[thirdparty/openssl.git] / test / recipes / 80-test_tsa.t

#! /usr/bin/env perl
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/splitdir curdir catfile/;
use File::Compare;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file data_file/;
use OpenSSL::Test::Utils;

setup("test_tsa");

plan skip_all => "TS is not supported by this OpenSSL build"
    if disabled("ts");

# All these are modified inside indir further down. They need to exist
# here, however, to be available in all subroutines.
my $openssl_conf;
my $testtsa;
my $tsacakey;
my $CAtsa;
my @QUERY = ("openssl", "ts", "-query");
my @REPLY;
my @VERIFY = ("openssl", "ts", "-verify");

sub create_tsa_cert {
    my $INDEX = shift;
    my $EXT = shift;
    my $r = 1;
    $ENV{TSDNSECT} = "ts_cert_dn";

    ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
                "-out", "tsa_req${INDEX}.pem",
                "-key", srctop_file("test", "certs", "alt${INDEX}-key.pem"),
                "-keyout", "tsa_key${INDEX}.pem"])));
    note "using extension $EXT";
    ok(run(app(["openssl", "x509", "-req",
                "-in", "tsa_req${INDEX}.pem",
                "-out", "tsa_cert${INDEX}.pem",
                "-CA", "tsaca.pem", "-CAkey", $tsacakey,
                "-CAcreateserial",
                "-extfile", $openssl_conf, "-extensions", $EXT])));
}

sub create_resp {
    my $config = shift;
    my $chain = shift;
    my $queryfile = shift;
    my $outputfile = shift;

    ok(run(app([@REPLY, "-section", $config, "-queryfile", $queryfile,
                "-chain", $chain, # this overrides "certs" entry in config
                "-out", $outputfile])));
}

sub verify_ok {
    my $datafile = shift;
    my $queryfile = shift;
    my $inputfile = shift;
    my $untrustedfile = shift;

    ok(run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile,
                "-CAfile", "tsaca.pem", "-untrusted", $untrustedfile])));
    ok(run(app([@VERIFY, "-data", $datafile, "-in", $inputfile,
                "-CAfile", "tsaca.pem", "-untrusted", $untrustedfile])));
}

sub verify_fail {
    my $queryfile = shift;
    my $inputfile = shift;
    my $untrustedfile = shift; # is needed for resp2, but not for resp1
    my $cafile = shift;

    ok(!run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile,
                 "-untrusted", $untrustedfile, "-CAfile", $cafile])));
}

# main functions

plan tests => 27;

note "setting up TSA test directory";
indir "tsa" => sub
{
    $openssl_conf = srctop_file("test", "CAtsa.cnf");
    $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
    $tsacakey = srctop_file("test", "certs", "ca-key.pem");
    $CAtsa = srctop_file("test", "CAtsa.cnf");
    @REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply");

    # ../apps/CA.pl needs these
    $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
    $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);

 SKIP: {
     $ENV{TSDNSECT} = "ts_ca_dn";
     skip "failed", 19
         unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
                            "-new", "-x509", "-noenc",
                            "-out", "tsaca.pem", "-key", $tsacakey])),
                   'creating a new CA for the TSA tests');

     skip "failed", 18
         unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
             create_tsa_cert("1", "tsa_cert")
     };

     skip "failed", 17
         unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
             create_tsa_cert("2", "non_tsa_cert")
     };

     skip "failed", 16
         unless ok(run(app([@QUERY, "-data", $testtsa,
                            "-tspolicy", "tsa_policy1", "-cert",
                            "-out", "req1.tsq"])),
                   'creating req1.req time stamp request for file testtsa');

     ok(run(app([@QUERY, "-in", "req1.tsq", "-text"])),
        'printing req1.req');

     subtest 'generating valid response for req1.req' => sub {
         create_resp("tsa_config1", "tsaca.pem", "req1.tsq", "resp1.tsr")
     };

     subtest 'generating response with wrong 2nd certid for req1.req' => sub {
         create_resp("tsa_config1", "tsa_cert1.pem", "req1.tsq",
                     "resp1_invalid.tsr")
     };

     ok(run(app([@REPLY, "-in", "resp1.tsr", "-text"])),
        'printing response');

     subtest 'verifying valid response' => sub {
         verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert1.pem")
     };

