mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 00:50:49 +02:00
5f755f6bd5
Correct the logic for checking if the client and server examples are compiled in the test scripts. The previous logic was inverted, causing the tests to always skip if the examples *were* compiled.
548 lines
20 KiB
Bash
Executable File
548 lines
20 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# ocsp-stapling2.test
|
|
# Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
|
|
|
|
SCRIPT_DIR="$(dirname "$0")"
|
|
|
|
# if we can, isolate the network namespace to eliminate port collisions.
|
|
if [[ -n "$NETWORK_UNSHARE_HELPER" ]]; then
|
|
if [[ -z "$NETWORK_UNSHARE_HELPER_CALLED" ]]; then
|
|
export NETWORK_UNSHARE_HELPER_CALLED=yes
|
|
exec "$NETWORK_UNSHARE_HELPER" "$0" "$@" || exit $?
|
|
fi
|
|
elif [ "${AM_BWRAPPED-}" != "yes" ]; then
|
|
bwrap_path="$(command -v bwrap)"
|
|
if [ -n "$bwrap_path" ]; then
|
|
export AM_BWRAPPED=yes
|
|
exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
|
|
fi
|
|
unset AM_BWRAPPED
|
|
fi
|
|
|
|
if [[ -z "${RETRIES_REMAINING-}" ]]; then
|
|
export RETRIES_REMAINING=2
|
|
fi
|
|
|
|
[ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \
|
|
&& exit 1
|
|
|
|
[ ! -x ./examples/server/server ] && printf '\n\n%s\n' "Server doesn't exist" \
|
|
&& exit 1
|
|
|
|
if ./examples/client/client -? 2>&1 | grep "Client not compiled in!" ; then
|
|
echo 'skipping ocsp-stapling2.test because client not compiled in.' 1>&2
|
|
exit 77
|
|
fi
|
|
|
|
if ./examples/server/server -? 2>&1 | grep "Server not compiled in!" ; then
|
|
echo 'skipping ocsp-stapling2.test because server not compiled in.' 1>&2
|
|
exit 77
|
|
fi
|
|
|
|
if ! ./examples/client/client -V | grep -q 3; then
|
|
echo 'skipping ocsp-stapling2.test because TLS1.2 is not available.' 1>&2
|
|
exit 77
|
|
fi
|
|
|
|
if ./examples/client/client '-#' | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then
|
|
echo 'skipping oscp-stapling2.test because WOLFSSL_SNIFFER defined.'
|
|
exit 77
|
|
fi
|
|
|
|
if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then
|
|
IPV6_SUPPORTED=yes
|
|
else
|
|
IPV6_SUPPORTED=no
|
|
fi
|
|
|
|
if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then
|
|
if [[ "$IPV6_SUPPORTED" == "no" ]]; then
|
|
echo 'Skipping IPV6 test in environment lacking IPV6 support.'
|
|
exit 77
|
|
fi
|
|
LOCALHOST='[::1]'
|
|
LOCALHOST_FOR_NC='-6 ::1'
|
|
else
|
|
LOCALHOST='127.0.0.1'
|
|
LOCALHOST_FOR_NC='127.0.0.1'
|
|
fi
|
|
|
|
PARENTDIR="$PWD"
|
|
|
|
# create a unique workspace directory ending in PID for the script instance ($$)
|
|
# to make this instance orthogonal to any others running, even on same repo.
|
|
# TCP ports are also carefully formed below from the PID, to minimize conflicts.
|
|
|
|
WORKSPACE="${PARENTDIR}/workspace.pid$$"
|
|
|
|
mkdir "${WORKSPACE}" || exit $?
|
|
cp -pR ${SCRIPT_DIR}/../certs "${WORKSPACE}"/ || exit $?
|
|
cd "$WORKSPACE" || exit $?
