#!/bin/sh
# 20210123
# Jan Mojzis
# Public domain.

set -e

umask 077

dir=`dirname "$0"`

# change directory to $AUTOPKGTEST_TMP
cd "${AUTOPKGTEST_TMP}"

# run tlswrapper port 10000
tcpserver -HRDl0 127.0.0.1 10000 \
sh -c '
  exec 2>tlswrapper.log
  exec tlswrapper -vv -f ec.pem -f rsa.pem -a authca.pem cat data.in
' &
tcpserverpid=$!

cleanup() {
  ex=$?
  #kill tcpserver
  kill -TERM "${tcpserverpid}" 1>/dev/null 2>/dev/null || :
  kill -KILL "${tcpserverpid}" 1>/dev/null 2>/dev/null || :
  if [ ${ex} -gt 0 ]; then
    (
      echo "tlswrapper.log:"
      cat tlswrapper.log
      echo "openssl.log:"
      cat openssl.log
    ) >&2
  fi
  rm -f data.in data.out openssl.log ec.pem rsa.pem authca.pem ca.pem client.pem tlswrapper.log
  exit "${ex}"
}
trap "cleanup" EXIT TERM INT

# create CA
"${dir}/ca.sh" ec prime256v1 >ca.pem

# create auth CA
"${dir}/ca.sh" ec prime256v1 >authca.pem

# create RSA certfile
"${dir}/server.sh" ca.pem rsa 2048 '127.0.0.1' > rsa.pem

# create ECDSA certdir
"${dir}/server.sh" ca.pem ec prime256v1 '127.0.0.1' > ec.pem

# create user certicicate
"${dir}/client.sh" authca.pem ec prime256v1 'user' > userec.pem
"${dir}/client.sh" authca.pem rsa 2048 'user' > userrsa.pem

SCLIENT_CMD="openssl s_client -nocommands -quiet -tls1_2 -verify_return_error -CAfile ca.pem"
(
  echo "ec prime256v1"
  echo "ec secp384r1"
  echo "ec secp521r1"
  echo "rsa 2048"
  echo "rsa 3072"
  echo "rsa 4096"
) | (
  while read type size; do
    # create random datafile
    dd if=/dev/urandom of=data.in bs=1 count=32 2>/dev/null

    # create user certicicate
    "${dir}/client.sh" authca.pem "${type}" "${size}" user > client.pem

    # run test
    (
      exec 0</dev/null
      ${SCLIENT_CMD} -cert client.pem -connect 127.0.0.1:10000 1>data.out 2>openssl.log || rm data.out
      if [ x"`sha512sum < data.in`" != x"`sha512sum < data.out`" ]; then
        echo "TLS auth test: ${type} ${size}: failed:" >&2
        exit 1
      fi
      echo "TLS auth test: ${type} ${size}: OK"
    )

    # create random datafile
    dd if=/dev/urandom of=data.in bs=1 count=32 2>/dev/null

    # run noauth test
    (
      exec 0</dev/null
      if ${SCLIENT_CMD} -connect 127.0.0.1:10000 1>data.out 2>openssl.log; then
        echo "TLS auth noauth test: ${type} ${size}: failed: connection accepted without client certificate" >&2
        exit 1
      fi
      echo "TLS auth noauth test: ${type} ${size}: OK: connection not accepted without client certificate"
    )

    # create random datafile
    dd if=/dev/urandom of=data.in bs=1 count=32 2>/dev/null

    # create user certicicate (bad CA)
    "${dir}/client.sh" ca.pem "${type}" "${size}" user > client.pem

    # run badauth test
    (
      exec 0</dev/null
      if ${SCLIENT_CMD} -cert client.pem -connect 127.0.0.1:10000 1>data.out 2>openssl.log; then
        echo "TLS auth badauth test: ${type} ${size}: failed: connection accepted with bad client certificate" >&2
        exit 1
      fi
      echo "TLS auth badauth test: ${type} ${size}: OK: connection not accepted with bad client certificate"
    )
  done
)
