]>
Commit | Line | Data |
---|---|---|
596d6b7e | 1 | #! /usr/bin/env perl |
c89fd035 | 2 | # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. |
596d6b7e | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
596d6b7e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
88b8a527 RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use POSIX; | |
14 | use File::Spec::Functions qw/splitdir curdir catfile/; | |
15 | use File::Compare; | |
c89fd035 | 16 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file data_file/; |
bec5e4ae | 17 | use OpenSSL::Test::Utils; |
88b8a527 RL |
18 | |
19 | setup("test_tsa"); | |
20 | ||
bec5e4ae RL |
21 | plan skip_all => "TS is not supported by this OpenSSL build" |
22 | if disabled("ts"); | |
23 | ||
88b8a527 RL |
24 | # All these are modified inside indir further down. They need to exist |
25 | # here, however, to be available in all subroutines. | |
83e0d090 | 26 | my $openssl_conf; |
88b8a527 | 27 | my $testtsa; |
91f2b15f | 28 | my $tsacakey; |
88b8a527 | 29 | my $CAtsa; |
c89fd035 DDO |
30 | my @QUERY = ("openssl", "ts", "-query"); |
31 | my @REPLY; | |
32 | my @VERIFY = ("openssl", "ts", "-verify"); | |
88b8a527 RL |
33 | |
34 | sub create_tsa_cert { | |
35 | my $INDEX = shift; | |
36 | my $EXT = shift; | |
37 | my $r = 1; | |
1c73c3bc | 38 | $ENV{TSDNSECT} = "ts_cert_dn"; |
88b8a527 | 39 | |
83e0d090 | 40 | ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new", |
1c73c3bc | 41 | "-out", "tsa_req${INDEX}.pem", |
91f2b15f | 42 | "-key", srctop_file("test", "certs", "alt${INDEX}-key.pem"), |
1c73c3bc | 43 | "-keyout", "tsa_key${INDEX}.pem"]))); |
88b8a527 | 44 | note "using extension $EXT"; |
1c73c3bc RL |
45 | ok(run(app(["openssl", "x509", "-req", |
46 | "-in", "tsa_req${INDEX}.pem", | |
47 | "-out", "tsa_cert${INDEX}.pem", | |
91f2b15f | 48 | "-CA", "tsaca.pem", "-CAkey", $tsacakey, |
1c73c3bc | 49 | "-CAcreateserial", |
83e0d090 | 50 | "-extfile", $openssl_conf, "-extensions", $EXT]))); |
88b8a527 RL |
51 | } |
52 | ||
6b937ae3 DDO |
53 | sub create_resp { |
54 | my $config = shift; | |
55 | my $chain = shift; | |
88b8a527 RL |
56 | my $queryfile = shift; |
57 | my $outputfile = shift; | |
88b8a527 | 58 | |
6b937ae3 DDO |
59 | ok(run(app([@REPLY, "-section", $config, "-queryfile", $queryfile, |
60 | "-chain", $chain, # this overrides "certs" entry in config | |
61 | "-out", $outputfile]))); | |
88b8a527 RL |
62 | } |
63 | ||
6b937ae3 DDO |
64 | sub verify_ok { |
65 | my $datafile = shift; | |
88b8a527 RL |
66 | my $queryfile = shift; |
67 | my $inputfile = shift; | |
6b937ae3 | 68 | my $untrustedfile = shift; |
88b8a527 | 69 | |
6b937ae3 DDO |
70 | ok(run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile, |
71 | "-CAfile", "tsaca.pem", "-untrusted", $untrustedfile]))); | |
72 | ok(run(app([@VERIFY, "-data", $datafile, "-in", $inputfile, | |
73 | "-CAfile", "tsaca.pem", "-untrusted", $untrustedfile]))); | |
88b8a527 RL |
74 | } |
75 | ||
6b937ae3 | 76 | sub verify_fail { |
88b8a527 RL |
77 | my $queryfile = shift; |
78 | my $inputfile = shift; | |
6b937ae3 DDO |
79 | my $untrustedfile = shift; # is needed for resp2, but not for resp1 |
80 | my $cafile = shift; | |
88b8a527 | 81 | |
6b937ae3 DDO |
82 | ok(!run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile, |
83 | "-untrusted", $untrustedfile, "-CAfile", $cafile]))); | |
88b8a527 RL |
84 | } |
85 | ||
86 | # main functions | |
87 | ||
6b937ae3 | 88 | plan tests => 27; |
88b8a527 | 89 | |
1c73c3bc RL |
90 | note "setting up TSA test directory"; |
91 | indir "tsa" => sub | |
92 | { | |
83e0d090 | 93 | $openssl_conf = srctop_file("test", "CAtsa.cnf"); |
