#! /bin/sh # $OpenLDAP: pkg/ldap/tests/scripts/test031-component-filter,v 1.7.2.9 2007/01/02 21:44:13 kurt Exp $ ## This work is part of OpenLDAP Software . ## ## Copyright 1998-2007 The OpenLDAP Foundation. ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted only as authorized by the OpenLDAP ## Public License. ## ## A copy of this license is available in the file LICENSE in the ## top-level directory of the distribution or, alternatively, at ## . echo "running defines.sh" . $SRCDIR/scripts/defines.sh ## If you use this script then ## Make sure that you turn on LDAP_COMP_MATCH in slapd source codes ## and --enable-modules is configured yes if test "$AC_WITH_MODULES_ENABLED" != "yes" ; then echo "dynamic module disabled, test skipped" exit 0 fi mkdir -p $TESTDIR $DBDIR1 ## Make sure that you set a proper path to component matching ## module directory in $COMPCONF ## moduleload path/to/component/library/compmatch.la ## otherwise it fails to execute slapd echo "Running slapadd to build slapd database..." . $CONFFILTER $BACKEND $MONITORDB < $COMPCONF > $ADDCONF $SLAPADD -f $ADDCONF -l $LDIFCOMPMATCH RC=$? if test $RC != 0 ; then echo "slapadd failed ($RC)!" echo "Be sure to have a certificate module in tests/data/comp_libs " echo "The module is in openldap/contrib/slapd-modules/comp_match" echo "Test skipped." exit 0 fi echo "Running slapindex to index slapd database..." . $CONFFILTER $BACKEND $MONITORDB < $CONF > $CONF1 $SLAPINDEX -f $CONF1 RC=$? if test $RC != 0 ; then echo "warning: slapindex failed ($RC)" echo " assuming no indexing support" fi echo "Starting slapd on TCP/IP port $PORT1..." $SLAPD -f $ADDCONF -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 & PID=$! if test $WAIT != 0 ; then echo PID $PID read foo fi KILLPIDS="$PID" sleep 1 echo "Testing slapd searching..." for i in 0 1 2 3 4 5; do $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \ 'objectclass=*' > /dev/null 2>&1 RC=$? if test $RC = 0 ; then break fi echo "Waiting 5 seconds for slapd to start..." sleep 5 done if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi cat /dev/null > $SEARCHOUT echo "Testing Component Filter Match RFC3687 Certificate searching:" echo "# Testing Component Filter Match RFC3687 Certificate searching:" >> $SEARCHOUT FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.serialNumber\", rule allComponentsMatch, value 0 })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.version\", rule allComponentsMatch, value 2 })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.issuer.rdnSequence.1.1.value\", rule caseExactMatch, value \"US\" })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.issuer.rdnSequence.1.1.value\", rule allComponentsMatch, value \"US\" })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.issuer.rdnSequence\", rule allComponentsMatch, value { { { type 2.5.4.6 , value \"US\" } } } })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.extensions.0\", rule integerMatch, value 3 })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.extensions.\2a.extnID\", rule allComponentsMatch, value 2.5.29.14 })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=not:item:{ component \"toBeSigned.extensions.\2a\", rule allComponentsMatch, value { extnID 2.5.29.19 , extnValue '30030101FF'H })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.issuer.rdnSequence\", rule distinguishedNameMatch, value \"c=US\" })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.issuer.rdnSequence.1\", rule rdnMatch, value \"c=US\" })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.extensions.\2a.extnValue.content.\282.5.29.35\29.authorityCertSerialNumber\", rule integerMatch, value 0 })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.subject.rdnSequence.\2a\", rule rdnMatch, value \"c=US\" })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.subject.rdnSequence.\2a.\2a.value.\282.5.4.6\29\", rule caseExactMatch, value \"US\" })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi # extraction filter FILTER="(x509CertificateIssuer=c=US)" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi # extraction filter FILTER="(x509CertificateSerial=0)" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi # extraction filter FILTER="(x509CertificateSerialAndIssuer:certificateExactMatch:=0\$c=US)" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi FILTER="(certificateRevocationList:componentFilterMatch:=item:{ component \"tbsCertList.revokedCertificates.\2a.userCertificate\", rule integerMatch, value 952069669 })" echo " f=$FILTER ..." echo "# f=$FILTER ..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \ "$FILTER" >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then echo "ldapsearch failed ($RC)!" test $KILLSERVERS != no && kill -HUP $KILLPIDS exit $RC fi test $KILLSERVERS != no && kill -HUP $KILLPIDS echo "Filtering ldapsearch results..." . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT echo "Comparing filter output..." $CMP $SEARCHFLT $COMPSEARCHOUT > $CMPOUT if test $? != 0 ; then echo "Comparison failed" exit 1 fi echo ">>>>> Test succeeded" exit 0