2
0

trusted_peer.test 8.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304
  1. #!/usr/bin/env bash
  2. # trusted_peer.test
  3. # copyright wolfSSL 2016
  4. # if we can, isolate the network namespace to eliminate port collisions.
  5. if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
  6. if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
  7. export NETWORK_UNSHARE_HELPER_CALLED=yes
  8. exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
  9. fi
  10. elif [ "${AM_BWRAPPED-}" != "yes" ]; then
  11. bwrap_path="$(command -v bwrap)"
  12. if [ -n "$bwrap_path" ]; then
  13. export AM_BWRAPPED=yes
  14. exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
  15. fi
  16. unset AM_BWRAPPED
  17. fi
  18. # getting unique port is modeled after resume.test script
  19. # need a unique port since may run the same time as testsuite
  20. # use server port zero hack to get one
  21. port=0
  22. no_pid=-1
  23. server_pid=$no_pid
  24. counter=0
  25. # let's use absolute path to a local dir (make distcheck may be in sub dir)
  26. # also let's add some randomness by adding pid in case multiple 'make check's
  27. # per source tree
  28. ready_file=`pwd`/wolfssl_tp_ready$$
  29. # variables for certs so can use RSA or ECC
  30. client_cert=`pwd`/certs/client-cert.pem
  31. client_ca=`pwd`/certs/ca-cert.pem
  32. client_key=`pwd`/certs/client-key.pem
  33. ca_key=`pwd`/certs/ca-key.pem
  34. server_cert=`pwd`/certs/server-cert.pem
  35. server_key=`pwd`/certs/server-key.pem
  36. combined_cert=`pwd`/certs/client_combined.pem
  37. wrong_ca=`pwd`/certs/wolfssl-website-ca.pem
  38. wrong_cert=`pwd`/certs/server-revoked-cert.pem
  39. echo "ready file \"$ready_file\""
  40. create_port() {
  41. while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
  42. echo -e "waiting for ready file..."
  43. sleep 0.1
  44. counter=$((counter+ 1))
  45. done
  46. if test -e "$ready_file"; then
  47. echo -e "found ready file, starting client..."
  48. # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
  49. sleep 0.1
  50. # get created port 0 ephemeral port
  51. port=`cat "$ready_file"`
  52. else
  53. echo -e "NO ready file ending test..."
  54. do_cleanup
  55. fi
  56. }
  57. remove_ready_file() {
  58. if test -e "$ready_file"; then
  59. echo -e "removing existing ready file"
  60. rm "$ready_file"
  61. fi
  62. }
  63. do_cleanup() {
  64. echo "in cleanup"
  65. if [ $server_pid != $no_pid ]
  66. then
  67. echo "killing server"
  68. kill -9 $server_pid
  69. fi
  70. remove_ready_file
  71. }
  72. do_trap() {
  73. echo "got trap"
  74. do_cleanup
  75. exit 1
  76. }
  77. trap do_trap INT TERM
  78. [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
  79. # Look for if RSA and/or ECC is enabled and adjust certs/keys
  80. ciphers=`./examples/client/client -e`
  81. if [[ "$ciphers" != *"RSA"* ]]; then
  82. if [[ $ciphers == *"ECDSA"* ]]; then
  83. client_cert=`pwd`/certs/client-ecc-cert.pem
  84. client_ca=`pwd`/certs/server-ecc.pem
  85. client_key=`pwd`/certs/ecc-client-key.pem
  86. ca_key=`pwd`/certs/ecc-key.pem
  87. server_cert=`pwd`/certs/server-ecc.pem
  88. server_key=`pwd`/certs/ecc-key.pem
  89. wrong_ca=`pwd`/certs/server-ecc-comp.pem
  90. wrong_cert=`pwd`/certs/server-ecc-comp.pem
  91. else
  92. echo "configure options not set up for test. No RSA or ECC"
  93. exit 0
  94. fi
  95. fi
  96. # CRL list not set up for tests
  97. crl_test=`./examples/client/client -h`
  98. if [[ "$crl_test" == *"-C "* ]]; then
  99. echo "test not set up to run with CRL"
  100. exit 0
  101. fi
  102. # Test for trusted peer certs build
  103. echo ""
  104. echo "Checking built with trusted peer certs "
  105. echo "-----------------------------------------------------"
  106. port=0
  107. remove_ready_file
  108. ./examples/server/server -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
  109. server_pid=$!
  110. create_port
  111. ./examples/client/client -A "$client_ca" -p $port
  112. RESULT=$?
  113. remove_ready_file
  114. # if fail here then is a settings issue so return 0
  115. if [ $RESULT -ne 0 ]; then
  116. echo -e "\n\nTrusted peer certs not enabled \"WOLFSSL_TRUST_PEER_CERT\""
  117. do_cleanup
  118. exit 0
  119. fi
  120. echo ""
  121. # Test that using no CA's and only trusted peer certs works
  122. echo "Server and Client relying on trusted peer cert loaded"
  123. echo "-----------------------------------------------------"
  124. port=0
  125. ./examples/server/server -A "$wrong_ca" -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
  126. server_pid=$!
  127. create_port
  128. ./examples/client/client -A "$wrong_ca" -E "$server_cert" -c "$client_cert" -p $port
  129. RESULT=$?
  130. remove_ready_file
  131. if [ $RESULT -ne 0 ]; then
  132. echo -e "\nServer and Client trusted peer cert failed!"
