-rw-r--r--.gitignore2
-rw-r--r--configure.ac1
-rw-r--r--trust/tests/Makefile.am6
-rw-r--r--trust/tests/test-extract.in189
4 files changed, 198 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index 5c18615..0d348a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,8 +56,10 @@ x86_64-w64-mingw32
/*/tests/test-*
!/*/tests/test-*.[ch]
+!/*/tests/test-*.in
/*/tests/frob-*
!/*/tests/frob-*.[ch]
+!/*/tests/frob-*.in
/x86_64_w64-mingw32/
diff --git a/configure.ac b/configure.ac
index 4538079..b2f4f8b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -512,6 +512,7 @@ AC_CONFIG_FILES([Makefile
trust/Makefile
trust/trust-extract-compat
trust/tests/Makefile
+ trust/tests/test-extract
])
AC_OUTPUT
diff --git a/trust/tests/Makefile.am b/trust/tests/Makefile.am
index e53a6ae..1f13b2a 100644
--- a/trust/tests/Makefile.am
+++ b/trust/tests/Makefile.am
@@ -114,3 +114,9 @@ test_openssl_SOURCES = \
$(TRUST)/extract-openssl.c \
$(TRUST)/save.c \
$(NULL)
+
+noinst_SCRIPTS = \
+ test-extract
+
+installcheck-local:
+ sh $(builddir)/test-extract
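Review bot: The `installcheck-local` recipe runs test-extract with whatever `trust` is first on PATH (the script calls a bare `trust`), so it may exercise a previously installed binary rather than the one this tree just installed; consider `PATH="$(DESTDIR)$(bindir):$$PATH" sh $(builddir)/test-extract` so the check is tied to the install it follows. The script also writes into the trust directories baked in from `@with_trust_paths@`, which are absolute system paths, so a `DESTDIR`-staged install will presumably not be what gets tested and the target needs write access to those directories; a comment above the rule stating that requirement would save users a confusing failure, e.g. `# Runs against the installed trust paths; needs write access to them.`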
diff --git a/trust/tests/test-extract.in b/trust/tests/test-extract.in
new file mode 100644
index 0000000..59f6cd6
--- /dev/null
+++ b/trust/tests/test-extract.in
@@ -0,0 +1,189 @@
+#!/bin/sh
+
+set -euf
+
+# -----------------------------------------------------------------------------
+# Basic fundamentals
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+datarootdir=@datarootdir@
+datadir=@datadir@
+sysconfdir=@sysconfdir@
+libdir=@libdir@
+privatedir=@privatedir@
+with_trust_paths=@with_trust_paths@
+script=$(basename $0)
+
+# -----------------------------------------------------------------------------
+# Testing
+
+warning()
+{
+ echo "$script: $@" >&2
+}
+
+assert_fail()
+{
+ warning $@
+ exit 1
+}
+
+assert_contains()
+{
+ if ! grep -qF $2 $1; then
+ assert_fail "$1 does not contain $2"
+ fi
+}
+
+assert_not_contains()
+{
+ if grep -qF $2 $1; then
+ assert_fail "$1 contains $2"
+ fi
+}
+
+teardown()
+{
+ for x in $TD; do
+ if [ -d $x ]; then
+ rmdir $x
+ elif [ -f $x ]; then
+ rm $x
+ fi
+ done
+ TD=""
+}
+
+teardown_dirty()
+{
+ echo "not ok $TEST_NUMBER $TEST_NAME"
+ teardown
+}
+
+openssl_quiet()
+(
+ command='/Generating a|-----|^[.+]+$|writing new private key/d'
+ exec 3>&1
+ openssl $@ 2>&1 >&3 3>&- | sed -r "$command" 3>&-
+)
+
+skip()
+{
+ TEST_SKIP=yes
+ echo "ok $TEST_NUMBER # skip $TEST_NAME: $@"
+}
+
+setup()
+{
+ # Parse the trust paths
+ oldifs="$IFS"
+ IFS=:
+ set $with_trust_paths
+ IFS="$oldifs"
+
+ if [ ! -d $1 ]; then
+ skip "$1 is not a directory"
+ return
+ fi
+
+ SOURCE_1=$1
+ if [ $# -lt 2 ]; then
+ warning "certain tests neutered if only 1 trust path: $with_trust_paths"
+ SOURCE_2=$1
+ else
+ SOURCE_2=$2
+ fi
+
+ # Make a temporary directory
+ dir=$(mktemp -d)
+ cd $dir
+ CLEANUP="$dir $TD"
+
+ # Generate a unique identifier
+ CERT_1_CN=test_$(dd if=/dev/urandom count=40 bs=1 status=none | base64 | tr -d '+/=')
+ CERT_2_CN=test_$(dd if=/dev/urandom count=40 bs=1 status=none | base64 | tr -d '+/=')
+ CERT_3_CN=test_$(dd if=/dev/urandom count=40 bs=1 status=none | base64 | tr -d '+/=')
+
+ # Generate relevant certificates
+ openssl_quiet req -x509 -newkey rsa:512 -keyout /dev/null -days 3 -nodes \
+ -out cert_1.pem -subj /CN=$CERT_1_CN
+ openssl_quiet req -x509 -newkey rsa:512 -keyout /dev/null -days 3 -nodes \
+ -out cert_2.pem -subj /CN=$CERT_2_CN
+ openssl_quiet req -x509 -newkey rsa:512 -keyout /dev/null -days 3 -nodes \
+ -out cert_3.pem -subj /CN=$CERT_3_CN
+
+ TD="cert_1.pem cert_2.pem cert_3.pem $TD"
+
+ mkdir -p $SOURCE_1/anchors
+ cp cert_1.pem $SOURCE_1/anchors/
+
+ mkdir -p $SOURCE_2/anchors
+ cp cert_2.pem $SOURCE_2/anchors/
+ cp cert_3.pem $SOURCE_2/anchors/
+
+ TD="$SOURCE_1/anchors/cert_1.pem $SOURCE_2/anchors/cert_2.pem $SOURCE_2/anchors/cert_3.pem $TD"
+}
+
+run()
+{
+ TOTAL=0
+ for TEST_NAME in $@; do
+ TOTAL=$(expr $TOTAL + 1)
+ done
+
+ echo "1..$TOTAL"
+
+ TEST_NUMBER=0
+ for TEST_NAME in $@; do
+ TEST_NUMBER=$(expr $TEST_NUMBER + 1)
+ (
+ trap teardown_dirty EXIT
+ trap "teardown_dirty; exit 127" INT TERM
+ TD=""
+
+ TEST_SKIP=no
+ setup
+
+ if [ $TEST_SKIP != "yes" ]; then
+ $TEST_NAME
+ fi
+ if [ $TEST_SKIP != "yes" ]; then
+ echo "ok $TEST_NUMBER $TEST_NAME"
+ fi
+
+ trap - EXIT
+ teardown
+ )
+ done
+}
+
+# -----------------------------------------------------------------------------
+# Main tests
+
+test_extract()
+{
+ trust extract --filter=ca-anchors --format=pem-bundle \
+ --purpose=server-auth --comment \
+ extract-test.pem
+
+ assert_contains extract-test.pem $CERT_1_CN
+ assert_contains extract-test.pem $CERT_2_CN
+ assert_contains extract-test.pem $CERT_3_CN
+}
+
+test_blacklist()
+{
+ mkdir -p $SOURCE_1/blacklist
+ cp cert_3.pem $SOURCE_1/blacklist
+ TD="$SOURCE_1/blacklist/cert_3.pem $TD"
+
+ trust extract --filter=ca-anchors --format=pem-bundle \
+ --purpose=server-auth --comment \
+ blacklist-test.pem
+
+ assert_contains blacklist-test.pem $CERT_1_CN
+ assert_not_contains blacklist-test.pem $CERT_3_CN
+}
+
+run test_extract test_blacklist
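Review bot: `CLEANUP="$dir $TD"` in setup() is never read anywhere in the script, so the mktemp directory and the extract-test.pem / blacklist-test.pem files the tests write into it are never removed; it should be `TD="$dir $TD"`, and each test should prepend its output file (`TD="extract-test.pem $TD"`) so that teardown()'s `rmdir` runs on an empty directory last. A second point: run() discards each subshell's status, so the script's exit code is that of the final test only and an earlier "not ok" still lets `make installcheck` succeed; initialise `FAILED=no` before the loop, change the subshell close to `) || FAILED=yes`, and end run() with `[ "$FAILED" != yes ] || exit 1`. Note also that setup() copies the generated self-signed certificates into the live `$SOURCE_1/anchors` and `$SOURCE_2/anchors` directories, so any exit that bypasses the EXIT trap (a hard kill) leaves test anchors in the system trust store until someone removes them by hand; a header comment stating that the test mutates the configured trust paths and relies on teardown() to undo it would make that explicit. Finally, the unquoted `$@` in warning()/assert_fail() and `$2 $1` in the assert helpers word-split their arguments; the CN values are base64-derived so this is harmless today, but quoting them (`"$@"`, `"$2" "$1"`) costs nothing.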