Cert" - certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - cert_log "SUCCESS: $CERTNAME's Cert Created" - -# -# Generate and add EC cert -# - CU_ACTION="Generate EC Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Sign ${CERTNAME}'s EC Request" - certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - CU_ACTION="Import $CERTNAME's EC Cert" - certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}-ec.cert" 2>&1 - if [ "$RET" -ne 0 ]; then - return $RET - fi - - cert_log "SUCCESS: $CERTNAME's EC Cert Created" - - return 0 -} - -################################# cert_all_CA 
################################ -# local shell function to build the additional Temp. Certificate Authority (CA) -# used for the "real life" ssl test with 2 different CA's in the -# client and in teh server's dir -########################################################################## -cert_all_CA() -{ - CA_CURVE="secp160r1" - - echo nss > ${PWFILE} - - ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1" - -# Create EC version of TestCA - ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US" - cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE} - - ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" - ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3" - ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4" - -# -# Create EC versions of the above CA certs -# - ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE} - ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE} - ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE} - - - ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $CLIENT_CADIR clientCA -x 
"Tu,Cu,Cu" ${D_CLIENT_CA} "5" - ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6" - ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7" - -# -# Create EC versions of the above CA certs -# - ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE} - ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE} - ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" - cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE} - - rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert - rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert - # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is the one of the last - # in the chain -} - -################################# cert_CA ################################ -# local shell function to build the Temp. Certificate Authority (CA) -# used for testing purposes, creating a CA Certificate and a root cert -########################################################################## -cert_CA() -{ - CUR_CADIR=$1 - NICKNAME=$2 - SIGNER=$3 - TRUSTARG=$4 - DOMAIN=$5 - CERTSERIAL=$6 - - echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME ==========================" - - if [ ! -d "${CUR_CADIR}" ]; then - mkdir -p "${CUR_CADIR}" - fi - cd ${CUR_CADIR} - pwd - - LPROFILE=. 
- if [ -n "${MULTIACCESS_DBM}" ]; then - LPROFILE="multiaccess:${DOMAIN}" - fi - - if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB - CU_ACTION="Creating CA Cert DB" - certu -N -d ${LPROFILE} -f ${R_PWFILE} 2>&1 - if [ "$RET" -ne 0 ]; then - Exit 5 "Fatal - failed to create CA $NICKNAME " - fi - echo "$SCRIPTNAME: Certificate initialized ----------" - fi - - - ################# Creating CA Cert ###################################### - # - CU_ACTION="Creating CA Cert $NICKNAME " - CU_SUBJECT=$ALL_CU_SUBJECT - certu -S -n $NICKNAME -t $TRUSTARG -v 60 $SIGNER -d ${LPROFILE} -1 -2 -5 \ - -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <&1 <&1 - - #CU_ACTION="Export Dave's Cert" - #cd ${DAVEDIR} - #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert - - ################# Importing Certificates for S/MIME tests ############### - # - echo "$SCRIPTNAME: Importing Certificates ==============================" - CU_ACTION="Import Bob's cert into Alice's db" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ - -i ${R_BOBDIR}/Bob.cert 2>&1 - - CU_ACTION="Import Dave's cert into Alice's DB" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ - -i ${R_DAVEDIR}/Dave.cert 2>&1 - - CU_ACTION="Import Dave's cert into Bob's DB" - certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ - -i ${R_DAVEDIR}/Dave.cert 2>&1 - - CU_ACTION="Import Eve's cert into Alice's DB" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ - -i ${R_EVEDIR}/Eve.cert 2>&1 - - CU_ACTION="Import Eve's cert into Bob's DB" - certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ - -i ${R_EVEDIR}/Eve.cert 2>&1 - - if [ "$CERTFAILED" != 0 ] ; then - cert_log "ERROR: SMIME failed $RET" - else - cert_log "SUCCESS: SMIME passed" - fi -} - -############################## cert_ssl ################################ -# local shell function to create client + server certs for extended SSL test -######################################################################## -cert_extended_ssl() -{ - 
EC_CURVE="sect163r1" - - ################# Creating Certs for extended SSL test #################### - # - CERTFAILED=0 - echo "$SCRIPTNAME: Creating Certificates, issued by the last ===============" - echo " of a chain of CA's which are not in the same database============" - - echo "Server Cert" - cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER} - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" - certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Generate Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request (ext)" - cp ${CERTDIR}/req ${SERVER_CADIR} - certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" - certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}.cert" 2>&1 - - CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)" - certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1 -# -# Repeat the above for EC certs -# - CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" - cp ${CERTDIR}/req ${SERVER_CADIR} - certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \ - -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" - certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}-ec.cert" 2>&1 - - CU_ACTION="Import Client EC 
Root CA -t T,, for $CERTNAME (ext.)" - certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1 -# -# done with EC certs -# - echo "Importing all the server's own CA chain into the servers DB" - for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; - do - N=`basename $CA | sed -e "s/.ca.cert//"` - if [ $N = "serverCA" ] ; then - T="-t C,C,C" - else - T="-t u,u,u" - fi - CU_ACTION="Import $N CA $T for $CERTNAME (ext.) " - certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${CA}" 2>&1 - done -#============ - echo "Client Cert" - cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT} - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)" - certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Generate Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request (ext)" - cp ${CERTDIR}/req ${CLIENT_CADIR} - certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)" - certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}.cert" 2>&1 - CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)" - certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1 -# -# Repeat the above for EC certs -# - CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)" - cp ${CERTDIR}/req ${CLIENT_CADIR} - certu -C -c 
"chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \ - -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1 - - CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)" - certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${CERTNAME}-ec.cert" 2>&1 - CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)" - certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1 -# -# done with EC certs -# - echo "Importing all the client's own CA chain into the servers DB" - for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ; - do - N=`basename $CA | sed -e "s/.ca.cert//"` - if [ $N = "clientCA" ] ; then - T="-t T,C,C" - else - T="-t u,u,u" - fi - CU_ACTION="Import $N CA $T for $CERTNAME (ext.)" - certu -A -n $N $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \ - -i "${CA}" 2>&1 - done - if [ "$CERTFAILED" != 0 ] ; then - cert_log "ERROR: EXT failed $RET" - else - cert_log "SUCCESS: EXT passed" - fi -} - -############################## cert_ssl ################################ -# local shell function to create client + server certs for SSL test -######################################################################## -cert_ssl() -{ - ################# Creating Certs for SSL test ########################### - # - CERTFAILED=0 - echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" - cert_create_certs ${CLIENTDIR} "TestUser" 70 ${D_CLIENT} - - echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\" - echo " ${HOSTADDR} ------------------------------------" - cert_create_certs ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER} - certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} - certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER} -# echo "************* Copying CA files to ${SERVERDIR}" -# cp ${CADIR}/*.db . 
-# hw_acc -# CU_ACTION="Creating ${CERTNAME}'s Server Cert" -# CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" -# certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \ -# -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 - - if [ "$CERTFAILED" != 0 ] ; then - cert_log "ERROR: SSL failed $RET" - else - cert_log "SUCCESS: SSL passed" - fi -} -############################## cert_stresscerts ################################ -# local shell function to create client certs for SSL stresstest -######################################################################## -cert_stresscerts() -{ - - ############### Creating Certs for SSL stress test ####################### - # - CERTDIR="$CLIENTDIR" - cd "${CERTDIR}" - - PROFILEDIR=${CERTDIR} - if [ -n "${MULTIACCESS_DBM}" ]; then - PROFILEDIR="multiaccess:${D_CLIENT}" - fi - CERTFAILED=0 - echo "$SCRIPTNAME: Creating Client CA Issued Certificates ===============" - - CONTINUE=$GLOB_MAX_CERT - CERTSERIAL=10 - - while [ $CONTINUE -ge $GLOB_MIN_CERT ] - do - CERTNAME="TestUser$CONTINUE" -# cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL - cert_add_certs - CERTSERIAL=`expr $CERTSERIAL + 1 ` - CONTINUE=`expr $CONTINUE - 1 ` - done - if [ "$CERTFAILED" != 0 ] ; then - cert_log "ERROR: StressCert failed $RET" - else - cert_log "SUCCESS: StressCert passed" - fi -} - -############################## cert_fips ##################################### -# local shell function to create certificates for FIPS tests -############################################################################## -cert_fips() -{ - CERTFAILED=0 - echo "$SCRIPTNAME: Creating FIPS 140-1 DSA Certificates ==============" - cert_init_cert "${FIPSDIR}" "FIPS PUB 140-1 Test Certificate" 1000 "${D_FIPS}" - - CU_ACTION="Initializing ${CERTNAME}'s Cert DB" - certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 - - echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------" - CU_ACTION="Enable FIPS mode 
on database for ${CERTNAME}" - echo "modutil -dbdir ${PROFILEDIR} -fips true " - modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <${CU_ACTION} ($RET) " - cert_log "ERROR: ${CU_ACTION} failed $RET" - else - html_passed "${CU_ACTION}" - fi - - CU_ACTION="Generate Certificate for ${CERTNAME}" - CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140-1, L=Mountain View, ST=California, C=US" - certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -m 500 -z "${R_NOISE_FILE}" 2>&1 - if [ "$RET" -eq 0 ]; then - cert_log "SUCCESS: FIPS passed" - fi -} - -############################## cert_cleanup ############################ -# local shell function to finish this script (no exit since it might be -# sourced) -######################################################################## -cert_cleanup() -{ - cert_log "$SCRIPTNAME: finished $SCRIPTNAME" - html "
" - cd ${QADIR} - . common/cleanup.sh -} - -################## main ################################################# - -cert_init -cert_all_CA -cert_extended_ssl -cert_ssl -cert_smime_client -cert_fips -if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then - cert_stresscerts - #following lines to be used when databases are to be reused - #cp -r /u/sonmi/tmp/stress/kentuckyderby.13/* $HOSTDIR - #cp -r $HOSTDIR/../${HOST}.2/* $HOSTDIR - -fi -cert_cleanup diff --git a/security/nss/tests/fixtests.sh b/security/nss/tests/fixtests.sh deleted file mode 100755 index 42cbdf8ee577..000000000000 --- a/security/nss/tests/fixtests.sh +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/bin/sh -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is the elliptic curve test suite. -# -# The Initial Developer of the Original Code is -# Sun Microsystems, Inc. -# Portions created by the Initial Developer are Copyright (C) 2003 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# Dr Vipul Gupta , Sun Microsystems Laboratories -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. -# -# ***** END LICENSE BLOCK ***** - -####################### fix_test_scripts ####################### -# -# Depending on the argument either enable or disable EC based -# tests in the cert and ssl directories. 
-# -################################################################ -fix_test_scripts() -{ - FLAG=$1 - CERT_DIR=cert - CERT_SCRIPT=cert.sh - SMIME_DIR=smime - SMIME_SCRIPT=smime.sh - SSL_DIR=ssl - SSLAUTH=sslauth.txt - SSLCOV=sslcov.txt - SSL_SCRIPT=ssl.sh - SSLSTRESS=sslstress.txt - TOOLS_DIR=tools - TOOLS_SCRIPT=tools.sh - EC_PREFIX=ec - NOEC_PREFIX=noec - - if [ xx$FLAG = xx"enable_ecc" ]; then - if [ -f $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT -a \ - -f $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLAUTH -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLCOV -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLSTRESS -a \ - -f $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT ]; then - echo "noecc files exist" - else - echo "noecc files are missing" - echo "Saving files as noec" - cp $CERT_DIR/$CERT_SCRIPT $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT - cp $SMIME_DIR/$SMIME_SCRIPT $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT - cp $SSL_DIR/$SSLAUTH $SSL_DIR/$NOEC_PREFIX$SSLAUTH - cp $SSL_DIR/$SSLCOV $SSL_DIR/$NOEC_PREFIX$SSLCOV - cp $SSL_DIR/$SSL_SCRIPT $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT - cp $SSL_DIR/$SSLSTRESS $SSL_DIR/$NOEC_PREFIX$SSLSTRESS - cp $TOOLS_DIR/$TOOLS_SCRIPT $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT - fi - echo "Overwriting with ec versions" - cp $CERT_DIR/$EC_PREFIX$CERT_SCRIPT $CERT_DIR/$CERT_SCRIPT - cp $SMIME_DIR/$EC_PREFIX$SMIME_SCRIPT $SMIME_DIR/$SMIME_SCRIPT - cp $SSL_DIR/$EC_PREFIX$SSLAUTH $SSL_DIR/$SSLAUTH - cp $SSL_DIR/$EC_PREFIX$SSLCOV $SSL_DIR/$SSLCOV - cp $SSL_DIR/$EC_PREFIX$SSL_SCRIPT $SSL_DIR/$SSL_SCRIPT - cp $SSL_DIR/$EC_PREFIX$SSLSTRESS $SSL_DIR/$SSLSTRESS - cp $TOOLS_DIR/$EC_PREFIX$TOOLS_SCRIPT $TOOLS_DIR/$TOOLS_SCRIPT - elif [ xx$FLAG = xx"disable_ecc" ]; then - if [ -f $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT -a \ - -f $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLAUTH -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLCOV -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT -a \ - -f $SSL_DIR/$NOEC_PREFIX$SSLSTRESS -a \ - -f 
$TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT ]; then - echo "noecc files exist" - echo "Overwriting with noec versions" - cp $CERT_DIR/$NOEC_PREFIX$CERT_SCRIPT $CERT_DIR/$CERT_SCRIPT - cp $SMIME_DIR/$NOEC_PREFIX$SMIME_SCRIPT $SMIME_DIR/$SMIME_SCRIPT - cp $SSL_DIR/$NOEC_PREFIX$SSLAUTH $SSL_DIR/$SSLAUTH - cp $SSL_DIR/$NOEC_PREFIX$SSLCOV $SSL_DIR/$SSLCOV - cp $SSL_DIR/$NOEC_PREFIX$SSL_SCRIPT $SSL_DIR/$SSL_SCRIPT - cp $SSL_DIR/$NOEC_PREFIX$SSLSTRESS $SSL_DIR/$SSLSTRESS - cp $TOOLS_DIR/$NOEC_PREFIX$TOOLS_SCRIPT $TOOLS_DIR/$TOOLS_SCRIPT - else - echo "Already disabled." - fi - else - echo "Needs either \"enable_ecc\" or \"disable_ecc\" as argument." - fi -} - - -fix_test_scripts $1 diff --git a/security/nss/tests/smime/ecsmime.sh b/security/nss/tests/smime/ecsmime.sh deleted file mode 100644 index e94000bfa2da..000000000000 --- a/security/nss/tests/smime/ecsmime.sh +++ /dev/null 
@@ -1,260 +0,0 @@ -#! /bin/sh -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is the Netscape security libraries. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1994-2000 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. 
-# -# ***** END LICENSE BLOCK ***** - -######################################################################## -# -# mozilla/security/nss/tests/smime/smime.sh -# -# Script to test NSS smime -# -# needs to work on all Unix and Windows platforms -# -# special strings -# --------------- -# FIXME ... known problems, search for this string -# NOTE .... unexpected behavior -# -######################################################################## - -############################## smime_init ############################## -# local shell function to initialize this script -######################################################################## -smime_init() -{ - SCRIPTNAME=smime.sh # sourced - $0 would point to all.sh - - if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for - CLEANUP="${SCRIPTNAME}" # cleaning this script will do it - fi - - if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then - cd ../common - . ./init.sh - fi - if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here - cd ../cert - . ./cert.sh - fi - SCRIPTNAME=smime.sh - html_head "S/MIME Tests" - - grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || { - Exit 11 "Fatal - S/MIME of cert.sh needs to pass first" - } - - SMIMEDIR=${HOSTDIR}/smime - R_SMIMEDIR=../smime - mkdir -p ${SMIMEDIR} - cd ${SMIMEDIR} - cp ${QADIR}/smime/alice.txt ${SMIMEDIR} -} - - -############################## smime_main ############################## -# local shell function to test basic signed and enveloped messages -# from 1 --> 2" -######################################################################## -smime_main() -{ - - echo "$SCRIPTNAME: Signing Attached Message (ECDSA SHA1) ------------------" - echo "cmsutil -S -N Alice-ec -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.sig" - cmsutil -S -N Alice-ec -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.sig - html_msg $? 0 "Create Signature Alice (ECDSA SHA1)" "." 
- - echo "cmsutil -D -i alice-ec.sig -d ${P_R_BOBDIR} -o alice-ec.data1" - cmsutil -D -i alice-ec.sig -d ${P_R_BOBDIR} -o alice-ec.data1 - html_msg $? 0 "Decode Alice's Signature (ECDSA SHA1)" "." - - echo "diff alice.txt alice-ec.data1" - diff alice.txt alice-ec.data1 - html_msg $? 0 "Compare Decoded Signature and Original (ECDSA SHA1)" "." - - echo "$SCRIPTNAME: Signing Attached Message (SHA1) ------------------" - echo "cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig" - cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig - html_msg $? 0 "Create Signature Alice (SHA1)" "." - - echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1" - cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1 - html_msg $? 0 "Decode Alice's Signature (SHA1)" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Signature and Original (SHA1)" "." - - echo "$SCRIPTNAME: Signing Attached Message (SHA256) ------------------" - echo "cmsutil -S -N Alice -H SHA256 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig" - cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig - html_msg $? 0 "Create Signature Alice (SHA256)" "." - - echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1" - cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1 - html_msg $? 0 "Decode Alice's Signature (SHA256)" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Signature and Original (SHA256)" "." - - echo "$SCRIPTNAME: Signing Attached Message (SHA384) ------------------" - echo "cmsutil -S -N Alice -H SHA384 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig" - cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig - html_msg $? 0 "Create Signature Alice (SHA384)" "." - - echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1" - cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1 - html_msg $? 
0 "Decode Alice's Signature (SHA384)" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Signature and Original (SHA384)" "." - - echo "$SCRIPTNAME: Signing Attached Message (SHA512) ------------------" - echo "cmsutil -S -N Alice -H SHA512 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig" - cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig - html_msg $? 0 "Create Signature Alice (SHA512)" "." - - echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1" - cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1 - html_msg $? 0 "Decode Alice's Signature (SHA512)" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Signature and Original (SHA512)" "." - - echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------" - echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\" - echo " -o alice.env" - cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env - html_msg $? 0 "Create Enveloped Data Alice" "." - - echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1" - cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1 - html_msg $? 0 "Decode Enveloped Data Alice" "." - - echo "diff alice.txt alice.data1" - diff alice.txt alice.data1 - html_msg $? 0 "Compare Decoded Enveloped Data and Original" "." - - # multiple recip - echo "$SCRIPTNAME: Testing multiple recipients ------------------------------" - echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o alicecc.env \\" - echo " -r bob@bogus.com,dave@bogus.com" - cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \ - -r bob@bogus.com,dave@bogus.com - ret=$? - html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "." 
- if [ $ret != 0 ] ; then - echo "certutil -L -d ${P_R_ALICEDIR}" - certutil -L -d ${P_R_ALICEDIR} - echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com" - certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com - fi - - echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------" - echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o aliceve.env \\" - echo " -r eve@bogus.net" - cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \ - -r eve@bogus.net - ret=$? - html_msg $ret 0 "Encrypt to a Multiple Email cert" "." - - echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2" - cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2 - html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "." - - echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3" - cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3 - html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Dave" "." - - echo "cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4" - cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4 - html_msg $? 0 "Decrypt with a Multiple Email cert" "." - - diff alice.txt alice.data2 - html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Bob" "." - - diff alice.txt alice.data3 - html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Dave" "." - - diff alice.txt alice.data4 - html_msg $? 0 "Compare Decoded with Multiple Email cert" "." - - echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------" - echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\" - echo " -d ${P_R_ALICEDIR} > co.der" - cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der - html_msg $? 0 "Create Certs-Only Alice" "." - - echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}" - cmsutil -D -i co.der -d ${P_R_BOBDIR} - html_msg $? 0 "Verify Certs-Only by CA" "." 
- - echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------" - echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\" - echo " -r \"bob@bogus.com\" > alice.enc" - cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \ - -r "bob@bogus.com" > alice.enc - html_msg $? 0 "Create Encrypted-Data" "." - - echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\" - echo " -o alice.data2" - cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2 - html_msg $? 0 "Decode Encrypted-Data" "." - - diff alice.txt alice.data2 - html_msg $? 0 "Compare Decoded and Original Data" "." -} - -############################## smime_cleanup ########################### -# local shell function to finish this script (no exit since it might be -# sourced) -######################################################################## -smime_cleanup() -{ - html "
"
- cd ${QADIR}
- . common/cleanup.sh
-}
-
-################## main #################################################
-
-smime_init
-smime_main
-smime_cleanup
-
diff --git a/security/nss/tests/smime/smime.sh b/security/nss/tests/smime/smime.sh
index f8e2e6c8cab7..fbda8b02005c 100755
--- a/security/nss/tests/smime/smime.sh
+++ b/security/nss/tests/smime/smime.sh
@@ -21,6 +21,7 @@
 # the Initial Developer. All Rights Reserved.
 #
 # Contributor(s):
+# Dr Vipul Gupta , Sun Microsystems Laboratories
 #
 # Alternatively, the contents of this file may be used under the terms of
 # either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -71,7 +72,12 @@ smime_init()
 . ./cert.sh
 fi
 SCRIPTNAME=smime.sh
- html_head "S/MIME Tests"
+
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+ html_head "S/MIME Tests with ECC"
+ else
+ html_head "S/MIME Tests"
+ fi
 grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
 Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
@@ -110,6 +116,32 @@ smime_sign()
 echo "diff alice.txt alice.data.${HASH}"
 diff alice.txt alice.data.${HASH}
 html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "."
+
+# Test ECDSA signing for all hash algorithms.
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
+ echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
+ cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
+ html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
+
+ echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
+ cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
+ html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
+
+ echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
+ echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
+ cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
+ html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
+
+ echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
+ cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
+ html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
+
+ echo "diff alice.txt alice-ec.data.${HASH}"
+ diff alice.txt alice-ec.data.${HASH}
+ html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
+ fi
+
 }
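Review bot: The first echo of the new ECDSA branch interpolates `{$HASH}` rather than `${HASH}`, so the progress line prints a literal brace around the hash name (e.g. `{SHA1}`) instead of matching the `(ECDSA w/ ${HASH})` wording used in every html_msg label that follows; change it to `echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ ${HASH} ------------------"`. The gate `[ -n "$NSS_ENABLE_ECC" ]` treats any non-empty value as "enabled", which is the same presence test this commit adds to cert_init and smime_init, so it is consistent, but a one-line comment such as `# NSS_ENABLE_ECC is a presence flag: any non-empty value enables the ECC tests` above the `if` would save the next reader from assuming it is a boolean. The enclosing smime_sign function starts outside the hunk, so HASH, HASH_CMD and SIG are presumably set by the caller or earlier in the function; confirm that they are defined before this branch runs.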
@@ -146,7 +178,7 @@ smime_main()
 # multiple recip
 echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
- echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
+ echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
 echo " -r bob@bogus.com,dave@bogus.com"
 cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
 -r bob@bogus.com,dave@bogus.com
@@ -160,7 +192,7 @@ smime_main()
 fi
 echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
- echo "cmsutil -E -i alicecc.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
+ echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
 echo " -r eve@bogus.net"
 cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
 -r eve@bogus.net
diff --git a/security/nss/tests/ssl/ecssl.sh b/security/nss/tests/ssl/ecssl.sh
deleted file mode 100644
index 549c6b398304..000000000000
--- a/security/nss/tests/ssl/ecssl.sh
+++ /dev/null
@@ -1,350 +0,0 @@ -#! /bin/sh -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is the Netscape security libraries. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1994-2000 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# Dr Vipul Gupta , Sun Microsystems Laboratories -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. 
-# -# ***** END LICENSE BLOCK ***** - -######################################################################## -# -# mozilla/security/nss/tests/ssl/ecssl.sh -# -# Script to test NSS SSL -# -# needs to work on all Unix and Windows platforms -# -# special strings -# --------------- -# FIXME ... known problems, search for this string -# NOTE .... unexpected behavior -# -######################################################################## - -############################## ssl_init ################################ -# local shell function to initialize this script -######################################################################## -ssl_init() -{ - SCRIPTNAME=ssl.sh # sourced - $0 would point to all.sh - - if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for - CLEANUP="${SCRIPTNAME}" # cleaning this script will do it - fi - - if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then - cd ../common - . ./init.sh - fi - if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here - cd ../cert - . 
./cert.sh - fi - SCRIPTNAME=ssl.sh - echo "$SCRIPTNAME: SSL tests ===============================" - - grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || { - html_head "SSL Test failure" - Exit 8 "Fatal - SSL of cert.sh needs to pass first" - } - - PORT=${PORT-8443} - - # Test case files - SSLCOV=${QADIR}/ssl/sslcov.txt - SSLAUTH=${QADIR}/ssl/sslauth.txt - SSLSTRESS=${QADIR}/ssl/sslstress.txt - REQUEST_FILE=${QADIR}/ssl/sslreq.txt - - #temparary files - SERVEROUTFILE=${TMP}/tests_server.$$ - SERVERPID=${TMP}/tests_pid.$$ - - R_SERVERPID=../tests_pid.$$ - - TEMPFILES="$TMPFILES ${SERVEROUTFILE} ${SERVERPID}" - - fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't - #fileout=1 - #verbose="-v" #FIXME - see where this is usefull - - USER_NICKNAME=TestUser - NORM_EXT="" - - cd ${CLIENTDIR} -} - -########################### is_selfserv_alive ########################## -# local shell function to exit with a fatal error if selfserver is not -# running -######################################################################## -is_selfserv_alive() -{ - if [ ! -f "${SERVERPID}" ]; then - echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist" - sleep 5 - if [ ! 
-f "${SERVERPID}" ]; then - Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist" - fi - fi - PID=`cat ${SERVERPID}` - #if [ "${OS_ARCH}" = "Linux" ]; then - kill -0 $PID >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" - #else - #$PS -e | grep $PID >/dev/null || \ - #Exit 10 "Fatal - selfserv process not detectable" - #fi -} - -########################### wait_for_selfserv ########################## -# local shell function to wait until selfserver is running and initialized -######################################################################## -wait_for_selfserv() -{ - echo "tstclnt -p ${PORT} -h ${HOSTADDR} -q " - echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \\" - #echo "tstclnt -q started at `date`" - tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} - if [ $? -ne 0 ]; then - html_failed " Wait for Server " - echo "RETRY: tstclnt -p ${PORT} -h ${HOSTADDR} -q \\" - echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" - tstclnt -p ${PORT} -h ${HOSTADDR} -q -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} - elif [ sparam = "-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz" ] ; then # "$1" = "cov" ] ; then - html_passed " Wait for Server" - fi - is_selfserv_alive -} - -########################### kill_selfserv ############################## -# local shell function to kill the selfserver after the tests are done -######################################################################## -kill_selfserv() -{ - ${KILL} `cat ${SERVERPID}` - wait `cat ${SERVERPID}` - if [ ${fileout} -eq 1 ]; then - cat ${SERVEROUTFILE} - fi - # On Linux selfserv needs up to 30 seconds to fully die and free - # the port. Wait until the port is free. 
(Bug 129701) - if [ "${OS_ARCH}" = "Linux" ]; then - until selfserv -b -p ${PORT} 2>/dev/null; do - sleep 1 - done - fi - rm ${SERVERPID} -} - -########################### start_selfserv ############################# -# local shell function to start the selfserver with the parameters required -# for this test and log information (parameters, start time) -# also: wait until the server is up and running -######################################################################## -start_selfserv() -{ - if [ -n "$testname" ] ; then - echo "$SCRIPTNAME: $testname ----" - fi - sparam=`echo $sparam | sed -e 's;_; ;g'` - echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \\" - echo " -e ${HOSTADDR}-ec \\" - echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &" - echo "selfserv started at `date`" - if [ ${fileout} -eq 1 ]; then - selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \ - -e ${HOSTADDR}-ec \ - -w nss ${sparam} -i ${R_SERVERPID} $verbose \ - > ${SERVEROUTFILE} 2>&1 & - else - selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} \ - -e ${HOSTADDR}-ec \ - -w nss ${sparam} -i ${R_SERVERPID} $verbose & - fi - wait_for_selfserv -} - -############################## ssl_cov ################################# -# local shell function to perform SSL Cipher Coverage tests -######################################################################## -ssl_cov() -{ - html_head "SSL Cipher Coverage $NORM_EXT" - - testname="" - sparam="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz" - start_selfserv # Launch the server - - p="" - - while read tls param testname - do - p=`echo "$testname" | sed -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS - - if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then - echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - elif [ "$tls" != "#" ] ; then - echo "$SCRIPTNAME: running $testname ----------------------------" - TLS_FLAG=-T - 
if [ $tls = "TLS" ]; then - TLS_FLAG="" - fi - - is_selfserv_alive - echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} \\" - echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" - - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} -f \ - -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? - cat ${TMP}/$HOST.tmp.$$ - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - html_msg $ret 0 "${testname}" - fi - done < ${SSLCOV} - - kill_selfserv - html "
" -} - -############################## ssl_auth ################################ -# local shell function to perform SSL Client Authentication tests -######################################################################## -ssl_auth() -{ - html_head "SSL Client Authentication $NORM_EXT" - - while read value sparam cparam testname - do - if [ $value != "#" ]; then - cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` - start_selfserv - - echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} \\" - echo " ${cparam} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? - cat ${TMP}/$HOST.tmp.$$ - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - - html_msg $ret $value "${testname}" \ - "produced a returncode of $ret, expected is $value" - kill_selfserv - fi - done < ${SSLAUTH} - - html "
" -} - - -############################## ssl_stress ############################## -# local shell function to perform SSL stress test -######################################################################## -ssl_stress() -{ - html_head "SSL Stress Test $NORM_EXT" - - while read value sparam cparam testname - do - p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS - if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended test" ] ; then - echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - elif [ $value != "#" ]; then - cparam=`echo $cparam | sed -e 's;_; ;g'` - start_selfserv - if [ `uname -n` = "sjsu" ] ; then - echo "debugging disapering selfserv... ps -ef | grep selfserv" - ps -ef | grep selfserv - fi - - echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \\" - echo " $verbose ${HOSTADDR}" - echo "strsclnt started at `date`" - strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} -w nss $cparam \ - $verbose ${HOSTADDR} - ret=$? - echo "strsclnt completed at `date`" - html_msg $ret $value "${testname}" - if [ `uname -n` = "sjsu" ] ; then - echo "debugging disapering selfserv... ps -ef | grep selfserv" - ps -ef | grep selfserv - fi - kill_selfserv - fi - done < ${SSLSTRESS} - - html "
" -} - - -############################## ssl_cleanup ############################# -# local shell function to finish this script (no exit since it might be -# sourced) -######################################################################## -ssl_cleanup() -{ - rm $SERVERPID 2>/dev/null - cd ${QADIR} - . common/cleanup.sh -} - -################## main ################################################# - -#this script may be sourced from the distributed stress test - in this case do nothing... - -if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then - ssl_init - ssl_cov - ssl_auth - ssl_stress - - SERVERDIR=$EXT_SERVERDIR - CLIENTDIR=$EXT_CLIENTDIR - R_SERVERDIR=$R_EXT_SERVERDIR - R_CLIENTDIR=$R_EXT_CLIENTDIR - P_R_SERVERDIR=$P_R_EXT_SERVERDIR - P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR - USER_NICKNAME=ExtendedSSLUser - NORM_EXT="Extended test" - cd ${CLIENTDIR} - ssl_cov - ssl_auth - ssl_stress - ssl_cleanup -fi diff --git a/security/nss/tests/ssl/ecsslauth.txt b/security/nss/tests/ssl/ecsslauth.txt deleted file mode 100644 index 12a617fb1d2a..000000000000 --- a/security/nss/tests/ssl/ecsslauth.txt +++ /dev/null 
@@ -1,50 +0,0 @@ -# -# This file defines the tests for client auth. -# -# expected -# return server client Test Case name -# value params params -# ------ ------ ------ --------------- - 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth) - 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password) - 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth) - 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth) - 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password) - 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth) - 0 -r -T_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) - 0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) - 0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) - 254 -r_-r -T_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) - 254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) - 0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth) - 0 -r_-r_-r -w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) - 0 -r_-r_-r -w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) - 0 -r_-r_-r -w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) - 1 -r_-r_-r_-r -w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth) - 1 -r_-r_-r_-r -w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password) - 0 -r_-r_-r_-r -w_nss_-n_TestUser_ TLS Require client auth on 2nd hs (client auth) - 0 -r_-r_-r -T_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) - 0 -r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) - 0 -r_-r_-r -T_-n_TestUser_-w_nss SSL3 Request don't require client 
auth on 2nd hs (client auth) - 1 -r_-r_-r_-r -T_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) - 1 -r_-r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) - 0 -r_-r_-r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) -# -# Use EC cert for client authentication -# - 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password) - 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth) - 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password) - 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth) - 0 -r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password) - 0 -r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth) - 254 -r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password) - 0 -r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth) - 0 -r_-r_-r -w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password) - 0 -r_-r_-r -w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth) - 1 -r_-r_-r_-r -w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password) - 0 -r_-r_-r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth) - 0 -r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) - 0 -r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) - 1 -r_-r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password) - 0 -r_-r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) diff --git a/security/nss/tests/ssl/ecsslcov.txt b/security/nss/tests/ssl/ecsslcov.txt deleted file mode 100644 index 4242fdd1b294..000000000000 
--- a/security/nss/tests/ssl/ecsslcov.txt
+++ /dev/null
@@ -1,94 +0,0 @@ -# -# This file enables test coverage of the various SSL ciphers -# -# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We -# mix up the enable functions so we can tests boths paths. -# -# Enable Cipher Test Name -# TLS -# - noTLS A SSL2 RC4 128 WITH MD5 - TLS B SSL2 RC4 128 EXPORT40 WITH MD5 - TLS C SSL2 RC2 128 CBC WITH MD5 - noTLS D SSL2 RC2 128 CBC EXPORT40 WITH MD5 - TLS E SSL2 DES 64 CBC WITH MD5 - noTLS F SSL2 DES 192 EDE3 CBC WITH MD5 -# -# ECC ciphers (SSL3) -# - noTLS :C001 SSL3 ECDH ECDSA WITH NULL SHA - noTLS :C002 SSL3 ECDH ECDSA WITH RC4 128 SHA - noTLS :C003 SSL3 ECDH ECDSA WITH 3DES EDE CBC SHA - noTLS :C004 SSL3 ECDH ECDSA WITH AES 128 CBC SHA - noTLS :C005 SSL3 ECDH ECDSA WITH AES 256 CBC SHA - noTLS :C006 SSL3 ECDHE ECDSA WITH NULL SHA - noTLS :C007 SSL3 ECDHE ECDSA WITH RC4 128 SHA - noTLS :C008 SSL3 ECDHE ECDSA WITH 3DES EDE CBC SHA - noTLS :C009 SSL3 ECDHE ECDSA WITH AES 128 CBC SHA - noTLS :C00A SSL3 ECDHE ECDSA WITH AES 256 CBC SHA - noTLS :C00B SSL3 ECDH RSA WITH NULL SHA - noTLS :C00C SSL3 ECDH RSA WITH RC4 128 SHA - noTLS :C00D SSL3 ECDH RSA WITH 3DES EDE CBC SHA - noTLS :C00E SSL3 ECDH RSA WITH AES 128 CBC SHA - noTLS :C00F SSL3 ECDH RSA WITH AES 256 CBC SHA - noTLS :C010 SSL3 ECDHE RSA WITH NULL SHA - noTLS :C011 SSL3 ECDHE RSA WITH RC4 128 SHA - noTLS :C012 SSL3 ECDHE RSA WITH 3DES EDE CBC SHA - noTLS :C013 SSL3 ECDHE RSA WITH AES 128 CBC SHA - noTLS :C014 SSL3 ECDHE RSA WITH AES 256 CBC SHA -# -# ECC ciphers (TLS) -# - TLS :C001 TLS ECDH ECDSA WITH NULL SHA - TLS :C002 TLS ECDH ECDSA WITH RC4 128 SHA - TLS :C003 TLS ECDH ECDSA WITH 3DES EDE CBC SHA - TLS :C004 TLS ECDH ECDSA WITH AES 128 CBC SHA - TLS :C005 TLS ECDH ECDSA WITH AES 256 CBC SHA - TLS :C006 TLS ECDHE ECDSA WITH NULL SHA - TLS :C007 TLS ECDHE ECDSA WITH RC4 128 SHA - TLS :C008 TLS ECDHE ECDSA WITH 3DES EDE CBC SHA - TLS :C009 TLS ECDHE ECDSA WITH AES 128 CBC SHA - TLS :C00A TLS ECDHE ECDSA WITH AES 256 CBC SHA - TLS :C00B TLS ECDH RSA 
WITH NULL SHA - TLS :C00C TLS ECDH RSA WITH RC4 128 SHA - TLS :C00D TLS ECDH RSA WITH 3DES EDE CBC SHA - TLS :C00E TLS ECDH RSA WITH AES 128 CBC SHA - TLS :C00F TLS ECDH RSA WITH AES 256 CBC SHA - TLS :C010 TLS ECDHE RSA WITH NULL SHA - TLS :C011 TLS ECDHE RSA WITH RC4 128 SHA - TLS :C012 TLS ECDHE RSA WITH 3DES EDE CBC SHA - TLS :C013 TLS ECDHE RSA WITH AES 128 CBC SHA - TLS :C014 TLS ECDHE RSA WITH AES 256 CBC SHA -# -# noTLS a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA -# noTLS b SSL3 FORTEZZA DMS WITH RC4 128 SHA - noTLS c SSL3 RSA WITH RC4 128 MD5 - noTLS d SSL3 RSA WITH 3DES EDE CBC SHA - noTLS e SSL3 RSA WITH DES CBC SHA - noTLS f SSL3 RSA EXPORT WITH RC4 40 MD5 - noTLS g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5 -# noTLS h SSL3 FORTEZZA DMS WITH NULL SHA - noTLS i SSL3 RSA WITH NULL MD5 - noTLS j SSL3 RSA FIPS WITH 3DES EDE CBC SHA - noTLS k SSL3 RSA FIPS WITH DES CBC SHA - noTLS l SSL3 RSA EXPORT WITH DES CBC SHA (new) - noTLS m SSL3 RSA EXPORT WITH RC4 56 SHA (new) - noTLS n SSL3 RSA WITH RC4 128 SHA - noTLS v SSL3 RSA WITH AES 128 CBC SHA - noTLS y SSL3 RSA WITH AES 256 CBC SHA - noTLS z SSL3 RSA WITH NULL SHA -# - TLS c TLS RSA WITH RC4 128 MD5 - TLS d TLS RSA WITH 3DES EDE CBC SHA - TLS e TLS RSA WITH DES CBC SHA - TLS f TLS RSA EXPORT WITH RC4 40 MD5 - TLS g TLS RSA EXPORT WITH RC2 CBC 40 MD5 - TLS i TLS RSA WITH NULL MD5 - TLS j TLS RSA FIPS WITH 3DES EDE CBC SHA - TLS k TLS RSA FIPS WITH DES CBC SHA - TLS l TLS RSA EXPORT WITH DES CBC SHA (new) - TLS m TLS RSA EXPORT WITH RC4 56 SHA (new) - TLS n TLS RSA WITH RC4 128 SHA - TLS v TLS RSA WITH AES 128 CBC SHA - TLS y TLS RSA WITH AES 256 CBC SHA - TLS z TLS RSA WITH NULL SHA diff --git a/security/nss/tests/ssl/ecsslstress.txt b/security/nss/tests/ssl/ecsslstress.txt deleted file mode 100644 index b82c862109ae..000000000000 --- a/security/nss/tests/ssl/ecsslstress.txt +++ /dev/null 
@@ -1,25 +0,0 @@ -# -# This file defines the tests for client auth. -# -# expected -# return server client Test Case name -# value params params -# ------ ------ ------ --------------- - 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5 - 0 _ -c_1000_-C_c_-T Stress SSL3 RC4 128 with MD5 - 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 -# -# ECC ciphers -# XXX Session reuse does not seem to work for ECDH-ECDSA, ECDHE-ECDSA ciphers -# but works ok for ECDHE-RSA ciphers. With session reuse turned off -# setting up 1000 connections would take too long so use only 10 connections -# - 0 -c_:C009 -c_10_-C_:C009_-N_-T Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse) - 0 -c_:C013 -c_100_-C_:C013_-T Stress SSL3 ECDHE-RSA AES 128 CBC with SHA - 0 -c_:C004 -c_10_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) - 0 -c_:C00E -c_10_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) - 0 -c_:C013 -c_100_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA -# -# add client auth versions here... -# -# 0 -r -w_bogus_-n_"Test_User" TLS Request don't require client auth (bad password) diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index 6b47d5544067..2e4051889648 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh @@ -21,6 +21,7 @@ # the Initial Developer. All Rights Reserved. # # Contributor(s): +# Dr Vipul Gupta , Sun Microsystems Laboratories # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or @@ -102,6 +103,12 @@ ssl_init() USER_NICKNAME=TestUser NORM_EXT="" + if [ -n "$NSS_ENABLE_ECC" ] ; then + ECC_STRING=" - with ECC" + else + ECC_STRING="" + fi + cd ${CLIENTDIR} } 
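Review bot: The `-n "$NSS_ENABLE_ECC"` test added to ssl_init here is repeated in start_selfserv and in ssl_cov in later hunks, each deriving its own global from it (ECC_STRING here, ECC_OPTIONS and the default sparam there). Since ssl_init already branches on the variable, setting `ECC_OPTIONS="-e ${HOSTADDR}-ec"` next to `ECC_STRING` in this block would keep the ECC switch in one place, provided HOSTADDR is already set when ssl_init runs. ssl_init's body starts before this hunk.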
@@ -147,7 +154,7 @@ wait_for_selfserv() echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} - elif [ sparam = "-c ABCDEFcdefgijklmnvyz" ] ; then # "$1" = "cov" ] ; then + elif [ "$sparam" = "$CSHORT" -o "$sparam" = "$CLONG" ] ; then html_passed " Wait for Server" fi is_selfserv_alive @@ -189,16 +196,21 @@ start_selfserv() echo "$SCRIPTNAME: $testname ----" fi sparam=`echo $sparam | sed -e 's;_; ;g'` + if [ -n "$NSS_ENABLE_ECC" ] ; then + ECC_OPTIONS="-e ${HOSTADDR}-ec" + else + ECC_OPTIONS="" + fi echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" - echo " -w nss ${sparam} -i ${R_SERVERPID} $verbose &" + echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &" echo "selfserv started at `date`" if [ ${fileout} -eq 1 ]; then selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - -w nss ${sparam} -i ${R_SERVERPID} $verbose \ + ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \ > ${SERVEROUTFILE} 2>&1 & else selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ - -w nss ${sparam} -i ${R_SERVERPID} $verbose & + ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose & fi # The PID $! returned by the MKS or Cygwin shell is not the PID of # the real background process, but rather the PID of a helper 
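Review bot: The rewritten `elif` in wait_for_selfserv compares `$sparam` against `$CSHORT` and `$CLONG`, two globals that are only assigned in the main section at the very end of the file, and nothing near the test says so; because the old line compared the literal word `sparam` and could never match, this branch is effectively new code. A one-line comment would save the next reader a search: `# CSHORT/CLONG are the cipher lists assigned in the main section at the bottom of this file`. The `-o` inside `[` is also the deprecated form; `[ "$sparam" = "$CSHORT" ] || [ "$sparam" = "$CLONG" ]` is the portable equivalent. wait_for_selfserv starts before this hunk.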
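Review bot: `${ECC_OPTIONS}` is deliberately left unquoted on the three selfserv lines so that `-e ${HOSTADDR}-ec` splits into two arguments (or into nothing when it is empty), but nothing marks that intent, and it only works while HOSTADDR contains no whitespace. Please add a comment at the assignment, which is also where a reader will look for the ECC switch: `# ECC_OPTIONS is intentionally unquoted: it expands to "-e <nick>" (two words) or to nothing`. start_selfserv continues outside this hunk.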
@@ -221,24 +233,30 @@ start_selfserv() ######################################################################## ssl_cov() { - html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING" + html_head "SSL Cipher Coverage $NORM_EXT - $BYPASS_STRING $ECC_STRING" testname="" - sparam="-c ABCDEFcdefgijklmnvyz" + if [ -n "$NSS_ENABLE_ECC" ] ; then + sparam="$CLONG" + else + sparam="$CSHORT" + fi start_selfserv # Launch the server p="" - while read tls param testname + while read ectype tls param testname do p=`echo "$testname" | sed -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - elif [ "$tls" != "#" ] ; then + elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" != "#" ] ; then echo "$SCRIPTNAME: running $testname ----------------------------" TLS_FLAG=-T - if [ $tls = "TLS" ]; then + if [ "$tls" = "TLS" ]; then TLS_FLAG="" fi @@ -266,11 +284,13 @@ ssl_cov() ######################################################################## ssl_auth() { - html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING" + html_head "SSL Client Authentication $NORM_EXT - $BYPASS_STRING $ECC_STRING" - while read value sparam cparam testname + while read ectype value sparam cparam testname do - if [ $value != "#" ]; then + if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" != "#" ]; then cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` start_selfserv 
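Review bot: The new `ectype` column is only ever checked for the values `ECC` and `#`: in ssl_cov here, and in ssl_auth, ssl_stress and ssl_crl_ssl in the following hunks, a row whose first token is anything else (a misspelled `noECC`, or an old-format row whose first field is still a return value) falls through to the run branch and is executed as a non-ECC test with shifted fields. Inserting `elif [ "$ectype" != "#" -a "$ectype" != "ECC" -a "$ectype" != "noECC" ] ; then` followed by `echo "$SCRIPTNAME: unknown ECC flag '$ectype' in $testname"` ahead of the run branch would make format drift between ssl.sh and the .txt tables visible instead of producing misleading pass/fail lines. The ssl_crl_cache loop later in the patch has the same shape but no `#` check at all.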
@@ -299,17 +319,19 @@ ssl_auth() ######################################################################## ssl_stress() { - html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING" + html_head "SSL Stress Test $NORM_EXT - $BYPASS_STRING $ECC_STRING" - while read value sparam cparam testname + while read ectype value sparam cparam testname do p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"` #sonmi, only run extended test on SSL3 and TLS if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then echo "$SCRIPTNAME: skipping $testname for $NORM_EXT" - elif [ $value != "#" ]; then + elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" != "#" ]; then cparam=`echo $cparam | sed -e 's;_; ;g'` start_selfserv - if [ `uname -n` = "sjsu" ] ; then + if [ "`uname -n`" = "sjsu" ] ; then echo "debugging disapering selfserv... ps -ef | grep selfserv" ps -ef | grep selfserv fi @@ -322,7 +344,7 @@ ssl_stress() ret=$? echo "strsclnt completed at `date`" html_msg $ret $value "${testname}" - if [ `uname -n` = "sjsu" ] ; then + if [ "`uname -n`" = "sjsu" ] ; then echo "debugging disapering selfserv... ps -ef | grep selfserv" ps -ef | grep selfserv fi @@ -339,7 +361,7 @@ ssl_stress() ssl_crl_ssl() { - html_head "CRL SSL Client Tests $NORM_EXT" + html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING" # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it. # Cert number $UNREVOKED_CERT_GRP_1 was not revoked 
@@ -347,9 +369,11 @@ ssl_crl_ssl() CRL_GROUP_RANGE=$CRL_GRP_1_RANGE UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1 - while read value sparam cparam testname + while read ectype value sparam cparam testname do - if [ $value != "#" ]; then + if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + elif [ "$ectype" != "#" ]; then servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` pwd=`echo $cparam | grep nss` user=`echo $cparam | grep TestUser` @@ -443,6 +467,7 @@ is_revoked() { load_group_crl() { group=$1 + ectype=$2 OUTFILE_TMP=${TMP}/$HOST.tmp.$$ grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}` @@ -454,6 +479,15 @@ load_group_crl() { return 1; fi + # Add -ec suffix for ECC + if [ "$ectype" = "ECC" ] ; then + ecsuffix="-ec" + eccomment="ECC " + else + ecsuffix="" + eccomment="" + fi + if [ "$RELOAD_CRL" != "" ]; then if [ $group -eq 1 ]; then echo "==================== Resetting to group 1 crl ===================" 
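Review bot: `ecsuffix` and `eccomment` are assigned as globals inside load_group_crl, and the ssl_crl_cache hunk later in this patch reads `${eccomment}` after the call returns, so they are part of the function's contract rather than scratch state; a comment at the assignment should say so, e.g. `# ecsuffix/eccomment are globals on purpose: ssl_crl_cache reads eccomment after we return`. `ectype=$2` is also unset when the function is called with a single argument, which silently selects the non-ECC names; that is presumably intended for the existing callers but deserves a word in the function's header comment. load_group_crl's body continues beyond this hunk.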
@@ -461,18 +495,18 @@ load_group_crl() { start_selfserv is_selfserv_alive fi - echo "================= Reloading CRL for group $grpBegin - $grpEnd =============" + echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd =============" echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" - echo " -w nss -n TestUser${UNREVOKED_CERT_GRP_1}" + echo " -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" echo "Request:" - echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}" + echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" echo "" echo "RELOAD time $i" tstclnt -p ${PORT} -h ${HOSTADDR} -f \ - -d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1} \ - <<_EOF_REQUEST_ >${OUTFILE_TMP} 2>&1 -GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd} + -d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ + >${OUTFILE_TMP} 2>&1 <<_EOF_REQUEST_ +GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} _EOF_REQUEST_ cat ${OUTFILE_TMP} @@ -485,11 +519,12 @@ _EOF_REQUEST_ echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv =====" kill_selfserv - CU_ACTION="Importing CRL for groups $grpBegin - $grpEnd" - crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd} \ + CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd" + crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \ -p ../tests.pw.928 ret=$? if [ "$ret" -eq 0 ]; then + html_passed " ${CU_ACTION}" return 1 fi start_selfserv @@ -502,7 +537,7 @@ _EOF_REQUEST_ ssl_crl_cache() { - html_head "Cache CRL SSL Client Tests $NORM_EXT" + html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING" SSLAUTH_TMP=${TMP}/authin.tl.tmp SERV_ARG=-r_-r rm -f ${SSLAUTH_TMP} 
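Review bot: The added `html_passed` sits in the branch that returns 1 immediately after `kill_selfserv`, so on a successful `crlu -I` import the function records success, skips the `start_selfserv` two lines below, and returns 1 to the caller, while the echo just above promises "restarting selfserv". If this is intentional (callers restart the server themselves and read crlu's status through the global `ret`), please document it at the return, e.g. `# success: leave selfserv down, caller restarts it; crlu status is in the global ret`; if not, the `html_passed` and `return` belong on the failure arm. load_group_crl starts before this hunk.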
@@ -514,82 +549,89 @@ ssl_crl_cache() do sparam=$SERV_ARG start_selfserv - while read value sparam cparam testname + while read ectype value sparam cparam testname do - servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` - pwd=`echo $cparam | grep nss` - user=`echo $cparam | grep TestUser` - _cparam=$cparam - case $servarg in - 1) if [ -z "$pwd" -o -z "$user" ]; then - rev_modvalue=0 - else - rev_modvalue=254 - fi - ;; - 2) rev_modvalue=254 ;; + if [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + else + servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'` + pwd=`echo $cparam | grep nss` + user=`echo $cparam | grep TestUser` + _cparam=$cparam + case $servarg in + 1) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=254 + fi + ;; + 2) rev_modvalue=254 ;; - 3) if [ -z "$pwd" -o -z "$user" ]; then - rev_modvalue=0 - else - rev_modvalue=1 - fi - ;; - 4) rev_modvalue=1 ;; - esac - TEMP_NUM=0 - LOADED_GRP=1 - while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] - do - while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] + 3) if [ -z "$pwd" -o -z "$user" ]; then + rev_modvalue=0 + else + rev_modvalue=1 + fi + ;; + 4) rev_modvalue=1 ;; + esac + TEMP_NUM=0 + LOADED_GRP=1 + while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ] do - CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` - TEMP_NUM=`expr $TEMP_NUM + 1` - USER_NICKNAME="TestUser${CURR_SER_NUM}" - cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` - - echo "Server Args: $SERV_ARG" - echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" - echo " ${cparam} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${R_CLIENTDIR} < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? - cat ${TMP}/$HOST.tmp.$$ - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - is_revoked ${CURR_SER_NUM} ${LOADED_GRP} - isRevoked=$? 
- if [ $isRevoked -eq 0 ]; then - modvalue=$rev_modvalue - testAddMsg="revoked" - else - modvalue=$value - testAddMsg="not revoked" - fi - - is_selfserv_alive - ss_status=$? - if [ "$ss_status" -ne 0 ]; then - html_msg $ret $modvalue \ - "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ - "produced a returncode of $ret, expected is $modvalue. " \ - "selfserv is not alive!" - else - html_msg $ret $modvalue \ - "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ - "produced a returncode of $ret, expected is $modvalue" + while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ] + do + CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}` + TEMP_NUM=`expr $TEMP_NUM + 1` + USER_NICKNAME="TestUser${CURR_SER_NUM}" + cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" ` + + echo "Server Args: $SERV_ARG" + echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + is_revoked ${CURR_SER_NUM} ${LOADED_GRP} + isRevoked=$? + if [ $isRevoked -eq 0 ]; then + modvalue=$rev_modvalue + testAddMsg="revoked" + else + modvalue=$value + testAddMsg="not revoked" + fi + + is_selfserv_alive + ss_status=$? + if [ "$ss_status" -ne 0 ]; then + html_msg $ret $modvalue \ + "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue. " \ + "selfserv is not alive!" 
+ else + html_msg $ret $modvalue \ + "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \ + "produced a returncode of $ret, expected is $modvalue" + fi + done + LOADED_GRP=`expr $LOADED_GRP + 1` + TEMP_NUM=0 + if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then + load_group_crl $LOADED_GRP $ectype + html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \ + "produced a returncode of $ret, expected is 0" fi done - LOADED_GRP=`expr $LOADED_GRP + 1` - TEMP_NUM=0 - if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then - load_group_crl $LOADED_GRP - html_msg $ret 0 "Load group $LOADED_GRP crl " \ - "produced a returncode of $ret, expected is 0" - fi - done - load_group_crl 1 + # Restart selfserv to roll back to two initial group 1 crls + # TestCA CRL and TestCA-ec CRL + kill_selfserv + start_selfserv + fi done < ${SSLAUTH_TMP} kill_selfserv SERV_ARG="${SERV_ARG}_-r" @@ -637,7 +679,7 @@ ssl_run() ssl_auth ssl_stress - # the next round off ssl tests will only run if these vars are reset + # the next round of ssl tests will only run if these vars are reset SERVERDIR=$ORIG_SERVERDIR CLIENTDIR=$ORIG_CLIENTDIR R_SERVERDIR=$ORIG_R_SERVERDIR @@ -647,13 +689,15 @@ ssl_run() USER_NICKNAME=TestUser NORM_EXT= cd ${QADIR}/ssl - ssl_cleanup } ################## main ################################################# #this script may be sourced from the distributed stress test - in this case do nothing... +CSHORT="-c ABCDEFcdefgijklmnvyz" +CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz" + if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then ssl_init @@ -668,7 +712,6 @@ if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then ssl_crl_ssl ssl_crl_cache - ssl_cleanup # Test all combinations of server bypass and client bypass CLIENT_OPTIONS="-B -s" @@ -680,4 +723,5 @@ if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then BYPASS_STRING="Server Bypass" ssl_run + ssl_cleanup fi 
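Review bot: In the re-indented inner loop, `html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl "` reads `$ret` right after `load_group_crl $LOADED_GRP $ectype`, but the function's return status is discarded and `ret` is whatever global the callee last assigned (on paths that assign nothing it appears to still be the status of the preceding tstclnt call); `eccomment` likewise arrives as a side effect of that call. Both dependencies predate this patch, but the rewrite is the moment to name them: `# load_group_crl leaves crlu's status in the global ret and the label in eccomment`. Replacing `load_group_crl 1` with `kill_selfserv; start_selfserv` also assumes the CRL state being rolled back lives in the server's cache rather than its database; if load_group_crl takes the `crlu -I` path here, the imported CRLs survive the restart, so a comment stating which path ssl_crl_cache relies on (RELOAD_CRL set or not) would help. Unlike the other loops in this patch, this one has no `#` guard on `ectype`, which is fine only if ${SSLAUTH_TMP} never contains comment lines.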
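Review bot: `CLONG` hard-codes the list of ECC suites (`:C001` through `:C014`) that selfserv is started with, and the ECC rows of sslcov.txt have to stay within that list or those coverage tests fail on the server side rather than where the row expects; `CSHORT`/`CLONG` are also what wait_for_selfserv compares `$sparam` against. Neither relationship is stated where the constants live, so please add `# CLONG must include every :Cxxx suite used by the ECC rows of sslcov.txt; wait_for_selfserv compares sparam against these`, and since nothing visible reassigns them they can be declared `readonly`.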
diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt
index c150e1090724..deb30c3b6803 100644
--- a/security/nss/tests/ssl/sslauth.txt
+++ b/security/nss/tests/ssl/sslauth.txt
@@ -1,31 +1,50 @@ # # This file defines the tests for client auth. # -# expected -# return server client Test Case name -# value params params -# ------ ------ ------ --------------- - 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth) - 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password) - 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth) - 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth) - 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password) - 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth) - 0 -r -T_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) - 0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) - 0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) - 254 -r_-r -T_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) - 254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) - 0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth) - 0 -r_-r_-r -w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) - 0 -r_-r_-r -w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) - 0 -r_-r_-r -w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) - 1 -r_-r_-r_-r -w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth) - 1 -r_-r_-r_-r -w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password) - 0 -r_-r_-r_-r -w_nss_-n_TestUser_ TLS Require client auth on 2nd hs (client auth) - 0 -r_-r_-r -T_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) - 0 -r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) - 0 -r_-r_-r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth 
on 2nd hs (client auth) - 1 -r_-r_-r_-r -T_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) - 1 -r_-r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) - 0 -r_-r_-r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) +# expected +# Enable return server client Test Case name +# ECC value params params +# ------- ------ ------ ------ --------------- + noECC 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth) + noECC 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password) + noECC 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth) + noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth) + noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password) + noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth) + noECC 0 -r -T_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth) + noECC 0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password) + noECC 0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth) + noECC 254 -r_-r -T_-w_nss_-n_none SSL3 Require client auth (client does not provide auth) + noECC 254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password) + noECC 0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth) + noECC 0 -r_-r_-r -w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -w_nss_-n_none TLS Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -w_bogus_-n_TestUser TLS Require client auth on 2nd hs (bad password) + noECC 0 
-r_-r_-r_-r -w_nss_-n_TestUser_ TLS Require client auth on 2nd hs (client auth) + noECC 0 -r_-r_-r -T_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth) + noECC 0 -r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) + noECC 1 -r_-r_-r_-r -T_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth) + noECC 1 -r_-r_-r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password) + noECC 0 -r_-r_-r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth) +# +# Use EC cert for client authentication +# + ECC 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password) + ECC 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth) + ECC 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password) + ECC 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth) + ECC 0 -r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password) + ECC 0 -r -T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth) + ECC 254 -r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password) + ECC 0 -r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth) + ECC 0 -r_-r_-r -w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r -w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -w_bogus_-n_TestUser-ec TLS Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth on 2nd hs (EC) (client auth) + ECC 0 -r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r 
-T_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -T_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -T_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt index 52cbae7f5e9b..7399886456fd 100644 --- a/security/nss/tests/ssl/sslcov.txt +++ b/security/nss/tests/ssl/sslcov.txt 
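Review bot: The new header explains the `Enable ECC` column only by name; the behaviour that matters to someone editing this table lives in ssl.sh: rows tagged `ECC` are skipped unless NSS_ENABLE_ECC is set, rows tagged `noECC` always run, and any other token is not rejected. A comment line such as `# ECC rows run only when NSS_ENABLE_ECC is set; noECC rows always run (see ssl_auth in ssl.sh)` would make the file self-describing. The EC block also has no `-n_none` (client presents no certificate) variants, unlike the noECC block; that is reasonable if the point is the EC certificate itself, but worth a word in the `Use EC cert` comment.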
@@ -4,45 +4,91 @@
 # NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We
 # mix up the enable functions so we can tests boths paths.
 #
-# Enable Cipher Test Name
-# TLS
+# Enable Enable Cipher Test Name
+# EC TLS
 #
- noTLS A SSL2 RC4 128 WITH MD5
- TLS B SSL2 RC4 128 EXPORT40 WITH MD5
- TLS C SSL2 RC2 128 CBC WITH MD5
- noTLS D SSL2 RC2 128 CBC EXPORT40 WITH MD5
- TLS E SSL2 DES 64 CBC WITH MD5
- noTLS F SSL2 DES 192 EDE3 CBC WITH MD5
+ noECC noTLS A SSL2 RC4 128 WITH MD5
+ noECC TLS B SSL2 RC4 128 EXPORT40 WITH MD5
+ noECC TLS C SSL2 RC2 128 CBC WITH MD5
+ noECC noTLS D SSL2 RC2 128 CBC EXPORT40 WITH MD5
+ noECC TLS E SSL2 DES 64 CBC WITH MD5
+ noECC noTLS F SSL2 DES 192 EDE3 CBC WITH MD5
 #
-# noTLS a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA
-# noTLS b SSL3 FORTEZZA DMS WITH RC4 128 SHA
- noTLS c SSL3 RSA WITH RC4 128 MD5
- noTLS d SSL3 RSA WITH 3DES EDE CBC SHA
- noTLS e SSL3 RSA WITH DES CBC SHA
- noTLS f SSL3 RSA EXPORT WITH RC4 40 MD5
- noTLS g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5
-# noTLS h SSL3 FORTEZZA DMS WITH NULL SHA
- noTLS i SSL3 RSA WITH NULL MD5
- noTLS j SSL3 RSA FIPS WITH 3DES EDE CBC SHA
- noTLS k SSL3 RSA FIPS WITH DES CBC SHA
- noTLS l SSL3 RSA EXPORT WITH DES CBC SHA (new)
- noTLS m SSL3 RSA EXPORT WITH RC4 56 SHA (new)
- noTLS n SSL3 RSA WITH RC4 128 SHA
- noTLS v SSL3 RSA WITH AES 128 CBC SHA
- noTLS y SSL3 RSA WITH AES 256 CBC SHA
- noTLS z SSL3 RSA WITH NULL SHA
+# noECC noTLS a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA
+# noECC noTLS b SSL3 FORTEZZA DMS WITH RC4 128 SHA
+ noECC noTLS c SSL3 RSA WITH RC4 128 MD5
+ noECC noTLS d SSL3 RSA WITH 3DES EDE CBC SHA
+ noECC noTLS e SSL3 RSA WITH DES CBC SHA
+ noECC noTLS f SSL3 RSA EXPORT WITH RC4 40 MD5
+ noECC noTLS g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5
+# noECC noTLS h SSL3 FORTEZZA DMS WITH NULL SHA
+ noECC noTLS i SSL3 RSA WITH NULL MD5
+ noECC noTLS j SSL3 RSA FIPS WITH 3DES EDE CBC SHA
+ noECC noTLS k SSL3 RSA FIPS WITH DES CBC SHA
+ noECC noTLS l SSL3 RSA EXPORT WITH DES CBC SHA (new)
+ noECC noTLS m SSL3 RSA EXPORT WITH RC4 56 SHA (new)
+ noECC noTLS n SSL3 RSA WITH RC4 128 SHA
+ noECC noTLS v SSL3 RSA WITH AES 128 CBC SHA
+ noECC noTLS y SSL3 RSA WITH AES 256 CBC SHA
+ noECC noTLS z SSL3 RSA WITH NULL SHA
 #
- TLS c TLS RSA WITH RC4 128 MD5
- TLS d TLS RSA WITH 3DES EDE CBC SHA
- TLS e TLS RSA WITH DES CBC SHA
- TLS f TLS RSA EXPORT WITH RC4 40 MD5
- TLS g TLS RSA EXPORT WITH RC2 CBC 40 MD5
- TLS i TLS RSA WITH NULL MD5
- TLS j TLS RSA FIPS WITH 3DES EDE CBC SHA
- TLS k TLS RSA FIPS WITH DES CBC SHA
- TLS l TLS RSA EXPORT WITH DES CBC SHA (new)
- TLS m TLS RSA EXPORT WITH RC4 56 SHA (new)
- TLS n TLS RSA WITH RC4 128 SHA
- TLS v TLS RSA WITH AES 128 CBC SHA
- TLS y TLS RSA WITH AES 256 CBC SHA
- TLS z TLS RSA WITH NULL SHA
+ noECC TLS c TLS RSA WITH RC4 128 MD5
+ noECC TLS d TLS RSA WITH 3DES EDE CBC SHA
+ noECC TLS e TLS RSA WITH DES CBC SHA
+ noECC TLS f TLS RSA EXPORT WITH RC4 40 MD5
+ noECC TLS g TLS RSA EXPORT WITH RC2 CBC 40 MD5
+ noECC TLS i TLS RSA WITH NULL MD5
+ noECC TLS j TLS RSA FIPS WITH 3DES EDE CBC SHA
+ noECC TLS k TLS RSA FIPS WITH DES CBC SHA
+ noECC TLS l TLS RSA EXPORT WITH DES CBC SHA (new)
+ noECC TLS m TLS RSA EXPORT WITH RC4 56 SHA (new)
+ noECC TLS n TLS RSA WITH RC4 128 SHA
+ noECC TLS v TLS RSA WITH AES 128 CBC SHA
+ noECC TLS y TLS RSA WITH AES 256 CBC SHA
+ noECC TLS z TLS RSA WITH NULL SHA
+#
+# ECC ciphers (SSL3)
+#
+ ECC noTLS :C001 SSL3 ECDH ECDSA WITH NULL SHA
+ ECC noTLS :C002 SSL3 ECDH ECDSA WITH RC4 128 SHA
+ ECC noTLS :C003 SSL3 ECDH ECDSA WITH 3DES EDE CBC SHA
+ ECC noTLS :C004 SSL3 ECDH ECDSA WITH AES 128 CBC SHA
+ ECC noTLS :C005 SSL3 ECDH ECDSA WITH AES 256 CBC SHA
+ ECC noTLS :C006 SSL3 ECDHE ECDSA WITH NULL SHA
+ ECC noTLS :C007 SSL3 ECDHE ECDSA WITH RC4 128 SHA
+ ECC noTLS :C008 SSL3 ECDHE ECDSA WITH 3DES EDE CBC SHA
+ ECC noTLS :C009 SSL3 ECDHE ECDSA WITH AES 128 CBC SHA
+ ECC noTLS :C00A SSL3 ECDHE ECDSA WITH AES 256 CBC SHA
+ ECC noTLS :C00B SSL3 ECDH RSA WITH NULL SHA
+ ECC noTLS :C00C SSL3 ECDH RSA WITH RC4 128 SHA
+ ECC noTLS :C00D SSL3 ECDH RSA WITH 3DES EDE CBC SHA
+ ECC noTLS :C00E SSL3 ECDH RSA WITH AES 128 CBC SHA
+ ECC noTLS :C00F SSL3 ECDH RSA WITH AES 256 CBC SHA
+ ECC noTLS :C010 SSL3 ECDHE RSA WITH NULL SHA
+ ECC noTLS :C011 SSL3 ECDHE RSA WITH RC4 128 SHA
+ ECC noTLS :C012 SSL3 ECDHE RSA WITH 3DES EDE CBC SHA
+ ECC noTLS :C013 SSL3 ECDHE RSA WITH AES 128 CBC SHA
+ ECC noTLS :C014 SSL3 ECDHE RSA WITH AES 256 CBC SHA
+#
+# ECC ciphers (TLS)
+#
+ ECC TLS :C001 TLS ECDH ECDSA WITH NULL SHA
+ ECC TLS :C002 TLS ECDH ECDSA WITH RC4 128 SHA
+ ECC TLS :C003 TLS ECDH ECDSA WITH 3DES EDE CBC SHA
+ ECC TLS :C004 TLS ECDH ECDSA WITH AES 128 CBC SHA
+ ECC TLS :C005 TLS ECDH ECDSA WITH AES 256 CBC SHA
+ ECC TLS :C006 TLS ECDHE ECDSA WITH NULL SHA
+ ECC TLS :C007 TLS ECDHE ECDSA WITH RC4 128 SHA
+ ECC TLS :C008 TLS ECDHE ECDSA WITH 3DES EDE CBC SHA
+ ECC TLS :C009 TLS ECDHE ECDSA WITH AES 128 CBC SHA
+ ECC TLS :C00A TLS ECDHE ECDSA WITH AES 256 CBC SHA
+ ECC TLS :C00B TLS ECDH RSA WITH NULL SHA
+ ECC TLS :C00C TLS ECDH RSA WITH RC4 128 SHA
+ ECC TLS :C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
+ ECC TLS :C00E TLS ECDH RSA WITH AES 128 CBC SHA
+ ECC TLS :C00F TLS ECDH RSA WITH AES 256 CBC SHA
+ ECC TLS :C010 TLS ECDHE RSA WITH NULL SHA
+ ECC TLS :C011 TLS ECDHE RSA WITH RC4 128 SHA
+ ECC TLS :C012 TLS ECDHE RSA WITH 3DES EDE CBC SHA
+ ECC TLS :C013 TLS ECDHE RSA WITH AES 128 CBC SHA
+ ECC TLS :C014 TLS ECDHE RSA WITH AES 256 CBC SHA
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
index 253faa48e518..64c1b3d441fa 100644
--- a/security/nss/tests/ssl/sslstress.txt
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -1,14 +1,29 @@
 #
-# This file defines the tests for client auth.
+# This file defines the stress tests for ssl/tls
 #
-# expected
-# return server client Test Case name
-# value params params
-# ------ ------ ------ ---------------
- 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
- 0 _ -c_1000_-C_c_-T Stress SSL3 RC4 128 with MD5
- 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
+# expected
+# Enable return server client Test Case name
+# ECC value params params
+# ------- ------ ------ ------ ---------------
+ noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
+ noECC 0 _ -c_1000_-C_c_-T Stress SSL3 RC4 128 with MD5
+ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
 #
 # add client auth versions here...
 #
-# 0 -r -w_bogus_-n_"Test_User" TLS Request don't require client auth (bad password)
+# noECC 0 -r -w_bogus_-n_"Test_User" TLS Request don't require client auth (bad password)
+#
+########################## ECC ciphers ##############################
+# Currently, session reuse does not work for ECDH-ECDSA and ECDHE-ECDSA
+# ciphers (see Bug 238051). Setting up 1000 connections without session
+# reuse would take too long, so use only 10 connections
+#
+ ECC 0 -c_:C009 -c_10_-C_:C009_-N_-T Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C013 -c_100_-C_:C013_-T Stress SSL3 ECDHE-RSA AES 128 CBC with SHA
+ ECC 0 -c_:C004 -c_10_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C00E -c_10_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
+ ECC 0 -c_:C013 -c_100_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA
+#
+# add client auth versions here...
+#
+# ECC 0 -r -w_bogus_-n_"Test_User-ec" TLS Request don't require client auth (bad password)
diff --git a/security/nss/tests/tools/ectools.sh b/security/nss/tests/tools/ectools.sh
deleted file mode 100644
index 65e8d7ce1ee9..000000000000
--- a/security/nss/tests/tools/ectools.sh
+++ /dev/null
@@ -1,210 +0,0 @@
-#! /bin/sh
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-# Dr Vipul Gupta , Sun Microsystems Laboratories
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-########################################################################
-#
-# mozilla/security/nss/tests/tools/tools.sh
-#
-# Script to test basic functionallity of NSS tools
-#
-# needs to work on all Unix and Windows platforms
-#
-# tests implemented:
-# pk12util
-# signtool
-#
-# special strings
-# ---------------
-# FIXME ... known problems, search for this string
-# NOTE .... unexpected behavior
-########################################################################
-
-############################## tools_init ##############################
-# local shell function to initialize this script
-########################################################################
-tools_init()
-{
- SCRIPTNAME=tools.sh # sourced - $0 would point to all.sh
-
- if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
- CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
- fi
-
- if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
- cd ../common
- . ./init.sh
- fi
- if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
- cd ../cert
- . ./cert.sh
- fi
- SCRIPTNAME=tools.sh
- html_head "Tools Tests"
-
- grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
- Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
- }
-
- TOOLSDIR=${HOSTDIR}/tools
- COPYDIR=${TOOLSDIR}/copydir
-
- R_TOOLSDIR=../tools
- R_COPYDIR=../tools/copydir
- P_R_COPYDIR=${R_COPYDIR}
- if [ -n "${MULTIACCESS_DBM}" ]; then
- P_R_COPYDIR="multiaccess:Tools.$version"
- fi
-
- mkdir -p ${TOOLSDIR}
- mkdir -p ${COPYDIR}
- mkdir -p ${TOOLSDIR}/html
- cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
-
- cd ${TOOLSDIR}
-}
-
-############################## tools_p12 ###############################
-# local shell function to test basic functionality of pk12util
-########################################################################
-tools_p12()
-{
- echo "$SCRIPTNAME: Exporting Alice's email cert & key------------------"
- echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
- echo " -w ${R_PWFILE}"
- pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
- -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Exporting Alice's email cert & key (pk12util -o)"
- check_tmpfile
-
- echo "$SCRIPTNAME: Importing Alice's email cert & key -----------------"
- echo "pk12util -i Alice.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
- pk12util -i Alice.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Importing Alice's email cert & key (pk12util -i)"
- check_tmpfile
-
- echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
- echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
- echo " -w ${R_PWFILE}"
- pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
- -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
- check_tmpfile
-
- echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
- echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
- pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
- check_tmpfile
-
-}
-
-############################## tools_sign ##############################
-# local shell function pk12util uses a hardcoded tmp file, if this exists
-# and is owned by another user we don't get reasonable errormessages
-########################################################################
-check_tmpfile()
-{
- if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then
- echo "Error: pk12util temp file exists. Please remove this file and"
- echo " rerun the test (/tmp/Pk12uTemp) "
- fi
-}
-
-############################## tools_sign ##############################
-# local shell function to test basic functionality of signtool
-########################################################################
-tools_sign()
-{
- echo "$SCRIPTNAME: Create objsign cert -------------------------------"
- echo "signtool -G \"objectsigner\" -d ${P_R_ALICEDIR} -p \"nss\""
- signtool -G "objsigner" -d ${P_R_ALICEDIR} -p "nss" 2>&1 <
"
- cd ${QADIR}
- . common/cleanup.sh
-}
-
-################## main #################################################
-
-tools_init
-
-tools_p12
-
-tools_sign
-tools_cleanup
-
-
diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh
index 73d8173661ee..b32eed254b09 100644
--- a/security/nss/tests/tools/tools.sh
+++ b/security/nss/tests/tools/tools.sh
@@ -21,6 +21,7 @@
 # the Initial Developer. All Rights Reserved.
 #
 # Contributor(s):
+# Dr Vipul Gupta , Sun Microsystems Laboratories
 #
 # Alternatively, the contents of this file may be used under the terms of
 # either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -74,7 +75,12 @@ tools_init()
 . ./cert.sh
 fi
 SCRIPTNAME=tools.sh
- html_head "Tools Tests"
+
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+ html_head "Tools Tests with ECC"
+ else
+ html_head "Tools Tests"
+ fi
 
 grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
 Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
@@ -87,7 +93,7 @@ tools_init()
 R_COPYDIR=../tools/copydir
 P_R_COPYDIR=${R_COPYDIR}
 if [ -n "${MULTIACCESS_DBM}" ]; then
- P_R_COPYDIR="multiaccess:Tools.$version"
+ P_R_COPYDIR="multiaccess:Tools.$version"
 fi
 
 mkdir -p ${TOOLSDIR}
@@ -125,6 +131,32 @@ tools_p12()
 ret=$?
 html_msg $ret 0 "Listing Alice's pk12 file (pk12util -l)"
 check_tmpfile
+
+ if [ -n "$NSS_ENABLE_ECC" ] ; then
+ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
+ echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+ echo " -w ${R_PWFILE}"
+ pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+ -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
+ echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+ pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+ echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+ pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+ check_tmpfile
+ fi
+
 }
 
 ############################## tools_sign ##############################
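Review bot: The guarded EC block is a verbatim copy of the non-EC export/import/list sequence above it with only the nickname and message text changed, so every future fix to the pk12util invocation has to be made twice; a helper taking the nickname and a label would let tools_p12 call it once for `Alice` and once, under the `NSS_ENABLE_ECC` guard, for `Alice-ec`. `ret` has to stay a plain shell variable because check_tmpfile reads it as a global, and the listing message ("Listing Alice's pk12 EC file") does not follow the "<label> (pk12util -x)" shape of the other two, so it either gets its own label argument or a slight rewording. The helper below shows the export step; the import and list steps follow the same shape. tools_p12 itself starts outside the hunk.
```shell
############################## p12_roundtrip ###########################
# export, re-import and list one cert/key pair with pk12util
# $1 - nickname (also the .p12 file name), $2 - label used in html_msg text
# sets ret, which check_tmpfile reads as a global
########################################################################
p12_roundtrip()
{
    nick="$1"
    label="$2"
    echo "$SCRIPTNAME: Exporting ${label} ------------------"
    echo "pk12util -o ${nick}.p12 -n \"${nick}\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
    echo "         -w ${R_PWFILE}"
    pk12util -o "${nick}.p12" -n "${nick}" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
             -w ${R_PWFILE} 2>&1
    ret=$?
    html_msg $ret 0 "Exporting ${label} (pk12util -o)"
    check_tmpfile
    # … same shape for the import (pk12util -i into ${P_R_COPYDIR}) and
    # list (pk12util -l) steps …
}

# in tools_p12():
p12_roundtrip Alice "Alice's email cert & key"
if [ -n "$NSS_ENABLE_ECC" ] ; then
    p12_roundtrip Alice-ec "Alice's email EC cert & key"
fi
```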