  133. do_cleanup
  134. exit 1
  135. fi
  136. echo ""
  137. # Test that using server trusted peer certs works
  138. echo "Server relying on trusted peer cert loaded"
  139. echo "-----------------------------------------------------"
  140. port=0
  141. ./examples/server/server -A "$wrong_ca" -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
  142. server_pid=$!
  143. create_port
  144. ./examples/client/client -A "$client_ca" -c "$client_cert" -p $port
  145. RESULT=$?
  146. remove_ready_file
  147. if [ $RESULT -ne 0 ]; then
  148. echo -e "\nServer trusted peer cert test failed!"
  149. do_cleanup
  150. exit 1
  151. fi
  152. echo ""
  153. # Test that using client trusted peer certs works
  154. echo "Client relying on trusted peer cert loaded"
  155. echo "-----------------------------------------------------"
  156. port=0
  157. ./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
  158. server_pid=$!
  159. create_port
  160. ./examples/client/client -A "$wrong_ca" -E "$server_cert" -p $port
  161. RESULT=$?
  162. remove_ready_file
  163. if [ $RESULT -ne 0 ]; then
  164. echo -e "\nClient trusted peer cert test failed!"
  165. do_cleanup
  166. exit 1
  167. fi
  168. echo ""
  169. # Test that client fall through to CA works
  170. echo "Client fall through to loaded CAs"
  171. echo "-----------------------------------------------------"
  172. port=0
  173. ./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
  174. server_pid=$!
  175. create_port
  176. ./examples/client/client -A "$client_ca" -E "$wrong_cert" -p $port
  177. RESULT=$?
  178. remove_ready_file
  179. if [ $RESULT -ne 0 ]; then
  180. echo -e "\nClient trusted peer cert fall through to CA test failed!"
  181. do_cleanup
  182. exit 1
  183. fi
  184. echo ""
  185. # Test that client can fail
  186. # check if using ECC client example is hard coded to load correct ECC ca so skip
  187. if [[ $wrong_ca != *"ecc"* ]]; then
  188. echo "Client wrong CA and wrong trusted peer cert loaded"
  189. echo "-----------------------------------------------------"
  190. port=0
  191. ./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
  192. server_pid=$!
  193. create_port
  194. ./examples/client/client -A "$wrong_ca" -E "$wrong_cert" -p $port
  195. RESULT=$?
  196. remove_ready_file
  197. if [ $RESULT -eq 0 ]; then
  198. echo -e "\nClient trusted peer cert test failed!"
  199. do_cleanup
  200. exit 1
  201. fi
  202. echo ""
  203. fi
  204. # Test that server can fail
  205. echo "Server wrong CA and wrong trusted peer cert loaded"
  206. echo "-----------------------------------------------------"
  207. port=0
  208. ./examples/server/server -A "$wrong_ca" -E "$wrong_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
  209. server_pid=$!
  210. create_port
  211. ./examples/client/client -A "$client_ca" -p $port
  212. RESULT=$?
  213. remove_ready_file
  214. if [ $RESULT -eq 0 ]; then
  215. echo -e "\nServer trusted peer cert test failed!"
  216. do_cleanup
  217. exit 1
  218. fi
  219. echo ""
  220. # Test that server fall through to CA works
  221. echo "Server fall through to loaded CAs"
  222. echo "-----------------------------------------------------"
  223. port=0
  224. ./examples/server/server -E "$wrong_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
  225. server_pid=$!
  226. create_port
  227. ./examples/client/client -A "$client_ca" -p $port
  228. RESULT=$?
  229. remove_ready_file
  230. if [ $RESULT -ne 0 ]; then
  231. echo -e "\nServer trusted peer cert fall through to CA test failed!"
  232. do_cleanup
  233. exit 1
  234. fi
  235. echo ""
  236. # test loading multiple certs
  237. echo "Server loading multiple trusted peer certs"
  238. echo "Test two success cases and one fail case"
  239. echo "-----------------------------------------------------"
  240. port=0
  241. cat "$client_cert" "$client_ca" > "$combined_cert"
  242. ./examples/server/server -i -A "$wrong_ca" -E "$combined_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p $port &
  243. server_pid=$!
  244. create_port
  245. ./examples/client/client -A "$client_ca" -c "$client_cert" -k "$client_key" -p $port
  246. RESULT=$?
  247. if [ $RESULT -ne 0 ]; then
  248. echo -e "\nServer load multiple trusted peer certs failed!"
  249. do_cleanup
  250. exit 1
  251. fi
  252. ./examples/client/client -A "$client_ca" -c "$client_ca" -k "$ca_key" -p $port
  253. RESULT=$?
  254. if [ $RESULT -ne 0 ]; then
  255. echo -e "\nServer load multiple trusted peer certs failed!"
  256. do_cleanup
  257. exit 1
  258. fi
  259. ./examples/client/client -A "$client_ca" -c "$wrong_cert" -k "$client_key" -p $port
  260. RESULT=$?
  261. if [ $RESULT -eq 0 ]; then
  262. echo -e "\nServer load multiple trusted peer certs failed!"
  263. do_cleanup
  264. exit 1
  265. fi
  266. do_cleanup # kill PID of server running in infinite loop
  267. rm "$combined_cert"
  268. remove_ready_file
  269. echo ""
  270. echo "-----------------------------------------------------"
  271. echo "ALL TESTS PASSED"
  272. echo "-----------------------------------------------------"
  273. exit 0