|
|
ln -s ../examples
|
|
|
|
CERT_DIR="certs/ocsp"
|
|
|
|
|
|
ready_file1="$WORKSPACE"/wolf_ocsp_s2_readyF1$$
|
|
ready_file2="$WORKSPACE"/wolf_ocsp_s2_readyF2$$
|
|
ready_file3="$WORKSPACE"/wolf_ocsp_s2_readyF3$$
|
|
ready_file4="$WORKSPACE"/wolf_ocsp_s2_readyF4$$
|
|
ready_file5="$WORKSPACE"/wolf_ocsp_s2_readyF5$$
|
|
printf '%s\n' "ready file 1: $ready_file1"
|
|
printf '%s\n' "ready file 2: $ready_file2"
|
|
printf '%s\n' "ready file 3: $ready_file3"
|
|
printf '%s\n' "ready file 4: $ready_file4"
|
|
printf '%s\n' "ready file 5: $ready_file5"
|
|
|
|
test_cnf="ocsp_s2.cnf"
|
|
|
|
wait_for_readyFile(){
|
|
|
|
counter=0
|
|
|
|
while [ ! -s $1 -a "$counter" -lt 20 ]; do
|
|
if [[ -n "${2-}" ]]; then
|
|
if ! kill -0 $2 2>&-; then
|
|
echo "pid $2 for port ${3-} exited before creating ready file. bailing..."
|
|
exit 1
|
|
fi
|
|
fi
|
|
echo -e "waiting for ready file..."
|
|
sleep 0.1
|
|
counter=$((counter+ 1))
|
|
done
|
|
|
|
if test -e $1; then
|
|
echo -e "found ready file, starting client..."
|
|
else
|
|
echo -e "NO ready file at $1 -- ending test..."
|
|
exit 1
|
|
fi
|
|
|
|
}
|
|
|
|
remove_single_rF(){
|
|
if test -e $1; then
|
|
printf '%s\n' "removing ready file: $1"
|
|
rm $1
|
|
fi
|
|
}
|
|
|
|
#create a configure file for cert generation with the port 0 solution
|
|
create_new_cnf() {
|
|
printf '%s\n' "Random Ports Selected: $1 $2 $3 $4"
|
|
|
|
printf '%s\n' "#" > $test_cnf
|
|
printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf
|
|
printf '%s\n' "#" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# Extensions to add to a certificate request (intermediate1-ca)" >> $test_cnf
|
|
printf '%s\n' "[ v3_req1 ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
|
|
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$1" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# Extensions to add to a certificate request (intermediate2-ca)" >> $test_cnf
|
|
printf '%s\n' "[ v3_req2 ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
|
|
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$2" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# Extensions to add to a certificate request (intermediate3-ca)" >> $test_cnf
|
|
printf '%s\n' "[ v3_req3 ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" >> $test_cnf
|
|
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$3" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# Extensions for a typical CA" >> $test_cnf
|
|
printf '%s\n' "[ v3_ca ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:true" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "keyUsage = keyCertSign, cRLSign" >> $test_cnf
|
|
printf '%s\n' "authorityInfoAccess = OCSP;URI:http://127.0.0.1:$4" >> $test_cnf
|
|
printf '%s\n' "" >> $test_cnf
|
|
printf '%s\n' "# OCSP extensions." >> $test_cnf
|
|
printf '%s\n' "[ v3_ocsp ]" >> $test_cnf
|
|
printf '%s\n' "basicConstraints = CA:false" >> $test_cnf
|
|
printf '%s\n' "subjectKeyIdentifier = hash" >> $test_cnf
|
|
printf '%s\n' "authorityKeyIdentifier = keyid:always,issuer:always" >> $test_cnf
|
|
printf '%s\n' "extendedKeyUsage = OCSPSigning" >> $test_cnf
|
|
|
|
mv $test_cnf $CERT_DIR/$test_cnf
|
|
cd $CERT_DIR
|
|
CURR_LOC="$PWD"
|
|
printf '%s\n' "echo now in $CURR_LOC"
|
|
./renewcerts-for-test.sh $test_cnf
|
|
cd $WORKSPACE
|
|
}
|
|
|
|
remove_ready_file(){
|
|
if test -e $ready_file1; then
|
|
printf '%s\n' "removing ready file: $ready_file1"
|
|
rm $ready_file1
|
|
fi
|
|
if test -e $ready_file2; then
|
|
printf '%s\n' "removing ready file: $ready_file2"
|
|
rm $ready_file2
|
|
fi
|
|
if test -e $ready_file3; then
|
|
printf '%s\n' "removing ready file: $ready_file3"
|
|
rm $ready_file3
|
|
fi
|
|
if test -e $ready_file4; then
|
|
printf '%s\n' "removing ready file: $ready_file4"
|
|
rm $ready_file4
|
|
fi
|
|
if test -e $ready_file5; then
|
|
printf '%s\n' "removing ready file: $ready_file5"
|
|
rm $ready_file5
|
|
fi
|
|
}
|
|
|
|
cleanup()
|
|
{
|
|
exit_status=$?
