From 38ef5a36cda2afe031b213f7bbc69aa1d1780fd7 Mon Sep 17 00:00:00 2001
From: "slavomir.katuscak%sun.com"
Date: Thu, 5 Feb 2009 13:31:53 +0000
Subject: [PATCH] Bug 473790: Adding CRL funcionality + some tests. r=alexei
git-svn-id: svn://10.0.0.236/trunk@256114 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/security/nss/tests/chains/chains.sh | 146 ++++++++++++++++--
 .../nss/tests/chains/scenarios/revoc.cfg | 82 ++++++++++
 .../nss/tests/chains/scenarios/scenarios | 1 +
 3 files changed, 214 insertions(+), 15 deletions(-)
 create mode 100644 mozilla/security/nss/tests/chains/scenarios/revoc.cfg
diff --git a/mozilla/security/nss/tests/chains/chains.sh b/mozilla/security/nss/tests/chains/chains.sh
index 60bec6ef44a..f1725b02a83 100644
--- a/mozilla/security/nss/tests/chains/chains.sh
+++ b/mozilla/security/nss/tests/chains/chains.sh
@@ -71,12 +71,15 @@ chains_init()
 CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
- CERT_SN=$(date '+%m%d%H%M%S')
- PK7_NONCE=$CERT_SN;
+ CERT_SN_CNT=$(date '+%m%d%H%M%S')
+ CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
+
+ PK7_NONCE=$CERT_SN_CNT;
 AIA_FILES="${HOSTDIR}/aiafiles"
 CU_DATA=${HOSTDIR}/cu_data
+ CRL_DATA=${HOSTDIR}/crl_data
 html_head "Certificate Chains Tests"
 }
@@ -102,6 +105,22 @@ print_cu_data()
 echo "==="
 }
+set_cert_sn()
+{
+ if [ -z "${SERIAL}" ]; then
+ CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1)
+ CERT_SN=${CERT_SN_CNT}
+ else
+ echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null
+ if [ $? -eq 0 ]; then
+ CERT_SN=$(echo ${SERIAL} | cut -b 2-)
+ CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN})
+ else
+ CERT_SN=${SERIAL}
+ fi
+ fi
+}
+
 ############################# create_db ################################
 # local shell function to create certificate database
 ########################################################################
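Review bot: The `+` prefix test in set_cert_sn is done with an `echo | cut | grep` pipeline whose status is read back from `$?` on the following line, which spends three processes and a fragile two-statement idiom on a one-character check, and the unquoted `echo ${SERIAL}` word-splits the value before it is even inspected. A `case` on the value keeps both branches in the shell, removes the second `echo | cut` as well, and is plain POSIX sh: `case "${SERIAL}" in +*) CERT_SN=$(expr ${CERT_SN_FIX} + ${SERIAL#+}) ;; *) CERT_SN=${SERIAL} ;; esac`. The `-z "${SERIAL}"` guard and the counter branch above it stay as they are.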
@@ -119,8 +138,6 @@ create_db()
 echo "certutil -N -d ${DB} -f ${DB}/dbpasswd"
 ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd
 html_msg $? 0 "${SCENARIO}${TESTNAME}"
-
- TESTDB=${DB}
 }
 ########################### create_root_ca #############################
@@ -131,7 +148,7 @@ create_root_ca()
 ENTITY=$1
 ENTITY_DB=${ENTITY}DB
- CERT_SN=$(expr ${CERT_SN} + 1)
+ set_cert_sn
 date >> ${NOISE_FILE} 2>&1
 CTYPE_OPT=
@@ -399,7 +416,7 @@ sign_cert()
 REQ=${ENTITY}Req.der
 CERT=${ENTITY}${ISSUER}.der
- CERT_SN=$(expr ${CERT_SN} + 1)
+ set_cert_sn
 EMAIL_OPT=
 if [ "${TYPE}" = "Bridge" ]; then
@@ -478,16 +495,83 @@ import_cert()
 html_msg $? 0 "${SCENARIO}${TESTNAME}"
 }
+import_crl()
+{
+ IMPORT=$1
+ DB=$2
+
+ CRL_NICK=`echo ${IMPORT} | cut -d: -f1`
+ CRL_FILE=${CRL_NICK}.crl
+
+ if [ ! -f "${CRL_FILE}" ]; then
+ return
+ fi
+
+ TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}"
+ ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+create_crl()
+{
+ ISSUER=$1
+ ISSUER_DB=${ISSUER}DB
+
+ CRL=${ISSUER}.crl
+
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ')
+
+ echo "update=${DATE}" > ${CRL_DATA}
+ echo "nextupdate=${UPDATE}" >> ${CRL_DATA}
+
+ TESTNAME="Create CRL for ${ISSUER_DB}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
+ echo "=== Crlutil input data ==="
+ cat ${CRL_DATA}
+ echo "==="
+ ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
+revoke_cert()
+{
+ ISSUER=$1
+ ISSUER_DB=${ISSUER}DB
+
+ CRL=${ISSUER}.crl
+
+ set_cert_sn
+
+ sleep 1
+ DATE=$(date -u '+%Y%m%d%H%M%SZ')
+ echo "update=${DATE}" > ${CRL_DATA}
+ echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA}
+
+ TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}"
+ echo "${SCRIPTNAME}: ${TESTNAME}"
+ echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}"
+ echo "=== Crlutil input data ==="
+ cat ${CRL_DATA}
+ echo "==="
+ ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA}
+ html_msg $? 0 "${SCENARIO}${TESTNAME}"
+}
+
 ########################################################################
 # List of global variables related to certificate verification:
 #
 # Generated by parse_config:
-# TESTDB - DB used for testing
+# DB - DB used for testing
 # FETCH - fetch flag (used with AIA extension)
 # POLICY - list of policies
 # TRUST - trust anchor
 # VERIFY - list of certificates to use as vfychain parameters
 # EXP_RESULT - expected result
+# REV_OPTS - revocation options
 ########################################################################
 ############################# verify_cert ##############################
@@ -502,8 +586,8 @@ verify_cert()
 VFY_CERTS=
 VFY_LIST=
- if [ -n "${TESTDB}" ]; then
- DB_OPT="-d ${TESTDB}"
+ if [ -n "${DB}" ]; then
+ DB_OPT="-d ${DB}"
 fi
 if [ -n "${FETCH}" ]; then
@@ -546,15 +630,15 @@ verify_cert()
 fi
 done
- TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${DB_OPT} ${FETCH_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+ TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${POLICY_OPT} ${TRUST_OPT}"
 echo "${SCRIPTNAME}: ${TESTNAME}"
- echo "vfychain ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+ echo "vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
 if [ -z "${MEMLEAK_DBG}" ]; then
- ${BINDIR}/vfychain ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}
+ ${BINDIR}/vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}
 RESULT=$?
 else
- ${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE}
+ ${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${REV_OPTS} ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE}
 RESULT=$?
 fi
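Review bot: revoke_cert calls set_cert_sn unconditionally, so a `revoke` block that has no `serial` line does not fail: set_cert_sn takes its `-z "${SERIAL}"` branch, allocates a fresh counter value, and the function adds to the CRL a serial that no issued certificate carries, while logging "Revoking certificate with SN …" as if the revocation were real; only a later `result` mismatch would hint at it. Reject that case before `set_cert_sn`, e.g. `if [ -z "${SERIAL}" ]; then html_msg 1 0 "${SCENARIO}Revoking certificate issued by ${ISSUER} without a serial"; return; fi` (assuming html_msg's first two arguments are actual and expected status, as the other calls in this hunk suggest). The second argument parse_config passes (`"${DB}"`) is never read by revoke_cert, so either drop it from the call or note that it is ignored. In create_crl, `UPDATE` is next year's number glued to today's `%m%d%H%M%S`, which is a non-existent date when the run happens on 29 February; a comment on that line such as `# nextupdate: one calendar year ahead (not a valid date on 29 Feb)` would at least make the failure mode findable.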
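Review bot: In the `MEMLEAK_DBG` branch the new `${REV_OPTS}` is placed before `${DB_OPT}`, while the echoed command line and the non-debug invocation put it after `-vv`; the command printed to the log therefore no longer matches what the leak-check run executes, and option order differs between the two paths for no stated reason. Use the same order in both: `${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE}`. verify_cert starts and ends outside this hunk.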
@@ -661,6 +745,17 @@ parse_config()
 "import")
 IMPORT="${VALUE}"
 import_cert "${IMPORT}" "${DB}"
+ import_crl "${IMPORT}" "${DB}"
+ ;;
+ "crl")
+ ISSUER="${VALUE}"
+ create_crl "${ISSUER}"
+ ;;
+ "revoke")
+ REVOKE="${VALUE}"
+ ;;
+ "serial")
+ SERIAL="${VALUE}"
 ;;
 "verify")
 VERIFY="${VALUE}"
@@ -668,15 +763,16 @@ parse_config()
 POLICY=
 FETCH=
 EXP_RESULT=
+ REV_OPTS=
 ;;
 "cert")
 VERIFY="${VERIFY} ${VALUE}"
 ;;
 "testdb")
 if [ -n "${VALUE}" ]; then
- TESTDB="${VALUE}DB"
+ DB="${VALUE}DB"
 else
- TESTDB=
+ DB=
 fi
 ;;
 "trust")
@@ -689,6 +785,18 @@ parse_config()
 EXP_RESULT="${VALUE}"
 parse_result
 ;;
+ "rev_type")
+ REV_OPTS="${REV_OPTS} -g ${VALUE}"
+ ;;
+ "rev_flags")
+ REV_OPTS="${REV_OPTS} -h ${VALUE}"
+ ;;
+ "rev_mtype")
+ REV_OPTS="${REV_OPTS} -m ${VALUE}"
+ ;;
+ "rev_mflags")
+ REV_OPTS="${REV_OPTS} -s ${VALUE}"
+ ;;
 "scenario")
 SCENARIO="${VALUE}: "
@@ -701,6 +809,9 @@ parse_config()
 LOGFILE="${LOGDIR}/${LOGNAME}"
 fi
 ;;
+ "break")
+ break
+ ;;
 "")
 if [ -n "${ENTITY}" ]; then
 if [ -z "${DB}" ]; then
@@ -717,6 +828,11 @@ parse_config()
 verify_cert
 VERIFY=
 fi
+
+ if [ -n "${REVOKE}" ]; then
+ revoke_cert "${REVOKE}" "${DB}"
+ REVOKE=
+ fi
 ;;
 *)
 if [ `echo ${KEY} | cut -b 1` != "#" ]; then
diff --git a/mozilla/security/nss/tests/chains/scenarios/revoc.cfg b/mozilla/security/nss/tests/chains/scenarios/revoc.cfg
new file mode 100644
index 00000000000..38b58dd84b0
--- /dev/null
+++ b/mozilla/security/nss/tests/chains/scenarios/revoc.cfg
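Review bot: The three new keys differ in when they take effect and nothing in the `case` says so: `crl` runs create_crl immediately on its own line, `revoke` only records `REVOKE` and the actual revoke_cert call happens in the `""` (blank-line) arm where entities and `verify` blocks are flushed too, and `serial` is a modifier consumed by whichever entity or revoke block is flushed next. A comment above these arms would save the next scenario author a trip through the script, e.g. `# crl: generates <issuer>.crl right away; revoke/serial: recorded here, applied when the block ends (blank line)`. Note also that the `crl` arm stores into the global `ISSUER`, which create_crl and revoke_cert assign as well; if the `issuer` key outside this hunk uses the same variable, a `crl` line inside an entity block would silently change that entity's issuer, so the comment should say that `crl` belongs outside entity blocks. parse_config continues outside this hunk.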
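Review bot: The blank-line arm clears `VERIFY` and now `REVOKE` after flushing a block, but `SERIAL` is never reset anywhere in this patch, so a `serial N` written for one entity or revoke block stays in effect for every later block that omits it (unless the `entity` arm outside this hunk resets it), and set_cert_sn then hands out the same fixed serial again instead of the next counter value. Two certificates from one issuer sharing a serial make the `addcert` entry in that issuer's CRL ambiguous, which is exactly what these revocation scenarios are meant to test, and certutil may refuse the duplicate outright. Add `SERIAL=` after the new revoke `fi`, beside `REVOKE=`, so the modifier lives only for the block it was written in. parse_config continues past the end of this hunk.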
@@ -0,0 +1,82 @@
+scenario Revocation
+
+entity Root
+ type Root
+ serial 10
+
+entity CA0
+ type Intermediate
+ issuer Root
+ serial 11
+
+entity CA1
+ type Intermediate
+ issuer CA0
+ serial 12
+
+entity EE11
+ type EE
+ issuer CA1
+ serial 13
+
+entity EE12
+ type EE
+ issuer CA1
+ serial 14
+
+entity CA2
+ type Intermediate
+ issuer CA0
+ serial 15
+
+entity EE21
+ type EE
+ issuer CA2
+ serial 16
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA1
+ serial 14
+
+revoke CA0
+ serial 15
+
+db All
+
+import Root::CTu,CTu,CTu
+import CA0:Root:
+import CA1:CA0:
+import CA2:CA0:
+
+# EE11 - not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result pass
+
+# EE12 - revoked
+verify EE12:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result fail
+
+# EE11 - CA1 not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result pass
+
+# EE21 - CA2 revoked
+verify EE21:CA2
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result fail
+
diff --git a/mozilla/security/nss/tests/chains/scenarios/scenarios b/mozilla/security/nss/tests/chains/scenarios/scenarios
index 26d79889c90..15a429a2854 100644
--- a/mozilla/security/nss/tests/chains/scenarios/scenarios
+++ b/mozilla/security/nss/tests/chains/scenarios/scenarios
@@ -12,3 +12,4 @@ bridgewithhalfaia.cfg
 bridgewithpolicyextensionandmapping.cfg
 realcerts.cfg
 dsa.cfg
+revoc.cfg
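Review bot: The four checks never exercise a revoked intermediate under `rev_type leaf`, so the scenario does not pin the one distinction the leaf/chain pairs are meant to show — that leaf-only checking ignores CA2's entry in CA0's CRL, which is what the fourth block relies on to differ from a leaf check. A fifth block verifying `EE21:CA2` with `rev_type leaf` and `rev_mtype crl`, mirroring the EE11 leaf block, would cover it; its expected result is `pass` if vfychain's leaf mode really skips intermediates, and pinning it either way protects the scenario against a later change in the option semantics.
```text
# EE21 - CA2 revoked, but a leaf-only check does not look at the intermediate
verify EE21:CA2
 trust Root:
 rev_type leaf
 rev_mtype crl
 result pass
```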