Bug 473790: Adding CRL funcionality + some tests. r=alexei

git-svn-id: svn://10.0.0.236/trunk@256114 18797224-902f-48f8-a5cc-f745e15eee43
slavomir.katuscak%sun.com 2009-02-05 13:31:53 +00:00
parent c6d219246d
commit 38ef5a36cd
3 changed files with 214 additions and 15 deletions


@ -71,12 +71,15 @@ chains_init()
CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
CERT_SN=$(date '+%m%d%H%M%S')
PK7_NONCE=$CERT_SN;
CERT_SN_CNT=$(date '+%m%d%H%M%S')
CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
PK7_NONCE=$CERT_SN_CNT;
AIA_FILES="${HOSTDIR}/aiafiles"
CU_DATA=${HOSTDIR}/cu_data
CRL_DATA=${HOSTDIR}/crl_data
html_head "Certificate Chains Tests"
}
@ -102,6 +105,22 @@ print_cu_data()
echo "==="
}
set_cert_sn()
{
if [ -z "${SERIAL}" ]; then
CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1)
CERT_SN=${CERT_SN_CNT}
else
echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null
if [ $? -eq 0 ]; then
CERT_SN=$(echo ${SERIAL} | cut -b 2-)
CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN})
else
CERT_SN=${SERIAL}
fi
fi
}
############################# create_db ################################
# local shell function to create certificate database
########################################################################
@ -119,8 +138,6 @@ create_db()
echo "certutil -N -d ${DB} -f ${DB}/dbpasswd"
${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd
html_msg $? 0 "${SCENARIO}${TESTNAME}"
TESTDB=${DB}
}
########################### create_root_ca #############################
@ -131,7 +148,7 @@ create_root_ca()
ENTITY=$1
ENTITY_DB=${ENTITY}DB
CERT_SN=$(expr ${CERT_SN} + 1)
set_cert_sn
date >> ${NOISE_FILE} 2>&1
CTYPE_OPT=
@ -399,7 +416,7 @@ sign_cert()
REQ=${ENTITY}Req.der
CERT=${ENTITY}${ISSUER}.der
CERT_SN=$(expr ${CERT_SN} + 1)
set_cert_sn
EMAIL_OPT=
if [ "${TYPE}" = "Bridge" ]; then
@ -478,16 +495,83 @@ import_cert()
html_msg $? 0 "${SCENARIO}${TESTNAME}"
}
import_crl()
{
IMPORT=$1
DB=$2
CRL_NICK=`echo ${IMPORT} | cut -d: -f1`
CRL_FILE=${CRL_NICK}.crl
if [ ! -f "${CRL_FILE}" ]; then
return
fi
TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database"
echo "${SCRIPTNAME}: ${TESTNAME}"
echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}"
${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}
html_msg $? 0 "${SCENARIO}${TESTNAME}"
}
create_crl()
{
ISSUER=$1
ISSUER_DB=${ISSUER}DB
CRL=${ISSUER}.crl
DATE=$(date -u '+%Y%m%d%H%M%SZ')
UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ')
echo "update=${DATE}" > ${CRL_DATA}
echo "nextupdate=${UPDATE}" >> ${CRL_DATA}
TESTNAME="Create CRL for ${ISSUER_DB}"
echo "${SCRIPTNAME}: ${TESTNAME}"
echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
echo "=== Crlutil input data ==="
cat ${CRL_DATA}
echo "==="
${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
html_msg $? 0 "${SCENARIO}${TESTNAME}"
}
revoke_cert()
{
ISSUER=$1
ISSUER_DB=${ISSUER}DB
CRL=${ISSUER}.crl
set_cert_sn
sleep 1
DATE=$(date -u '+%Y%m%d%H%M%SZ')
echo "update=${DATE}" > ${CRL_DATA}
echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA}
TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}"
echo "${SCRIPTNAME}: ${TESTNAME}"
echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
echo "=== Crlutil input data ==="
cat ${CRL_DATA}
echo "==="
${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
html_msg $? 0 "${SCENARIO}${TESTNAME}"
}
########################################################################
# List of global variables related to certificate verification:
#
# Generated by parse_config:
# TESTDB - DB used for testing
# DB - DB used for testing
# FETCH - fetch flag (used with AIA extension)
# POLICY - list of policies
# TRUST - trust anchor
# VERIFY - list of certificates to use as vfychain parameters
# EXP_RESULT - expected result
# REV_OPTS - revocation options
########################################################################
############################# verify_cert ##############################
@ -502,8 +586,8 @@ verify_cert()
VFY_CERTS=
VFY_LIST=
if [ -n "${TESTDB}" ]; then
DB_OPT="-d ${TESTDB}"
if [ -n "${DB}" ]; then
DB_OPT="-d ${DB}"
fi
if [ -n "${FETCH}" ]; then
@ -546,15 +630,15 @@ verify_cert()
fi
done
TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${DB_OPT} ${FETCH_OPT} ${POLICY_OPT} ${TRUST_OPT}"
TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${POLICY_OPT} ${TRUST_OPT}"
echo "${SCRIPTNAME}: ${TESTNAME}"
echo "vfychain ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
echo "vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
if [ -z "${MEMLEAK_DBG}" ]; then
${BINDIR}/vfychain ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}
${BINDIR}/vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}
RESULT=$?
else
${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE}
${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${REV_OPTS} ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE}
RESULT=$?
fi
@ -661,6 +745,17 @@ parse_config()
"import")
IMPORT="${VALUE}"
import_cert "${IMPORT}" "${DB}"
import_crl "${IMPORT}" "${DB}"
;;
"crl")
ISSUER="${VALUE}"
create_crl "${ISSUER}"
;;
"revoke")
REVOKE="${VALUE}"
;;
"serial")
SERIAL="${VALUE}"
;;
"verify")
VERIFY="${VALUE}"
@ -668,15 +763,16 @@ parse_config()
POLICY=
FETCH=
EXP_RESULT=
REV_OPTS=
;;
"cert")
VERIFY="${VERIFY} ${VALUE}"
;;
"testdb")
if [ -n "${VALUE}" ]; then
TESTDB="${VALUE}DB"
DB="${VALUE}DB"
else
TESTDB=
DB=
fi
;;
"trust")
@ -689,6 +785,18 @@ parse_config()
EXP_RESULT="${VALUE}"
parse_result
;;
"rev_type")
REV_OPTS="${REV_OPTS} -g ${VALUE}"
;;
"rev_flags")
REV_OPTS="${REV_OPTS} -h ${VALUE}"
;;
"rev_mtype")
REV_OPTS="${REV_OPTS} -m ${VALUE}"
;;
"rev_mflags")
REV_OPTS="${REV_OPTS} -s ${VALUE}"
;;
"scenario")
SCENARIO="${VALUE}: "
@ -701,6 +809,9 @@ parse_config()
LOGFILE="${LOGDIR}/${LOGNAME}"
fi
;;
"break")
break
;;
"")
if [ -n "${ENTITY}" ]; then
if [ -z "${DB}" ]; then
@ -717,6 +828,11 @@ parse_config()
verify_cert
VERIFY=
fi
if [ -n "${REVOKE}" ]; then
revoke_cert "${REVOKE}" "${DB}"
REVOKE=
fi
;;
*)
if [ `echo ${KEY} | cut -b 1` != "#" ]; then
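Review bot: SERIAL is consumed by set_cert_sn but never cleared, so a `serial` line in a config sticks to every later entity and `revoke` block until the next `serial` line: an entity without its own serial silently reuses the previous number instead of the date-derived counter, and a `revoke` block without one falls into the auto-increment branch and adds a never-issued serial to the CRL, so a "revoked" case could pass without revoking anything. Making each serial line one-shot is a one-line change in set_cert_sn — after the closing `fi`, add `SERIAL=` — and the revoc.cfg in this commit is unaffected because every entity and revoke block there carries its own serial. Separately, the MEMLEAK_DBG branch of verify_cert places `${REV_OPTS}` before `${DB_OPT}` while the normal branch and the echoed command place it after `-vv`; the order is presumably harmless to vfychain, but the debug invocation should match the logged one. Note that parse_config begins before and ends after the visible hunks.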


@ -0,0 +1,82 @@
scenario Revocation
entity Root
type Root
serial 10
entity CA0
type Intermediate
issuer Root
serial 11
entity CA1
type Intermediate
issuer CA0
serial 12
entity EE11
type EE
issuer CA1
serial 13
entity EE12
type EE
issuer CA1
serial 14
entity CA2
type Intermediate
issuer CA0
serial 15
entity EE21
type EE
issuer CA2
serial 16
crl Root
crl CA0
crl CA1
crl CA2
revoke CA1
serial 14
revoke CA0
serial 15
db All
import Root::CTu,CTu,CTu
import CA0:Root:
import CA1:CA0:
import CA2:CA0:
# EE11 - not revoked
verify EE11:CA1
trust Root:
rev_type leaf
rev_mtype crl
result pass
# EE12 - revoked
verify EE12:CA1
trust Root:
rev_type leaf
rev_mtype crl
result fail
# EE11 - CA1 not revoked
verify EE11:CA1
trust Root:
rev_type chain
rev_mtype crl
result pass
# EE21 - CA2 revoked
verify EE21:CA2
trust Root:
rev_type chain
rev_mtype crl
result fail
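Review bot: The scenario covers chain-mode failure through a revoked intermediate (EE21 via CA2, serial 15 on CA0's CRL) but has no leaf-mode case for that same chain, so a regression that made `rev_type leaf` consult intermediate CRLs, or `rev_type chain` skip them, would be detected only on one side. A fourth case `verify EE21:CA2` / `trust Root:` / `rev_type leaf` / `rev_mtype crl` / `result pass` would pin the distinction between the two modes, assuming leaf mode is meant to check only the end-entity certificate — that is inferred from the option name, not from anything in this file. The existing expectations are consistent with the serials issued above: EE12 (serial 14) is on CA1's CRL and CA2 (serial 15) is on CA0's.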


@ -12,3 +12,4 @@ bridgewithhalfaia.cfg
bridgewithpolicyextensionandmapping.cfg
realcerts.cfg
dsa.cfg
revoc.cfg