wolfssl/scripts/crl-revoked.test

#!/bin/bash

#crl.test
CERT_DIR=certs

# if we can, isolate the network namespace to eliminate port collisions.
if [ "${AM_BWRAPPED-}" != "yes" ]; then
    bwrap_path="$(command -v bwrap)"
    if [ -n "$bwrap_path" ]; then
        export AM_BWRAPPED=yes
        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    unset AM_BWRAPPED
fi

revocation_code="-361"
exit_code=1
counter=0
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
crl_port=0
#no_pid tells us process was never started if -1
no_pid=-1
#server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_crl_ready$$

remove_ready_file() {
    if test -e "$ready_file"; then
        echo -e "removing existing ready file"
        rm "$ready_file"
    fi
}

# trap this function so if user aborts with ^C or other kill signal we still
# get an exit that will in turn clean up the file system
abort_trap() {
    echo "script aborted"

    if  [ $server_pid != $no_pid ]
    then
        echo "killing server"
        kill -9 $server_pid
    fi

    exit_code=2 #different exit code in case of user interrupt

    echo "got abort signal, exiting with $exit_code"
    exit $exit_code
}
trap abort_trap INT TERM


# trap this function so that if we exit on an error the file system will still
# be restored and the other tests may still pass. Never call this function
# instead use "exit <some value>" and this function will run automatically
restore_file_system() {
    remove_ready_file
}
trap restore_file_system EXIT

run_test() {
    echo -e "\nStarting example server for crl test...\n"

    remove_ready_file

    # starts the server on crl_port, -R generates ready file to be used as a
    # mutex lock, -c loads the revoked certificate. We capture the processid
    # into the variable server_pid
    ./examples/server/server -R "$ready_file" -p $crl_port \
                             -c ${CERT_DIR}/server-revoked-cert.pem \
                             -k ${CERT_DIR}/server-revoked-key.pem &
    server_pid=$!

    while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
        echo -e "waiting for ready file..."
        sleep 0.1
        counter=$((counter+ 1))
    done

    # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
    sleep 0.1

    if test -e "$ready_file"; then
        echo -e "found ready file, starting client..."
    else
        echo -e "NO ready file ending test..."
        exit 1
    fi

    # get created port 0 ephemeral port
    crl_port="$(cat "$ready_file")"

    # starts client on crl_port and captures the output from client
    capture_out=$(./examples/client/client -p $crl_port 2>&1)
    client_result=$?

    wait $server_pid
    server_result=$?

    case  "$capture_out" in
    *$revocation_code*)
        # only exit with zero on detection of the expected error code
        echo ""
        echo "Successful Revocation!!!!"
        echo ""
        if [ $exit_hash_dir_code -ne 0 ]; then
           exit_code=1
        else
           exit_code=0
           echo "exiting with $exit_code"
           exit $exit_code
        fi
        ;;
    *)
        echo ""
        echo "Certificate was not revoked saw this instead: $capture_out"
        echo ""
        echo "configure with --enable-crl and run this script again"
        echo ""
    esac
}

run_hashdir_test() {
  echo -e "\n\nHash dir with CRL and Certificate loading"

  remove_ready_file
  # create hashed cert and crl
  pushd ${CERT_DIR}
  # ca file
  ca_hash_name=`openssl x509 -in ca-cert.pem -hash -noout`
  if [ -f "$ca_hash_name".0 ]; then
     rm "$ca_hash_name".0
  fi
  ln -s ca-cert.pem "$ca_hash_name".0
  # crl file
  crl_hash_name=`openssl crl -in ./crl/crl.pem -hash -noout`
  if [ -f "$crl_hash_name".r0 ]; then
     rm "$crl_hash_name".r0
  fi
  ln -s ./crl/crl.pem "$crl_hash_name".r0
  popd
  
  # starts the server on crl_port, -R generates ready file to be used as a
  # mutex lock, -c loads the revoked certificate. We capture the processid
  # into the variable server_pid
  ./examples/server/server -R "$ready_file" -p $crl_port \
                             -c ${CERT_DIR}/server-revoked-cert.pem \
                             -k ${CERT_DIR}/server-revoked-key.pem &
  server_pid=$!
  while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
        echo -e "waiting for ready file..."
        sleep 0.1
        counter=$((counter+ 1))
  done

  # get created port 0 ephemeral port
  crl_port="$(cat "$ready_file")"
  
  # starts client on crl_port and captures the output from client
  capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
  client_result=$?
  
  wait $server_pid
  server_result=$?

  case  "$capture_out" in
    *$revocation_code*)
        # only exit with zero on detection of the expected error code
        echo ""
        echo "Successful Revocation!!!! with hash dir"
        echo ""
        exit_hash_dir_code=0
        ;;
    *)
        echo ""
        echo "Certificate was not revoked saw this instead: $capture_out"
        echo ""
        echo "configure with --enable-crl and run this script again"
        echo ""
        exit_hash_dir_code=1
    esac
  
  # clean up hashed cert and crl
  pushd ${CERT_DIR}
  rm "$ca_hash_name".0
  rm "$crl_hash_name".r0
  popd

}
######### begin program #########

# Check for enabling hash dir feature
./examples/client/client -? 2>&1 | grep -- 'hash dir'
if [ $? -eq 0 ]; then
   hash_dir=yes
   exit_hash_dir_code=1
fi

if [ "$hash_dir" = "yes" ]; then
   run_hashdir_test
else
   exit_hash_dir_code=0
fi

# run the test
run_test

# If we get to this exit, exit_code will be a 1 signaling failure
echo "exiting with $exit_code certificate was not revoked"
exit $exit_code
########## end program ##########