path: root/trust/test-extract.in

#!/bin/sh

set -euf

# -----------------------------------------------------------------------------
# Basic fundamentals

prefix=@prefix@
exec_prefix=@exec_prefix@
datarootdir=@datarootdir@
datadir=@datadir@
sysconfdir=@sysconfdir@
libdir=@libdir@
libexecdir=@libexecdir@
privatedir=@privatedir@
with_trust_paths=@with_trust_paths@
script=$(basename $0)

# -----------------------------------------------------------------------------
# Testing

warning()
{
	echo "$script: $@" >&2
}

assert_fail()
{
	warning $@
	exit 1
}

assert_contains()
{
	if ! grep -qF $2 $1; then
		assert_fail "$1 does not contain $2"
	fi
}

assert_not_contains()
{
	if grep -qF $2 $1; then
		assert_fail "$1 contains $2"
	fi
}

teardown()
{
	for x in $TD; do
		if [ -d $x ]; then
			rmdir $x
		elif [ -f $x ]; then
			rm $x
		fi
	done
	TD=""
}

teardown_dirty()
{
	echo "not ok $TEST_NUMBER $TEST_NAME"
	teardown
}

openssl_quiet()
(
	command='/Generating a|-----|^[.+]+$|writing new private key/d'
	exec 3>&1
	openssl $@ 2>&1 >&3 3>&- | sed -r "$command" 3>&-
)

skip()
{
	TEST_SKIP=yes
	echo "ok $TEST_NUMBER # skip $TEST_NAME: $@"
}

setup()
{
	# Parse the trust paths
	oldifs="$IFS"
	IFS=:
	set $with_trust_paths
	IFS="$oldifs"

	if [ ! -d $1 ]; then
		skip "$1 is not a directory"
		return
	fi

	SOURCE_1=$1
	if [ $# -lt 2 ]; then
		warning "certain tests neutered if only 1 trust path: $with_trust_paths"
		SOURCE_2=$1
	else
		SOURCE_2=$2
	fi

	# Make a temporary directory
	dir=$(mktemp -d)
	cd $dir
	CLEANUP="$dir $TD"

	# Generate a unique identifier
	CERT_1_CN=test_$(dd if=/dev/urandom count=40 bs=1 status=none | base64 | tr -d '+/=')
	CERT_2_CN=test_$(dd if=/dev/urandom count=40 bs=1 status=none | base64 | tr -d '+/=')
	CERT_3_CN=test_$(dd if=/dev/urandom count=40 bs=1 status=none | base64 | tr -d '+/=')

	# Generate relevant certificates
	openssl_quiet req -x509 -newkey rsa:512 -keyout /dev/null -days 3 -nodes \
		-out cert_1.pem -subj /CN=$CERT_1_CN
	openssl_quiet req -x509 -newkey rsa:512 -keyout /dev/null -days 3 -nodes \
		-out cert_2.pem -subj /CN=$CERT_2_CN
	openssl_quiet req -x509 -newkey rsa:512 -keyout /dev/null -days 3 -nodes \
		-out cert_3.pem -subj /CN=$CERT_3_CN

	TD="cert_1.pem cert_2.pem cert_3.pem $TD"

	mkdir -p $SOURCE_1/anchors
	cp cert_1.pem $SOURCE_1/anchors/

	mkdir -p $SOURCE_2/anchors
	cp cert_2.pem $SOURCE_2/anchors/
	cp cert_3.pem $SOURCE_2/anchors/

	TD="$SOURCE_1/anchors/cert_1.pem $SOURCE_2/anchors/cert_2.pem $SOURCE_2/anchors/cert_3.pem $TD"
}

run()
{
	TOTAL=0
	for TEST_NAME in $@; do
		TOTAL=$(expr $TOTAL + 1)
	done

	echo "1..$TOTAL"

	TEST_NUMBER=0
	for TEST_NAME in $@; do
		TEST_NUMBER=$(expr $TEST_NUMBER + 1)
		(
			trap teardown_dirty EXIT
			trap "teardown_dirty; exit 127" INT TERM
			TD=""

			TEST_SKIP=no
			setup

			if [ $TEST_SKIP != "yes" ]; then
				$TEST_NAME
			fi
			if [ $TEST_SKIP != "yes" ]; then
				echo "ok $TEST_NUMBER $TEST_NAME"
			fi

			trap - EXIT
			teardown
		)
	done
}

# -----------------------------------------------------------------------------
# Main tests

test_extract()
{
	trust extract --filter=ca-anchors --format=pem-bundle \
		--purpose=server-auth --comment \
		extract-test.pem

	assert_contains extract-test.pem $CERT_1_CN
	assert_contains extract-test.pem $CERT_2_CN
	assert_contains extract-test.pem $CERT_3_CN
}

test_blacklist()
{
	mkdir -p $SOURCE_1/blacklist
	cp cert_3.pem $SOURCE_1/blacklist
	TD="$SOURCE_1/blacklist/cert_3.pem $TD"

	trust extract --filter=ca-anchors --format=pem-bundle \
		--purpose=server-auth --comment \
		blacklist-test.pem

	assert_contains blacklist-test.pem $CERT_1_CN
	assert_not_contains blacklist-test.pem $CERT_3_CN
}

run test_extract test_blacklist