tests/iopr/ocsp_iopr.sh
author Martin Thomson <martin.thomson@gmail.com>
Thu, 06 Oct 2016 00:00:32 +1100
changeset 12685 2d463826e09ac3cd8dafc4c9510c1bd81b16b115
parent 10685 6c43fe3ab5dd41803bbd6705979f73275d7668f6
permissions -rw-r--r--
Bug 1307772 - Require that the server use the draft version, r=ekr

#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

########################################################################
#
# mozilla/security/nss/tests/iopr/ocsp_iopr.sh
#
# NSS SSL interoperability QA. This file is included from ssl.sh
#
# needs to work on all Unix and Windows platforms
#
# special strings
# ---------------
#   FIXME ... known problems, search for this string
#   NOTE .... unexpected behavior
########################################################################
IOPR_OCSP_SOURCED=1

########################################################################
# The funtion works with variables defined in interoperability 
# configuration file that gets downloaded from a webserver.
# The function sets test parameters defind for a particular type
# of testing.
#
# No return value
#
setTestParam() {
    type=$1
    testParam=`eval 'echo $'${type}Param`
    testDescription=`eval 'echo $'${type}Descr`
    testProto=`eval 'echo $'${type}Proto`
    testPort=`eval 'echo $'${type}Port`
    testResponder=`eval 'echo $'${type}ResponderCert`
    testValidCertNames=`eval 'echo $'${type}ValidCertNames`
    testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames`
    testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames`
}

########################################################################
# The funtion checks status of a cert using ocspclnt.
# Params:
#    dbDir - nss cert db location
#    cert - cert in question
#    respUrl - responder url is available 
#    defRespCert - trusted responder cert
#
# Return values:
#    0 - test passed, 1 - otherwise.
#
ocsp_get_cert_status() {
    dbDir=$1
    cert=$2
    respUrl=$3
    defRespCert=$4
    
    if [ -n "$respUrl" -o -n "$defRespCert" ]; then
        if [ -z "$respUrl" -o -z "$defRespCert" ]; then
            html_failed "Incorrect test params" 
            return 1
        fi
        clntParam="-l $respUrl -t $defRespCert"
    fi

    if [ -z "${MEMLEAK_DBG}" ]; then
        outFile=$dbDir/ocsptest.out.$$
        echo "ocspclnt -d $dbDir -S $cert $clntParam"
        ${BINDIR}/ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1
        ret=$?
        echo "ocspclnt output:"
        cat $outFile
        [ -z "`grep succeeded $outFile`" ] && ret=1
    
        rm -f $outFile
        return $ret
    fi

    OCSP_ATTR="-d $dbDir -S $cert $clntParam"
    ${RUN_COMMAND_DBG} ${BINDIR}/ocspclnt ${OCSP_ATTR}
}

########################################################################
# The funtion checks status of a cert using ocspclnt.
# Params:
#    testType - type of the test based on type of used responder
#    servName - FQDM of the responder server
#    dbDir - nss cert db location
#
# No return value
#
ocsp_iopr() {
    testType=$1
    servName=$2
    dbDir=$3

    setTestParam $testType
    if [ "`echo $testParam | grep NOCOV`" != "" ]; then
        echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
            "run by server configuration"
        return 0
    fi
    
    if [ -z "${MEMLEAK_DBG}" ]; then
        html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \
            "Test Type: $testDescription"
    fi

    if [ -n "$testResponder" ]; then
        responderUrl="$testProto://$servName:$testPort"
    else
        responderUrl=""
    fi

    if [ -z "${MEMLEAK_DBG}" ]; then
        for certName in $testValidCertNames; do
            ocsp_get_cert_status $dbDir $certName "$responderUrl" \
                "$testResponder"
            html_msg $? 0 "Getting status of a valid cert ($certName)" \
                "produced a returncode of $ret, expected is 0."
        done

        for certName in $testRevokedCertNames; do
            ocsp_get_cert_status $dbDir $certName "$responderUrl" \
                "$testResponder"
            html_msg $? 1 "Getting status of a unvalid cert ($certName)" \
                "produced a returncode of $ret, expected is 1." 
        done

        for certName in $testStatUnknownCertNames; do
            ocsp_get_cert_status $dbDir $certName "$responderUrl" \
                "$testResponder"
            html_msg $? 1 "Getting status of a cert with unknown status " \
                        "($certName) produced a returncode of $ret, expected is 1."
        done
    else
        for certName in $testValidCertNames $testRevokedCertNames \
            $testStatUnknownCertName; do
            ocsp_get_cert_status $dbDir $certName "$responderUrl" \
                "$testResponder" 
        done
    fi
}
  
#####################################################################
# Initial point for running ocsp test againt multiple hosts involved in
# interoperability testing. Called from nss/tests/ocsp/ocsp.sh
# It will only proceed with test run for a specific host if environment variable 
# IOPR_HOSTADDR_LIST was set, had the host name in the list
# and all needed file were successfully downloaded and installed for the host.
#
# Returns 1 if interoperability testing is off, 0 otherwise. 
#
ocsp_iopr_run() {
    NO_ECC_CERTS=1 # disable ECC for interoperability tests

    if [ "$IOPR" -ne 1 ]; then
        return 1
    fi
    cd ${CLIENTDIR}

    if [ -n "${MEMLEAK_DBG}" ]; then
        html_head "Memory leak checking - IOPR"
    fi

    num=1
    IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
    while [ "$IOPR_HOST_PARAM" ]; do
        IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
        IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
        [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443
        
        . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
        RES=$?
        
        num=`expr $num + 1`
        IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`

        if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then
            continue
        fi
        
        #=======================================================
        # Check what server is configured to run ssl tests
        #
        [ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue;

        # Testing directories defined by webserver.
        if [ -n "${MEMLEAK_DBG}" ]; then
            LOGNAME=iopr-${IOPR_HOSTADDR}
            LOGFILE=${LOGDIR}/${LOGNAME}.log
        fi
       
        # Testing directories defined by webserver.
        echo "Testing ocsp interoperability.
                Client: local(tstclnt).
                Responder: remote($IOPR_HOSTADDR)"

        for ocspTestType in ${supportedTests_new}; do
            if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then
                continue
            fi
            if [ -n "${MEMLEAK_DBG}" ]; then
                ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
                    ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} 2>> ${LOGFILE}
            else
                ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
                    ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
            fi
        done

        if [ -n "${MEMLEAK_DBG}" ]; then
            log_parse
            ret=$?
            html_msg ${ret} 0 "${LOGNAME}" \
                "produced a returncode of $ret, expected is 0"
        fi

        echo "================================================"
        echo "Done testing ocsp interoperability with $IOPR_HOSTADDR"
    done

    if [ -n "${MEMLEAK_DBG}" ]; then
        html "</TABLE><BR>"
    fi

    NO_ECC_CERTS=0
    return 0
}