Commit a435c037 authored by Kai Engert's avatar Kai Engert

Bug 970539, NSS tool improvements/fixes: certutil/btoa/pp/httpserv, r=rrelyea

--HG--
extra : amend_source : 50ec9151d179f3cadbf66ff958e7bda7198405f9
parent 2c45353d
......@@ -92,6 +92,10 @@ static void Usage(char *progName)
"-i input");
fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
"-o output");
fprintf(stderr, "%-20s Wrap output in BEGIN/END lines and the given suffix\n",
"-w suffix");
fprintf(stderr, "%-20s (use \"c\" as a shortcut for suffix CERTIFICATE)\n",
"");
exit(-1);
}
......@@ -102,6 +106,7 @@ int main(int argc, char **argv)
FILE *inFile, *outFile;
PLOptState *optstate;
PLOptStatus status;
char *suffix = NULL;
inFile = 0;
outFile = 0;
......@@ -111,7 +116,7 @@ int main(int argc, char **argv)
progName = progName ? progName+1 : argv[0];
/* Parse command line arguments */
optstate = PL_CreateOptState(argc, argv, "i:o:");
optstate = PL_CreateOptState(argc, argv, "i:o:w:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
default:
......@@ -135,6 +140,13 @@ int main(int argc, char **argv)
return -1;
}
break;
case 'w':
if (!strcmp(optstate->value, "c"))
suffix = strdup("CERTIFICATE");
else
suffix = strdup(optstate->value);
break;
}
}
if (status == PL_OPT_BAD)
......@@ -171,11 +183,17 @@ int main(int argc, char **argv)
#endif
outFile = stdout;
}
if (suffix) {
fprintf(outFile, "-----BEGIN %s-----\n", suffix);
}
rv = encode_file(outFile, inFile);
if (rv != SECSuccess) {
fprintf(stderr, "%s: lossage: error=%d errno=%d\n",
progName, PORT_GetError(), errno);
return -1;
}
if (suffix) {
fprintf(outFile, "-----END %s-----\n", suffix);
}
return 0;
}
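Review bot: Both `strdup` calls in the new `case 'w':` go unchecked, so an allocation failure leaves `suffix` NULL and the tool silently writes unwrapped base64 instead of reporting an error. A check after the branch, `if (!suffix) { fprintf(stderr, "%s: out of memory\n", progName); return -1; }`, would make the failure visible. Separately, the `-----BEGIN %s-----` line is written before `encode_file` runs, so on the error return the output keeps a BEGIN line with no matching END line. main's body continues outside these hunks.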
......@@ -35,6 +35,7 @@ enum certutilExtns {
ext_inhibitAnyPolicy,
ext_subjectKeyID,
ext_nameConstraints,
ext_subjectAltName,
ext_End
};
......@@ -47,7 +48,11 @@ typedef ExtensionEntry certutilExtnList[ext_End];
extern SECStatus
AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
certutilExtnList extList);
certutilExtnList extList, const char *extGeneric);
extern SECStatus
GetOidFromString(PLArenaPool *arena, SECItem *to,
const char *from, size_t fromLen);
#endif /* _CERTUTIL_H */
......@@ -1312,8 +1312,10 @@ main(int argc, char **argv)
inFile = PR_Open(revoInfo->crlFilename, PR_RDONLY, 0);
if (inFile) {
rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
PR_Close(inFile);
inFile = NULL;
}
if (!inFile || rv != SECSuccess) {
if (rv != SECSuccess) {
fprintf(stderr, "unable to read crl file %s\n",
revoInfo->crlFilename);
exit(1);
......
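Review bot: Dropping `!inFile` from the condition means a failed `PR_Open` is no longer detected here: when the CRL file cannot be opened the block is skipped, `rv` keeps whatever value it had before this hunk, and `crlDER` may be used without having been read. The old test had to change because `inFile` is now reset to NULL after `PR_Close`, but the open failure still needs its own branch, for example `else { rv = SECFailure; }` after the `if (inFile) { ... }` block. Whether `rv` is initialised to a failure value earlier in main is not visible in this hunk.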
......@@ -52,6 +52,19 @@ static char consoleName[] = {
#include "ssl.h"
#include "sslproto.h"
static PRBool utf8DisplayEnabled = PR_FALSE;
void
SECU_EnableUtf8Display(PRBool enable)
{
utf8DisplayEnabled = enable;
}
PRBool
SECU_GetUtf8DisplayEnabled(void)
{
return utf8DisplayEnabled;
}
static void
secu_ClearPassword(char *p)
......@@ -609,12 +622,22 @@ secu_PrintRawStringQuotesOptional(FILE *out, SECItem *si, const char *m,
for (i = 0; i < si->len; i++) {
unsigned char val = si->data[i];
unsigned char c;
if (SECU_GetWrapEnabled() && column > 76) {
SECU_Newline(out);
SECU_Indent(out, level); column = level*INDENT_MULT;
}
fprintf(out,"%c", printable[val]); column++;
if (utf8DisplayEnabled) {
if (val < 32)
c = '.';
else
c = val;
} else {
c = printable[val];
}
fprintf(out,"%c", c);
column++;
}
if (quotes) {
......
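Review bot: With UTF-8 display enabled, the loop in secu_PrintRawStringQuotesOptional writes every byte of 32 or above unchanged, so DEL (0x7f) and byte sequences that are not valid UTF-8 pass from the certificate field straight to the terminal, which the `printable[]` table otherwise appears to prevent. At minimum the filter should read `if (val < 32 || val == 0x7f)`, and a comment should state that the bytes are not validated as UTF-8. The wrap check at the top of the loop counts bytes, so with wrapping on, a newline and indent can be inserted between the bytes of one multi-byte character. The function starts and ends outside the hunk.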
......@@ -139,6 +139,9 @@ SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
extern PRBool SECU_GetWrapEnabled(void);
extern void SECU_EnableWrap(PRBool enable);
extern PRBool SECU_GetUtf8DisplayEnabled(void);
extern void SECU_EnableUtf8Display(PRBool enable);
/* revalidate the cert and print information about cert verification
* failure at time == now */
extern void
......
......@@ -22,22 +22,27 @@ extern int fprintf(FILE *, char *, ...);
static void Usage(char *progName)
{
fprintf(stderr,
"Usage: %s -t type [-a] [-i input] [-o output] [-w]\n",
"Usage: %s [-t type] [-a] [-i input] [-o output] [-w] [-u]\n",
progName);
fprintf(stderr, "%-20s Specify the input type (must be one of %s,\n",
fprintf(stderr, "Pretty prints a file containing ASN.1 data in DER or ascii format.\n");
fprintf(stderr, "%-14s Specify input and display type: %s (sk),\n",
"-t type", SEC_CT_PRIVATE_KEY);
fprintf(stderr, "%-20s %s, %s, %s,\n", "", SEC_CT_PUBLIC_KEY,
fprintf(stderr, "%-14s %s (pk), %s (c), %s (cr),\n", "", SEC_CT_PUBLIC_KEY,
SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
fprintf(stderr, "%-20s %s, %s, %s or %s)\n", "", SEC_CT_CERTIFICATE_ID,
fprintf(stderr, "%-14s %s (ci), %s (p7), %s or %s (n).\n", "", SEC_CT_CERTIFICATE_ID,
SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n",
fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "", SEC_CT_CERTIFICATE_ID,
SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
fprintf(stderr, "%-14s Input is in ascii encoded form (RFC1113)\n",
"-a");
fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
fprintf(stderr, "%-14s Define an input file to use (default is stdin)\n",
"-i input");
fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
fprintf(stderr, "%-14s Define an output file to use (default is stdout)\n",
"-o output");
fprintf(stderr, "%-20s Don't wrap long output lines\n",
fprintf(stderr, "%-14s Don't wrap long output lines\n",
"-w");
fprintf(stderr, "%-14s Use UTF-8 (default is to show non-ascii as .)\n",
"-u");
exit(-1);
}
......@@ -59,7 +64,7 @@ int main(int argc, char **argv)
inFile = 0;
outFile = 0;
typeTag = 0;
optstate = PL_CreateOptState(argc, argv, "at:i:o:w");
optstate = PL_CreateOptState(argc, argv, "at:i:o:uw");
while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) {
switch (optstate->option) {
case '?':
......@@ -92,6 +97,10 @@ int main(int argc, char **argv)
typeTag = strdup(optstate->value);
break;
case 'u':
SECU_EnableUtf8Display(PR_TRUE);
break;
case 'w':
wrap = PR_FALSE;
break;
......@@ -125,27 +134,34 @@ int main(int argc, char **argv)
SECU_EnableWrap(wrap);
/* Pretty print it */
if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0) {
if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0 ||
PORT_Strcmp(typeTag, "c") == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
SECU_PrintCertificate);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0) {
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0 ||
PORT_Strcmp(typeTag, "ci") == 0) {
rv = SECU_PrintSignedContent(outFile, &data, 0, 0,
SECU_PrintDumpDerIssuerAndSerial);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0) {
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0 ||
PORT_Strcmp(typeTag, "cr") == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0,
SECU_PrintCertificateRequest);
} else if (PORT_Strcmp (typeTag, SEC_CT_CRL) == 0) {
} else if (PORT_Strcmp(typeTag, SEC_CT_CRL) == 0) {
rv = SECU_PrintSignedData (outFile, &data, "CRL", 0, SECU_PrintCrl);
#ifdef HAVE_EPV_TEMPLATE
} else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0) {
} else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0 ||
PORT_Strcmp(typeTag, "sk") == 0) {
rv = SECU_PrintPrivateKey(outFile, &data, "Private Key", 0);
#endif
} else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0) {
} else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0 ||
PORT_Strcmp (typeTag, "pk") == 0) {
rv = SECU_PrintSubjectPublicKeyInfo(outFile, &data, "Public Key", 0);
} else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) {
} else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0 ||
PORT_Strcmp (typeTag, "p7") == 0) {
rv = SECU_PrintPKCS7ContentInfo(outFile, &data,
"PKCS #7 Content Info", 0);
} else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0) {
} else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0 ||
PORT_Strcmp (typeTag, "n") == 0) {
rv = SECU_PrintDERName(outFile, &data, "Name", 0);
} else {
fprintf(stderr, "%s: don't know how to print out '%s' files\n",
......
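Review bot: The new `(Use either the long type name or the shortcut.)` line in Usage has a single `%s` conversion but still passes `SEC_CT_CERTIFICATE_ID, SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME` after the `""`, apparently left over from the line it was copied from; it should be `fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "");`. The usage string now shows `[-t type]` as optional, while the dispatch chain passes `typeTag` to `PORT_Strcmp` unconditionally; if main has no earlier check for a missing `-t` (not visible in these hunks), that would compare against a NULL pointer. The shortcut literals `"c"`, `"ci"`, `"cr"` and so on appear both here and in the usage text, so named constants would keep the two in sync.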
......@@ -28,12 +28,12 @@ static const NameToKind name2kinds[] = {
* (See: http://www.iana.org/assignments/ldap-parameters)
*/
/* RFC 3280, 4630 MUST SUPPORT */
{ "CN", 64, SEC_OID_AVA_COMMON_NAME, SEC_ASN1_DS},
{ "CN", 640, SEC_OID_AVA_COMMON_NAME, SEC_ASN1_DS},
{ "ST", 128, SEC_OID_AVA_STATE_OR_PROVINCE,
SEC_ASN1_DS},
{ "O", 64, SEC_OID_AVA_ORGANIZATION_NAME,
{ "O", 128, SEC_OID_AVA_ORGANIZATION_NAME,
SEC_ASN1_DS},
{ "OU", 64, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
{ "OU", 128, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
SEC_ASN1_DS},
{ "dnQualifier", 32767, SEC_OID_AVA_DN_QUALIFIER, SEC_ASN1_PRINTABLE_STRING},
{ "C", 2, SEC_OID_AVA_COUNTRY_NAME, SEC_ASN1_PRINTABLE_STRING},
......@@ -377,7 +377,7 @@ ParseRFC1485AVA(PLArenaPool *arena, const char **pbp, const char *endptr)
char sep = 0;
char tagBuf[32];
char valBuf[384];
char valBuf[1024];
PORT_Assert(arena);
if (SECSuccess != scanTag(pbp, endptr, tagBuf, sizeof tagBuf) ||
......@@ -889,7 +889,7 @@ get_hex_string(SECItem *data)
static SECStatus
AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
{
#define TMPBUF_LEN 384
#define TMPBUF_LEN 2048
const NameToKind *pn2k = name2kinds;
SECItem *avaValue = NULL;
char *unknownTag = NULL;
......
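Review bot: The raised limits for CN (640), O (128) and OU (128) in name2kinds sit directly under the comment `RFC 3280, 4630 MUST SUPPORT` but exceed the 64-character upper bounds RFC 3280 gives for these attributes, and nothing says the departure is deliberate. A comment such as `/* maxLen deliberately exceeds the RFC upper bound of 64 */`, with the reason, would tell the next reader why and warn that strict peers may reject names this long. The `valBuf[1024]` and `TMPBUF_LEN 2048` changes look sized to match, but their relationship to the table's length column is not stated; a one-line comment at each would help. ParseRFC1485AVA and AppendAVA continue outside the hunks.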
......@@ -137,6 +137,39 @@ const SEC_ASN1Template CERT_GeneralNamesTemplate[] = {
};
static struct {
CERTGeneralNameType type;
char *name;
} typesArray[] = {
{ certOtherName, "other" },
{ certRFC822Name, "email" },
{ certRFC822Name, "rfc822" },
{ certDNSName, "dns" },
{ certX400Address, "x400" },
{ certX400Address, "x400addr" },
{ certDirectoryName, "directory" },
{ certDirectoryName, "dn" },
{ certEDIPartyName, "edi" },
{ certEDIPartyName, "ediparty" },
{ certURI, "uri" },
{ certIPAddress, "ip" },
{ certIPAddress, "ipaddr" },
{ certRegisterID, "registerid" }
};
CERTGeneralNameType
CERT_GetGeneralNameTypeFromString(const char *string)
{
int types_count = sizeof(typesArray)/sizeof(typesArray[0]);
int i;
for (i=0; i < types_count; i++) {
if (PORT_Strcasecmp(string, typesArray[i].name) == 0) {
return typesArray[i].type;
}
}
return 0;
}
CERTGeneralName *
CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type)
......
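Review bot: CERT_GetGeneralNameTypeFromString reports an unknown name with a bare `return 0;`, which is not a named CERTGeneralNameType value and is not documented, and it passes `string` to PORT_Strcasecmp without a NULL check. Since this commit also adds the function to the export list, a header comment should state the accepted names (case-insensitive, with aliases such as `email`/`rfc822`) and that 0 means no match, assuming 0 is not a valid type in the enum, which this hunk does not show. The lookup table is never modified, so it can be declared `static const struct { CERTGeneralNameType type; const char *name; } typesArray[]`.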
......@@ -26,6 +26,9 @@ cert_DecodeGeneralNames(PLArenaPool *arena, SECItem **encodedGenName);
extern SECStatus
cert_DestroyGeneralNames(CERTGeneralName *name);
extern CERTGeneralNameType
CERT_GetGeneralNameTypeFromString(const char *string);
extern SECStatus
cert_EncodeNameConstraints(CERTNameConstraints *constraints, PLArenaPool *arena,
SECItem *dest);
......
......@@ -1055,6 +1055,8 @@ SECMOD_InternaltoPubMechFlags;
;+};
;+NSS_3.16.2 { # NSS 3.16.2 release
;+ global:
CERT_AddExtensionByOID;
CERT_GetGeneralNameTypeFromString;
PK11_PubEncrypt;
PK11_PrivDecrypt;
;+ local:
......
......@@ -55,6 +55,11 @@ static const CK_C_INITIALIZE_ARGS secmodLockFunctions = {
CKF_OS_LOCKING_OK
,NULL
};
static const CK_C_INITIALIZE_ARGS secmodNoLockArgs = {
NULL, NULL, NULL, NULL,
CKF_LIBRARY_CANT_CREATE_OS_THREADS
,NULL
};
static PRBool loadSingleThreadedModules = PR_TRUE;
static PRBool enforceAlreadyInitializedError = PR_TRUE;
......@@ -209,12 +214,18 @@ secmod_ModuleInit(SECMODModule *mod, SECMODModule **reload,
return SECFailure;
}
if (mod->isThreadSafe == PR_FALSE) {
pInitArgs = NULL;
} else if (mod->libraryParams == NULL) {
pInitArgs = (void *) &secmodLockFunctions;
if (mod->libraryParams == NULL) {
if (mod->isThreadSafe) {
pInitArgs = (void *) &secmodLockFunctions;
} else {
pInitArgs = NULL;
}
} else {
moduleArgs = secmodLockFunctions;
if (mod->isThreadSafe) {
moduleArgs = secmodLockFunctions;
} else {
moduleArgs = secmodNoLockArgs;
}
moduleArgs.LibraryParameters = (void *) mod->libraryParams;
pInitArgs = &moduleArgs;
}
......@@ -251,18 +262,30 @@ secmod_ModuleInit(SECMODModule *mod, SECMODModule **reload,
}
}
if (crv != CKR_OK) {
if (pInitArgs == NULL ||
if (!mod->isThreadSafe ||
crv == CKR_NETSCAPE_CERTDB_FAILED ||
crv == CKR_NETSCAPE_KEYDB_FAILED) {
PORT_SetError(PK11_MapError(crv));
return SECFailure;
}
/* If we had attempted to init a single threaded module "with"
* parameters and it failed, should we retry "without" parameters?
* (currently we don't retry in this scenario) */
if (!loadSingleThreadedModules) {
PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11);
return SECFailure;
}
/* If we arrive here, the module failed a ThreadSafe init. */
mod->isThreadSafe = PR_FALSE;
crv = PK11_GETTAB(mod)->C_Initialize(NULL);
if (!mod->libraryParams) {
pInitArgs = NULL;
} else {
moduleArgs = secmodNoLockArgs;
moduleArgs.LibraryParameters = (void *) mod->libraryParams;
pInitArgs = &moduleArgs;
}
crv = PK11_GETTAB(mod)->C_Initialize(pInitArgs);
if ((CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) &&
(!enforceAlreadyInitializedError)) {
*alreadyLoaded = PR_TRUE;
......
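Review bot: A non-thread-safe module is now initialised differently depending on whether it has parameters: with `mod->libraryParams == NULL` it gets `pInitArgs = NULL`, but with parameters it gets `secmodNoLockArgs`, which sets `CKF_LIBRARY_CANT_CREATE_OS_THREADS`. A module that needs to spawn its own threads could therefore fail initialisation only in the with-parameters case, and the same applies to the retry path after a failed thread-safe init. If the flag is intended, `secmodNoLockArgs` should carry a comment saying why, e.g. `/* no locking callbacks; the module must not create OS threads */`; if it is not, the flags field should be 0 to match the NULL case. secmod_ModuleInit continues outside the hunks.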
......@@ -6,6 +6,7 @@
#include "secitem.h"
#include "secport.h"
#include "secerr.h"
#include "secoid.h"
/* if to->data is not NULL, and to->len is large enough to hold the result,
* then the resultant OID will be copyed into to->data, and to->len will be
......@@ -112,3 +113,33 @@ bad_data:
}
return rv;
}
SECStatus
SEC_NumberOrNameStringToOIDTag(PLArenaPool *arena, SECOidTag *to, const char *from)
{
SECStatus rv;
SECOidTag tag;
SECOidData *coid;
/* try dotted form first */
rv = SEC_StringToOID(arena, to, from, strlen(from));
if (rv == SECSuccess) {
return rv;
}
/* Check to see if it matches a name in our oid table.
* SECOID_FindOIDByTag returns NULL if tag is out of bounds.
*/
tag = SEC_OID_UNKNOWN;
coid = SECOID_FindOIDByTag_Util(tag);
for ( ; coid; coid = SECOID_FindOIDByTag(++tag)) {
if (PORT_Strcasecmp(from, coid->desc) == 0) {
break;
}
}
if (coid == NULL) {
/* none found */
return SECFailure;
}
return SECITEM_CopyItem(arena, to, &coid->oid);
}
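Review bot: SEC_NumberOrNameStringToOIDTag declares `to` as `SECOidTag *` but hands it to `SEC_StringToOID` and `SECITEM_CopyItem`, both of which fill in an item (the comment above SEC_StringToOID speaks of `to->data` and `to->len`). A caller that follows the prototype and passes the address of a tag variable would have a whole SECItem written over it. The parameter should be `SECItem *to`, as in the `GetOidFromString` declaration added elsewhere in this commit, and the function name should say OID rather than OIDTag. The name loop also mixes `SECOID_FindOIDByTag_Util` with `SECOID_FindOIDByTag` and compares `coid->desc` without checking it for NULL.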
......@@ -1176,6 +1176,201 @@ cert_extensions()
done < ${QADIR}/cert/certext.txt
}
cert_make_with_param()
{
DIRPASS="$1"
CERTNAME="$2"
MAKE="$3"
SUBJ="$4"
EXTRA="$5"
EXPECT="$6"
TESTNAME="$7"
echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
RET=$?
if [ "${RET}" -ne "${EXPECT}" ]; then
# if we expected failure to create, then delete unexpected certificate
if [ "${EXPECT}" -ne 0 ]; then
${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
fi
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}"
cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed"
return 1
fi
html_passed "${TESTNAME} (${COUNT})"
return 0
}
cert_list_and_count_dns()
{
DIRPASS="$1"
CERTNAME="$2"
EXPECT="$3"
EXPECTCOUNT="$4"
TESTNAME="$5"
echo certutil ${DIRPASS} -L ${CERTNAME}
${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME}
RET=$?
if [ "${RET}" -ne "${EXPECT}" ]; then
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - list and count"
cert_log "ERROR: ${TESTNAME} - list and count failed"
return 1
fi
LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS`
if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - list and count"
cert_log "ERROR: ${TESTNAME} - list and count failed"
return 1
fi
html_passed "${TESTNAME} (${COUNT})"
return 0
}
cert_dump_ext_to_file()
{
DIRPASS="$1"
CERTNAME="$2"
OID="$3"
OUTFILE="$4"
EXPECT="$5"
TESTNAME="$6"
echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID}
echo "writing output to ${OUTFILE}"
${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE}
RET=$?
if [ "${RET}" -ne "${EXPECT}" ]; then
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - dump to file"
cert_log "ERROR: ${TESTNAME} - dump to file failed"
return 1
fi
html_passed "${TESTNAME} (${COUNT})"
return 0
}
cert_delete()
{
DIRPASS="$1"
CERTNAME="$2"
EXPECT="$3"
TESTNAME="$4"
echo certutil ${DIRPASS} -D ${CERTNAME}
${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
RET=$?
if [ "${RET}" -ne "${EXPECT}" ]; then
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - delete cert"
cert_log "ERROR: ${TESTNAME} - delete cert failed"
return 1
fi
html_passed "${TESTNAME} (${COUNT})"
return 0
}
cert_inc_count()
{
COUNT=`expr ${COUNT} + 1`
}
############################## cert_crl_ssl ############################
# test adding subject-alt-name, dumping, and adding generic extension
########################################################################
cert_san_and_generic_extensions()
{
EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der
DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}"
CERTNAME="-n WithSAN"
MAKE="-S -t ,, -x -z ${R_NOISE_FILE}"
SUBJ="CN=example.com"
TESTNAME="san-and-generic-extensions"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extSAN example.com" 255 \
"create cert with invalid SAN parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extSAN example.com,dns:www.example.com" 255 \
"create cert with invalid SAN parameter"
TN="create cert with valid SAN parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extSAN dns:example.com,dns:www.example.com" 0 \
"${TN}"
cert_inc_count
cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
"${TN}"
cert_inc_count
cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \
"dump extension 2.5.29.17 to file ${EXTDUMP}"
cert_inc_count
cert_delete "${DIR}" "${CERTNAME}" 0 \
"${TN}"
cert_inc_count
cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
"expect failure to list cert, because we deleted it"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extGeneric ${EXTDUMP}" 255 \
"create cert with invalid generic ext parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extGeneric not-critical:${EXTDUMP}" 255 \
"create cert with invalid generic ext parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \
"create cert with invalid generic ext parameter"
TN="create cert with valid generic ext parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \
"${TN}"
cert_inc_count
cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
"${TN}"
cert_inc_count
cert_delete "${DIR}" "${CERTNAME}" 0 \
"${TN}"
cert_inc_count
cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
"expect failure to list cert, because we deleted it"
}
############################## cert_crl_ssl ############################
# local shell function to generate certs and crls for SSL tests
########################################################################
......@@ -1513,6 +1708,7 @@ if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
fi
cert_eccurves
cert_extensions
cert_san_and_generic_extensions
cert_test_password
cert_test_distrust
cert_test_ocspresp
......
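Review bot: The banner above cert_san_and_generic_extensions still reads `cert_crl_ssl`, copied from the next function; it should name the function it documents, `############## cert_san_and_generic_extensions ##############`. The new helpers assign DIRPASS, CERTNAME, EXPECT, TESTNAME and the rest as shell globals, so the values from the last call stay set for the tests that run afterwards; a short comment on each helper listing its positional arguments and noting this would help. In cert_dump_ext_to_file the redirect target is unquoted, `> ${OUTFILE}`, which breaks if the extensions directory path contains spaces; `> "${OUTFILE}"` is safer.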