[thirdparty/openssl.git] / test / recipes / 80-test_ca.t

#! /usr/bin/env perl
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use POSIX;
use File::Path 2.00 qw/rmtree/;
use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/;
use OpenSSL::Test::Utils;
use Time::Local qw/timegm/;

setup("test_ca");

$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);

my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;
my $std_openssl_cnf = '"'
    . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
    . '"';

rmtree("demoCA", { safe => 0 });

plan tests => 15;
 SKIP: {
     my $cakey = srctop_file("test", "certs", "ca-key.pem");
     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
     skip "failed creating CA structure", 4
         if !ok(run(perlapp(["CA.pl","-newca",
                             "-extra-req", "-key $cakey"], stdin => undef)),
                'creating CA structure');

     my $eekey = srctop_file("test", "certs", "ee-key.pem");
     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
     skip "failed creating new certificate request", 3
         if !ok(run(perlapp(["CA.pl","-newreq",
                             '-extra-req', "-outform DER -section userreq -key $eekey"])),
                'creating certificate request');
     $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
     skip "failed to sign certificate request", 2
         if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
                'signing certificate request');

     ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
        'verifying new certificate');

     skip "CT not configured, can't use -precert", 1
         if disabled("ct");

     my $eekey2 = srctop_file("test", "certs", "ee-key-3072.pem");
     $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
     ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)),
        'creating new pre-certificate');
}

SKIP: {
    skip "SM2 is not supported by this OpenSSL build", 1
        if disabled("sm2");

    is(yes(cmdstr(app(["openssl", "ca", "-config",
                       $cnf,
                       "-in", srctop_file("test", "certs", "sm2-csr.pem"),
                       "-out", "sm2-test.crt",
                       "-sigopt", "distid:1234567812345678",
                       "-vfyopt", "distid:1234567812345678",
                       "-md", "sm3",
                       "-cert", srctop_file("test", "certs", "sm2-root.crt"),
                       "-keyfile", srctop_file("test", "certs", "sm2-root.key")]))),
       0,
       "Signing SM2 certificate request");
}

test_revoke('notimes', {
    should_succeed => 1,
});
test_revoke('lastupdate_invalid', {
    lastupdate     => '1234567890',
    should_succeed => 0,
});
test_revoke('lastupdate_utctime', {
    lastupdate     => '200901123456Z',
    should_succeed => 1,
});
test_revoke('lastupdate_generalizedtime', {
    lastupdate     => '20990901123456Z',
    should_succeed => 1,
});
test_revoke('nextupdate_invalid', {
    nextupdate     => '1234567890',
    should_succeed => 0,
});
test_revoke('nextupdate_utctime', {
    nextupdate     => '200901123456Z',
    should_succeed => 1,
});
test_revoke('nextupdate_generalizedtime', {
    nextupdate     => '20990901123456Z',
    should_succeed => 1,
});
test_revoke('both_utctime', {
    lastupdate     => '200901123456Z',
    nextupdate     => '200908123456Z',
    should_succeed => 1,
});
test_revoke('both_generalizedtime', {
    lastupdate     => '20990901123456Z',
    nextupdate     => '20990908123456Z',
    should_succeed => 1,
});

sub test_revoke {
    my ($filename, $opts) = @_;

    subtest "Revoke certificate and generate CRL: $filename" => sub {
        # Before Perl 5.12.0, the range of times Perl could represent was
        # limited by the size of time_t, so Time::Local was hamstrung by the
        # Y2038 problem
        # Perl 5.12.0 onwards use an internal time implementation with a
        # guaranteed >32-bit time range on all architectures, so the tests
        # involving post-2038 times won't fail provided we're running under
        # that version or newer
        plan skip_all =>
            'Perl >= 5.12.0 required to run certificate revocation tests'
            if $] < 5.012000;

        $ENV{CN2} = $filename;
        ok(
            run(app(['openssl',
                     'req',
                     '-config',  $cnf,
                     '-new',
                     '-key',     data_file('revoked.key'),
                     '-out',     "$filename-req.pem",
                     '-section', 'userreq',
            ])),
            'Generate CSR'
        );
        delete $ENV{CN2};

        ok(
            run(app(['openssl',
                     'ca',
                     '-batch',
                     '-config',  $cnf,
                     '-in',      "$filename-req.pem",
                     '-out',     "$filename-cert.pem",
            ])),
            'Sign CSR'
        );

        ok(
            run(app(['openssl',
                     'ca',
                     '-config', $cnf,
                     '-revoke', "$filename-cert.pem",
            ])),
            'Revoke certificate'
        );

        my @gencrl_opts;

        if (exists $opts->{lastupdate}) {
            push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate};
        }

        if (exists $opts->{nextupdate}) {
            push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate};
        }

        is(
            run(app(['openssl',
                     'ca',
                     '-config', $cnf,
                     '-gencrl',
                     '-out',    "$filename-crl.pem",
                     '-crlsec', '60',
                     @gencrl_opts,
            ])),
            $opts->{should_succeed},
            'Generate CRL'
        );
        my $crl_gentime = time;

