test_key_expiration.sh (6950B)
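#!/bin/sh

# Exercises Tor's --key-expiration and --format command-line options against
# a freshly generated relay key set in a throwaway data directory.
#
# Usage: test_key_expiration.sh PATH_TO_TOR [case-number]
#   If no usable PATH_TO_TOR is given, $TESTING_TOR_BINARY is consulted.
#
# Exit codes used below:
#   1  - bad usage (no tor binary, or an unknown case number)
#   3  - mktemp did not produce a usable directory
#   5  - a test assertion failed (see die)
#   77 - test skipped (Windows-like platform, or relay module not built)
#
# Note: some of this code is lifted from zero_length_keys.sh and
# test_keygen.sh, and could be unified.

# Everything created below includes relay secret keys; keep it owner-only.
umask 077
set -e

# emulate realpath(), in case coreutils or equivalent is not installed.
abspath() {
    f="$*"
    if [ -d "$f" ]; then
        dir="$f"
        base=""
    else
        dir="$(dirname "$f")"
        base="/$(basename "$f")"
    fi
    dir="$(cd "$dir" && pwd)"
    echo "$dir$base"
}

if [ $# -eq 0 ] || [ ! -f "${1}" ] || [ ! -x "${1}" ]; then
  if [ "$TESTING_TOR_BINARY" = "" ] ; then
    echo "Usage: ${0} PATH_TO_TOR [case-number]"
    exit 1
  fi
fi

UNAME_OS=$(uname -s | cut -d_ -f1)
if test "$UNAME_OS" = 'CYGWIN' || \
   test "$UNAME_OS" = 'MSYS' || \
   test "$UNAME_OS" = 'MINGW'; then
  echo "This test is unreliable on Windows. See trac #26076. Skipping." >&2
  exit 77
fi

# find the tor binary
if [ $# -ge 1 ]; then
  TOR_BINARY="${1}"
  shift
else
  TOR_BINARY="${TESTING_TOR_BINARY:-./src/app/tor}"
fi

TOR_BINARY="$(abspath "$TOR_BINARY")"

echo "TOR BINARY IS ${TOR_BINARY}"

if "$TOR_BINARY" --list-modules | grep -q "relay: no"; then
  echo "This test requires the relay module. Skipping." >&2
  exit 77
fi

# With a case number on the command line only that case runs; otherwise all do.
if [ $# -ge 1 ]; then
  dflt=0
else
  dflt=1
fi

CASE1=$dflt
CASE2=$dflt
CASE3=$dflt
CASE4=$dflt
CASE5=$dflt
CASE6=$dflt
CASE7=$dflt
CASE8=$dflt

# Select the requested case through an explicit allow-list. The argument used
# to be spliced into an eval'd assignment, which would execute any shell syntax
# embedded in it and would silently run zero cases for an unknown number.
if [ $# -ge 1 ]; then
  case "$1" in
    1) CASE1=1 ;;
    2) CASE2=1 ;;
    3) CASE3=1 ;;
    4) CASE4=1 ;;
    5) CASE5=1 ;;
    6) CASE6=1 ;;
    7) CASE7=1 ;;
    8) CASE8=1 ;;
    *)
      echo "Unknown case number: expected 1-8" >&2
      echo "Usage: ${0} PATH_TO_TOR [case-number]" >&2
      exit 1
      ;;
  esac
fi


# Assertion helpers. die exits with status 5 so failures are distinguishable
# from usage errors and skips. dump, check_no_file, check_files_eq and
# check_keys_eq are not called in this script; check_keys_eq also reads SRC and
# ME, which this script never sets.
dump() { xxd -p "$1" | tr -d '\n '; }
die() { echo "$1" >&2 ; exit 5; }
check_dir() { [ -d "$1" ] || die "$1 did not exist"; }
check_file() { [ -e "$1" ] || die "$1 did not exist"; }
check_no_file() { if [ -e "$1" ]; then die "$1 was not supposed to exist"; fi }
check_files_eq() { cmp "$1" "$2" || die "$1 and $2 did not match: $(dump "$1") vs $(dump "$2")"; }
check_keys_eq() { check_files_eq "${SRC}/keys/${1}" "${ME}/keys/${1}"; }

# mktemp gives an unpredictable directory name; combined with umask 077 the
# generated secret keys are not readable by other local users.
DATA_DIR=$(mktemp -d -t tor_key_expiration_tests.XXXXXX)
if [ -z "$DATA_DIR" ]; then
  echo "Failure: mktemp invocation returned empty string" >&2
  exit 3
fi
if [ ! -d "$DATA_DIR" ]; then
  echo "Failure: mktemp invocation result doesn't point to directory" >&2
  exit 3
fi
# Remove the key material on every exit path, including die and set -e aborts.
trap 'rm -rf "$DATA_DIR"' 0

# Use an absolute path for this or Tor will complain
DATA_DIR=$(cd "${DATA_DIR}" && pwd)

touch "${DATA_DIR}/empty_torrc"
touch "${DATA_DIR}/empty_defaults_torrc"

QUIETLY="--hush"
SILENTLY="--quiet"

# Run tor with the fixed test configuration plus any extra arguments.
# This replaces an unquoted ${TOR} command string: every path is passed as a
# single quoted word, so a binary or temp directory whose path contains spaces
# or glob characters is no longer word-split.
run_tor() {
  "$TOR_BINARY" --DisableNetwork 1 --ShutdownWaitLength 0 --ORPort 12345 \
    --ExitRelay 0 --DataDirectory "${DATA_DIR}" \
    -f "${DATA_DIR}/empty_torrc" \
    --defaults-torrc "${DATA_DIR}/empty_defaults_torrc" "$@"
}

##### SETUP
#
# Here we create a set of keys.

# Step 1: Start Tor with --list-fingerprint --quiet.  Make sure everything is there.
echo "Setup step #1"
run_tor "${SILENTLY}" --list-fingerprint > /dev/null

check_dir "${DATA_DIR}/keys"
check_file "${DATA_DIR}/keys/ed25519_master_id_public_key"
check_file "${DATA_DIR}/keys/ed25519_master_id_secret_key"
check_file "${DATA_DIR}/keys/ed25519_signing_cert"
check_file "${DATA_DIR}/keys/ed25519_signing_secret_key"
check_file "${DATA_DIR}/keys/secret_id_key"
check_file "${DATA_DIR}/keys/secret_onion_key"
check_file "${DATA_DIR}/keys/secret_onion_key_ntor"

##### TEST CASES

echo "=== Starting key expiration tests."

# Captured tor output for the case currently running; overwritten each time.
FN="${DATA_DIR}/stderr"

if [ "$CASE1" = 1 ]; then
  echo "==== Case 1: Test --key-expiration without argument and ensure usage"
  echo " instructions are printed."

  # "|| true": a non-zero exit from tor must not trip set -e here; the grep
  # on the captured output is the actual assertion.
  run_tor "${QUIETLY}" --key-expiration 2>"$FN" || true
  grep "No valid argument to --key-expiration found!" "$FN" >/dev/null || \
    die "Tor didn't mention supported --key-expiration arguments"

  echo "==== Case 1: ok"
fi

if [ "$CASE2" = 1 ]; then
  echo "==== Case 2: Start Tor with --key-expiration 'sign' and make sure it"
  echo " prints an expiration using ISO8601 date format."

  run_tor "${QUIETLY}" --key-expiration sign 2>"$FN"
  grep "signing-cert-expiry: [0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}" "$FN" >/dev/null || \
    die "Tor didn't print an expiration"

  echo "==== Case 2: ok"
fi

if [ "$CASE3" = 1 ]; then
  echo "==== Case 3: Start Tor with --key-expiration 'sign', when there is no"
  echo " signing key, and make sure that Tor generates a new key"
  echo " and prints its certificate's expiration."

  # Move the signing cert aside so tor has to mint a new one.
  mv "${DATA_DIR}/keys/ed25519_signing_cert" \
    "${DATA_DIR}/keys/ed25519_signing_cert.bak"

  run_tor --key-expiration sign > "$FN" 2>&1
  grep "It looks like I need to generate and sign a new medium-term signing key" "$FN" >/dev/null || \
    die "Tor didn't create a new signing key"
  check_file "${DATA_DIR}/keys/ed25519_signing_cert"
  grep "signing-cert-expiry:" "$FN" >/dev/null || \
    die "Tor didn't print an expiration"

  # Put the original cert back so later cases see the setup-time key set.
  mv "${DATA_DIR}/keys/ed25519_signing_cert.bak" \
    "${DATA_DIR}/keys/ed25519_signing_cert"

  echo "==== Case 3: ok"
fi

if [ "$CASE4" = 1 ]; then
  echo "==== Case 4: Start Tor with --format iso8601 and make sure it prints an"
  echo " error message due to missing --key-expiration argument."

  run_tor --format iso8601 > "$FN" 2>&1 || true
  # "--" stops grep from parsing the pattern's leading dashes as options.
  grep -- "--format specified without --key-expiration!" "$FN" >/dev/null || \
    die "Tor didn't print a missing --key-expiration error message"

  echo "==== Case 4: ok"
fi

if [ "$CASE5" = 1 ]; then
  echo "==== Case 5: Start Tor with --key-expiration 'sign' --format '' and"
  echo " make sure it prints an error message due to missing value."

  run_tor --key-expiration sign --format > "$FN" 2>&1 || true
  grep "Command-line option '--format' with no value. Failing." "$FN" >/dev/null || \
    die "Tor didn't print a missing format value error message"

  echo "==== Case 5: ok"
fi

if [ "$CASE6" = 1 ]; then
  echo "==== Case 6: Start Tor with --key-expiration 'sign' --format 'invalid'"
  echo " and make sure it prints an error message due to invalid"
  echo " value."

  run_tor --key-expiration sign --format invalid > "$FN" 2>&1 || true
  grep "Invalid --format value" "$FN" >/dev/null || \
    die "Tor didn't print an invalid format value error message"

  echo "==== Case 6: ok"
fi

if [ "$CASE7" = 1 ]; then
  echo "==== Case 7: Start Tor with --key-expiration 'sign' --format 'iso8601'"
  echo " and make sure it prints an expiration using ISO8601 date"
  echo " format."

  run_tor "${QUIETLY}" --key-expiration sign --format iso8601 2>"$FN"
  grep "signing-cert-expiry: [0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}" "$FN" >/dev/null || \
    die "Tor didn't print an expiration"

  echo "==== Case 7: ok"
fi

if [ "$CASE8" = 1 ]; then
  echo "==== Case 8: Start Tor with --key-expiration 'sign' --format 'timestamp'"
  echo " and make sure it prints an expiration using timestamp date"
  echo " format."

  run_tor "${QUIETLY}" --key-expiration sign --format timestamp 2>"$FN"
  grep "signing-cert-expiry: [0-9]\{5,\}" "$FN" >/dev/null || \
    die "Tor didn't print an expiration"

  echo "==== Case 8: ok"
fi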