[apple/security.git] / SecurityTests / clxutils / anchorTest / intermedTest

#! /bin/csh -f
#
# verify contents of /System/Library/Keychains/SystemCACertificates.keychain
#
set BUILD_DIR=$LOCAL_BUILD_DIR
set QUIET=NO
#
set CERT_KC=/System/Library/Keychains/SystemCACertificates.keychain
#
# the contents of SystemCACertificates gets dumped here as a pile of certs.
# We delete on successful exit, else we leave them there.
#
set CERTS_DIR=$BUILD_DIR/intermediateCerts
#
# binaries we need
#
set CERTCRL=$BUILD_DIR/certcrl
set CERTS_FROM_DB=$BUILD_DIR/certsFromDb
foreach targ ($CERTCRL $CERTS_FROM_DB)
	if(! -e $targ) then
		echo === $targ is missing. Try building clxutil. 
		exit(1)
	endif
end

#
set TRUST_SETTINGS_ARG=
#
while ( $#argv > 0 )
    switch ( "$argv[1]" )
        case q:
            set QUIET=YES
            shift
            breaksw
		case 't':
			set TRUST_SETTINGS_ARG=-g
            shift
            breaksw
        default:
            echo "Usage: intermedTest [q(uiet)] [t(rustSettings)]"
            exit(1)
    endsw
end
#
echo Starting intermedTest

if ($QUIET == NO) then
	echo Initializing $CERTS_DIR... 
endif
set cmd="rm -rf $CERTS_DIR"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)
set cmd="mkdir -p $CERTS_DIR"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

if ($QUIET == NO) then
	echo Extracting certs from $CERT_KC... ===
endif
set cmd="$CERTS_FROM_DB $CERT_KC f $CERTS_DIR/intermed q"
if ($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

#
# certcrl args:
#
#  -s  use system anchors
#  -a  allow certs unverified by CRLs
#  -f  leaf cert is a CA
#  -L  silent
#  -g  use Trust Settings
#
# We can also specify an evaluation date prior to the expiration of 
# various intermediate certs via the EVAL_TIME string:
#
#set EVAL_TIME="-T 20081201000000"
#echo "### Verification date for intermedTest is 2008-12-01"
set EVAL_TIME=""

set GOT_ERROR=0
foreach certFile ($CERTS_DIR/*)
	set cmd="$CERTCRL -c $certFile -s -a -f -L $TRUST_SETTINGS_ARG $EVAL_TIME"
	if ($QUIET == NO) then
		echo $cmd
	endif

	set CERTNAM=`basename "$certFile"`
	set CERTNUM=`echo -n "$CERTNAM" | sed -e 's/^intermed_\([0-9].*\)/\1/g'`
	# skip DOD intermediates in this range as AIA fetch is timing out!
	if($CERTNUM > 43 && $CERTNUM < 54) then
		echo "******** Note: skipping $CERTNAM due to unreachable AIA location"
		set ERR=0
	else
		$cmd
		set ERR=$status
	endif

	if($ERR == 1) then
	   echo "******** Note: $CERTNAM is expired"
	else
	if($ERR != 0) then
	   echo "++++++++ Verification error on $CERTNAM"
	   $CERTCRL -c $certFile -s -a -f -v
	   set GOT_ERROR=1
	endif
	endif
end

if($GOT_ERROR == 1) then
	echo ++++ TEST FAILED ++++
	exit(1)
endif

set cmd="rm -rf $CERTS_DIR"
if ($QUIET == NO) then
	echo $cmd
endif
# $cmd || exit(1)

