#! /bin/csh -f
#
# intermedTest: verify contents of
# /System/Library/Keychains/SystemCACertificates.keychain
#
# LOCAL_BUILD_DIR is read from the caller's environment. The helper binaries
# and the scratch directory below are all located relative to it.
#
set BUILD_DIR=$LOCAL_BUILD_DIR
set QUIET=NO
#
# Keychain whose certificates get extracted and verified.
#
set CERT_KC=/System/Library/Keychains/SystemCACertificates.keychain
#
# Scratch directory that receives the contents of SystemCACertificates as a
# pile of individual cert files. It is removed with rm -rf and recreated at
# the start of every run, so its value matters: it is derived directly from
# the environment variable above.
# The rm -rf at the very end of the script is commented out, so the extracted
# certs stay in place after a run, whether it passed or failed.
#
set CERTS_DIR=$BUILD_DIR/intermediateCerts
#
# Binaries we need; bail out with status 1 as soon as one is not present.
#
set CERTCRL=$BUILD_DIR/certcrl
set CERTS_FROM_DB=$BUILD_DIR/certsFromDb
foreach targ ($CERTCRL $CERTS_FROM_DB)
    if (-e $targ) continue
    echo === $targ is missing. Try building clxutil.
    exit(1)
end
#
# Command-line words (plain letters, no leading dash):
#   q   sets QUIET=YES
#   t   adds -g to the certcrl invocation
# Any other word prints the usage line and exits with status 1.
#
set TRUST_SETTINGS_ARG=
while ( $#argv > 0 )
    switch ( "$argv[1]" )
        case "q":
            set QUIET=YES
            breaksw
        case "t":
            set TRUST_SETTINGS_ARG=-g
            breaksw
        default:
            echo "Usage: intermedTest [q(uiet)] [t(rustSettings)]"
            exit(1)
    endsw
    # Consume the word just handled; the default arm never reaches this
    # point because it exits.
    shift
end
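#
echo Starting intermedTest

#
# CERTS_DIR is about to be removed recursively and it is built from BUILD_DIR,
# which comes from the environment. An empty BUILD_DIR would make the target
# /intermediateCerts at the filesystem root, so refuse to continue.
#
if ("$BUILD_DIR" == "") then
    echo "=== BUILD_DIR is empty; refusing to rm -rf $CERTS_DIR"
    exit(1)
endif

if ($QUIET == NO) then
    echo Initializing $CERTS_DIR...
endif
#
# Start from an empty directory: anything left over from an earlier run would
# otherwise be picked up by the verification loop's $CERTS_DIR/* glob.
# The commands are run directly with quoted arguments rather than through an
# unquoted command string, so a build path containing blanks is not split
# into several rm targets.
#
if ($QUIET == NO) then
    echo rm -rf "$CERTS_DIR"
endif
rm -rf "$CERTS_DIR" || exit(1)
if ($QUIET == NO) then
    echo mkdir -p "$CERTS_DIR"
endif
mkdir -p "$CERTS_DIR" || exit(1)

if ($QUIET == NO) then
    echo Extracting certs from $CERT_KC... ===
endif
#
# Dump every cert in the keychain into CERTS_DIR using the file name prefix
# "intermed"; a failing extraction aborts the test with status 1.
#
if ($QUIET == NO) then
    echo "$CERTS_FROM_DB" "$CERT_KC" f "$CERTS_DIR/intermed" q
endif
"$CERTS_FROM_DB" "$CERT_KC" f "$CERTS_DIR/intermed" q || exit(1)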
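#
# certcrl args:
#
#   -s   use system anchors
#   -a   allow certs unverified by CRLs
#   -f   leaf cert is a CA
#   -L   silent
#   -g   use Trust Settings
#
# -a is always passed, so certs that CRLs did not verify are still allowed:
# a pass from this test says nothing about revocation status.
#
# We can also specify an evaluation date prior to the expiration of
# various intermediate certs via the EVAL_TIME string:
#
#set EVAL_TIME="-T 20081201000000"
#echo "### Verification date for intermedTest is 2008-12-01"
set EVAL_TIME=""

set GOT_ERROR=0
foreach certFile ($CERTS_DIR/*)
    set cmd="$CERTCRL -c $certFile -s -a -f -L $TRUST_SETTINGS_ARG $EVAL_TIME"
    if ($QUIET == NO) then
        echo $cmd
    endif

    set CERTNAM=`basename "$certFile"`
    # Keep only the leading digits that follow "intermed_". With -n and the
    # p flag, sed prints nothing for a name that does not match, so CERTNUM
    # is either a plain number or empty and the numeric comparison below
    # cannot hit an expression error on a stray file name.
    set CERTNUM=`echo -n "$CERTNAM" | sed -n -e 's/^intermed_\([0-9][0-9]*\).*/\1/p'`

    # skip DOD intermediates in this range as AIA fetch is timing out!
    # NOTE(review): skipped certs are recorded as ERR=0, i.e. they count as
    # passing without being verified. The range is keyed on the number in the
    # file name, presumably the extraction index, so it may point at different
    # certs once the keychain contents change -- revisit on keychain updates.
    set SKIP=0
    if ("$CERTNUM" != "") then
        if ($CERTNUM > 43 && $CERTNUM < 54) set SKIP=1
    endif

    if ($SKIP == 1) then
        echo "******** Note: skipping $CERTNAM due to unreachable AIA location"
        set ERR=0
    else
        $cmd
        set ERR=$status
    endif

    # NOTE(review): exit status 1 is reported as "expired" and does not fail
    # the test. Whether certcrl returns 1 only for expiry is not visible
    # here -- confirm, otherwise other failures with status 1 are masked.
    if ($ERR == 1) then
        echo "******** Note: $CERTNAM is expired"
    else
        if ($ERR != 0) then
            echo "++++++++ Verification error on $CERTNAM"
            # Re-run without -L and with -v to show the failure, keeping the
            # Trust Settings and evaluation-time arguments of the failing run
            # so the diagnostic output describes the same evaluation.
            set vcmd="$CERTCRL -c $certFile -s -a -f -v $TRUST_SETTINGS_ARG $EVAL_TIME"
            $vcmd
            set GOT_ERROR=1
        endif
    endif
end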
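#
# Any verification error recorded by the loop fails the whole test.
#
if ($GOT_ERROR == 1) then
    echo ++++ TEST FAILED ++++
    exit(1)
endif

#
# Removal of the extracted certs is disabled (the rm below is commented out).
# Do not echo the rm command as though it had run; report what actually
# happens so the log does not claim a deletion that never took place.
#
if ($QUIET == NO) then
    echo "Leaving extracted certs in $CERTS_DIR"
endif
# set cmd="rm -rf $CERTS_DIR"
# $cmd || exit(1)

if ($QUIET == NO) then
    echo "...intermedTest complete"
endif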