
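#!/bin/bash
# crl-revoked.test: start the example server with the revoked server
# certificate and check that the example client rejects it with the expected
# CRL error code. Run from the wolfSSL build tree (uses ./examples and ./certs).
CERT_DIR=certs

# If we can, isolate the network namespace to eliminate port collisions.
# AM_BWRAPPED marks the re-exec'd copy so this check does not recurse.
if [ "${AM_BWRAPPED-}" != "yes" ]; then
  bwrap_path="$(command -v bwrap)"
  if [ -n "$bwrap_path" ]; then
    export AM_BWRAPPED=yes
    exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
  fi
  unset AM_BWRAPPED
fi

# Error code the client output must contain for a revoked certificate.
revocation_code="-361"
# Script exit status: stays 1 (failure) unless a successful revocation is seen.
exit_code=1
# Number of 0.1s polls spent waiting for the server's ready file.
counter=0
# Need a unique port since this may run at the same time as the testsuite;
# port 0 asks the server for an ephemeral port, which it reports in the ready
# file.
crl_port=0
# no_pid tells us the server process was never started if -1
no_pid=-1
# server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
# Use an absolute path to a local dir (make distcheck may be in a sub dir) and
# add our pid for uniqueness in case multiple 'make check's run per source tree.
ready_file="$(pwd)/wolfssl_crl_ready$$"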
#######################################
# Delete the server's ready file if one exists, so a leftover file from an
# earlier run cannot be taken for a fresh server start.
# Globals:   ready_file (read)
# Outputs:   a note to stdout when a file was removed
# Returns:   0 when there was nothing to remove, else rm's status
#######################################
remove_ready_file() {
  # Nothing to do when no ready file is present.
  [ -e "$ready_file" ] || return 0
  echo -e "removing existing ready file"
  rm "$ready_file"
}
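#######################################
# Handler for INT/TERM: if we started the example server, kill it, then exit
# with 2 so an interrupted run is distinguishable from a failed test. The
# EXIT trap still runs afterwards and removes the ready file.
# Globals:   server_pid, no_pid (read); exit_code (written)
# Outputs:   progress messages to stdout
# Exits:     2
#######################################
abort_trap() {
  echo "script aborted"
  # Quoted so an empty pid cannot turn the test into a syntax error (an
  # unquoted empty value would also make kill's target undefined).
  if [ "$server_pid" != "$no_pid" ]; then
    echo "killing server"
    kill -9 "$server_pid"
  fi
  exit_code=2 # different exit code in case of user interrupt
  echo "got abort signal, exiting with $exit_code"
  exit "$exit_code"
}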
  46. trap abort_trap INT TERM
#######################################
# EXIT-trap handler: put the file system back (currently just the ready file)
# so that a failing run does not break the other tests. Never call this
# directly; use "exit <some value>" and it runs automatically.
# Globals:   ready_file (read, via remove_ready_file)
#######################################
restore_file_system() { remove_ready_file; }
  53. trap restore_file_system EXIT
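#######################################
# Start the example server with the revoked certificate, connect with the
# example client and check that the client's output contains
# $revocation_code.
# Globals:   ready_file, CERT_DIR, crl_port, revocation_code,
#            exit_hash_dir_code (read); server_pid, crl_port, exit_code (written)
# Outputs:   progress, and the client's output when revocation was not seen
# Exits:     0 when revocation is detected and the hash-dir test (if it ran)
#            passed; 1 when the server never produced a ready file
# Returns:   otherwise returns with exit_code left at 1 for the caller
#######################################
run_test() {
  # Local poll counter: run_hashdir_test runs first and used to share the
  # global counter, which could leave this loop with no wait budget at all.
  local counter=0
  local capture_out

  echo -e "\nStarting example server for crl test...\n"
  remove_ready_file
  # starts the server on crl_port, -R generates ready file to be used as a
  # mutex lock, -c loads the revoked certificate. We capture the processid
  # into the variable server_pid
  ./examples/server/server -R "$ready_file" -p "$crl_port" \
    -c "${CERT_DIR}/server-revoked-cert.pem" \
    -k "${CERT_DIR}/server-revoked-key.pem" &
  server_pid=$!
  # Poll up to ~2s for a non-empty ready file.
  while [ ! -s "$ready_file" ] && [ "$counter" -lt 20 ]; do
    echo -e "waiting for ready file..."
    sleep 0.1
    counter=$((counter + 1))
  done
  # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
  sleep 0.1
  if [ -e "$ready_file" ]; then
    echo -e "found ready file, starting client..."
  else
    echo -e "NO ready file ending test..."
    # The EXIT trap only removes the ready file; stop the server ourselves so
    # it is not orphaned. It may already be gone (e.g. bind failed), so kill
    # errors are deliberately ignored.
    kill -9 "$server_pid" 2>/dev/null
    exit 1
  fi
  # get created port 0 ephemeral port
  crl_port="$(cat "$ready_file")"
  # starts client on crl_port and captures the output from client
  capture_out=$(./examples/client/client -p "$crl_port" 2>&1)
  wait "$server_pid"
  case "$capture_out" in
    *"$revocation_code"*)
      # only exit with zero on detection of the expected error code
      echo ""
      echo "Successful Revocation!!!!"
      echo ""
      if [ "$exit_hash_dir_code" -ne 0 ]; then
        # the hash-dir variant failed earlier, so the overall run fails
        exit_code=1
      else
        exit_code=0
        echo "exiting with $exit_code"
        exit "$exit_code"
      fi
      ;;
    *)
      echo ""
      echo "Certificate was not revoked saw this instead: $capture_out"
      echo ""
      echo "configure with --enable-crl and run this script again"
      echo ""
      ;;
  esac
}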
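#######################################
# Remove the hash-named symlinks that run_hashdir_test created in $CERT_DIR.
# Arguments: $1 - hash name of the CA cert, $2 - hash name of the CRL
# Globals:   CERT_DIR (read)
# Returns:   non-zero if the cert dir cannot be entered or left
#######################################
remove_hash_links() {
  pushd "${CERT_DIR}" || return 1
  rm -f -- "$1".0 "$2".r0
  popd || return 1
}

#######################################
# Same check as run_test, but with the CA cert and CRL reachable through
# hash-named symlinks ("<hash>.0" / "<hash>.r0", the layout OpenSSL hash
# directories expect) created in $CERT_DIR, and the client started with -9
# (presumably the hash-dir option; confirm against the client usage text).
# Globals:   ready_file, CERT_DIR, crl_port, revocation_code (read);
#            server_pid, crl_port, exit_hash_dir_code (written)
# Outputs:   progress, and the client's output when revocation was not seen
# Exits:     1 if the server never produced a ready file
# Returns:   0 after a complete run, with exit_hash_dir_code holding the
#            verdict (0 = revocation detected, 1 = not detected); 1 when the
#            hash names could not be computed (exit_hash_dir_code set to 1)
#######################################
run_hashdir_test() {
  local counter=0
  local ca_hash_name crl_hash_name capture_out

  echo -e "\n\nHash dir with CRL and Certificate loading"
  remove_ready_file
  # create hashed cert and crl; nothing in this script works without the
  # certs dir, so give up if we cannot enter it
  pushd "${CERT_DIR}" || exit 1
  ca_hash_name=$(openssl x509 -in ca-cert.pem -hash -noout)
  crl_hash_name=$(openssl crl -in ./crl/crl.pem -hash -noout)
  if [ -z "$ca_hash_name" ] || [ -z "$crl_hash_name" ]; then
    # Without the hash names we would otherwise create and later delete a
    # bare ".0"/".r0" link; fail the hash-dir variant instead.
    echo "could not compute hash names with openssl, hash dir test failed"
    popd
    exit_hash_dir_code=1
    return 1
  fi
  # ca file
  rm -f -- "$ca_hash_name".0
  ln -s ca-cert.pem "$ca_hash_name".0
  # crl file
  rm -f -- "$crl_hash_name".r0
  ln -s ./crl/crl.pem "$crl_hash_name".r0
  popd || exit 1
  # starts the server on crl_port, -R generates ready file to be used as a
  # mutex lock, -c loads the revoked certificate. We capture the processid
  # into the variable server_pid
  ./examples/server/server -R "$ready_file" -p "$crl_port" \
    -c "${CERT_DIR}/server-revoked-cert.pem" \
    -k "${CERT_DIR}/server-revoked-key.pem" &
  server_pid=$!
  # Poll up to ~2s for a non-empty ready file.
  while [ ! -s "$ready_file" ] && [ "$counter" -lt 20 ]; do
    echo -e "waiting for ready file..."
    sleep 0.1
    counter=$((counter + 1))
  done
  # sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
  sleep 0.1
  if [ ! -e "$ready_file" ]; then
    # Without the port the client cannot connect and "wait" on the server
    # would block forever; stop the server (it may already be gone, so kill
    # errors are ignored), clean up the links and bail out like run_test.
    echo -e "NO ready file ending test..."
    kill -9 "$server_pid" 2>/dev/null
    remove_hash_links "$ca_hash_name" "$crl_hash_name"
    exit 1
  fi
  # get created port 0 ephemeral port
  crl_port="$(cat "$ready_file")"
  # starts client on crl_port and captures the output from client
  capture_out=$(./examples/client/client -p "$crl_port" -9 2>&1)
  wait "$server_pid"
  case "$capture_out" in
    *"$revocation_code"*)
      # only report success on detection of the expected error code
      echo ""
      echo "Successful Revocation!!!! with hash dir"
      echo ""
      exit_hash_dir_code=0
      ;;
    *)
      echo ""
      echo "Certificate was not revoked saw this instead: $capture_out"
      echo ""
      echo "configure with --enable-crl and run this script again"
      echo ""
      exit_hash_dir_code=1
      ;;
  esac
  # clean up hashed cert and crl
  remove_hash_links "$ca_hash_name" "$crl_hash_name"
}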
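######### begin program #########
# Check for the hash dir feature: the client's usage text is expected to
# mention 'hash dir' only when the feature is compiled in. Match quietly so
# the usage line does not end up in the test log; hash_dir gets an explicit
# default instead of relying on an unset variable.
hash_dir=no
if ./examples/client/client -? 2>&1 | grep -q -- 'hash dir'; then
  hash_dir=yes
fi
if [ "$hash_dir" = "yes" ]; then
  # run_hashdir_test overwrites this with its verdict (0 = revoked, 1 = not)
  exit_hash_dir_code=1
  run_hashdir_test
else
  exit_hash_dir_code=0
fi
# run the test
run_test
# If we get to this exit, exit_code will be a 1 signaling failure
echo "exiting with $exit_code certificate was not revoked"
exit "$exit_code"
########## end program ##########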