
  1. #!/bin/sh
  2. # trusted_peer.test
  3. # copyright wolfSSL 2016
  4. # getting unique port is modeled after resume.test script
  5. # need a unique port since may run the same time as testsuite
  6. # use server port zero hack to get one
  7. port=0
  8. no_pid=-1
  9. server_pid=$no_pid
  10. counter=0
  11. # let's use absolute path to a local dir (make distcheck may be in sub dir)
  12. # also let's add some randomness by adding pid in case multiple 'make check's
  13. # per source tree
  14. ready_file=`pwd`/wolfssl_tp_ready$$
  15. # variables for certs so can use RSA or ECC
  16. client_cert=`pwd`/certs/client-cert.pem
  17. client_ca=`pwd`/certs/ca-cert.pem
  18. client_key=`pwd`/certs/client-key.pem
  19. ca_key=`pwd`/certs/ca-key.pem
  20. server_cert=`pwd`/certs/server-cert.pem
  21. server_key=`pwd`/certs/server-key.pem
  22. combined_cert=`pwd`/certs/client_combined.pem
  23. wrong_ca=`pwd`/certs/wolfssl-website-ca.pem
  24. wrong_cert=`pwd`/certs/server-revoked-cert.pem
  25. echo "ready file $ready_file"
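#######################################
# Wait for the background server to publish its port-0 ephemeral port in the
# ready file, then read it into $port.
# Globals:   ready_file (read), counter (written), port (written)
# Polls up to 20 times, 0.1s apart. On timeout the server is cleaned up but
# the script is deliberately NOT exited: the caller's client run then fails
# and the caller decides how to report it (the first test appears to rely on
# this to report "not enabled" with status 0 — keep that behaviour).
#######################################
create_port() {
  # Reset per call: the 20-poll budget is per server start, not cumulative
  # over the whole script, otherwise late tests would stop waiting at all.
  counter=0
  while [ ! -s "$ready_file" ] && [ "$counter" -lt 20 ]; do
    echo "waiting for ready file..."
    sleep 0.1
    counter=$((counter + 1))
  done
  if test -e "$ready_file"; then
    echo "found ready file, starting client..."
    # get created port 0 ephemeral port
    port=$(cat "$ready_file")
  else
    echo "NO ready file ending test..."
    do_cleanup
  fi
}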
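#######################################
# Delete the ready file if it exists, so a stale port is never read by the
# next test.
# Globals:   ready_file (read)
#######################################
remove_ready_file() {
  if test -e "$ready_file"; then
    echo "removing existing ready file"
    rm -f -- "$ready_file"
  fi
}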
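#######################################
# Stop the background server (if one was started) and remove the ready file.
# Globals:   server_pid (read, reset to $no_pid), no_pid (read)
# server_pid is reset after the kill so that a second call (explicit call
# followed by the INT/TERM trap, or a failed test after create_port already
# cleaned up) never signals a PID that may since have been reused.
#######################################
do_cleanup() {
  echo "in cleanup"
  if [ "$server_pid" != "$no_pid" ]; then
    echo "killing server"
    kill -9 "$server_pid"
    server_pid=$no_pid
  fi
  remove_ready_file
}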
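#######################################
# INT/TERM handler: clean up the server and ready file, then exit non-zero.
# `exit -1` is not a valid exit status under POSIX sh (dash rejects it, bash
# maps it to 255); exit 1 is the portable "failed" status.
#######################################
do_trap() {
  echo "got trap"
  do_cleanup
  exit 1
}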
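trap do_trap INT TERM
if [ ! -x ./examples/client/client ]; then
  printf '\n\n%s\n' "Client doesn't exist"
  exit 1
fi
# Look for if RSA and/or ECC is enabled and adjust certs/keys
# (case instead of [[ ]]: the script runs under #!/bin/sh)
ciphers=$(./examples/client/client -e)
case "$ciphers" in
  *RSA*)
    # keep the RSA certs/keys already configured
    ;;
  *ECDSA*)
    base_dir=$(pwd)
    client_cert="$base_dir/certs/client-ecc-cert.pem"
    client_ca="$base_dir/certs/server-ecc.pem"
    client_key="$base_dir/certs/ecc-client-key.pem"
    ca_key="$base_dir/certs/ecc-key.pem"
    server_cert="$base_dir/certs/server-ecc.pem"
    server_key="$base_dir/certs/ecc-key.pem"
    wrong_ca="$base_dir/certs/server-ecc-comp.pem"
    wrong_cert="$base_dir/certs/server-ecc-comp.pem"
    ;;
  *)
    echo "configure options not set up for test. No RSA or ECC"
    exit 0
    ;;
esac
# CRL list not set up for tests
crl_test=$(./examples/client/client -h)
case "$crl_test" in
  *"-C "*)
    echo "test not set up to run with CRL"
    exit 0
    ;;
esac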
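# Test for trusted peer certs build
echo ""
echo "Checking built with trusted peer certs "
echo "-----------------------------------------------------"
port=0
remove_ready_file
# Server loads the trusted peer cert with -E; with -p 0 it writes the
# ephemeral port it got into $ready_file (-R) for create_port to read.
./examples/server/server -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p "$port" &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -p "$port"
RESULT=$?
remove_ready_file
# if fail here then is a settings issue so return 0
if [ "$RESULT" -ne 0 ]; then
  printf '\n\n%s\n' "Trusted peer certs not enabled \"WOLFSSL_TRUST_PEER_CERT\""
  do_cleanup
  exit 0
fi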
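echo ""
# Test that using no CA's and only trusted peer certs works
# Both sides get a CA that did not issue the peer's cert (-A $wrong_ca) and
# the peer's own cert as trusted peer (-E), so only the trusted peer path can
# make the handshake succeed.
echo "Server and Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A "$wrong_ca" -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p "$port" &
server_pid=$!
create_port
./examples/client/client -A "$wrong_ca" -E "$server_cert" -c "$client_cert" -p "$port"
RESULT=$?
remove_ready_file
if [ "$RESULT" -ne 0 ]; then
  printf '\n%s\n' "Server and Client trusted peer cert failed!"
  do_cleanup
  exit 1
fi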
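echo ""
# Test that using server trusted peer certs works
# Server trusts the client only via -E (its -A CA is the wrong one); the
# client verifies the server through its real CA.
echo "Server relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A "$wrong_ca" -E "$client_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p "$port" &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -c "$client_cert" -p "$port"
RESULT=$?
remove_ready_file
if [ "$RESULT" -ne 0 ]; then
  printf '\n%s\n' "Server trusted peer cert test failed!"
  do_cleanup
  exit 1
fi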
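echo ""
# Test that using client trusted peer certs works
# Client gets the wrong CA (-A) and the server's cert as trusted peer (-E);
# the handshake may only succeed through the trusted peer match.
echo "Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p "$port" &
server_pid=$!
create_port
./examples/client/client -A "$wrong_ca" -E "$server_cert" -p "$port"
RESULT=$?
remove_ready_file
if [ "$RESULT" -ne 0 ]; then
  printf '\n%s\n' "Client trusted peer cert test failed!"
  do_cleanup
  exit 1
fi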
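echo ""
# Test that client fall through to CA works
# Trusted peer cert does not match the server (-E $wrong_cert), so the
# client must fall back to the real CA (-A $client_ca) and still succeed.
echo "Client fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p "$port" &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -E "$wrong_cert" -p "$port"
RESULT=$?
remove_ready_file
if [ "$RESULT" -ne 0 ]; then
  printf '\n%s\n' "Client trusted peer cert fall through to CA test failed!"
  do_cleanup
  exit 1
fi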
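echo ""
# Test that client can fail
# check if using ECC client example is hard coded to load correct ECC ca so skip
# (case instead of [[ ]]: the script runs under #!/bin/sh)
case "$wrong_ca" in
  *ecc*)
    # ECC build: skipped, see comment above
    ;;
  *)
    echo "Client wrong CA and wrong trusted peer cert loaded"
    echo "-----------------------------------------------------"
    port=0
    ./examples/server/server -c "$server_cert" -k "$server_key" -R "$ready_file" -p "$port" &
    server_pid=$!
    create_port
    ./examples/client/client -A "$wrong_ca" -E "$wrong_cert" -p "$port"
    RESULT=$?
    remove_ready_file
    # Negative test: the handshake MUST fail. A zero status means the server
    # was accepted with neither a matching CA nor a matching trusted peer.
    if [ "$RESULT" -eq 0 ]; then
      printf '\n%s\n' "Client trusted peer cert test failed!"
      do_cleanup
      exit 1
    fi
    echo ""
    ;;
esac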
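# Test that server can fail
echo "Server wrong CA and wrong trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A "$wrong_ca" -E "$wrong_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p "$port" &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -p "$port"
RESULT=$?
remove_ready_file
# Negative test: the handshake MUST fail. A zero status means the server
# accepted a client it had neither a matching CA nor a trusted peer for.
if [ "$RESULT" -eq 0 ]; then
  printf '\n%s\n' "Server trusted peer cert test failed!"
  do_cleanup
  exit 1
fi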
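echo ""
# Test that server fall through to CA works
# Server's trusted peer cert does not match (-E $wrong_cert); with no -A the
# server must fall back to its default CA path and still succeed.
echo "Server fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -E "$wrong_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p "$port" &
server_pid=$!
create_port
./examples/client/client -A "$client_ca" -p "$port"
RESULT=$?
remove_ready_file
if [ "$RESULT" -ne 0 ]; then
  printf '\n%s\n' "Server trusted peer cert fall through to CA test failed!"
  do_cleanup
  exit 1
fi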
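echo ""
# test loading multiple certs
echo "Server loading multiple trusted peer certs"
echo "Test two success cases and one fail case"
echo "-----------------------------------------------------"
port=0
# The combined file is written into certs/ and is a leftover if the script is
# interrupted here (the INT/TERM trap does not know about it); every exit
# path below removes it explicitly.
cat "$client_cert" "$client_ca" > "$combined_cert"
# -i keeps the server accepting connections so three clients can hit it.
./examples/server/server -i -A "$wrong_ca" -E "$combined_cert" -c "$server_cert" -k "$server_key" -R "$ready_file" -p "$port" &
server_pid=$!
create_port
# success: client cert is the first trusted peer in the combined file
./examples/client/client -A "$client_ca" -c "$client_cert" -k "$client_key" -p "$port"
RESULT=$?
if [ "$RESULT" -ne 0 ]; then
  printf '\n%s\n' "Server load multiple trusted peer certs failed!"
  do_cleanup
  rm -f -- "$combined_cert"
  exit 1
fi
# success: CA cert/key is the second trusted peer in the combined file
./examples/client/client -A "$client_ca" -c "$client_ca" -k "$ca_key" -p "$port"
RESULT=$?
if [ "$RESULT" -ne 0 ]; then
  printf '\n%s\n' "Server load multiple trusted peer certs failed!"
  do_cleanup
  rm -f -- "$combined_cert"
  exit 1
fi
# failure expected: this cert is in neither the combined file nor the CA
./examples/client/client -A "$client_ca" -c "$wrong_cert" -k "$client_key" -p "$port"
RESULT=$?
if [ "$RESULT" -eq 0 ]; then
  printf '\n%s\n' "Server load multiple trusted peer certs failed!"
  do_cleanup
  rm -f -- "$combined_cert"
  exit 1
fi
do_cleanup # kill PID of server running in infinite loop
rm -f -- "$combined_cert"
remove_ready_file
echo ""
echo "-----------------------------------------------------"
echo "ALL TESTS PASSED"
echo "-----------------------------------------------------"
exit 0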