diff options
Diffstat (limited to 'security/nss/tests/iopr/ocsp_iopr.sh')
-rw-r--r-- | security/nss/tests/iopr/ocsp_iopr.sh | 231 |
1 files changed, 231 insertions, 0 deletions
diff --git a/security/nss/tests/iopr/ocsp_iopr.sh b/security/nss/tests/iopr/ocsp_iopr.sh new file mode 100644 index 000000000..dcc6e1ffb --- /dev/null +++ b/security/nss/tests/iopr/ocsp_iopr.sh @@ -0,0 +1,231 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/iopr/ocsp_iopr.sh +# +# NSS SSL interoperability QA. This file is included from ssl.sh +# +# needs to work on all Unix and Windows platforms +# +# special strings +# --------------- +# FIXME ... known problems, search for this string +# NOTE .... unexpected behavior +######################################################################## +IOPR_OCSP_SOURCED=1 + +######################################################################## +# The funtion works with variables defined in interoperability +# configuration file that gets downloaded from a webserver. +# The function sets test parameters defind for a particular type +# of testing. +# +# No return value +# +setTestParam() { + type=$1 + testParam=`eval 'echo $'${type}Param` + testDescription=`eval 'echo $'${type}Descr` + testProto=`eval 'echo $'${type}Proto` + testPort=`eval 'echo $'${type}Port` + testResponder=`eval 'echo $'${type}ResponderCert` + testValidCertNames=`eval 'echo $'${type}ValidCertNames` + testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames` + testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames` +} + +######################################################################## +# The funtion checks status of a cert using ocspclnt. +# Params: +# dbDir - nss cert db location +# cert - cert in question +# respUrl - responder url is available +# defRespCert - trusted responder cert +# +# Return values: +# 0 - test passed, 1 - otherwise. +# +ocsp_get_cert_status() { + dbDir=$1 + cert=$2 + respUrl=$3 + defRespCert=$4 + + if [ -n "$respUrl" -o -n "$defRespCert" ]; then + if [ -z "$respUrl" -o -z "$defRespCert" ]; then + html_failed "Incorrect test params" + return 1 + fi + clntParam="-l $respUrl -t $defRespCert" + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + outFile=$dbDir/ocsptest.out.$$ + echo "ocspclnt -d $dbDir -S $cert $clntParam" + ${BINDIR}/ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1 + ret=$? + echo "ocspclnt output:" + cat $outFile + [ -z "`grep succeeded $outFile`" ] && ret=1 + + rm -f $outFile + return $ret + fi + + OCSP_ATTR="-d $dbDir -S $cert $clntParam" + ${RUN_COMMAND_DBG} ${BINDIR}/ocspclnt ${OCSP_ATTR} +} + +######################################################################## +# The funtion checks status of a cert using ocspclnt. +# Params: +# testType - type of the test based on type of used responder +# servName - FQDM of the responder server +# dbDir - nss cert db location +# +# No return value +# +ocsp_iopr() { + testType=$1 + servName=$2 + dbDir=$3 + + setTestParam $testType + if [ "`echo $testParam | grep NOCOV`" != "" ]; then + echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \ + "run by server configuration" + return 0 + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \ + "Test Type: $testDescription" + fi + + if [ -n "$testResponder" ]; then + responderUrl="$testProto://$servName:$testPort" + else + responderUrl="" + fi + + if [ -z "${MEMLEAK_DBG}" ]; then + for certName in $testValidCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 0 "Getting status of a valid cert ($certName)" \ + "produced a returncode of $ret, expected is 0." + done + + for certName in $testRevokedCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 1 "Getting status of a unvalid cert ($certName)" \ + "produced a returncode of $ret, expected is 1." + done + + for certName in $testStatUnknownCertNames; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + html_msg $? 1 "Getting status of a cert with unknown status " \ + "($certName) produced a returncode of $ret, expected is 1." + done + else + for certName in $testValidCertNames $testRevokedCertNames \ + $testStatUnknownCertName; do + ocsp_get_cert_status $dbDir $certName "$responderUrl" \ + "$testResponder" + done + fi +} + +##################################################################### +# Initial point for running ocsp test againt multiple hosts involved in +# interoperability testing. Called from nss/tests/ocsp/ocsp.sh +# It will only proceed with test run for a specific host if environment variable +# IOPR_HOSTADDR_LIST was set, had the host name in the list +# and all needed file were successfully downloaded and installed for the host. +# +# Returns 1 if interoperability testing is off, 0 otherwise. +# +ocsp_iopr_run() { + NO_ECC_CERTS=1 # disable ECC for interoperability tests + + if [ "$IOPR" -ne 1 ]; then + return 1 + fi + cd ${CLIENTDIR} + + if [ -n "${MEMLEAK_DBG}" ]; then + html_head "Memory leak checking - IOPR" + fi + + num=1 + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + while [ "$IOPR_HOST_PARAM" ]; do + IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'` + IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'` + [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443 + + . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg + RES=$? + + num=`expr $num + 1` + IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '` + + if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then + continue + fi + + #======================================================= + # Check what server is configured to run ssl tests + # + [ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue; + + # Testing directories defined by webserver. + if [ -n "${MEMLEAK_DBG}" ]; then + LOGNAME=iopr-${IOPR_HOSTADDR} + LOGFILE=${LOGDIR}/${LOGNAME}.log + fi + + # Testing directories defined by webserver. + echo "Testing ocsp interoperability. + Client: local(tstclnt). + Responder: remote($IOPR_HOSTADDR)" + + for ocspTestType in ${supportedTests_new}; do + if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then + continue + fi + if [ -n "${MEMLEAK_DBG}" ]; then + ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} 2>> ${LOGFILE} + else + ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \ + ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} + fi + done + + if [ -n "${MEMLEAK_DBG}" ]; then + log_parse + ret=$? + html_msg ${ret} 0 "${LOGNAME}" \ + "produced a returncode of $ret, expected is 0" + fi + + echo "================================================" + echo "Done testing ocsp interoperability with $IOPR_HOSTADDR" + done + + if [ -n "${MEMLEAK_DBG}" ]; then + html "</TABLE><BR>" + fi + + NO_ECC_CERTS=0 + return 0 +} + |