|
|
for i in $(jobs -pr)
|
|
do
|
|
kill -s KILL "$i"
|
|
done
|
|
remove_ready_file
|
|
rm $CERT_DIR/$test_cnf
|
|
cd "$PARENTDIR" || return 1
|
|
rm -r "$WORKSPACE" || return 1
|
|
|
|
if [[ ("$exit_status" == 1) && ($RETRIES_REMAINING -gt 0) ]]; then
|
|
echo "retrying..."
|
|
RETRIES_REMAINING=$((RETRIES_REMAINING - 1))
|
|
exec $0 "$@"
|
|
fi
|
|
}
|
|
trap cleanup EXIT INT TERM HUP
|
|
|
|
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
|
|
|
|
# check if supported key size is large enough to handle 4096 bit RSA
|
|
size="$(./examples/client/client '-?' | grep "Max RSA key")"
|
|
size="${size//[^0-9]/}"
|
|
if [ ! -z "$size" ]; then
|
|
printf 'check on max key size of %d ...' $size
|
|
if [ $size -lt 4096 ]; then
|
|
printf '%s\n' "4096 bit RSA keys not supported"
|
|
exit 0
|
|
fi
|
|
printf 'OK\n'
|
|
fi
|
|
|
|
#get four unique ports
|
|
|
|
# choose consecutive ports based on the PID, skipping any that are
|
|
# already bound, to avoid the birthday problem in case other
|
|
# instances are sharing this host.
|
|
|
|
get_first_free_port() {
|
|
local ret="$1"
|
|
while :; do
|
|
if [[ "$ret" -ge 65536 ]]; then
|
|
ret=1024
|
|
fi
|
|
if ! nc -z ${LOCALHOST_FOR_NC} "$ret"; then
|
|
break
|
|
fi
|
|
ret=$((ret+1))
|
|
done
|
|
echo "$ret"
|
|
return 0
|
|
}
|
|
|
|
base_port=$((((($$ + $RETRIES_REMAINING) * 5) % (65536 - 2048)) + 1024))
|
|
port1=$(get_first_free_port $base_port)
|
|
port2=$(get_first_free_port $((port1 + 1)))
|
|
port3=$(get_first_free_port $((port2 + 1)))
|
|
port4=$(get_first_free_port $((port3 + 1)))
|
|
port5=$(get_first_free_port $((port4 + 1)))
|
|
|
|
# 1:
|
|
./examples/server/server -R $ready_file1 -p $port1 &
|
|
server_pid1=$!
|
|
wait_for_readyFile $ready_file1 $server_pid1 $port1
|
|
if [ ! -f $ready_file1 ]; then
|
|
printf '%s\n' "Failed to create ready file1: \"$ready_file1\""
|
|
exit 1
|
|
fi
|
|
# 2:
|
|
./examples/server/server -R $ready_file2 -p $port2 &
|
|
server_pid2=$!
|
|
wait_for_readyFile $ready_file2 $server_pid2 $port2
|
|
if [ ! -f $ready_file2 ]; then
|
|
printf '%s\n' "Failed to create ready file2: \"$ready_file2\""
|
|
exit 1
|
|
fi
|
|
# 3:
|
|
./examples/server/server -R $ready_file3 -p $port3 &
|
|
server_pid3=$!
