From 5bcb9d49662a48f9444725923154a4913fcffba4 Mon Sep 17 00:00:00 2001
From: Paul Adelsbach
Date: Tue, 10 Mar 2026 13:25:12 -0700
Subject: [PATCH] Generate CRLs from unit test script
---
 scripts/crl-gen-openssl.test | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/scripts/crl-gen-openssl.test b/scripts/crl-gen-openssl.test
index ff6b1e90155..b41532be435 100755
--- a/scripts/crl-gen-openssl.test
+++ b/scripts/crl-gen-openssl.test
@@ -9,12 +9,33 @@ set -euo pipefail
 # (good).
 OPENSSL=${OPENSSL:-openssl}
+UNIT_TEST=${UNIT_TEST:-./scripts/unit.test}
+CRL_GEN_SUBTEST=${CRL_GEN_SUBTEST:-test_sk_X509_CRL_encode}
 if ! command -v "$OPENSSL" >/dev/null 2>&1; then
 echo "skipping crl-gen-openssl.test: openssl not found"
 exit 77
 fi
+if [ ! -x "$UNIT_TEST" ]; then
+ # Fallback for out-of-tree/in-tree differences.
+ if [ -x "./tests/unit.test" ]; then
+ UNIT_TEST="./tests/unit.test"
+ elif [ -x "./scripts/unit.test" ]; then
+ UNIT_TEST="./scripts/unit.test"
+ fi
+fi
+
+if [ ! -x "$UNIT_TEST" ]; then
+ echo "skipping crl-gen-openssl.test: unit.test not found"
+ exit 77
+fi
+
+# Run the CRL unit test to generate the CRL files and avoid race conditions
+# with the full unit test run.
+echo "Generating CRLs with: $UNIT_TEST --api -$CRL_GEN_SUBTEST"
+"$UNIT_TEST" --api "-$CRL_GEN_SUBTEST"
+
 normalize_dn() {
 sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
 -e 's/^issuer=//' -e 's/^subject=//' \
@@ -91,6 +112,8 @@ check_crl() {
 fi
 local verify_out verify_rc verify_out_norm
+ # Capture both stdout and stderr so we can reliably detect and print the
+ # revocation text.
 verify_out=$("$OPENSSL" verify -CAfile "$ca_cert" -crl_check \
 -CRLfile "$crl" \
 "$revoked_cert" 2>&1) || verify_rc=$?
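Review bot: In the first hunk (`@@ -9,12 +9,33 @@`), the generation call `"$UNIT_TEST" --api "-$CRL_GEN_SUBTEST"` has no failure handling of its own, so under `set -euo pipefail` a non-zero exit ends the script with that raw status and no message saying that CRL generation, not a CRL check, failed. Because this script uses 77 to mean "skipped", a pass-through status of 77 from the unit test binary would presumably be reported as a skip instead of a failure. I would write `"$UNIT_TEST" --api "-$CRL_GEN_SUBTEST" || { echo "crl-gen-openssl.test: CRL generation failed" >&2; exit 1; }`. Separately, the fallback block silently replaces an explicitly set `UNIT_TEST` that is not executable with a different binary, and its `elif [ -x "./scripts/unit.test" ]` branch only repeats the default path. A comment such as `# An explicit UNIT_TEST that is not executable is replaced, not rejected` would make that intent visible.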
@@ -109,7 +132,7 @@ check_crl() {
 if [ -n "$good_cert" ]; then
 if ! "$OPENSSL" verify -CAfile "$ca_cert" -crl_check -CRLfile "$crl" \
- "$good_cert" >/dev/null 2>&1; then
+ "$good_cert" >/dev/null; then
 echo "expected successful verification for $label CRL with " \
 "$good_cert"
 return 1
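Review bot: The good-certificate check still discards stdout, so anything `openssl verify` prints there is lost when the check fails, while stderr now reaches the log even on passing runs. Capturing the combined output and printing it only on failure would match how the revoked-certificate check earlier in check_crl fills `verify_out`. That means `if ! good_out=$("$OPENSSL" verify -CAfile "$ca_cert" -crl_check -CRLfile "$crl" "$good_cert" 2>&1); then` followed by `echo "$good_out"` ahead of the existing message, with `good_out` declared `local`. check_crl starts and ends outside this hunk, so the surrounding declarations are not visible here.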