Files
wolfssl/scripts/crl-revoked.test
T
Juliusz Sosinowicz 5f755f6bd5 Fix compilation checks in test scripts
Correct the logic for checking if the client and server examples are compiled
in the test scripts. The previous logic was inverted, causing the tests to
always skip if the examples *were* compiled.
2026-02-10 13:14:55 +01:00

246 lines
6.9 KiB
Bash
Executable File

#!/usr/bin/env bash
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
&& exit 1
if ./examples/client/client -? 2>&1 | grep "Client not compiled in!" ; then
echo 'skipping crl-revoked.test because client not compiled in.' 1>&2
exit 77
fi
if ./examples/server/server -? 2>&1 | grep "Server not compiled in!" ; then
echo 'skipping crl-revoked.test because server not compiled in.' 1>&2
exit 77
fi
#crl.test
# if we can, isolate the network namespace to eliminate port collisions.
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
export NETWORK_UNSHARE_HELPER_CALLED=yes
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
fi
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
bwrap_path="$(command -v bwrap)"
if [ -n "$bwrap_path" ]; then
export AM_BWRAPPED=yes
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
fi
unset AM_BWRAPPED
fi
# Workaround to not pollute the certs folder with our files that can impact other tests
RUNNING_DIR=$(mktemp -d)
cp -rp . $RUNNING_DIR/.
cd $RUNNING_DIR
revocation_code="-361"
revocation_code_openssl="23"
exit_code=1
counter=0
# need a unique resume port since may run the same time as testsuite
# use server port zero hack to get one
crl_port=0
#no_pid tells us process was never started if -1
no_pid=-1
#server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
# let's use absolute path to a local dir (make distcheck may be in sub dir)
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_crl_ready$$
CERT_DIR=certs
remove_ready_file() {
if test -e "$ready_file"; then
echo -e "removing existing ready file"
rm "$ready_file"
fi
}
# trap this function so if user aborts with ^C or other kill signal we still
# get an exit that will in turn clean up the file system
abort_trap() {
echo "script aborted"
if [ $server_pid != $no_pid ]
then
echo "killing server"
kill -9 $server_pid
fi
exit_code=2 #different exit code in case of user interrupt
echo "got abort signal, exiting with $exit_code"
exit $exit_code
}
trap abort_trap INT TERM
# trap this function so that if we exit on an error the file system will still
# be restored and the other tests may still pass. Never call this function
# instead use "exit <some value>" and this function will run automatically
restore_file_system() {
remove_ready_file
cd / && rm -rf "$RUNNING_DIR"
}
trap restore_file_system EXIT
run_test() {
echo -e "\nStarting example server for crl test...\n"
remove_ready_file
# starts the server on crl_port, -R generates ready file to be used as a
# mutex lock, -c loads the revoked certificate. We capture the processid
# into the variable server_pid
./examples/server/server -R "$ready_file" -p $crl_port \
-c ${CERT_DIR}/server-revoked-cert.pem \
-k ${CERT_DIR}/server-revoked-key.pem &
server_pid=$!
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
# sleep for an additional 0.1 to mitigate race on write/read of $ready_file:
sleep 0.1
if test -e "$ready_file"; then
echo -e "found ready file, starting client..."
else
echo -e "NO ready file ending test..."
exit 1
fi
# get created port 0 ephemeral port
crl_port="$(cat "$ready_file")"
# starts client on crl_port and captures the output from client
capture_out=$(./examples/client/client -p $crl_port 2>&1)
client_result=$?
wait $server_pid
server_result=$?
case "$capture_out" in
*"$revocation_code"*|*"$revocation_code_openssl"*)
# only exit with zero on detection of the expected error code
echo ""
echo "Successful Revocation!!!!"
echo ""
if [ $exit_hash_dir_code -ne 0 ]; then
exit_code=1
else
exit_code=0
echo "exiting with $exit_code"
exit $exit_code
fi
;;
*)
echo ""
echo "Certificate was not revoked saw this instead: $capture_out"
echo ""
echo "configure with --enable-crl and run this script again"
echo ""
esac
}
run_hashdir_test() {
echo -e "\n\nHash dir with CRL and Certificate loading"
remove_ready_file
# create hashed cert and crl
pushd ${CERT_DIR}
# ca file
ca_hash_name=`openssl x509 -in ca-cert.pem -hash -noout`
if [ -f "$ca_hash_name".0 ]; then
rm "$ca_hash_name".0
fi
ln -s ca-cert.pem "$ca_hash_name".0
# crl file
crl_hash_name=`openssl crl -in ./crl/crl.pem -hash -noout`
if [ -f "$crl_hash_name".r0 ]; then
rm "$crl_hash_name".r0
fi
ln -s ./crl/crl.pem "$crl_hash_name".r0
popd
# starts the server on crl_port, -R generates ready file to be used as a
# mutex lock, -c loads the revoked certificate. We capture the processid
# into the variable server_pid
./examples/server/server -R "$ready_file" -p $crl_port \
-c ${CERT_DIR}/server-revoked-cert.pem \
-k ${CERT_DIR}/server-revoked-key.pem &
server_pid=$!
while [ ! -s "$ready_file" -a "$counter" -lt 20 ]; do
echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
# get created port 0 ephemeral port
crl_port="$(cat "$ready_file")"
# starts client on crl_port and captures the output from client
capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
client_result=$?
wait $server_pid
server_result=$?
case "$capture_out" in
*"$revocation_code"*|*"$revocation_code_openssl"*)
# only exit with zero on detection of the expected error code
echo ""
echo "Successful Revocation!!!! with hash dir"
echo ""
exit_hash_dir_code=0
;;
*)
echo ""
echo "Certificate was not revoked saw this instead: $capture_out"
echo ""
echo "configure with --enable-crl and run this script again"
echo ""
exit_hash_dir_code=1
esac
# clean up hashed cert and crl
pushd ${CERT_DIR}
rm "$ca_hash_name".0
rm "$crl_hash_name".r0
popd
}
######### begin program #########
# Check for enabling hash dir feature
./examples/client/client -? 2>&1 | grep -- 'hash dir'
if [ $? -eq 0 ]; then
hash_dir=yes
exit_hash_dir_code=1
fi
if [ "$hash_dir" = "yes" ]; then
run_hashdir_test
else
exit_hash_dir_code=0
fi
# Check that server is enabled
./examples/server/server -? 2>&1 | grep -- 'Create Ready file'
if [ $? -eq 0 ]; then
# run the test
run_test
else
exit_code=0
fi
# If we get to this exit, exit_code will be a 1 signaling failure
echo "exiting with $exit_code certificate was not revoked"
exit $exit_code
########## end program ##########