
#!/bin/bash
#crl.test
# If a network-namespace helper is configured, re-exec this script under it so
# the example server's listening port cannot collide with other tests running
# at the same time. NETWORK_UNSHARE_HELPER_CALLED marks the re-exec'd child so
# it does not re-exec again.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
  if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
    export NETWORK_UNSHARE_HELPER_CALLED=yes
    exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
  fi
elif [[ "${AM_BWRAPPED-}" != "yes" ]]; then
  # No helper: fall back to bubblewrap, if installed, for the same isolation.
  # AM_BWRAPPED marks that we are already running inside the sandbox.
  bwrap_path=$(command -v bwrap)
  if [[ -n "$bwrap_path" ]]; then
    export AM_BWRAPPED=yes
    exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
  fi
  # bwrap is not available: do not leave the marker set for children.
  unset AM_BWRAPPED
fi
  17. # Workaround to not pollute the certs folder with our files that can impact other tests
  18. RUNNING_DIR=$(mktemp -d)
  19. cp -rp . $RUNNING_DIR/.
  20. cd $RUNNING_DIR
  21. revocation_code="-361"
  22. exit_code=1
  23. counter=0
  24. # need a unique resume port since may run the same time as testsuite
  25. # use server port zero hack to get one
  26. crl_port=0
  27. #no_pid tells us process was never started if -1
  28. no_pid=-1
  29. #server_pid captured on startup, stores the id of the server process
  30. server_pid=$no_pid
  31. # let's use absolute path to a local dir (make distcheck may be in sub dir)
  32. # also let's add some randomness by adding pid in case multiple 'make check's
  33. # per source tree
  34. ready_file=`pwd`/wolfssl_crl_ready$$
  35. CERT_DIR=certs
#######################################
# Delete the server's ready file if one is left over from an earlier run, so
# the wait loops cannot be fooled by a stale port number.
# Globals:   ready_file (read)
# Outputs:   a notice on stdout when a file was removed
# Returns:   0 when there was nothing to remove, otherwise rm's status
#######################################
remove_ready_file() {
  [[ -e "$ready_file" ]] || return 0
  printf '%s\n' "removing existing ready file"
  rm "$ready_file"
}
#######################################
# INT/TERM handler: stop the example server if we started one and leave with
# a status distinct from a test failure. Because it exits, the EXIT trap
# (restore_file_system) still runs and cleans up the temp copy of the tree.
# Globals:   server_pid, no_pid (read); exit_code (written)
# Outputs:   progress messages on stdout
# Returns:   never; exits with status 2
#######################################
abort_trap() {
  echo "script aborted"
  if [[ "$server_pid" != "$no_pid" ]]; then
    echo "killing server"
    kill -9 "$server_pid"
  fi
  # different exit code in case of user interrupt
  exit_code=2
  echo "got abort signal, exiting with $exit_code"
  exit "$exit_code"
}
  55. trap abort_trap INT TERM
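#######################################
# EXIT trap: put the file system back the way we found it so the other tests
# may still pass. Never call this function directly; use "exit <some value>"
# and it runs automatically. It also stops the example server when a run
# bailed out (e.g. "NO ready file" -> exit 1) while the server was still up,
# so no orphaned process is left holding its port.
# Globals:   RUNNING_DIR, server_pid, no_pid (read)
# Returns:   status of removing RUNNING_DIR
#######################################
restore_file_system() {
  remove_ready_file
  # Normal paths already wait for the server; only a server that is still
  # alive (kill -0 succeeds) needs to be stopped here.
  if [[ "$server_pid" != "$no_pid" ]] && kill -0 "$server_pid" 2>/dev/null; then
    kill "$server_pid" 2>/dev/null
  fi
  cd / && rm -rf -- "$RUNNING_DIR"
}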
  63. trap restore_file_system EXIT
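#######################################
# Plain CRL test: start the example server with the revoked certificate,
# connect with the example client and check that the client's output contains
# the revocation error code. Only that outcome (and a passing hash-dir run,
# if one happened) leaves the script with status 0.
# Globals:   ready_file, crl_port, CERT_DIR, revocation_code,
#            exit_hash_dir_code (read); server_pid, counter, exit_code (written)
# Outputs:   progress messages; on failure the captured client output
# Returns:   does not return on success (exit 0) or when the server never
#            wrote its ready file (exit 1); returns normally when the
#            revocation was not detected, leaving exit_code at 1
#######################################
run_test() {
  printf '\nStarting example server for crl test...\n\n'
  remove_ready_file
  # starts the server on crl_port, -R generates ready file to be used as a
  # mutex lock, -c loads the revoked certificate. We capture the processid
  # into the variable server_pid
  ./examples/server/server -R "$ready_file" -p "$crl_port" \
    -c "${CERT_DIR}/server-revoked-cert.pem" \
    -k "${CERT_DIR}/server-revoked-key.pem" &
  server_pid=$!
  # counter is shared with run_hashdir_test, which runs first; start the
  # 20 x 0.1 s budget afresh so its wait loop cannot eat into this one.
  counter=0
  while [[ ! -s "$ready_file" && "$counter" -lt 20 ]]; do
    echo "waiting for ready file..."
    sleep 0.1
    counter=$((counter + 1))
  done
  # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
  sleep 0.1
  if [[ -e "$ready_file" ]]; then
    echo "found ready file, starting client..."
  else
    echo "NO ready file ending test..."
    exit 1
  fi
  # get created port 0 ephemeral port
  crl_port=$(cat "$ready_file")
  # starts client on crl_port and captures the output from client
  capture_out=$(./examples/client/client -p "$crl_port" 2>&1)
  # exit statuses are recorded for debugging; the verdict is based on the
  # client's output, not on these codes
  client_result=$?
  wait "$server_pid"
  server_result=$?
  case "$capture_out" in
    *"$revocation_code"*)
      # only exit with zero on detection of the expected error code
      echo ""
      echo "Successful Revocation!!!!"
      echo ""
      # a failed hash-dir run still fails the script as a whole
      if [[ "$exit_hash_dir_code" -ne 0 ]]; then
        exit_code=1
      else
        exit_code=0
        echo "exiting with $exit_code"
        exit "$exit_code"
      fi
      ;;
    *)
      echo ""
      echo "Certificate was not revoked saw this instead: $capture_out"
      echo ""
      echo "configure with --enable-crl and run this script again"
      echo ""
      ;;
  esac
}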
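#######################################
# Hash-dir variant: expose the CA certificate and the CRL through hashed
# symlinks (<hash>.0 / <hash>.r0, as produced by "openssl ... -hash") inside
# CERT_DIR, run the same server/client exchange with the client's -9 option
# (the one gated on the 'hash dir' feature check in the main program), and
# record the verdict in exit_hash_dir_code for run_test to fold into the final
# status. The symlinks live in the temp copy of the tree and are removed again.
# Globals:   ready_file, crl_port, CERT_DIR, revocation_code (read);
#            server_pid, counter, exit_hash_dir_code (written)
# Outputs:   progress messages; pushd/popd echo the directory stack
# Returns:   0 after recording the result; exits 1 if CERT_DIR cannot be
#            entered or the server never produced its ready file
#######################################
run_hashdir_test() {
  printf '\n\nHash dir with CRL and Certificate loading\n'
  remove_ready_file
  # create hashed cert and crl; stop if the cert dir is missing rather than
  # dropping symlinks into whatever directory we happen to be in
  pushd "${CERT_DIR}" || exit 1
  # ca file
  ca_hash_name=$(openssl x509 -in ca-cert.pem -hash -noout)
  if [[ -f "$ca_hash_name".0 ]]; then
    rm "$ca_hash_name".0
  fi
  ln -s ca-cert.pem "$ca_hash_name".0
  # crl file
  crl_hash_name=$(openssl crl -in ./crl/crl.pem -hash -noout)
  if [[ -f "$crl_hash_name".r0 ]]; then
    rm "$crl_hash_name".r0
  fi
  ln -s ./crl/crl.pem "$crl_hash_name".r0
  popd
  # starts the server on crl_port, -R generates ready file to be used as a
  # mutex lock, -c loads the revoked certificate. We capture the processid
  # into the variable server_pid
  ./examples/server/server -R "$ready_file" -p "$crl_port" \
    -c "${CERT_DIR}/server-revoked-cert.pem" \
    -k "${CERT_DIR}/server-revoked-key.pem" &
  server_pid=$!
  # fresh 20 x 0.1 s budget for this wait loop (counter is shared with run_test)
  counter=0
  while [[ ! -s "$ready_file" && "$counter" -lt 20 ]]; do
    echo "waiting for ready file..."
    sleep 0.1
    counter=$((counter + 1))
  done
  # Without this check a missing ready file yields an empty port and a
  # confusing client failure instead of a clear diagnosis (run_test has the
  # same guard).
  if [[ ! -e "$ready_file" ]]; then
    echo "NO ready file ending test..."
    exit 1
  fi
  # get created port 0 ephemeral port
  crl_port=$(cat "$ready_file")
  # starts client on crl_port with hash-dir loading and captures its output
  capture_out=$(./examples/client/client -p "$crl_port" -9 2>&1)
  # exit statuses are recorded for debugging; the verdict is based on the
  # client's output, not on these codes
  client_result=$?
  wait "$server_pid"
  server_result=$?
  case "$capture_out" in
    *"$revocation_code"*)
      # only exit with zero on detection of the expected error code
      echo ""
      echo "Successful Revocation!!!! with hash dir"
      echo ""
      exit_hash_dir_code=0
      ;;
    *)
      echo ""
      echo "Certificate was not revoked saw this instead: $capture_out"
      echo ""
      echo "configure with --enable-crl and run this script again"
      echo ""
      exit_hash_dir_code=1
      ;;
  esac
  # clean up hashed cert and crl
  pushd "${CERT_DIR}" || return 1
  rm "$ca_hash_name".0
  rm "$crl_hash_name".r0
  popd
}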
######### begin program #########
# Check for enabling hash dir feature: only run the hash-dir variant when the
# client's usage text advertises it (the matching line is echoed as a record).
if ./examples/client/client -? 2>&1 | grep -- 'hash dir'; then
  hash_dir=yes
  exit_hash_dir_code=1
fi
if [[ "$hash_dir" == "yes" ]]; then
  run_hashdir_test
else
  # no hash-dir support to test, so it cannot fail the run
  exit_hash_dir_code=0
fi
# run the test
run_test
# If we get to this exit, exit_code will be a 1 signaling failure
echo "exiting with $exit_code certificate was not revoked"
exit $exit_code
########## end program ##########