wget/tests/Test-https-crl.px

#!/usr/bin/env perl

use strict;
use warnings;
use Socket;
use WgetFeature qw(https);
use SSLTest;
use File::Remove 'remove';

###############################################################################
my @tempfiles;

# code, msg, headers, content
my %urls = (
    '/somefile.txt' => {
        code => "200",
        msg => "Dontcare",
        headers => {
            "Content-type" => "text/plain",
        },
        content => "blabla",
    },
);

# Skip the test if openssl is not available
my $ossl = `openssl version`;
unless ($ossl =~ m/OpenSSL 1/)
{
  exit 77;
}

my $srcdir;
if (@ARGV) {
    $srcdir = shift @ARGV;
} elsif (defined $ENV{srcdir}) {
    $srcdir = $ENV{srcdir};
}
$srcdir = Cwd::abs_path("$srcdir");

my $cdir = $ENV{'PWD'};
# HOSTALIASES env variable allows us to create hosts file alias.
my $testhostname = "WgetTestingServer";
$ENV{'HOSTALIASES'} = "$srcdir/certs/wgethosts";

my $addr = gethostbyname($testhostname);
unless ($addr)
{
    warn "Failed to resolve $addr, using $srcdir/certs/wgethosts\n";
    exit 77;
}
unless (inet_ntoa($addr) =~ "127.0.0.1")
{
    warn "Failed to resolve $$addr, using $srcdir/certs/wgethosts\n";
    exit 77;
}

# Create certindex
push (@tempfiles, "$cdir/certindex");
open  CERTID, ">", "$cdir/certindex" or
      warn "Cannot overwrite file $cdir/certindex";
close CERTID;

# Create certserial
push (@tempfiles, "$cdir/certserial");
open  CERTSN, ">", "$cdir/certserial" or
      warn "Cannot overwrite file $cdir/certserial";
print CERTSN "1122";
close CERTSN;

# Create crlnumber
push (@tempfiles, "$cdir/crlnumber");
open  CRLN, ">", "$cdir/crlnumber" or
      warn "Cannot overwrite file $cdir/crlnumber";
print CRLN "1122";
close CRLN;

my $caconf     = "$srcdir/certs/rootca.conf";
my $cacrt      = "$srcdir/certs/test-ca-cert.pem";
my $cakey      = "$srcdir/certs/test-ca-key.pem";

# Prepare server certificate
my $servercrt  = "$cdir/tmpserver$$.crt";
my $serverkey  = "$cdir/tmpserver$$.key";
my $servercsr  = "$cdir/tmpserver$$.csr";
push (@tempfiles, $servercrt, $serverkey, $servercsr);
my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
                 "$testhostname/emailAddress=servertester";
my $servercmd  = "openssl genrsa -out $serverkey 4096 && openssl req -new".
                 " -sha256 -key $serverkey -out $servercsr -days 365 ".
                 " -subj \"$serversubj\" &&".
                 "openssl ca -batch -config $caconf -notext -in $servercsr".
                 " -out $servercrt";

system($servercmd);

my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ;
                   openssl rsa  -noout -modulus -in $serverkey | openssl md5) |
                   uniq | wc -l`;
# Check if certificate and key are made correctly.
unless(-e $servercrt && -e $serverkey && $servercheck == 1)
{
    exit 77; # skip
}

# Try Wget using SSL first without --no-check-certificate. Expect Success.
my $port    = 32443;
my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
                                    " https://$testhostname:$port/somefile.txt";
my $expected_error_code = 0;
my %existing_files = (
);

my %expected_downloaded_files = (
  'somefile.txt' => {
    content => "blabla",
  },
);

my $sslsock = SSLTest->new(cmdline   => $cmdline,
                           input     => \%urls,
                           errcode   => $expected_error_code,
                           existing  => \%existing_files,
                           output    => \%expected_downloaded_files,
                           certfile  => $servercrt,
                           keyfile   => $serverkey,
                           lhostname => $testhostname,
                           sslport   => $port);
if ($sslsock->run() != 0)
{
  exit -1;
}

# Revoke the certificate
my $crlfile   = "$cdir/servercrl.pem";
push (@tempfiles, $crlfile);
my $revokecmd = "openssl ca -config $caconf -revoke $servercrt &&
                 openssl ca -config $caconf -gencrl -keyfile $cakey ".
                 "-cert $cacrt -out $crlfile";

system($revokecmd);
# Check if CRL file is generated.
unless(-e $crlfile)
{
    exit 77; # skip
}

# To read a CRL file use the following command:
# openssl crl -text -in $srcdir/certs/root.crl.pem

# Retry the test with CRL. Expect Failure.
$port    = 23443;
$cmdline = $WgetTest::WGETPATH . " --crl-file=$crlfile ".
                                 " --ca-certificate=$cacrt".
                                 " https://$testhostname:$port/somefile.txt";

$expected_error_code = 5;

my $retryssl = SSLTest->new(cmdline  => $cmdline,
                           input     => \%urls,
                           errcode   => $expected_error_code,
                           existing  => \%existing_files,
                           output    => \%expected_downloaded_files,
                           certfile  => $servercrt,
                           keyfile   => $serverkey,
                           lhostname => $testhostname,
                           sslport   => $port);
if ($retryssl->run() == 0)
{
  exit -1;
}
else
{
  print "Test successful.\n";
  exit 0;
}
# vim: et ts=4 sw=4

END {
    print "remove(@tempfiles);\n";
    remove(@tempfiles);
}