@@ -927,6 +927,9 @@ case "${WITH_SSL_CLIENT}${WITH_SSL_SERVER}" in
927927 * cert) rm -rf " ${TESTCERT_PATH_BASE} " || true ;;
928928 * ) log_warn " TESTCERT_PATH_BASE seems wrong: '${TESTCERT_PATH_BASE} '" ;;
929929 esac
930+
931+ SKID=" 0x1234567890abcdef1234"
932+
930933 mkdir -p " ${TESTCERT_PATH_ROOTCA} " || die " Could not mkdir TESTCERT_PATH_ROOTCA"
931934 ( cd " ${TESTCERT_PATH_ROOTCA} " || exit
932935 log_info " SSL: Preparing test Root CA..."
@@ -939,19 +942,63 @@ case "${WITH_SSL_CLIENT}${WITH_SSL_SERVER}" in
939942 [ -e /dev/random ] && \
940943 dd if=/dev/random of=.random bs=16 count=1
941944 } || date > .random
945+
942946 # Create the certificate database:
943947 certutil -N -d . -f .pwfile \
944948 || die " Could not init NSS CA database in ` pwd` "
949+
945950 # Generate a certificate for CA:
946951 # HACK NOTE: The first "yes" is for "Is this a CA certificate [y/N]?" question,
947952 # others default (empty) for possible other questions, e.g.
948953 # Enter the path length constraint, enter to skip [<0 for unlimited path]: >
949954 # Is this a critical extension [y/N]? :
950955 # Some builds of certutil fail with SIGSEGV due to infinite input from `yes ""`,
951956 # but generally we do not know how many questions are asked:
952- (echo y; yes " " ) | certutil -S -d . -f .pwfile -n " ${TESTCERT_ROOTCA_NAME} " -s " CN=${TESTCERT_ROOTCA_NAME} ,OU=Test,O=NIT,ST=StateOfChaos,C=US" -t " CT,," -x -2 -m " $$ " -z .random \
953- || { (echo y; echo ' ' ; echo n) | certutil -S -d . -f .pwfile -n " ${TESTCERT_ROOTCA_NAME} " -s " CN=${TESTCERT_ROOTCA_NAME} ,OU=Test,O=NIT,ST=StateOfChaos,C=US" -t " CT,," -x -2 -m " ` expr $$ + 1` " -z .random ; } \
954- || die " Could not generate NSS CA certificate ($? )"
957+ cscmd () {
958+ certutil -S -x \
959+ -d . -f .pwfile \
960+ -n " ${TESTCERT_ROOTCA_NAME} " \
961+ -s " CN=${TESTCERT_ROOTCA_NAME} ,OU=Test,O=NIT,ST=StateOfChaos,C=US" \
962+ -t " CT,C,C" \
963+ -m 1 \
964+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation \
965+ -z .random \
966+ -2 \
967+ -3 \
968+ --extSKID
969+ }
970+ if [ x" ${NUT_CERTUTIL_INTERACTIVE-} " = xtrue ] ; then
971+ cscmd
972+ else {
973+ # # Generating key. This may take a few moments...
974+ # > Is this a CA certificate [y/N]?
975+ echo y
976+ # > Enter the path length constraint, enter to skip [<0 for unlimited path]:
977+ echo ' -1'
978+ # > Is this a critical extension [y/N]
979+ echo y
980+
981+ # > Enter value for the authKeyID extension [y/N]?
982+ echo y
983+ # > Enter value for the key identifier fields,enter to omit:
984+ echo " ${SKID} "
985+ # # Select one of the following general name type:
986+ # # [...] Any other number to finish
987+ # > Choice: >
988+ echo ' '
989+ # > Enter value for the authCertSerial field, enter to omit:
990+ echo ' '
991+ # > Is this a critical extension [y/N]?
992+ echo ' '
993+
994+ # # Adding Subject Key ID extension.
995+ # > Enter value for the key identifier fields,enter to omit:
996+ echo " ${SKID} "
997+ # > Is this a critical extension [y/N]?
998+ echo n
999+ } | cscmd
1000+ fi || die " Could not generate NSS CA certificate ($? )"
1001+
9551002 # Extract the CA certificate to be able to use or import it later:
9561003 certutil -L -d . -f .pwfile -n " ${TESTCERT_ROOTCA_NAME} " -a -o rootca.pem \
9571004 || die " Could not extract the NSS CA certificate to PEM"
@@ -1028,24 +1075,78 @@ EOF
10281075 # Create the certificate database:
10291076 certutil -N -d . -f .pwfile \
10301077 || die " Could not init NSS Server database in ` pwd` "
1078+
10311079 # Import the CA certificate, so users of this DB trust it:
1032- certutil -A -d . -f .pwfile -n " ${TESTCERT_ROOTCA_NAME} " -t " TC,," -a -i " ${TESTCERT_PATH_ROOTCA} " /rootca.pem \
1080+ certutil -A -d . -f .pwfile \
1081+ -n " ${TESTCERT_ROOTCA_NAME} " \
1082+ -t " TC,," \
1083+ -a -i " ${TESTCERT_PATH_ROOTCA} " /rootca.pem \
10331084 || die " Could not import the CA certificate to NSS Server database"
1085+
10341086 # Create a server certificate request:
10351087 # NOTE: IRL Each run should have a separate random seed; for tests we cut a few corners!
1036- certutil -R -d . -f .pwfile -s " CN=${TESTCERT_SERVER_NAME} ,OU=Test,O=NIT,ST=StateOfChaos,C=US" -a -o server.req -z " ${TESTCERT_PATH_ROOTCA} " /.random --extSAN " dns:localhost,dns:localhost6,dns:127.0.0.1,dns:::1,ip:127.0.0.1,ip:::1" \
1088+ certutil -R -d . -f .pwfile \
1089+ -s " CN=${TESTCERT_SERVER_NAME} ,OU=Test,O=NIT,ST=StateOfChaos,C=US" \
1090+ -a -o server.req \
1091+ -z " ${TESTCERT_PATH_ROOTCA} " /.random \
1092+ --extKeyUsage " serverAuth" \
1093+ --nsCertType sslServer \
1094+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
1095+ --extSAN " dns:localhost,dns:localhost6,dns:127.0.0.1,dns:::1,ip:127.0.0.1,ip:::1" \
10371096 || die " Could not create a NSS Server certificate request"
10381097
10391098 # Sign a certificate request with the CA certificate:
10401099 # HACK NOTE: "No" for "Is this a CA certificate" question, defaults for others
10411100 # Some builds of certutil fail with SIGSEGV due to infinite input from `yes ""`,
10421101 # but generally we do not know how many questions are asked:
1043- (echo n; yes " " ) | certutil -C -d " ${TESTCERT_PATH_ROOTCA} " -f " ${TESTCERT_PATH_ROOTCA} " /.pwfile -c " ${TESTCERT_ROOTCA_NAME} " -a -i server.req -o server.crt -2 --extKeyUsage " serverAuth" --nsCertType sslServer -m " ` expr $$ + 2` " \
1044- || { (echo n; echo ' ' ; echo ' n' ) | certutil -C -d " ${TESTCERT_PATH_ROOTCA} " -f " ${TESTCERT_PATH_ROOTCA} " /.pwfile -c " ${TESTCERT_ROOTCA_NAME} " -a -i server.req -o server.crt -2 --extKeyUsage " serverAuth" --nsCertType sslServer -m " ` expr $$ + 3` " ; } \
1045- || die " Could not sign a NSS Server certificate request with the NSS CA database ($? )"
1102+ cscmd () {
1103+ certutil -C -d " ${TESTCERT_PATH_ROOTCA} " \
1104+ -f " ${TESTCERT_PATH_ROOTCA} " /.pwfile \
1105+ -c " ${TESTCERT_ROOTCA_NAME} " \
1106+ -a -i server.req -o server.crt \
1107+ --extKeyUsage " serverAuth" \
1108+ --nsCertType sslServer \
1109+ -m 2 \
1110+ -2 \
1111+ -3 \
1112+ --extSKID
1113+ }
1114+ if [ x" ${NUT_CERTUTIL_INTERACTIVE-} " = xtrue ] ; then
1115+ cscmd
1116+ else {
1117+ # # Generating key. This may take a few moments...
1118+ # > Is this a CA certificate [y/N]?
1119+ echo n
1120+ # > Enter the path length constraint, enter to skip [<0 for unlimited path]:
1121+ echo ' '
1122+ # > Is this a critical extension [y/N]
1123+ echo n
1124+
1125+ # > Enter value for the authKeyID extension [y/N]?
1126+ echo y
1127+ # > Enter value for the key identifier fields,enter to omit:
1128+ echo " ${SKID} "
1129+ # # Select one of the following general name type:
1130+ # # [...] Any other number to finish
1131+ # > Choice: >
1132+ echo ' '
1133+ # > Enter value for the authCertSerial field, enter to omit:
1134+ echo ' '
1135+ # > Is this a critical extension [y/N]?
1136+ echo ' '
1137+
1138+ # # Adding Subject Key ID extension.
1139+ # > Enter value for the key identifier fields,enter to omit:
1140+ echo " ${SKID} "
1141+ # > Is this a critical extension [y/N]?
1142+ echo n
1143+ } | cscmd
1144+ fi || die " Could not sign a NSS Server certificate request with the NSS CA database ($? )"
10461145
10471146 # Import the signed certificate into server database:
1048- certutil -A -d . -f .pwfile -n " ${TESTCERT_SERVER_NAME} " -a -i server.crt -t " ,," \
1147+ certutil -A -d . -f .pwfile \
1148+ -n " ${TESTCERT_SERVER_NAME} " \
1149+ -a -i server.crt -t " ,," \
10491150 || die " Could not import the signed NSS Server certificate into server database"
10501151
10511152 ls -l " ${TESTCERT_PATH_SERVER} " /* .db " ${TESTCERT_PATH_SERVER} " /* .txt \
@@ -1091,11 +1192,16 @@ EOF
10911192 log_info " SSL: Preparing test client certificate..."
10921193 # Also create 3-file database of client key+cert store
10931194 echo " ${TESTCERT_CLIENT_PASS} " > " .pwfile"
1195+
10941196 # Create the certificate database:
10951197 certutil -N -d . -f .pwfile \
10961198 || die " Could not init NSS Client database in ` pwd` "
1199+
10971200 # Import the CA certificate, so users of this DB trust it:
1098- certutil -A -d . -f .pwfile -n " ${TESTCERT_ROOTCA_NAME} " -t " TC,," -a -i " ${TESTCERT_PATH_ROOTCA} " /rootca.pem \
1201+ certutil -A -d . -f .pwfile \
1202+ -n " ${TESTCERT_ROOTCA_NAME} " \
1203+ -t " TC,," \
1204+ -a -i " ${TESTCERT_PATH_ROOTCA} " /rootca.pem \
10991205 || die " Could not import the CA certificate to NSS Client database"
11001206
11011207 # Import server cert into client database so we can trust it (CERTHOST directive):
@@ -1105,24 +1211,72 @@ EOF
11051211 # certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL:
11061212 # You are attempting to import a cert with the same issuer/serial
11071213 # as an existing cert, but that is not the same cert.
1108- certutil -A -d . -f .pwfile -n " ${TESTCERT_SERVER_NAME} " -a -i " ${TESTCERT_PATH_SERVER} /server.crt" -t " ,," \
1214+ certutil -A -d . -f .pwfile \
1215+ -n " ${TESTCERT_SERVER_NAME} " \
1216+ -a -i " ${TESTCERT_PATH_SERVER} /server.crt" \
1217+ -t " ,," \
11091218 || die " Could not import the Server certificate to NSS Client database"
11101219
11111220 # Create a client certificate request:
11121221 # NOTE: IRL Each run should have a separate random seed; for tests we cut a few corners!
1113- certutil -R -d . -f .pwfile -s " CN=${TESTCERT_CLIENT_NAME} ,OU=Test,O=NIT,ST=StateOfChaos,C=US" -a -o client.req -z " ${TESTCERT_PATH_ROOTCA} " /.random \
1222+ certutil -R -d . -f .pwfile \
1223+ -s " CN=${TESTCERT_CLIENT_NAME} ,OU=Test,O=NIT,ST=StateOfChaos,C=US" \
1224+ -a -o client.req \
1225+ -z " ${TESTCERT_PATH_ROOTCA} " /.random \
11141226 || die " Could not create a NSS Client certificate request"
11151227
11161228 # Sign a certificate request with the CA certificate:
11171229 # HACK NOTE: "No" for "Is this a CA certificate" question, defaults for others
11181230 # Some builds of certutil fail with SIGSEGV due to infinite input from `yes ""`,
11191231 # but generally we do not know how many questions are asked:
1120- (echo n; yes " " ) | certutil -C -d " ${TESTCERT_PATH_ROOTCA} " -f " ${TESTCERT_PATH_ROOTCA} " /.pwfile -c " ${TESTCERT_ROOTCA_NAME} " -a -i client.req -o client.crt -2 --extKeyUsage " clientAuth" --nsCertType sslClient -m " ` expr $$ + 4` " \
1121- || { (echo n; echo " " ; echo n) | certutil -C -d " ${TESTCERT_PATH_ROOTCA} " -f " ${TESTCERT_PATH_ROOTCA} " /.pwfile -c " ${TESTCERT_ROOTCA_NAME} " -a -i client.req -o client.crt -2 --extKeyUsage " clientAuth" --nsCertType sslClient -m " ` expr $$ + 5` " ; } \
1122- || die " Could not sign a NSS Client certificate request with the NSS CA database ($? )"
1232+ cscmd () {
1233+ certutil -C -d " ${TESTCERT_PATH_ROOTCA} " \
1234+ -f " ${TESTCERT_PATH_ROOTCA} " /.pwfile \
1235+ -c " ${TESTCERT_ROOTCA_NAME} " \
1236+ -a -i client.req -o client.crt \
1237+ --extKeyUsage " clientAuth" \
1238+ --nsCertType sslClient \
1239+ -m 3 \
1240+ -2 \
1241+ -3 \
1242+ --extSKID
1243+ }
1244+ if [ x" ${NUT_CERTUTIL_INTERACTIVE-} " = xtrue ] ; then
1245+ cscmd
1246+ else {
1247+ # # Generating key. This may take a few moments...
1248+ # > Is this a CA certificate [y/N]?
1249+ echo n
1250+ # > Enter the path length constraint, enter to skip [<0 for unlimited path]:
1251+ echo ' '
1252+ # > Is this a critical extension [y/N]
1253+ echo n
1254+
1255+ # > Enter value for the authKeyID extension [y/N]?
1256+ echo y
1257+ # > Enter value for the key identifier fields,enter to omit:
1258+ echo " ${SKID} "
1259+ # # Select one of the following general name type:
1260+ # # [...] Any other number to finish
1261+ # > Choice: >
1262+ echo ' '
1263+ # > Enter value for the authCertSerial field, enter to omit:
1264+ echo ' '
1265+ # > Is this a critical extension [y/N]?
1266+ echo ' '
1267+
1268+ # # Adding Subject Key ID extension.
1269+ # > Enter value for the key identifier fields,enter to omit:
1270+ echo " ${SKID} "
1271+ # > Is this a critical extension [y/N]?
1272+ echo n
1273+ } | cscmd
1274+ fi || die " Could not sign a NSS Client certificate request with the NSS CA database ($? )"
11231275
11241276 # Import the signed certificate into client database:
1125- certutil -A -d . -f .pwfile -n " ${TESTCERT_CLIENT_NAME} " -a -i client.crt -t " ,," \
1277+ certutil -A -d . -f .pwfile \
1278+ -n " ${TESTCERT_CLIENT_NAME} " \
1279+ -a -i client.crt -t " ,," \
11261280 || die " Could not import the signed NSS Client certificate into client database"
11271281
11281282 ls -l " ${TESTCERT_PATH_CLIENT} " /* .db " ${TESTCERT_PATH_CLIENT} " /* .txt \
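Review bot: The single `SKID` constant is fed both as the authKeyID key-identifier and as the Subject Key ID value in the CA, server and client answer blocks, so three different public keys end up with an identical SKI and each leaf's AKI also equals its own SKI. RFC 5280 expects the SKI to identify the subject's public key, and an issuer lookup that matches AKI against SKI could be offered the leaf itself or the other leaf as a candidate issuer; that is plausibly harmless in these throwaway test databases, but this script exists to exercise chain validation, so it is worth keeping the identifiers distinct. A small change keeps the intent: next to the existing `SKID=` line define `SKID_CA="0x1234567890abcdef1234"` plus distinct `SKID_SERVER`/`SKID_CLIENT` values, answer the authKeyID prompt with `"${SKID_CA}"` in all three blocks, and answer the "Adding Subject Key ID extension" prompt with the per-certificate value. Separately, the scripted answers now have no fallback when a certutil build asks a different set of questions than the comments document (the former `yes ""` variant is gone), so a misaligned answer stream would silently produce a certificate with the wrong extensions; a post-check after the CA block such as `certutil -L -d . -f .pwfile -n "${TESTCERT_ROOTCA_NAME}" | grep -q 'Is a CA' || die "CA certificate lacks basic constraints"` (adjust to the pretty-print wording of the local certutil) would catch that before the server and client signing steps depend on it.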