
crl-revoked.test 6.1 KB

  1. #!/bin/bash
  2. #crl.test
  CERT_DIR=certs

  # Re-execute the script inside a private network namespace when we can, so
  # the listening port cannot collide with other tests. This separates
  # networking only: the bwrap call binds the host / unchanged, so it is not a
  # filesystem sandbox. Whatever program NETWORK_UNSHARE_HELPER names is
  # executed as-is, so the variable must come from a trusted build environment.
  if [ -n "${NETWORK_UNSHARE_HELPER-}" ]; then
    # The marker variable stops the re-executed copy from re-executing again.
    if [ "${NETWORK_UNSHARE_HELPER_CALLED-}" = "" ]; then
      export NETWORK_UNSHARE_HELPER_CALLED=yes
      exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
    fi
  elif [[ "${AM_BWRAPPED-}" != "yes" ]]; then
    bwrap_path=$(command -v bwrap)
    if [[ -n "$bwrap_path" ]]; then
      export AM_BWRAPPED=yes
      exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
    fi
    # bwrap is not available: run unisolated and drop the marker.
    unset AM_BWRAPPED
  fi

  # Error code the client output must contain for the test to pass.
  # NOTE(review): -361 looks like wolfSSL's CRL_CERT_REVOKED; confirm against
  # the library's error header.
  revocation_code="-361"

  # Failure is the default; only a detected revocation sets this to 0.
  exit_code=1

  # Number of polls spent waiting for the ready file.
  counter=0

  # Ask the server for port 0 so the kernel assigns a free ephemeral port;
  # the test may run at the same time as the rest of the testsuite.
  crl_port=0

  # Sentinel meaning "the server process was never started".
  no_pid=-1

  # Process id of the server, recorded when it is launched.
  server_pid=$no_pid

  # Absolute path in the current directory (make distcheck may run from a
  # sub directory); the script's pid keeps parallel 'make check' runs in the
  # same source tree apart.
  ready_file="$(pwd)/wolfssl_crl_ready$$"
  # Delete the ready file left behind by a server run, if one exists.
  # Globals: ready_file (read)
  # Outputs: a notice on stdout when a file is removed
  # Returns: 0 when there is nothing to remove, otherwise the status of rm
  remove_ready_file() {
    [ -e "$ready_file" ] || return 0
    echo -e "removing existing ready file"
    rm "$ready_file"
  }
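  # Handler for INT and TERM: if the user aborts with ^C or another kill
  # signal, stop the server and leave through "exit" so that the EXIT trap
  # still cleans up the file system.
  # Globals: server_pid, no_pid (read); exit_code (written)
  # Outputs: progress messages on stdout
  # Returns: never returns; exits with status 2
  abort_trap() {
    echo "script aborted"
    # Quoted comparison with an explicit empty check: an empty pid is treated
    # like "never started" instead of producing a test syntax error.
    if [ -n "${server_pid:-}" ] && [ "$server_pid" != "$no_pid" ]; then
      echo "killing server"
      kill -9 "$server_pid"
    fi
    exit_code=2 # different exit code in case of user interrupt
    echo "got abort signal, exiting with $exit_code"
    exit "$exit_code"
  }
  trap abort_trap INT TERM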
  # EXIT handler. It runs on every exit path, including exits on error, and
  # removes the ready file so the file system is restored and other tests may
  # still pass. Never call it directly: use "exit <some value>" and the trap
  # runs it automatically.
  restore_file_system() { remove_ready_file; }
  trap restore_file_system EXIT
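  #######################################
  # Negative test: start the example server with the revoked certificate,
  # connect the example client, and pass only when the client output contains
  # the expected revocation error code.
  # Globals:   ready_file, crl_port, CERT_DIR, revocation_code,
  #            exit_hash_dir_code (read); counter, server_pid, capture_out,
  #            client_result, server_result, exit_code (written)
  # Outputs:   progress messages and the verdict on stdout
  # Returns:   exits 0 when the revocation code is seen and the hash dir
  #            result is 0; exits 1 when the server never publishes its port;
  #            otherwise returns so the caller reports the failure
  #######################################
  run_test() {
    local port

    echo -e "\nStarting example server for crl test...\n"
    remove_ready_file

    # -R names the ready file used as a mutex lock, -c/-k load the revoked
    # certificate and its key. The server's process id goes into server_pid.
    ./examples/server/server -R "$ready_file" -p "$crl_port" \
      -c "${CERT_DIR}/server-revoked-cert.pem" \
      -k "${CERT_DIR}/server-revoked-key.pem" &
    server_pid=$!

    # Restart the poll budget here: counter is a global, and polls used up by
    # an earlier server start would otherwise shorten or skip this wait.
    counter=0
    while [ ! -s "$ready_file" ] && [ "$counter" -lt 20 ]; do
      echo -e "waiting for ready file..."
      sleep 0.1
      counter=$((counter + 1))
    done

    # sleep for an additional 0.1 to mitigate race on write/read of $ready_file
    sleep 0.1

    # Require a non-empty file: an empty one would give the client no port.
    if [ -s "$ready_file" ]; then
      echo -e "found ready file, starting client..."
    else
      echo -e "NO ready file ending test..."
      # Do not leave the background server running after the test gives up.
      kill "$server_pid" 2>/dev/null
      exit 1
    fi

    # The ready file holds the ephemeral port chosen for the port-0 request.
    # It is kept local so crl_port is not overwritten with a used port.
    port="$(cat "$ready_file")"

    # Run the client against that port and capture stdout and stderr.
    capture_out=$(./examples/client/client -p "$port" 2>&1)
    client_result=$?
    wait "$server_pid"
    server_result=$?

    # NOTE(review): the verdict is a substring match on the client output;
    # client_result and server_result are recorded but not checked. Consider
    # also requiring a failing client status so a client that prints the code
    # yet completes the handshake cannot pass.
    case "$capture_out" in
      *"$revocation_code"*)
        # only exit with zero on detection of the expected error code
        echo ""
        echo "Successful Revocation!!!!"
        echo ""
        # An unset hash dir result counts as 0 (variant not run).
        if [ "${exit_hash_dir_code:-0}" -ne 0 ]; then
          exit_code=1
        else
          exit_code=0
          echo "exiting with $exit_code"
          exit "$exit_code"
        fi
        ;;
      *)
        echo ""
        echo "Certificate was not revoked saw this instead: $capture_out"
        echo ""
        echo "configure with --enable-crl and run this script again"
        echo ""
        ;;
    esac
  }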
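  # Remove the hash-named links the hash dir test creates in CERT_DIR.
  # Globals: CERT_DIR, ca_hash_name, crl_hash_name (read)
  _remove_hash_links() {
    rm -f -- "${CERT_DIR}/${ca_hash_name}.0" "${CERT_DIR}/${crl_hash_name}.r0"
  }

  #######################################
  # Hash dir variant of the revocation test: publish the CA certificate and
  # the CRL in CERT_DIR under their OpenSSL subject/issuer hash names
  # (<hash>.0 and <hash>.r0), then check that the client still reports the
  # revocation error code for the revoked server certificate.
  # Globals:   ready_file, crl_port, CERT_DIR, revocation_code (read);
  #            ca_hash_name, crl_hash_name, counter, server_pid, capture_out,
  #            client_result, server_result, exit_hash_dir_code (written)
  # Outputs:   progress messages and the verdict on stdout
  # Returns:   non-zero with exit_hash_dir_code=1 when setup fails; otherwise
  #            the status of the link cleanup
  #######################################
  run_hashdir_test() {
    local port

    echo -e "\n\nHash dir with CRL and Certificate loading"
    remove_ready_file

    # create hashed cert and crl
    ca_hash_name=$(openssl x509 -in "${CERT_DIR}/ca-cert.pem" -hash -noout)
    crl_hash_name=$(openssl crl -in "${CERT_DIR}/crl/crl.pem" -hash -noout)
    # An empty hash would create links named ".0" / ".r0" and the client
    # would then be tested against a directory it cannot look anything up in.
    if [ -z "$ca_hash_name" ] || [ -z "$crl_hash_name" ]; then
      echo "openssl did not produce a hash name, skipping hash dir test"
      exit_hash_dir_code=1
      return 1
    fi
    # Clear stale links first; rm -f also removes dangling symlinks, which a
    # "-f" file test does not see. Link targets are relative to CERT_DIR.
    _remove_hash_links
    ln -s ca-cert.pem "${CERT_DIR}/${ca_hash_name}.0"
    ln -s ./crl/crl.pem "${CERT_DIR}/${crl_hash_name}.r0"

    # -R names the ready file used as a mutex lock, -c/-k load the revoked
    # certificate and its key. The server's process id goes into server_pid.
    ./examples/server/server -R "$ready_file" -p "$crl_port" \
      -c "${CERT_DIR}/server-revoked-cert.pem" \
      -k "${CERT_DIR}/server-revoked-key.pem" &
    server_pid=$!

    # Restart the poll budget for this server start.
    counter=0
    while [ ! -s "$ready_file" ] && [ "$counter" -lt 20 ]; do
      echo -e "waiting for ready file..."
      sleep 0.1
      counter=$((counter + 1))
    done

    # Without a published port the client has nothing to connect to and
    # waiting on the server would block, so stop here and record a failure.
    if [ ! -s "$ready_file" ]; then
      echo -e "NO ready file, skipping hash dir client run..."
      kill "$server_pid" 2>/dev/null
      _remove_hash_links
      exit_hash_dir_code=1
      return 1
    fi

    # The ready file holds the ephemeral port chosen for the port-0 request.
    # It is kept local so crl_port stays 0 for any later server start.
    port="$(cat "$ready_file")"

    # Run the client against that port and capture stdout and stderr.
    # NOTE(review): -9 is presumably the hash dir option advertised in the
    # client's help text; confirm against the client usage.
    capture_out=$(./examples/client/client -p "$port" -9 2>&1)
    client_result=$?
    wait "$server_pid"
    server_result=$?

    # NOTE(review): the verdict is a substring match on the client output;
    # client_result and server_result are recorded but not checked.
    case "$capture_out" in
      *"$revocation_code"*)
        # only report success on detection of the expected error code
        echo ""
        echo "Successful Revocation!!!! with hash dir"
        echo ""
        exit_hash_dir_code=0
        ;;
      *)
        echo ""
        echo "Certificate was not revoked saw this instead: $capture_out"
        echo ""
        echo "configure with --enable-crl and run this script again"
        echo ""
        exit_hash_dir_code=1
        ;;
    esac

    # clean up hashed cert and crl
    _remove_hash_links
  }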
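  ######### begin program #########

  # Run the hash dir variant only when the client's help text advertises it.
  # '-?' is quoted so the shell cannot expand it against a two-character file
  # name in the working directory. hash_dir is initialised here so a value
  # inherited from the environment cannot switch the variant on by itself.
  hash_dir=no
  if ./examples/client/client '-?' 2>&1 | grep -- 'hash dir'; then
    hash_dir=yes
    # Assume failure until the variant reports a detected revocation.
    exit_hash_dir_code=1
    run_hashdir_test
  else
    exit_hash_dir_code=0
  fi

  # run the test
  run_test

  # run_test exits 0 itself on full success, so reaching this point means
  # failure: either the revocation code was missing from the client output
  # or the hash dir variant did not pass. exit_code is still 1 here.
  echo "exiting with $exit_code certificate was not revoked"
  exit "$exit_code"
  ########## end program ##########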