42e0ccdf | 94 | $testtsa = srctop_file("test", "recipes", "80-test_tsa.t"); |
91f2b15f | 95 | $tsacakey = srctop_file("test", "certs", "ca-key.pem"); |
42e0ccdf | 96 | $CAtsa = srctop_file("test", "CAtsa.cnf"); |
c89fd035 | 97 | @REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply"); |
83e0d090 RL |
98 | |
99 | # ../apps/CA.pl needs these | |
100 | $ENV{OPENSSL_CONFIG} = "-config $openssl_conf"; | |
101 | $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); | |
88b8a527 | 102 | |
1c73c3bc RL |
103 | SKIP: { |
104 | $ENV{TSDNSECT} = "ts_ca_dn"; | |
105 | skip "failed", 19 | |
83e0d090 | 106 | unless ok(run(app(["openssl", "req", "-config", $openssl_conf, |
ef898017 | 107 | "-new", "-x509", "-noenc", |
91f2b15f | 108 | "-out", "tsaca.pem", "-key", $tsacakey])), |
1c73c3bc RL |
109 | 'creating a new CA for the TSA tests'); |
110 | ||
111 | skip "failed", 18 | |
112 | unless subtest 'creating tsa_cert1.pem TSA server cert' => sub { | |
113 | create_tsa_cert("1", "tsa_cert") | |
114 | }; | |
115 | ||
116 | skip "failed", 17 | |
117 | unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub { | |
118 | create_tsa_cert("2", "non_tsa_cert") | |
119 | }; | |
120 | ||
121 | skip "failed", 16 | |
c89fd035 | 122 | unless ok(run(app([@QUERY, "-data", $testtsa, |
08538fc0 | 123 | "-tspolicy", "tsa_policy1", "-cert", |
1c73c3bc RL |
124 | "-out", "req1.tsq"])), |
125 | 'creating req1.req time stamp request for file testtsa'); | |
126 | ||
c89fd035 | 127 | ok(run(app([@QUERY, "-in", "req1.tsq", "-text"])), |
1c73c3bc RL |
128 | 'printing req1.req'); |
129 | ||
130 | subtest 'generating valid response for req1.req' => sub { | |
6b937ae3 DDO |
131 | create_resp("tsa_config1", "tsaca.pem", "req1.tsq", "resp1.tsr") |
132 | }; | |
133 | ||
134 | subtest 'generating response with wrong 2nd certid for req1.req' => sub { | |
135 | create_resp("tsa_config1", "tsa_cert1.pem", "req1.tsq", | |
136 | "resp1_invalid.tsr") | |
1c73c3bc RL |
137 | }; |
138 | ||
c89fd035 | 139 | ok(run(app([@REPLY, "-in", "resp1.tsr", "-text"])), |
1c73c3bc RL |
140 | 'printing response'); |
141 | ||
142 | subtest 'verifying valid response' => sub { | |
6b937ae3 | 143 | verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert1.pem") |
1c73c3bc RL |
144 | }; |
145 | ||
146 | skip "failed", 11 | |
147 | unless subtest 'verifying valid token' => sub { | |
c89fd035 | 148 | ok(run(app([@REPLY, "-in", "resp1.tsr", |
1c73c3bc | 149 | "-out", "resp1.tsr.token", "-token_out"]))); |
c89fd035 | 150 | ok(run(app([@VERIFY, "-queryfile", "req1.tsq", |
1c73c3bc | 151 | "-in", "resp1.tsr.token", "-token_in", |
c89fd035 DDO |
152 | "-CAfile", "tsaca.pem"]))); |
153 | ok(run(app([@VERIFY, "-data", $testtsa, | |
1c73c3bc | 154 | "-in", "resp1.tsr.token", "-token_in", |
c89fd035 | 155 | "-CAfile", "tsaca.pem"]))); |
1c73c3bc RL |
156 | }; |
157 | ||
158 | skip "failed", 10 | |
c89fd035 | 159 | unless ok(run(app([@QUERY, "-data", $testtsa, |
08538fc0 | 160 | "-tspolicy", "tsa_policy2", "-no_nonce", |
1c73c3bc RL |
161 | "-out", "req2.tsq"])), |
162 | 'creating req2.req time stamp request for file testtsa'); | |
163 | ||
c89fd035 | 164 | ok(run(app([@QUERY, "-in", "req2.tsq", "-text"])), |
1c73c3bc RL |
165 | 'printing req2.req'); |
166 | ||
167 | skip "failed", 8 | |
168 | unless subtest 'generating valid response for req2.req' => sub { | |
6b937ae3 | 169 | create_resp("tsa_config1", "tsaca.pem", "req2.tsq", "resp2.tsr") |
1c73c3bc RL |
170 | }; |
171 | ||
172 | skip "failed", 7 | |
173 | unless subtest 'checking -token_in and -token_out options with -reply' => sub { | |
174 | my $RESPONSE2="resp2.tsr.copy.tsr"; | |
175 | my $TOKEN_DER="resp2.tsr.token.der"; | |
176 | ||