        # The following tests only need to run if the CRL was supposed to be
        # generated:
        return unless $opts->{should_succeed};

        my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate');
        if (exists $opts->{lastupdate}) {
            is(
                $crl_lastupdate,
                rfc5280_time($opts->{lastupdate}),
                'CRL lastUpdate field has expected value'
            );
        } else {
            diag("CRL lastUpdate:   $crl_lastupdate");
            diag("openssl run time: $crl_gentime");
            ok(
                # Is the CRL's lastUpdate time within a second of the time that
                # `openssl ca -gencrl` was executed?
                $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1,
                'CRL lastUpdate field has (roughly) expected value'
            );
        }

        my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate');
        if (exists $opts->{nextupdate}) {
            is(
                $crl_nextupdate,
                rfc5280_time($opts->{nextupdate}),
                'CRL nextUpdate field has expected value'
            );
        } else {
            diag("CRL nextUpdate:   $crl_nextupdate");
            diag("openssl run time: $crl_gentime");
            ok(
                # Is the CRL's lastUpdate time within a second of the time that
                # `openssl ca -gencrl` was executed, taking into account the use
                # of '-crlsec 60'?
                $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61,
                'CRL nextUpdate field has (roughly) expected value'
            );
        }
    };
}

sub yes {
    my $cntr = 10;
    open(PIPE, "|-", join(" ",@_));
    local $SIG{PIPE} = "IGNORE";
    1 while $cntr-- > 0 && print PIPE "y\n";
    close PIPE;
    return 0;
}

# Get the value of the lastUpdate or nextUpdate field from a CRL
sub crl_field {
    my ($crl_path, $field_name) = @_;

    my @out = run(
        app(['openssl',
             'crl',
             '-in', $crl_path,
             '-noout',
             '-' . lc($field_name),
        ]),
        capture => 1,
        statusvar => \my $exit,
    );
    ok($exit, "CRL $field_name field retrieved");
    diag("CRL $field_name: $out[0]");

    $out[0] =~ s/^\Q$field_name\E=//;
    $out[0] =~ s/\n?//;
    my $time = human_time($out[0]);

    return $time;
}

# Converts human-readable ASN1_TIME_print() output to Unix time
sub human_time {
    my ($human) = @_;

    my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/;

    my %months = (
        Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
        Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11,
    );

    return timegm($s, $m, $h, $d, $months{$mo}, $y);
}

# Converts an RFC 5280 timestamp to Unix time
sub rfc5280_time {
    my ($asn1) = @_;

    my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;

