crl-revoked.test 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232
  1. #!/usr/bin/env bash
  2. #crl.test
  3. # if we can, isolate the network namespace to eliminate port collisions.
  4. if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
  5. if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
  6. export NETWORK_UNSHARE_HELPER_CALLED=yes
  7. exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
  8. fi
  9. elif [ "${AM_BWRAPPED-}" != "yes" ]; then
  10. bwrap_path="$(command -v bwrap)"
  11. if [ -n "$bwrap_path" ]; then
  12. export AM_BWRAPPED=yes
  13. exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
  14. fi
  15. unset AM_BWRAPPED
  16. fi
  17. # Workaround to not pollute the certs folder with our files that can impact other tests
  18. RUNNING_DIR=$(mktemp -d)
  19. cp -rp . $RUNNING_DIR/.
  20. cd $RUNNING_DIR
  21. revocation_code="-361"
  22. revocation_code_openssl="23"
  23. exit_code=1
  24. counter=0
  25. # need a unique resume port since may run the same time as testsuite
  26. # use server port zero hack to get one
  27. crl_port=0
  28. #no_pid tells us process was never started if -1
  29. no_pid=-1
  30. #server_pid captured on startup, stores the id of the server process
  31. server_pid=$no_pid
  32. # let's use absolute path to a local dir (make distcheck may be in sub dir)
  33. # also let's add some randomness by adding pid in case multiple 'make check's
  34. # per source tree
  35. ready_file=`pwd`/wolfssl_crl_ready$$
  36. CERT_DIR=certs
  37. remove_ready_file() {
  38. if test -e "$ready_file"; then
  39. echo -e "removing existing ready file"
  40. rm "$ready_file"
  41. fi
  42. }
  43. # trap this function so if user aborts with ^C or other kill signal we still
  44. # get an exit that will in turn clean up the file system
  45. abort_trap() {
  46. echo "script aborted"
  47. if [ $server_pid != $no_pid ]
  48. then
  49. echo "killing server"
  50. kill -9 $server_pid
  51. fi
  52. exit_code=2 #different exit code in case of user interrupt
  53. echo "got abort signal, exiting with $exit_code"
  54. exit $exit_code
  55. }
  56. trap abort_trap INT TERM
  57. # trap this function so that if we exit on an error the file system will still
  58. # be restored and the other tests may still pass. Never call this function
  59. # instead use "exit <some value>" and this function will run automatically
  60. restore_file_system() {
  61. remove_ready_file
  62. cd / && rm -rf "$RUNNING_DIR"
  63. }
  64. trap restore_file_system EXIT
  65. run_test() {
  66. echo -e "\nStarting example server for crl test...\n"
  67. remove_ready_file
  68. # starts the server on crl_port, -R generates ready file to be used as a
  69. # mutex lock, -c loads the revoked certificate. We capture the processid
  70. # into the variable server_pid
  71. ./examples/server/server -R "$ready_file" -p $crl_port \
  72. -c ${CERT_DIR}/server-revoked-cert.pem \
  73. -k ${CERT_DIR}/server-revoked-key.pem &
  74. server_pid=$!
  75. while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
  76. echo -e "waiting for ready file..."
  77. sleep 0.1
  78. counter=$((counter+ 1))
  79. done
  80. # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
  81. sleep 0.1
  82. if test -e "$ready_file"; then
  83. echo -e "found ready file, starting client..."
  84. else
  85. echo -e "NO ready file ending test..."
  86. exit 1
  87. fi
  88. # get created port 0 ephemeral port
  89. crl_port="$(cat "$ready_file")"
  90. # starts client on crl_port and captures the output from client
  91. capture_out=$(./examples/client/client -p $crl_port 2>&1)
  92. client_result=$?
  93. wait $server_pid
  94. server_result=$?
  95. case "$capture_out" in
  96. *"$revocation_code"*|*"$revocation_code_openssl"*)
  97. # only exit with zero on detection of the expected error code
  98. echo ""
  99. echo "Successful Revocation!!!!"
