automated test for trusted peer certs

configure.ac

@@ -2501,6 +2501,18 @@ AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"])
 # check if PSK was enabled for conditionally running psk.test script
 AM_CONDITIONAL([BUILD_PSK], [test "x$ENABLED_PSK" = "xyes"])
 
+
+# check if should run the trusted peer certs test
+case $C_EXTRA_FLAGS in
+    *WOLFSSL_TRUST_PEER_CERT*)
+        have_tp=yes
+        break;;
+    *)
+        have_tp=no ;;
+esac
+AM_CONDITIONAL([BUILD_TRUST_PEER_CERT], [test "x$have_tp" = "xyes"])
+
+
 ################################################################################
 # Check for build-type conflicts                                               #
 ################################################################################

examples/client/client.c

@@ -380,6 +380,9 @@ static void Usage(void)
 #ifdef HAVE_CRL
     printf("-C          Disable CRL\n");
 #endif
+#ifdef WOLFSSL_TRUST_PEER_CERT
+    printf("-T <file>   Path to load trusted peer cert\n");
+#endif
 }
 
 THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
@@ -438,6 +441,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     const char* ourCert    = cliCert;
     const char* ourKey     = cliKey;
 
+#ifdef WOLFSSL_TRUST_PEER_CERT
+    const char* trustCert  = NULL;
+#endif
+
 #ifdef HAVE_SNI
     char*  sniHostName = NULL;
 #endif
@@ -490,7 +497,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
 #ifndef WOLFSSL_VXWORKS
     while ((ch = mygetopt(argc, argv,
-            "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W:")) != -1) {
+          "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W:E:")) != -1) {
         switch (ch) {
             case '?' :
                 Usage();
@@ -532,6 +539,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             #endif
                 break;
 
+            #ifdef WOLFSSL_TRUST_PEER_CERT
+            case 'E' :
+                trustCert = myoptarg;
+                break;
+            #endif
+
             case 'm' :
                 matchName = 1;
                 break;
@@ -978,9 +991,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             err_sys("can't load ecc ca file, Please run from wolfSSL home dir");
 #endif /* HAVE_ECC */
 #ifdef WOLFSSL_TRUST_PEER_CERT
-        if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, svrCert, SSL_FILETYPE_PEM))
+        if (trustCert) {
-                                                               != SSL_SUCCESS) {
+            if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert,
-            err_sys("can't load trusted peer cert file");
+                                            SSL_FILETYPE_PEM)) != SSL_SUCCESS) {
+                err_sys("can't load trusted peer cert file");
+            }
         }
 #endif /* WOLFSSL_TRUST_PEER_CERT */
     }

examples/server/server.c

@@ -238,6 +238,9 @@ static void Usage(void)
     printf("-n          Use NTRU key (needed for NTRU suites)\n");
 #endif
     printf("-B <num>    Benchmark throughput using <num> bytes and print stats\n");
+#ifdef WOLFSSL_TRUST_PEER_CERT
+    printf("-E <file>   Path to load trusted peer cert\n");
+#endif
 }
 
 THREAD_RETURN CYASSL_THREAD server_test(void* args)
@@ -288,6 +291,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     int    argc = ((func_args*)args)->argc;
     char** argv = ((func_args*)args)->argv;
 
+#ifdef WOLFSSL_TRUST_PEER_CERT
+    const char* trustCert  = NULL;
+#endif
+
 #ifndef NO_PSK
     int sendPskIdentityHint = 1;
 #endif
@@ -330,7 +337,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #ifdef WOLFSSL_VXWORKS
     useAnyAddr = 1;
 #else
-    while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:j"))
+    while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:j:E:"))
                          != -1) {
         switch (ch) {
             case '?' :
@@ -507,6 +514,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
                 }
                 break;
 
+            #ifdef WOLFSSL_TRUST_PEER_CERT
+            case 'E' :
+                 trustCert = myoptarg;
+                break;
+            #endif
+
             default:
                 Usage();
                 exit(MY_EX_USAGE);
@@ -686,9 +699,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
         if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
             err_sys("can't load ca file, Please run from wolfSSL home dir");
         #ifdef WOLFSSL_TRUST_PEER_CERT
-        if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, cliCert, SSL_FILETYPE_PEM))
+        if (trustCert) {
-                                                               != SSL_SUCCESS) {
+            if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert,
-            err_sys("can't load trusted peer cert file");
+                                            SSL_FILETYPE_PEM)) != SSL_SUCCESS) {
+                err_sys("can't load trusted peer cert file");
+            }
         }
         #endif /* WOLFSSL_TRUST_PEER_CERT */
    }

scripts/include.am

@@ -51,6 +51,10 @@ if BUILD_PSK
 dist_noinst_SCRIPTS+= scripts/psk.test
 endif
 
+if BUILD_TRUST_PEER_CERT
+dist_noinst_SCRIPTS+= scripts/trusted_peer.test
+endif
+
 EXTRA_DIST +=  scripts/testsuite.pcap
 # leave openssl.test as extra until non bash works
 EXTRA_DIST +=  scripts/openssl.test