c89fd035 | 177 | ok(run(app([@REPLY, "-in", "resp2.tsr", |
1c73c3bc | 178 | "-out", "$TOKEN_DER", "-token_out"]))); |
c89fd035 | 179 | ok(run(app([@REPLY, "-in", "$TOKEN_DER", |
1c73c3bc RL |
180 | "-token_in", "-out", "$RESPONSE2"]))); |
181 | is(compare($RESPONSE2, "resp2.tsr"), 0); | |
c89fd035 | 182 | ok(run(app([@REPLY, "-in", "resp2.tsr", |
1c73c3bc | 183 | "-text", "-token_out"]))); |
c89fd035 | 184 | ok(run(app([@REPLY, "-in", "$TOKEN_DER", |
1c73c3bc | 185 | "-token_in", "-text", "-token_out"]))); |
c89fd035 | 186 | ok(run(app([@REPLY, "-queryfile", "req2.tsq", |
1c73c3bc RL |
187 | "-text", "-token_out"]))); |
188 | }; | |
189 | ||
c89fd035 | 190 | ok(run(app([@REPLY, "-in", "resp2.tsr", "-text"])), |
1c73c3bc RL |
191 | 'printing response'); |
192 | ||
6b937ae3 DDO |
193 | subtest 'verifying valid resp1, wrong untrusted is not used' => sub { |
194 | verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert2.pem") | |
195 | }; | |
196 | ||
197 | subtest 'verifying invalid resp1 with wrong 2nd certid' => sub { | |
198 | verify_fail($testtsa, "req1.tsq", "resp1_invalid.tsr", "tsa_cert2.pem") | |
1c73c3bc RL |
199 | }; |
200 | ||
6b937ae3 DDO |
201 | subtest 'verifying valid resp2, correct untrusted being used' => sub { |
202 | verify_ok($testtsa, "req2.tsq", "resp2.tsr", "tsa_cert1.pem") | |
1c73c3bc RL |
203 | }; |
204 | ||
6b937ae3 DDO |
205 | subtest 'verifying resp2 against wrong req1 should fail' => sub { |
206 | verify_fail("req1.tsq", "resp2.tsr", "tsa_cert1.pem", "tsaca.pem") | |
207 | }; | |
208 | ||
209 | subtest 'verifying resp1 against wrong req2 should fail' => sub { | |
210 | verify_fail("req2.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem") | |
211 | }; | |
212 | ||
213 | subtest 'verifying resp1 using wrong untrusted should fail' => sub { | |
214 | verify_fail("req2.tsq", "resp2.tsr", "tsa_cert2.pem", "tsaca.pem") | |
215 | }; | |
216 | ||
217 | subtest 'verifying resp1 using wrong root should fail' => sub { | |
218 | verify_fail("req1.tsq", "resp1.tsr", "tsa_cert1.pem", "tsa_cert1.pem") | |
1c73c3bc RL |
219 | }; |
220 | ||
221 | skip "failure", 2 | |
c89fd035 | 222 | unless ok(run(app([@QUERY, "-data", $CAtsa, |
1c73c3bc RL |
223 | "-no_nonce", "-out", "req3.tsq"])), |
224 | "creating req3.req time stamp request for file CAtsa.cnf"); | |
225 | ||
c89fd035 | 226 | ok(run(app([@QUERY, "-in", "req3.tsq", "-text"])), |
1c73c3bc RL |
227 | 'printing req3.req'); |
228 | ||
6b937ae3 DDO |
229 | subtest 'verifying resp1 against wrong req3 should fail' => sub { |
230 | verify_fail("req3.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem") | |
1c73c3bc | 231 | }; |
88b8a527 | 232 | } |
6b937ae3 DDO |
233 | |
234 | # verifying response with two ESSCertIDs, referring to leaf cert | |
235 | # "sectigo-signer.pem" and intermediate cert "sectigo-time-stamping-ca.pem" | |
236 | # 1. validation chain contains these certs and root "user-trust-ca.pem" | |
237 | ok(run(app([@VERIFY, "-no_check_time", | |
238 | "-queryfile", data_file("all-zero.tsq"), | |
239 | "-in", data_file("sectigo-all-zero.tsr"), | |
240 | "-CAfile", data_file("user-trust-ca.pem")])), | |
241 | "validation with two ESSCertIDs and 3-element chain"); | |
242 | # 2. validation chain contains these certs, a cross-cert, and different root | |
243 | ok(run(app([@VERIFY, "-no_check_time", | |
244 | "-queryfile", data_file("all-zero.tsq"), | |
245 | "-in", data_file("sectigo-all-zero.tsr"), | |
246 | "-untrusted", data_file("user-trust-ca-aaa.pem"), | |
247 | "-CAfile", data_file("comodo-aaa.pem")])), | |
248 | "validation with two ESSCertIDs and 4-element chain"); | |
249 | ||
1c73c3bc | 250 | }, create => 1, cleanup => 1 |