Wire up SSL client authentication for OpenSSL/Android through the net/ stack

net/data/ssl/scripts/client_authentication/run-forwarded-test-server.sh

+#!/bin/bash
+#
+
+# Ensure script exits if commands fail.
+set -e
+
+# Scrappy script to test client certificate support on an Android device.
+PROGDIR=$(dirname "$0")
+PROGNAME=$(basename "$0")
+
+HELP=
+VERBOSE=0
+BUILDTYPE=${BUILDTYPE:-Release}
+FORWARDER_SOCKET=openssl_server_forwarder
+FORWARDER_HOST_PORT=5000
+HOST_SERVER_PORT=4433
+DEVICE_SERVER_PORT=$HOST_SERVER_PORT
+
+for OPT; do
+  case $OPT in
+    -v|--verbose)
+      VERBOSE=$(( $VERBOSE + 1 ))
+      ;;
+    -q|--quiet)
+      VERBOSE=$(( $VERBOSE - 1 ))
+      ;;
+    --help|-h|-?)
+      HELP=true
+      ;;
+    --release)
+      BUILDTYPE=Release
+      ;;
+    --debug)
+      BUILDTYPE=Debug
+      ;;
+    -*)
+      echo "ERROR: Unsupported option: $OPT, see --help for details."
+      exit 1
+      ;;
+    *)
+      echo "ERROR: This script doesn't take parameters. See --help."
+      exit 1
+  esac
+done
+
+if [ "$HELP" ]; then
+  echo "\
+Usage: $PROGNAME [options]
+
+This program is used to start a HTTPS server on your local machine, after
+setting up a reverse network redirection on an attached Android device.
+
+Start this script, then on the device, open the following URL in your
+browser:
+
+  https://localhost:$DEVICE_SERVER_PORT
+
+This shall prompt you for an installed client certificate.
+
+Valid options are:
+    --help|-h|-?    Print this message.
+    --verbose       Increase verbosity.
+    --quiet         Decrease verbosity.
+    --release       Assume BUILDTYPE=Release.
+    --debug         Assume BUILDTYPE=Debug.
+    -v              Same as --verbose.
+    -q              Same as --quiet.
+"
+  exit 0
+fi
+
+run () {
+  if [ "$VERBOSE" -ge 1 ]; then
+    echo "COMMAND: $@"
+  fi
+  "$@"
+}
+
+# Return the PID of a given program running on the device.
+# $1: Program full path
+get_pid_of () {
+  $ADB shell ps | awk '$9 ~ "'$1'" { print $2; }'
+}
+
+CHROME_OUT=$(cd "$PROGDIR/../../../../../out" && pwd)
+echo "CHROME_OUT=$CHROME_OUT"
+if [ ! -d "$CHROME_OUT" ]; then
+  echo "ERROR: Can't find: $CHROME_OUT"
+  exit 1
+fi
+
+# Configuration defaults:
+BUILDTYPE=${BUILDTYPE:-Release}
+
+FORWARDER_SOCKET=openssl_server_forwarder
+FORWARDER_HOST_PORT=5000
+HOST_SERVER_PORT=4433
+DEVICE_SERVER_PORT=$HOST_SERVER_PORT
+
+HOST_FORWARDER=host_forwarder
+DEVICE_FORWARDER=device_forwarder
+DATA_TMP=/data/local/tmp
+
+ADB=${ADB:-adb}
+
+# Kill any existing forwarder.
+DEVICE_PID=$(get_pid_of $DATA_TMP/$DEVICE_FORWARDER)
+if [ "$DEVICE_PID" ]; then
+  echo "Killing existing device forwarder instance."
+  run adb shell kill -9 "$DEVICE_PID"
+fi
+
+# Push the forwarder to the device, and start it.
+run $ADB push $CHROME_OUT/$BUILDTYPE/$DEVICE_FORWARDER \
+    $DATA_TMP/$DEVICE_FORWARDER
+run $ADB forward tcp:$FORWARDER_HOST_PORT localabstract:$FORWARDER_SOCKET
+run $ADB shell $DATA_TMP/$DEVICE_FORWARDER $FORWARDER_SOCKET
+run sleep 1
+
+# Check that the device forwarder was started.
+if [ -z "$($ADB shell ps | grep -e $DEVICE_FORWARDER)" ]; then
+  echo "Could not start device forwarder!?"
+  exit 1
+fi
+
+# Now send a command to it to reverse-forward the server ports
+run $CHROME_OUT/$BUILDTYPE/$HOST_FORWARDER \
+    "$FORWARDER_HOST_PORT:$DEVICE_SERVER_PORT:$HOST_SERVER_PORT:127.0.0.1"
+
+# localhost:4433. The server will be accessible for www connections and
+# will require a client certificate issued by Client Auth Test Root 1.
+run openssl s_server \
+  -accept $HOST_SERVER_PORT \
+  -cert $PROGDIR/out/root_1.pem \
+  -key $PROGDIR/out/root_1.key \
+  -www \
+  -Verify 5 \
+  -CAfile $PROGDIR/out/root_1.pem