|
|
wait_for_readyFile $ready_file3 $server_pid3 $port3
|
|
if [ ! -f $ready_file3 ]; then
|
|
printf '%s\n' "Failed to create ready file3: \"$ready_file3\""
|
|
exit 1
|
|
fi
|
|
# 4:
|
|
./examples/server/server -R $ready_file4 -p $port4 &
|
|
server_pid4=$!
|
|
wait_for_readyFile $ready_file4 $server_pid4 $port4
|
|
if [ ! -f $ready_file4 ]; then
|
|
printf '%s\n' "Failed to create ready file4: \"$ready_file4\""
|
|
exit 1
|
|
fi
|
|
|
|
printf '%s\n' "------------- PORTS ---------------"
|
|
printf '%s' "Random ports selected: $port1 $port2"
|
|
printf '%s\n' " $port3 $port4"
|
|
printf '%s\n' "-----------------------------------"
|
|
# Use client connections to cleanly shutdown the servers
|
|
./examples/client/client -p $port1
|
|
./examples/client/client -p $port2
|
|
./examples/client/client -p $port3
|
|
./examples/client/client -p $port4
|
|
create_new_cnf $port1 $port2 $port3 \
|
|
$port4
|
|
|
|
sleep 0.1
|
|
|
|
# setup ocsp responders
|
|
# OLD: ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
|
|
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
|
|
# purposes!
|
|
openssl ocsp -port $port1 -nmin 1 \
|
|
-index certs/ocsp/index-ca-and-intermediate-cas.txt \
|
|
-rsigner certs/ocsp/ocsp-responder-cert.pem \
|
|
-rkey certs/ocsp/ocsp-responder-key.pem \
|
|
-CA certs/ocsp/root-ca-cert.pem \
|
|
"$@" \
|
|
&
|
|
|
|
# OLD: ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
|
|
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
|
|
# purposes!
|
|
openssl ocsp -port $port2 -nmin 1 \
|
|
-index certs/ocsp/index-intermediate2-ca-issued-certs.txt \
|
|
-rsigner certs/ocsp/ocsp-responder-cert.pem \
|
|
-rkey certs/ocsp/ocsp-responder-key.pem \
|
|
-CA certs/ocsp/intermediate2-ca-cert.pem \
|
|
"$@" \
|
|
&
|
|
|
|
# OLD: ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
|
|
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
|
|
# purposes!
|
|
openssl ocsp -port $port3 -nmin 1 \
|
|
-index certs/ocsp/index-intermediate3-ca-issued-certs.txt \
|
|
-rsigner certs/ocsp/ocsp-responder-cert.pem \
|
|
-rkey certs/ocsp/ocsp-responder-key.pem \
|
|
-CA certs/ocsp/intermediate3-ca-cert.pem \
|
|
"$@" \
|
|
&
|
|
|
|
# NEW: openssl isn't being cleaned up, invoke directly in script for cleanup
|
|
# purposes!
|
|
openssl ocsp -port $port4 -nmin 1 \
|
|
-index certs/ocsp/index-ca-and-intermediate-cas.txt \
|
|
-rsigner certs/ocsp/ocsp-responder-cert.pem \
|
|
-rkey certs/ocsp/ocsp-responder-key.pem \
|
|
-CA certs/ocsp/root-ca-cert.pem \
|
|
"$@" \
|
|
&
|
|
|
|
sleep 0.1
|
|
# "jobs" is not portable for posix. Must use bash interpreter!
|
|
[ $(jobs -r | wc -l) -ne 4 ] && printf '\n\n%s\n' "Setup ocsp responder failed, skipping" && exit 0
|
|
|
|
printf '\n\n%s\n\n' "All OCSP responders started successfully!"
|
|
printf '%s\n\n' "------------- TEST CASE 1 SHOULD PASS ------------------------"
|
|
# client test against our own server - GOOD CERTS
|
|
./examples/server/server -c certs/ocsp/server3-cert.pem \
|
|
-k certs/ocsp/server3-key.pem -R $ready_file5 \
|
|
-p $port5 &
|
|
server_pid5=$!
