227 lines
6.3 KiB
Plaintext
227 lines
6.3 KiB
Plaintext
|
#!/bin/bash
|
||
|
|
||
|
#crl.test
|
||
|
# if we can, isolate the network namespace to eliminate port collisions.
|
||
|
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
|
||
|
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
|
||
|
export NETWORK_UNSHARE_HELPER_CALLED=yes
|
||
|
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
|
||
|
fi
|
||
|
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
|
||
|
bwrap_path="$(command -v bwrap)"
|
||
|
if [ -n "$bwrap_path" ]; then
|
||
|
export AM_BWRAPPED=yes
|
||
|
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
|
||
|
fi
|
||
|
unset AM_BWRAPPED
|
||
|
fi
|
||
|
|
||
|
# Workaround to not pollute the certs folder with our files that can impact other tests
|
||
|
RUNNING_DIR=$(mktemp -d)
|
||
|
cp -rp . $RUNNING_DIR/.
|
||
|
cd $RUNNING_DIR
|
||
|
|
||
|
revocation_code="-361"
|
||
|
revocation_code_openssl="23"
|
||
|
exit_code=1
|
||
|
counter=0
|
||
|
# need a unique resume port since may run the same time as testsuite
|
||
|
# use server port zero hack to get one
|
||
|
crl_port=0
|
||
|
#no_pid tells us process was never started if -1
|
||
|
no_pid=-1
|
||
|
#server_pid captured on startup, stores the id of the server process
|
||
|
server_pid=$no_pid
|
||
|
# let's use absolute path to a local dir (make distcheck may be in sub dir)
|
||
|
# also let's add some randomness by adding pid in case multiple 'make check's
|
||
|
# per source tree
|
||
|
ready_file=`pwd`/wolfssl_crl_ready$$
|
||
|
CERT_DIR=certs
|
||
|
|
||
|
remove_ready_file() {
|
||
|
if test -e "$ready_file"; then
|
||
|
echo -e "removing existing ready file"
|
||
|
rm "$ready_file"
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
# trap this function so if user aborts with ^C or other kill signal we still
|
||
|
# get an exit that will in turn clean up the file system
|
||
|
abort_trap() {
|
||
|
echo "script aborted"
|
||
|
|
||
|
if [ $server_pid != $no_pid ]
|
||
|
then
|
||
|
echo "killing server"
|
||
|
kill -9 $server_pid
|
||
|
fi
|
||
|
|
||
|
exit_code=2 #different exit code in case of user interrupt
|
||
|
|
||
|
echo "got abort signal, exiting with $exit_code"
|
||
|
exit $exit_code
|
||
|
}
|
||
|
trap abort_trap INT TERM
|
||
|
|
||
|
|
||
|
# trap this function so that if we exit on an error the file system will still
|
||
|
# be restored and the other tests may still pass. Never call this function
|
||
|
# instead use "exit <some value>" and this function will run automatically
|
||
|
restore_file_system() {
|
||
|
remove_ready_file
|
||
|
cd / && rm -rf "$RUNNING_DIR"
|
||
|
}
|
||
|
trap restore_file_system EXIT
|
||
|
|
||
|
run_test() {
|
||
|
echo -e "\nStarting example server for crl test...\n"
|
||
|
|
||
|
remove_ready_file
|
||
|
|
||
|
# starts the server on crl_port, -R generates ready file to be used as a
|
||
|
# mutex lock, -c loads the revoked certificate. We capture the processid
|
||
|
# into the variable server_pid
|
||
|
./examples/server/server -R "$ready_file" -p $crl_port \
|
||
|
-c ${CERT_DIR}/server-revoked-cert.pem \
|
||
|
-k ${CERT_DIR}/server-revoked-key.pem &
|
||
|
server_pid=$!
|
||
|
|
||
|
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
|
||
|
echo -e "waiting for ready file..."
|
||
|
sleep 0.1
|
||
|
counter=$((counter+ 1))
|
||
|
done
|
||
|
|
||
|
# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
|
||
|
sleep 0.1
|
||
|
|
||
|
if test -e "$ready_file"; then
|
||
|
echo -e "found ready file, starting client..."
|
||
|
else
|
||
|
echo -e "NO ready file ending test..."