if ($QUIET == NO) then
	echo "...intermedTest complete"
endif
Commit	Line	Data
d8f41ccd A	1	#! /bin/csh -f
	2	#
	3	# verify contents of /System/Library/Keychains/SystemCACertificates.keychain
	4	#
	5	set BUILD_DIR=$LOCAL_BUILD_DIR
	6	set QUIET=NO
	7	#
	8	set CERT_KC=/System/Library/Keychains/SystemCACertificates.keychain
	9	#
	10	# the contents of SystemCACertificates gets dumped here as a pile of certs.
	11	# We delete on successful exit, else we leave them there.
	12	#
	13	set CERTS_DIR=$BUILD_DIR/intermediateCerts
	14	#
	15	# binaries we need
	16	#
	17	set CERTCRL=$BUILD_DIR/certcrl
	18	set CERTS_FROM_DB=$BUILD_DIR/certsFromDb
	19	foreach targ ($CERTCRL $CERTS_FROM_DB)
	20	if(! -e $targ) then
	21	echo === $targ is missing. Try building clxutil.
	22	exit(1)
	23	endif
	24	end
	25
	26	#
	27	set TRUST_SETTINGS_ARG=
	28	#
	29	while ( $#argv > 0 )
	30	switch ( "$argv[1]" )
	31	case q:
	32	set QUIET=YES
	33	shift
	34	breaksw
	35	case 't':
	36	set TRUST_SETTINGS_ARG=-g
	37	shift
	38	breaksw
	39	default:
	40	echo "Usage: intermedTest [q(uiet)] [t(rustSettings)]"
	41	exit(1)
	42	endsw
	43	end
	44	#
	45	echo Starting intermedTest
	46
	47	if ($QUIET == NO) then
	48	echo Initializing $CERTS_DIR...
	49	endif
	50	set cmd="rm -rf $CERTS_DIR"
	51	if ($QUIET == NO) then
	52	echo $cmd
	53	endif
	54	$cmd \|\| exit(1)
	55	set cmd="mkdir -p $CERTS_DIR"
	56	if ($QUIET == NO) then
	57	echo $cmd
	58	endif
	59	$cmd \|\| exit(1)
	60
	61	if ($QUIET == NO) then
	62	echo Extracting certs from $CERT_KC... ===
	63	endif
	64	set cmd="$CERTS_FROM_DB $CERT_KC f $CERTS_DIR/intermed q"
65	if ($QUIET == NO) then
66	echo $cmd
67	endif
68	$cmd \|\| exit(1)
69
70	#
71	# certcrl args:
72	#
73	# -s use system anchors
74	# -a allow certs unverified by CRLs
75	# -f leaf cert is a CA
76	# -L silent
77	# -g use Trust Settings
78	#
79	# We can also specify an evaluation date prior to the expiration of
80	# various intermediate certs via the EVAL_TIME string:
81	#
82	#set EVAL_TIME="-T 20081201000000"
83	#echo "### Verification date for intermedTest is 2008-12-01"
84	set EVAL_TIME=""
85
86	set GOT_ERROR=0
87	foreach certFile ($CERTS_DIR/*)
88	set cmd="$CERTCRL -c $certFile -s -a -f -L $TRUST_SETTINGS_ARG $EVAL_TIME"
89	if ($QUIET == NO) then
90	echo $cmd
91	endif
92
93	set CERTNAM=`basename "$certFile"`
94	set CERTNUM=`echo -n "$CERTNAM" \| sed -e 's/^intermed_\([0-9].*\)/\1/g'`
95	# skip DOD intermediates in this range as AIA fetch is timing out!
96	if($CERTNUM > 43 && $CERTNUM < 54) then
97	echo "******** Note: skipping $CERTNAM due to unreachable AIA location"
98	set ERR=0
99	else
100	$cmd
101	set ERR=$status
102	endif
103
104	if($ERR == 1) then
105	echo "******** Note: $CERTNAM is expired"
106	else
107	if($ERR != 0) then
108	echo "++++++++ Verification error on $CERTNAM"
109	$CERTCRL -c $certFile -s -a -f -v
110	set GOT_ERROR=1
111	endif
112	endif
113	end
114
115	if($GOT_ERROR == 1) then
116	echo ++++ TEST FAILED ++++
117	exit(1)
118	endif
119
120	set cmd="rm -rf $CERTS_DIR"
121	if ($QUIET == NO) then
122	echo $cmd
123	endif
124	# $cmd \|\| exit(1)
125
126	if ($QUIET == NO) then
127	echo "...intermedTest complete"
128	endif