|
|
wait_for_readyFile $ready_file5 $server_pid5 $port5
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
|
|
-p $port5
|
|
RESULT=$?
|
|
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
|
|
printf '%s\n\n' "Test PASSED!"
|
|
|
|
printf '%s\n\n' "------------- TEST CASE 2 SHOULD PASS ------------------------"
|
|
remove_single_rF $ready_file5
|
|
./examples/server/server -c certs/ocsp/server3-cert.pem \
|
|
-k certs/ocsp/server3-key.pem -R $ready_file5 \
|
|
-p $port5 &
|
|
server_pid5=$!
|
|
wait_for_readyFile $ready_file5 $server_pid5 $port5
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
|
|
-p $port5
|
|
RESULT=$?
|
|
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 2 failed" && exit 1
|
|
printf '%s\n\n' "Test PASSED!"
|
|
|
|
printf '%s\n\n' "------------- TEST CASE 3 SHOULD REVOKE ----------------------"
|
|
# client test against our own server - REVOKED SERVER CERT
|
|
remove_single_rF $ready_file5
|
|
./examples/server/server -c certs/ocsp/server4-cert.pem \
|
|
-k certs/ocsp/server4-key.pem -R $ready_file5 \
|
|
-p $port5 &
|
|
server_pid5=$!
|
|
wait_for_readyFile $ready_file5 $server_pid5 $port5
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
|
|
-p $port5
|
|
RESULT=$?
|
|
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
|
|
printf '%s\n\n' "Test successfully REVOKED!"
|
|
|
|
printf '%s\n\n' "------------- TEST CASE 4 SHOULD REVOKE ----------------------"
|
|
remove_single_rF $ready_file5
|
|
./examples/server/server -c certs/ocsp/server4-cert.pem \
|
|
-k certs/ocsp/server4-key.pem -R $ready_file5 \
|
|
-p $port5 &
|
|
sleep 0.1
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
|
|
-p $port5
|
|
RESULT=$?
|
|
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
|
|
printf '%s\n\n' "Test successfully REVOKED!"
|
|
|
|
printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ------------------------"
|
|
# client test against our own server - REVOKED INTERMEDIATE CERT
|
|
remove_single_rF $ready_file5
|
|
./examples/server/server -c certs/ocsp/server5-cert.pem \
|
|
-k certs/ocsp/server5-key.pem -R $ready_file5 \
|
|
-p $port5 &
|
|
server_pid5=$!
|
|
wait_for_readyFile $ready_file5 $server_pid5 $port5
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -v 3 \
|
|
-p $port5
|
|
RESULT=$?
|
|
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 3 failed $RESULT" && exit 1
|
|
printf '%s\n\n' "Test PASSED!"
|
|
|
|
printf '%s\n\n' "------------- TEST CASE 6 SHOULD REVOKE ----------------------"
|
|
remove_single_rF $ready_file5
|
|
./examples/server/server -c certs/ocsp/server5-cert.pem \
|
|
-k certs/ocsp/server5-key.pem -R $ready_file5 \
|
|
-p $port5 &
|
|
server_pid5=$!
|
|
wait_for_readyFile $ready_file5 $server_pid5 $port5
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
|
|
-p $port5
|
|
RESULT=$?
|
|
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
|
|
printf '%s\n\n' "Test successfully REVOKED!"
|
|
printf '%s\n\n' "------------- TEST CASE 7 LOAD CERT IN SSL -------------------"
|
|
remove_single_rF $ready_file5
|
|
./examples/server/server -c certs/ocsp/server1-cert.pem \
|
|
-k certs/ocsp/server1-key.pem -R $ready_file5 \
|
|
-p $port5 -H loadSSL &
|
|
server_pid5=$!