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
# get created port 0 ephemeral port
|
||
|
crl_port="$(cat "$ready_file")"
|
||
|
|
||
|
# starts client on crl_port and captures the output from client
|
||
|
capture_out=$(./examples/client/client -p $crl_port 2>&1)
|
||
|
client_result=$?
|
||
|
|
||
|
wait $server_pid
|
||
|
server_result=$?
|
||
|
|
||
|
case "$capture_out" in
|
||
|
*"$revocation_code"*|*"$revocation_code_openssl"*)
|
||
|
# only exit with zero on detection of the expected error code
|
||
|
echo ""
|
||
|
echo "Successful Revocation!!!!"
|
||
|
echo ""
|
||
|
if [ $exit_hash_dir_code -ne 0 ]; then
|
||
|
exit_code=1
|
||
|
else
|
||
|
exit_code=0
|
||
|
echo "exiting with $exit_code"
|
||
|
exit $exit_code
|
||
|
fi
|
||
|
;;
|
||
|
*)
|
||
|
echo ""
|
||
|
echo "Certificate was not revoked saw this instead: $capture_out"
|
||
|
echo ""
|
||
|
echo "configure with --enable-crl and run this script again"
|
||
|
echo ""
|
||
|
esac
|
||
|
}
|
||
|
|
||
|
run_hashdir_test() {
|
||
|
echo -e "\n\nHash dir with CRL and Certificate loading"
|
||
|
|
||
|
remove_ready_file
|
||
|
# create hashed cert and crl
|
||
|
pushd ${CERT_DIR}
|
||
|
# ca file
|
||
|
ca_hash_name=`openssl x509 -in ca-cert.pem -hash -noout`
|
||
|
if [ -f "$ca_hash_name".0 ]; then
|
||
|
rm "$ca_hash_name".0
|
||
|
fi
|
||
|
ln -s ca-cert.pem "$ca_hash_name".0
|
||
|
# crl file
|
||
|
crl_hash_name=`openssl crl -in ./crl/crl.pem -hash -noout`
|
||
|
if [ -f "$crl_hash_name".r0 ]; then
|
||
|
rm "$crl_hash_name".r0
|
||
|
fi
|
||
|
ln -s ./crl/crl.pem "$crl_hash_name".r0
|
||
|
popd
|
||
|
|
||
|
# starts the server on crl_port, -R generates ready file to be used as a
|
||
|
# mutex lock, -c loads the revoked certificate. We capture the processid
|
||
|
# into the variable server_pid
|
||
|
./examples/server/server -R "$ready_file" -p $crl_port \
|
||
|
-c ${CERT_DIR}/server-revoked-cert.pem \
|
||
|
-k ${CERT_DIR}/server-revoked-key.pem &
|
||
|
server_pid=$!
|
||
|
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
|
||
|
echo -e "waiting for ready file..."
|
||
|
sleep 0.1
|
||
|
counter=$((counter+ 1))
|
||
|
done
|
||
|
|
||
|
# get created port 0 ephemeral port
|
||
|
crl_port="$(cat "$ready_file")"
|
||
|
|
||
|
# starts client on crl_port and captures the output from client
|
||
|
capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
|
||
|
client_result=$?
|
||
|
|
||
|
wait $server_pid
|
||
|
server_result=$?
|
||
|
|
||
|
case "$capture_out" in
|
||
|
*"$revocation_code"*|*"$revocation_code_openssl"*)
|
||
|
# only exit with zero on detection of the expected error code
|
||
|
echo ""
|
||
|
echo "Successful Revocation!!!! with hash dir"
|
||
|
echo ""
|
||
|
exit_hash_dir_code=0
|
||
|
;;
|
||
|
*)
|
||
|
echo ""
|
||
|
echo "Certificate was not revoked saw this instead: $capture_out"
|
||
|
echo ""
|
||
|
echo "configure with --enable-crl and run this script again"
|
||
|
echo ""
|
||
|
exit_hash_dir_code=1
|
||
|
esac
|
||
|
|
||
|
# clean up hashed cert and crl
|
||
|
pushd ${CERT_DIR}
|
||
|
rm "$ca_hash_name".0
|
||
|
rm "$crl_hash_name".r0
|
||
|
popd
|
||
|
|
||
|
}
|
||
|
######### begin program #########
|
||
|
|
||
|
# Check for enabling hash dir feature
|
||
|
./examples/client/client -? 2>&1 | grep -- 'hash dir'
|
||
|
if [ $? -eq 0 ]; then
|
||
|
hash_dir=yes
|
||
|
exit_hash_dir_code=1
|
||
|
fi
|
||
|
|
||
|
if [ "$hash_dir" = "yes" ]; then
|
||
|
run_hashdir_test
|
||
|
else
|
||
|
exit_hash_dir_code=0
|
||
|
fi
|
||
|
|
||
|
# run the test
|
||
|
run_test
|
||
|
|
||
|
# If we get to this exit, exit_code will be a 1 signaling failure
|
||
|
echo "exiting with $exit_code certificate was not revoked"
|
||
|
exit $exit_code
|
||
|
########## end program ##########
|