    return timegm($s, $m, $h, $d, $mo - 1, $y);
}
Commit	Line	Data
596d6b7e	1	#! /usr/bin/env perl
38fc02a7	2	# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
596d6b7e	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
596d6b7e RS	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
88b8a527 RL	9
	10	use strict;
	11	use warnings;
	12
	13	use POSIX;
e9fd82f6	14	use File::Path 2.00 qw/rmtree/;
64713cb1	15	use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/;
51f5930a	16	use OpenSSL::Test::Utils;
64713cb1	17	use Time::Local qw/timegm/;
88b8a527 RL	18
	19	setup("test_ca");
	20
25c78440	21	$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
4e6e57cf RS	22
	23	my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;
	24	my $std_openssl_cnf = '"'
	25	. srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
	26	. '"';
88b8a527	27
e9fd82f6	28	rmtree("demoCA", { safe => 0 });
88b8a527	29
64713cb1	30	plan tests => 15;
88b8a527	31	SKIP: {
91f2b15f	32	my $cakey = srctop_file("test", "certs", "ca-key.pem");
4e6e57cf	33	$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
a4c5f859	34	skip "failed creating CA structure", 4
a0430488	35	if !ok(run(perlapp(["CA.pl","-newca",
91f2b15f	36	"-extra-req", "-key $cakey"], stdin => undef)),
a0430488	37	'creating CA structure');
88b8a527	38
91f2b15f	39	my $eekey = srctop_file("test", "certs", "ee-key.pem");
4e6e57cf	40	$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
a4c5f859	41	skip "failed creating new certificate request", 3
a0430488	42	if !ok(run(perlapp(["CA.pl","-newreq",
91f2b15f	43	'-extra-req', "-outform DER -section userreq -key $eekey"])),
a0430488	44	'creating certificate request');
4e6e57cf	45	$ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
a4c5f859	46	skip "failed to sign certificate request", 2
a0430488 P	47	if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
a0430488 P	48	'signing certificate request');
88b8a527	49
7d9b2d53	50	ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
32804b04	51	'verifying new certificate');
caee75d2	52
51f5930a RL	53	skip "CT not configured, can't use -precert", 1
	54	if disabled("ct");
	55
91f2b15f	56	my $eekey2 = srctop_file("test", "certs", "ee-key-3072.pem");
4e6e57cf	57	$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
91f2b15f	58	ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)),
caee75d2	59	'creating new pre-certificate');
88b8a527 RL	60	}
88b8a527 RL	61
bc42bd62 PY	62	SKIP: {
bc42bd62 PY	63	skip "SM2 is not supported by this OpenSSL build", 1
c602fadc	64	if disabled("sm2");
bc42bd62 PY	65
bc42bd62 PY	66	is(yes(cmdstr(app(["openssl", "ca", "-config",
4e6e57cf	67	$cnf,
bc42bd62 PY	68	"-in", srctop_file("test", "certs", "sm2-csr.pem"),
bc42bd62 PY	69	"-out", "sm2-test.crt",
fda127be RL	70	"-sigopt", "distid:1234567812345678",
fda127be RL	71	"-vfyopt", "distid:1234567812345678",
bc42bd62 PY	72	"-md", "sm3",
	73	"-cert", srctop_file("test", "certs", "sm2-root.crt"),
	74	"-keyfile", srctop_file("test", "certs", "sm2-root.key")]))),
	75	0,
	76	"Signing SM2 certificate request");
	77	}
88b8a527	78
64713cb1 CN	79	test_revoke('notimes', {
	80	should_succeed => 1,
	81	});
	82	test_revoke('lastupdate_invalid', {
	83	lastupdate => '1234567890',
	84	should_succeed => 0,
	85	});
	86	test_revoke('lastupdate_utctime', {
	87	lastupdate => '200901123456Z',
	88	should_succeed => 1,
	89	});
	90	test_revoke('lastupdate_generalizedtime', {
	91	lastupdate => '20990901123456Z',
	92	should_succeed => 1,
	93	});
	94	test_revoke('nextupdate_invalid', {
	95	nextupdate => '1234567890',
	96	should_succeed => 0,
	97	});
	98	test_revoke('nextupdate_utctime', {
	99	nextupdate => '200901123456Z',
	100	should_succeed => 1,
	101	});
	102	test_revoke('nextupdate_generalizedtime', {
	103	nextupdate => '20990901123456Z',
	104	should_succeed => 1,
	105	});
	106	test_revoke('both_utctime', {
	107	lastupdate => '200901123456Z',
	108	nextupdate => '200908123456Z',
	109	should_succeed => 1,
	110	});
	111	test_revoke('both_generalizedtime', {
	112	lastupdate => '20990901123456Z',
	113	nextupdate => '20990908123456Z',
	114	should_succeed => 1,
	115	});
	116
	117	sub test_revoke {
	118	my ($filename, $opts) = @_;
	119
64713cb1	120	subtest "Revoke certificate and generate CRL: $filename" => sub {
914079d1 RL	121	# Before Perl 5.12.0, the range of times Perl could represent was
	122	# limited by the size of time_t, so Time::Local was hamstrung by the
