123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232 |
- #!/usr/bin/env bash
- #crl.test
- # if we can, isolate the network namespace to eliminate port collisions.
- if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
- if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
- export NETWORK_UNSHARE_HELPER_CALLED=yes
- exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
- fi
- elif [ "${AM_BWRAPPED-}" != "yes" ]; then
- bwrap_path="$(command -v bwrap)"
- if [ -n "$bwrap_path" ]; then
- export AM_BWRAPPED=yes
- exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
- fi
- unset AM_BWRAPPED
- fi
- # Workaround to not pollute the certs folder with our files that can impact other tests
- RUNNING_DIR=$(mktemp -d)
- cp -rp . $RUNNING_DIR/.
- cd $RUNNING_DIR
- revocation_code="-361"
- revocation_code_openssl="23"
- exit_code=1
- counter=0
- # need a unique resume port since may run the same time as testsuite
- # use server port zero hack to get one
- crl_port=0
- #no_pid tells us process was never started if -1
- no_pid=-1
- #server_pid captured on startup, stores the id of the server process
- server_pid=$no_pid
- # let's use absolute path to a local dir (make distcheck may be in sub dir)
- # also let's add some randomness by adding pid in case multiple 'make check's
- # per source tree
- ready_file=`pwd`/wolfssl_crl_ready$$
- CERT_DIR=certs
- remove_ready_file() {
- if test -e "$ready_file"; then
- echo -e "removing existing ready file"
- rm "$ready_file"
- fi
- }
- # trap this function so if user aborts with ^C or other kill signal we still
- # get an exit that will in turn clean up the file system
- abort_trap() {
- echo "script aborted"
- if [ $server_pid != $no_pid ]
- then
- echo "killing server"
- kill -9 $server_pid
- fi
- exit_code=2 #different exit code in case of user interrupt
- echo "got abort signal, exiting with $exit_code"
- exit $exit_code
- }
- trap abort_trap INT TERM
- # trap this function so that if we exit on an error the file system will still
- # be restored and the other tests may still pass. Never call this function
- # instead use "exit <some value>" and this function will run automatically
- restore_file_system() {
- remove_ready_file
- cd / && rm -rf "$RUNNING_DIR"
- }
- trap restore_file_system EXIT
- run_test() {
- echo -e "\nStarting example server for crl test...\n"
- remove_ready_file
- # starts the server on crl_port, -R generates ready file to be used as a
- # mutex lock, -c loads the revoked certificate. We capture the processid
- # into the variable server_pid
- ./examples/server/server -R "$ready_file" -p $crl_port \
- -c ${CERT_DIR}/server-revoked-cert.pem \
- -k ${CERT_DIR}/server-revoked-key.pem &
- server_pid=$!
- while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
- echo -e "waiting for ready file..."
- sleep 0.1
- counter=$((counter+ 1))
- done
- # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
- sleep 0.1
- if test -e "$ready_file"; then
- echo -e "found ready file, starting client..."
- else
- echo -e "NO ready file ending test..."
- exit 1
- fi
- # get created port 0 ephemeral port
- crl_port="$(cat "$ready_file")"
- # starts client on crl_port and captures the output from client
- capture_out=$(./examples/client/client -p $crl_port 2>&1)
- client_result=$?
- wait $server_pid
- server_result=$?
- case "$capture_out" in
- *"$revocation_code"*|*"$revocation_code_openssl"*)
- # only exit with zero on detection of the expected error code
- echo ""
- echo "Successful Revocation!!!!"
- echo ""
- if [ $exit_hash_dir_code -ne 0 ]; then
- exit_code=1
- else
- exit_code=0
- echo "exiting with $exit_code"
- exit $exit_code
- fi
- ;;
- *)
- echo ""
- echo "Certificate was not revoked saw this instead: $capture_out"
- echo ""
- echo "configure with --enable-crl and run this script again"
- echo ""
- esac
- }
- run_hashdir_test() {
- echo -e "\n\nHash dir with CRL and Certificate loading"
- remove_ready_file
- # create hashed cert and crl
- pushd ${CERT_DIR}
- # ca file
- ca_hash_name=`openssl x509 -in ca-cert.pem -hash -noout`
- if [ -f "$ca_hash_name".0 ]; then
- rm "$ca_hash_name".0
- fi
- ln -s ca-cert.pem "$ca_hash_name".0
- # crl file
- crl_hash_name=`openssl crl -in ./crl/crl.pem -hash -noout`
- if [ -f "$crl_hash_name".r0 ]; then
- rm "$crl_hash_name".r0
- fi
- ln -s ./crl/crl.pem "$crl_hash_name".r0
- popd
- # starts the server on crl_port, -R generates ready file to be used as a
- # mutex lock, -c loads the revoked certificate. We capture the processid
- # into the variable server_pid
- ./examples/server/server -R "$ready_file" -p $crl_port \
- -c ${CERT_DIR}/server-revoked-cert.pem \
- -k ${CERT_DIR}/server-revoked-key.pem &
- server_pid=$!
- while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
- echo -e "waiting for ready file..."
- sleep 0.1
- counter=$((counter+ 1))
- done
- # get created port 0 ephemeral port
- crl_port="$(cat "$ready_file")"
- # starts client on crl_port and captures the output from client
- capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
- client_result=$?
- wait $server_pid
- server_result=$?
- case "$capture_out" in
- *"$revocation_code"*|*"$revocation_code_openssl"*)
- # only exit with zero on detection of the expected error code
- echo ""
- echo "Successful Revocation!!!! with hash dir"
- echo ""
- exit_hash_dir_code=0
- ;;
- *)
- echo ""
- echo "Certificate was not revoked saw this instead: $capture_out"
- echo ""
- echo "configure with --enable-crl and run this script again"
- echo ""
- exit_hash_dir_code=1
- esac
- # clean up hashed cert and crl
- pushd ${CERT_DIR}
- rm "$ca_hash_name".0
- rm "$crl_hash_name".r0
- popd
- }
- ######### begin program #########
- # Check for enabling hash dir feature
- ./examples/client/client -? 2>&1 | grep -- 'hash dir'
- if [ $? -eq 0 ]; then
- hash_dir=yes
- exit_hash_dir_code=1
- fi
- if [ "$hash_dir" = "yes" ]; then
- run_hashdir_test
- else
- exit_hash_dir_code=0
- fi
- # Check that server is enabled
- ./examples/server/server -? 2>&1 | grep -- 'Create Ready file'
- if [ $? -eq 0 ]; then
- # run the test
- run_test
- else
- exit_code=0
- fi
- # If we get to this exit, exit_code will be a 1 signaling failure
- echo "exiting with $exit_code certificate was not revoked"
- exit $exit_code
- ########## end program ##########
|