|
|
wait_for_readyFile $ready_file5 $server_pid5 $port5
|
|
echo "test connection" | openssl s_client -status -legacy_renegotiation -connect ${LOCALHOST}:$port5 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem
|
|
RESULT=$?
|
|
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1
|
|
wait $server_pid5
|
|
if [ $? -ne 0 ]; then
|
|
printf '%s\n' "Unexpected server result"
|
|
exit 1
|
|
fi
|
|
printf '%s\n\n' "Test successful"
|
|
printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------"
|
|
remove_single_rF $ready_file5
|
|
./examples/server/server -c certs/ocsp/server4-cert.pem \
|
|
-k certs/ocsp/server4-key.pem -R $ready_file5 \
|
|
-p $port5 -H loadSSL &
|
|
server_pid5=$!
|
|
sleep 0.1
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 3 -v 3 \
|
|
-p $port5
|
|
RESULT=$?
|
|
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection succeeded $RESULT" && exit 1
|
|
wait $server_pid5
|
|
if [ $? -ne 1 ]; then
|
|
printf '%s\n' "Unexpected server result"
|
|
exit 1
|
|
fi
|
|
printf '%s\n\n' "Test successfully REVOKED!"
|
|
|
|
# need a unique port since may run the same time as testsuite
|
|
generate_port() {
|
|
#-------------------------------------------------------------------------#
|
|
# Generate a random port number
|
|
#-------------------------------------------------------------------------#
|
|
|
|
if [[ "$OSTYPE" == "linux"* || "$OSTYPE" == "msys"
|
|
|| "$OSTYPE" == "cygwin" ]]; then
|
|
port=$(($(od -An -N2 /dev/urandom) % (65535-49512) + 49512))
|
|
elif [[ "$OSTYPE" == "darwin"* ]]; then
|
|
port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
|
|
else
|
|
echo "Unknown OS TYPE"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Start OpenSSL server that has no OCSP responses to return
|
|
generate_port
|
|
openssl s_server -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port &
|
|
openssl_pid=$!
|
|
MAX_TIMEOUT=10
|
|
until nc -z localhost $port # Wait for openssl to be ready
|
|
do
|
|
sleep 0.05
|
|
if [ "$MAX_TIMEOUT" == "0" ]; then
|
|
break
|
|
fi
|
|
((MAX_TIMEOUT--))
|
|
done
|
|
|
|
printf '%s\n\n' "------------- TEST CASE 9 SHOULD PASS ----------------------"
|
|
# client asks for OCSP staple but doesn't fail when none returned
|
|
./examples/client/client -p $port -g -v 3 -W 2
|
|
|
|
RESULT=$?
|
|
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 9 failed" && exit 1
|
|
printf '%s\n\n' "Test PASSED!"
|
|
|
|
printf '%s\n\n' "------------- TEST CASE 10 SHOULD UNKNOWN -------------------"
|
|
# client asks for OCSP staple but doesn't fail when none returned
|
|
./examples/client/client -p $port -g -v 3 -W 2m
|
|
|
|
RESULT=$?
|
|
[ $RESULT -ne 1 ] \
|
|
&& printf '\n\n%s\n' "Client connection 10 succeeded $RESULT" \
|
|
&& exit 1
|
|
printf '%s\n\n' "Test PASSED!"
|
|
|
|
|
|
if ./examples/client/client -? 2>&1 | grep -q 'DTLS'; then
|
|
printf '%s\n\n' "------------- TEST CASE DTLS-1 SHOULD PASS -------------------"
|
|
# client test against our own server - GOOD CERTS
|
|
./examples/server/server -c certs/ocsp/server3-cert.pem \
|
|
-k certs/ocsp/server3-key.pem -R $ready_file5 \
|
|
-p $port5 -u -v 3 &
|
|
server_pid5=$!
|
|
sleep 0.2
|
|
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 2 -u -v 3 \
|
|
-p $port5
|
|
RESULT=$?
|
|
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 1 failed" && exit 1
|
|
printf '%s\n\n' "Test PASSED!"
|
|
fi
|
|
|
|
printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
|
|
|
|
exit 0
|