feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

automated test for trusted peer certs

Browse Source
This commit is contained in:
Jacob Barthelmeh
2016-03-01 16:35:32 -07:00
parent 05d2cec7c1
commit d969e2ba11
5 changed files with 264 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
configure.ac
View File

@ -2501,6 +2501,18 @@ AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"])
# check if PSK was enabled for conditionally running psk.test script
AM_CONDITIONAL([BUILD_PSK], [test "x$ENABLED_PSK" = "xyes"])
# check if should run the trusted peer certs test
case $C_EXTRA_FLAGS in
*WOLFSSL_TRUST_PEER_CERT*)
have_tp=yes
break;;
*)
have_tp=no ;;
esac
AM_CONDITIONAL([BUILD_TRUST_PEER_CERT], [test "x$have_tp" = "xyes"])
################################################################################
# Check for build-type conflicts #
################################################################################

23
examples/client/client.c
View File

@ -380,6 +380,9 @@ static void Usage(void)
#ifdef HAVE_CRL
printf("-C Disable CRL\n");
#endif
#ifdef WOLFSSL_TRUST_PEER_CERT
printf("-T <file> Path to load trusted peer cert\n");
#endif
}
THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
@ -438,6 +441,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
const char* ourCert = cliCert;
const char* ourKey = cliKey;
#ifdef WOLFSSL_TRUST_PEER_CERT
const char* trustCert = NULL;
#endif
#ifdef HAVE_SNI
char* sniHostName = NULL;
#endif
@ -490,7 +497,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifndef WOLFSSL_VXWORKS
while ((ch = mygetopt(argc, argv,
"?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W:")) != -1) {
"?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W:E:")) != -1) {
switch (ch) {
case '?' :
Usage();
@ -532,6 +539,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
break;
#ifdef WOLFSSL_TRUST_PEER_CERT
case 'E' :
trustCert = myoptarg;
break;
#endif
case 'm' :
matchName = 1;
break;
@ -978,9 +991,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("can't load ecc ca file, Please run from wolfSSL home dir");
#endif /* HAVE_ECC */
#ifdef WOLFSSL_TRUST_PEER_CERT
if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, svrCert, SSL_FILETYPE_PEM))
!= SSL_SUCCESS) {
err_sys("can't load trusted peer cert file");
if (trustCert) {
if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert,
SSL_FILETYPE_PEM)) != SSL_SUCCESS) {
err_sys("can't load trusted peer cert file");
}
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
}

23
examples/server/server.c
View File

@ -238,6 +238,9 @@ static void Usage(void)
printf("-n Use NTRU key (needed for NTRU suites)\n");
#endif
printf("-B <num> Benchmark throughput using <num> bytes and print stats\n");
#ifdef WOLFSSL_TRUST_PEER_CERT
printf("-E <file> Path to load trusted peer cert\n");
#endif
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
@ -288,6 +291,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int argc = ((func_args*)args)->argc;
char** argv = ((func_args*)args)->argv;
#ifdef WOLFSSL_TRUST_PEER_CERT
const char* trustCert = NULL;
#endif
#ifndef NO_PSK
int sendPskIdentityHint = 1;
#endif
@ -330,7 +337,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef WOLFSSL_VXWORKS
useAnyAddr = 1;
#else
while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:j"))
while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:j:E:"))
!= -1) {
switch (ch) {
case '?' :
@ -507,6 +514,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
}
break;
#ifdef WOLFSSL_TRUST_PEER_CERT
case 'E' :
trustCert = myoptarg;
break;
#endif
default:
Usage();
exit(MY_EX_USAGE);
@ -686,9 +699,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
#ifdef WOLFSSL_TRUST_PEER_CERT
if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, cliCert, SSL_FILETYPE_PEM))
!= SSL_SUCCESS) {
err_sys("can't load trusted peer cert file");
if (trustCert) {
if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert,
SSL_FILETYPE_PEM)) != SSL_SUCCESS) {
err_sys("can't load trusted peer cert file");
}
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
}

4
scripts/include.am
View File

@ -51,6 +51,10 @@ if BUILD_PSK
dist_noinst_SCRIPTS+= scripts/psk.test
endif
if BUILD_TRUST_PEER_CERT
dist_noinst_SCRIPTS+= scripts/trusted_peer.test
endif
EXTRA_DIST += scripts/testsuite.pcap
# leave openssl.test as extra until non bash works
EXTRA_DIST += scripts/openssl.test

210
scripts/trusted_peer.test Executable file
View File

@ -0,0 +1,210 @@
#!/bin/sh
# trusted_peer.test
# copyright wolfSSL 2016
# getting unique port is modeled after resume.test script
# need a unique port since may run the same time as testsuite
# use server port zero hack to get one
port=0
no_pid=-1
server_pid=$no_pid
counter=0
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_tp_ready$$
echo "ready file $ready_file"
create_port() {
while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
if test -e $ready_file; then
echo -e "found ready file, starting client..."
# get created port 0 ephemeral port
port=`cat $ready_file`
else
echo -e "NO ready file ending test..."
do_cleanup
fi
}
remove_ready_file() {
if test -e $ready_file; then
echo -e "removing existing ready file"
rm $ready_file
fi
}
do_cleanup() {
echo "in cleanup"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
remove_ready_file
}
do_trap() {
echo "got trap"
do_cleanup
exit -1
}
trap do_trap INT TERM
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# Test for trusted peer certs build
echo ""
echo "Checking built with trusted peer certs "
echo "-----------------------------------------------------"
port=0
./examples/server/server -E certs/client-cert.pem -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -p $port
RESULT=$?
remove_ready_file
# if fail here then is a settings issue so return 0
if [ $RESULT -ne 0 ]; then
echo -e "\n\nTrusted peer certs not enabled \"WOLFSSL_TRUST_PEER_CERT\""
do_cleanup
exit 0
fi
echo ""
# Test that using no CA's and only trusted peer certs works
echo "Server and Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A certs/wolfssl-website-ca.pem -E certs/client-cert.pem -c certs/server-cert.pem -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A certs/wolfssl-website-ca.pem -E certs/server-cert.pem -c certs/client-cert.pem -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nServer and Client trusted peer cert failed!"
do_cleanup
exit 1
fi
echo ""
# Test that using server trusted peer certs works
echo "Server relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A certs/wolfssl-website-ca.pem -E certs/client-cert.pem -c certs/server-cert.pem -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -c certs/client-cert.pem -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nServer trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that using client trusted peer certs works
echo "Client relying on trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -c certs/server-cert.pem -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -E certs/server-cert.pem -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nClient trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that client fall through to CA works
echo "Client fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -E certs/server-revoked-cert.pem -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nClient trusted peer cert fall through to CA test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that client can fail
echo "Client wrong CA and wrong trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -A certs/wolfssl-website-ca.pem -E certs/server-revoked-cert.pem -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\nClient trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that server can fail
echo "Server wrong CA and wrong trusted peer cert loaded"
echo "-----------------------------------------------------"
port=0
./examples/server/server -A certs/wolfssl-website-ca.pem -E certs/server-revoked-cert.pem -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\nServer trusted peer cert test failed!"
do_cleanup
exit 1
fi
echo ""
# Test that server fall through to CA works
echo "Server fall through to loaded CAs"
echo "-----------------------------------------------------"
port=0
./examples/server/server -E certs/server-revoked-cert.pem -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\nServer trusted peer cert fall through to CA test failed!"
do_cleanup
exit 1
fi
echo ""
echo "-----------------------------------------------------"
echo "ALL TESTS PASSED"
echo "-----------------------------------------------------"
exit 0