  100. echo ""
  101. if [ $exit_hash_dir_code -ne 0 ]; then
  102. exit_code=1
  103. else
  104. exit_code=0
  105. echo "exiting with $exit_code"
  106. exit $exit_code
  107. fi
  108. ;;
  109. *)
  110. echo ""
  111. echo "Certificate was not revoked saw this instead: $capture_out"
  112. echo ""
  113. echo "configure with --enable-crl and run this script again"
  114. echo ""
  115. esac
  116. }
  117. run_hashdir_test() {
  118. echo -e "\n\nHash dir with CRL and Certificate loading"
  119. remove_ready_file
  120. # create hashed cert and crl
  121. pushd ${CERT_DIR}
  122. # ca file
  123. ca_hash_name=`openssl x509 -in ca-cert.pem -hash -noout`
  124. if [ -f "$ca_hash_name".0 ]; then
  125. rm "$ca_hash_name".0
  126. fi
  127. ln -s ca-cert.pem "$ca_hash_name".0
  128. # crl file
  129. crl_hash_name=`openssl crl -in ./crl/crl.pem -hash -noout`
  130. if [ -f "$crl_hash_name".r0 ]; then
  131. rm "$crl_hash_name".r0
  132. fi
  133. ln -s ./crl/crl.pem "$crl_hash_name".r0
  134. popd
  135. # starts the server on crl_port, -R generates ready file to be used as a
  136. # mutex lock, -c loads the revoked certificate. We capture the processid
  137. # into the variable server_pid
  138. ./examples/server/server -R "$ready_file" -p $crl_port \
  139. -c ${CERT_DIR}/server-revoked-cert.pem \
  140. -k ${CERT_DIR}/server-revoked-key.pem &
  141. server_pid=$!
  142. while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
  143. echo -e "waiting for ready file..."
  144. sleep 0.1
  145. counter=$((counter+ 1))
  146. done
  147. # get created port 0 ephemeral port
  148. crl_port="$(cat "$ready_file")"
  149. # starts client on crl_port and captures the output from client
  150. capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
  151. client_result=$?
  152. wait $server_pid
  153. server_result=$?
  154. case "$capture_out" in
  155. *"$revocation_code"*|*"$revocation_code_openssl"*)
  156. # only exit with zero on detection of the expected error code
  157. echo ""
  158. echo "Successful Revocation!!!! with hash dir"
  159. echo ""
  160. exit_hash_dir_code=0
  161. ;;
  162. *)
  163. echo ""
  164. echo "Certificate was not revoked saw this instead: $capture_out"
  165. echo ""
  166. echo "configure with --enable-crl and run this script again"
  167. echo ""
  168. exit_hash_dir_code=1
  169. esac
  170. # clean up hashed cert and crl
  171. pushd ${CERT_DIR}
  172. rm "$ca_hash_name".0
  173. rm "$crl_hash_name".r0
  174. popd
  175. }
  176. ######### begin program #########
  177. # Check for enabling hash dir feature
  178. ./examples/client/client -? 2>&1 | grep -- 'hash dir'
  179. if [ $? -eq 0 ]; then
  180. hash_dir=yes
  181. exit_hash_dir_code=1
  182. fi
  183. if [ "$hash_dir" = "yes" ]; then
  184. run_hashdir_test
  185. else
  186. exit_hash_dir_code=0
  187. fi
  188. # Check that server is enabled
  189. ./examples/server/server -? 2>&1 | grep -- 'Create Ready file'
  190. if [ $? -eq 0 ]; then
  191. # run the test
  192. run_test
  193. else
  194. exit_code=0
  195. fi
  196. # If we get to this exit, exit_code will be a 1 signaling failure
  197. echo "exiting with $exit_code certificate was not revoked"
  198. exit $exit_code
  199. ########## end program ##########