	123	# Y2038 problem
	124	# Perl 5.12.0 onwards use an internal time implementation with a
	125	# guaranteed >32-bit time range on all architectures, so the tests
	126	# involving post-2038 times won't fail provided we're running under
	127	# that version or newer
	128	plan skip_all =>
	129	'Perl >= 5.12.0 required to run certificate revocation tests'
	130	if $] < 5.012000;
	131
64713cb1 CN	132	$ENV{CN2} = $filename;
	133	ok(
	134	run(app(['openssl',
	135	'req',
	136	'-config', $cnf,
	137	'-new',
	138	'-key', data_file('revoked.key'),
	139	'-out', "$filename-req.pem",
	140	'-section', 'userreq',
	141	])),
	142	'Generate CSR'
	143	);
	144	delete $ENV{CN2};
	145
	146	ok(
	147	run(app(['openssl',
	148	'ca',
	149	'-batch',
	150	'-config', $cnf,
	151	'-in', "$filename-req.pem",
	152	'-out', "$filename-cert.pem",
	153	])),
	154	'Sign CSR'
	155	);
	156
	157	ok(
	158	run(app(['openssl',
	159	'ca',
	160	'-config', $cnf,
	161	'-revoke', "$filename-cert.pem",
	162	])),
	163	'Revoke certificate'
	164	);
	165
	166	my @gencrl_opts;
	167
	168	if (exists $opts->{lastupdate}) {
	169	push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate};
	170	}
	171
	172	if (exists $opts->{nextupdate}) {
	173	push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate};
	174	}
	175
	176	is(
	177	run(app(['openssl',
	178	'ca',
	179	'-config', $cnf,
	180	'-gencrl',
	181	'-out', "$filename-crl.pem",
	182	'-crlsec', '60',
	183	@gencrl_opts,
	184	])),
	185	$opts->{should_succeed},
	186	'Generate CRL'
	187	);
	188	my $crl_gentime = time;
	189
	190	# The following tests only need to run if the CRL was supposed to be
	191	# generated:
	192	return unless $opts->{should_succeed};
	193
	194	my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate');
	195	if (exists $opts->{lastupdate}) {
196	is(
197	$crl_lastupdate,
198	rfc5280_time($opts->{lastupdate}),
199	'CRL lastUpdate field has expected value'
200	);
201	} else {
202	diag("CRL lastUpdate: $crl_lastupdate");
203	diag("openssl run time: $crl_gentime");
204	ok(
205	# Is the CRL's lastUpdate time within a second of the time that
206	# `openssl ca -gencrl` was executed?
207	$crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1,
208	'CRL lastUpdate field has (roughly) expected value'
209	);
210	}
211
212	my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate');
213	if (exists $opts->{nextupdate}) {
214	is(
215	$crl_nextupdate,
216	rfc5280_time($opts->{nextupdate}),
217	'CRL nextUpdate field has expected value'
218	);
219	} else {
220	diag("CRL nextUpdate: $crl_nextupdate");
221	diag("openssl run time: $crl_gentime");
222	ok(
223	# Is the CRL's lastUpdate time within a second of the time that
224	# `openssl ca -gencrl` was executed, taking into account the use
225	# of '-crlsec 60'?
226	$crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61,
227	'CRL nextUpdate field has (roughly) expected value'
228	);
229	}
230	};
231	}
232
88b8a527	233	sub yes {
4034c38b	234	my $cntr = 10;
88b8a527 RL	235	open(PIPE, "\|-", join(" ",@_));
88b8a527 RL	236	local $SIG{PIPE} = "IGNORE";
4034c38b	237	1 while $cntr-- > 0 && print PIPE "y\n";
88b8a527 RL	238	close PIPE;
	239	return 0;
	240	}
42e0ccdf	241
64713cb1 CN	242	# Get the value of the lastUpdate or nextUpdate field from a CRL
	243	sub crl_field {
	244	my ($crl_path, $field_name) = @_;
	245
	246	my @out = run(
	247	app(['openssl',
	248	'crl',
	249	'-in', $crl_path,
	250	'-noout',
	251	'-' . lc($field_name),
	252	]),
	253	capture => 1,
	254	statusvar => \my $exit,
	255	);
	256	ok($exit, "CRL $field_name field retrieved");
	257	diag("CRL $field_name: $out[0]");
	258
	259	$out[0] =~ s/^\Q$field_name\E=//;
	260	$out[0] =~ s/\n?//;
	261	my $time = human_time($out[0]);
	262
	263	return $time;
	264	}
	265
	266	# Converts human-readable ASN1_TIME_print() output to Unix time
	267	sub human_time {
	268	my ($human) = @_;
	269
	270	my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/;
	271
	272	my %months = (
	273	Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5,
	274	Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11,
	275	);
	276
	277	return timegm($s, $m, $h, $d, $months{$mo}, $y);
	278	}
	279
	280	# Converts an RFC 5280 timestamp to Unix time
	281	sub rfc5280_time {
	282	my ($asn1) = @_;
	283
	284	my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
	285
	286	return timegm($s, $m, $h, $d, $mo - 1, $y);
	287	}