scripts/trusted_peer.test

@@ -0,0 +1,210 @@
+#!/bin/sh
+
+# trusted_peer.test
+# copyright wolfSSL 2016
+
+# getting unique port is modeled after resume.test script
+# need a unique port since may run the same time as testsuite
+# use server port zero hack to get one
+port=0
+no_pid=-1
+server_pid=$no_pid
+counter=0
+# let's use absolute path to a local dir (make distcheck may be in sub dir)
+# also let's add some randomness by adding pid in case multiple 'make check's
+# per source tree
+ready_file=`pwd`/wolfssl_tp_ready$$
+
+echo "ready file $ready_file"
+
+create_port() {
+    while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+        echo -e "waiting for ready file..."
+        sleep 0.1
+        counter=$((counter+ 1))
+    done
+
+    if test -e $ready_file; then
+        echo -e "found ready file, starting client..."
+
+        # get created port 0 ephemeral port
+        port=`cat $ready_file`
+    else
+        echo -e "NO ready file ending test..."
+        do_cleanup
+    fi
+}
+
+remove_ready_file() {
+    if test -e $ready_file; then
+        echo -e "removing existing ready file"
+    rm $ready_file
+    fi
+}
+
+do_cleanup() {
+    echo "in cleanup"
+
+    if  [ $server_pid != $no_pid ]
+    then
+        echo "killing server"
+        kill -9 $server_pid
+    fi
+    remove_ready_file
+}
+
+do_trap() {
+    echo "got trap"
+    do_cleanup
+    exit -1
+}
+
+trap do_trap INT TERM
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# Test for trusted peer certs build
+echo ""
+echo "Checking built with trusted peer certs "
+echo "-----------------------------------------------------"
+port=0
+./examples/server/server -E certs/client-cert.pem -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -p $port
+RESULT=$?
+remove_ready_file
+# if fail here then is a settings issue so return 0
+if [ $RESULT -ne 0 ]; then
+    echo -e "\n\nTrusted peer certs not enabled \"WOLFSSL_TRUST_PEER_CERT\""
+    do_cleanup
+    exit 0
+fi
+echo ""
+
+# Test that using no CA's and only trusted peer certs works
+echo "Server and Client relying on trusted peer cert loaded"
+echo "-----------------------------------------------------"
+port=0
+./examples/server/server -A certs/wolfssl-website-ca.pem -E certs/client-cert.pem -c certs/server-cert.pem -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -A certs/wolfssl-website-ca.pem -E certs/server-cert.pem -c certs/client-cert.pem -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\nServer and Client trusted peer cert failed!"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Test that using server trusted peer certs works
+echo "Server relying on trusted peer cert loaded"
+echo "-----------------------------------------------------"
+port=0
+./examples/server/server -A certs/wolfssl-website-ca.pem -E certs/client-cert.pem -c certs/server-cert.pem -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -c certs/client-cert.pem -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\nServer trusted peer cert test failed!"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Test that using client trusted peer certs works
+echo "Client relying on trusted peer cert loaded"
+echo "-----------------------------------------------------"
+port=0
+./examples/server/server -c certs/server-cert.pem -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -E certs/server-cert.pem -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\nClient trusted peer cert test failed!"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Test that client fall through to CA works
+echo "Client fall through to loaded CAs"
+echo "-----------------------------------------------------"
+port=0
+./examples/server/server -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -E certs/server-revoked-cert.pem -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\nClient trusted peer cert fall through to CA test failed!"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Test that client can fail
+echo "Client wrong CA and wrong trusted peer cert loaded"
+echo "-----------------------------------------------------"
+port=0
+./examples/server/server -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -A certs/wolfssl-website-ca.pem -E certs/server-revoked-cert.pem -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -eq 0 ]; then
+    echo -e "\nClient trusted peer cert test failed!"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Test that server can fail
+echo "Server wrong CA and wrong trusted peer cert loaded"
+echo "-----------------------------------------------------"
+port=0
+./examples/server/server -A certs/wolfssl-website-ca.pem -E certs/server-revoked-cert.pem -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -eq 0 ]; then
+    echo -e "\nServer trusted peer cert test failed!"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+# Test that server fall through to CA works
+echo "Server fall through to loaded CAs"
+echo "-----------------------------------------------------"
+port=0
+./examples/server/server -E certs/server-revoked-cert.pem -R $ready_file -p $port &
+server_pid=$!
+create_port
+./examples/client/client -p $port
+RESULT=$?
+remove_ready_file
+if [ $RESULT -ne 0 ]; then
+    echo -e "\nServer trusted peer cert fall through to CA test failed!"
+    do_cleanup
+    exit 1
+fi
+echo ""
+
+echo "-----------------------------------------------------"
+echo "ALL TESTS PASSED"
+echo "-----------------------------------------------------"
+
+exit 0
+
+