     skip "failed", 11
         unless subtest 'verifying valid token' => sub {
             ok(run(app([@REPLY, "-in", "resp1.tsr",
                         "-out", "resp1.tsr.token", "-token_out"])));
             ok(run(app([@VERIFY, "-queryfile", "req1.tsq",
                         "-in", "resp1.tsr.token", "-token_in",
                         "-CAfile", "tsaca.pem"])));
             ok(run(app([@VERIFY, "-data", $testtsa,
                         "-in", "resp1.tsr.token", "-token_in",
                         "-CAfile", "tsaca.pem"])));
     };

     skip "failed", 10
         unless ok(run(app([@QUERY, "-data", $testtsa,
                            "-tspolicy", "tsa_policy2", "-no_nonce",
                            "-out", "req2.tsq"])),
                   'creating req2.req time stamp request for file testtsa');

     ok(run(app([@QUERY, "-in", "req2.tsq", "-text"])),
        'printing req2.req');

     skip "failed", 8
         unless subtest 'generating valid response for req2.req' => sub {
             create_resp("tsa_config1", "tsaca.pem", "req2.tsq", "resp2.tsr")
     };

     skip "failed", 7
         unless subtest 'checking -token_in and -token_out options with -reply' => sub {
             my $RESPONSE2="resp2.tsr.copy.tsr";
             my $TOKEN_DER="resp2.tsr.token.der";

             ok(run(app([@REPLY, "-in", "resp2.tsr",
                         "-out", "$TOKEN_DER", "-token_out"])));
             ok(run(app([@REPLY, "-in", "$TOKEN_DER",
                         "-token_in", "-out", "$RESPONSE2"])));
             is(compare($RESPONSE2, "resp2.tsr"), 0);
             ok(run(app([@REPLY, "-in", "resp2.tsr",
                         "-text", "-token_out"])));
             ok(run(app([@REPLY, "-in", "$TOKEN_DER",
                         "-token_in", "-text", "-token_out"])));
             ok(run(app([@REPLY, "-queryfile", "req2.tsq",
                         "-text", "-token_out"])));
     };

     ok(run(app([@REPLY, "-in", "resp2.tsr", "-text"])),
        'printing response');

     subtest 'verifying valid resp1, wrong untrusted is not used' => sub {
         verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert2.pem")
     };

     subtest 'verifying invalid resp1 with wrong 2nd certid' => sub {
         verify_fail($testtsa, "req1.tsq", "resp1_invalid.tsr", "tsa_cert2.pem")
     };

     subtest 'verifying valid resp2, correct untrusted being used' => sub {
         verify_ok($testtsa, "req2.tsq", "resp2.tsr", "tsa_cert1.pem")
     };

     subtest 'verifying resp2 against wrong req1 should fail' => sub {
         verify_fail("req1.tsq", "resp2.tsr", "tsa_cert1.pem", "tsaca.pem")
     };

     subtest 'verifying resp1 against wrong req2 should fail' => sub {
         verify_fail("req2.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem")
     };

     subtest 'verifying resp1 using wrong untrusted should fail' => sub {
         verify_fail("req2.tsq", "resp2.tsr", "tsa_cert2.pem", "tsaca.pem")
     };

     subtest 'verifying resp1 using wrong root should fail' => sub {
         verify_fail("req1.tsq", "resp1.tsr", "tsa_cert1.pem", "tsa_cert1.pem")
     };

     skip "failure", 2
         unless ok(run(app([@QUERY, "-data", $CAtsa,
                            "-no_nonce", "-out", "req3.tsq"])),
                   "creating req3.req time stamp request for file CAtsa.cnf");

     ok(run(app([@QUERY, "-in", "req3.tsq", "-text"])),
        'printing req3.req');

     subtest 'verifying resp1 against wrong req3 should fail' => sub {
         verify_fail("req3.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem")
     };
    }

    # verifying response with two ESSCertIDs, referring to leaf cert
    # "sectigo-signer.pem" and intermediate cert "sectigo-time-stamping-ca.pem"
    # 1. validation chain contains these certs and root "user-trust-ca.pem"
    ok(run(app([@VERIFY, "-no_check_time",
                "-queryfile", data_file("all-zero.tsq"),
                "-in", data_file("sectigo-all-zero.tsr"),
                "-CAfile", data_file("user-trust-ca.pem")])),
     "validation with two ESSCertIDs and 3-element chain");
    # 2. validation chain contains these certs, a cross-cert, and different root
    ok(run(app([@VERIFY, "-no_check_time",
                "-queryfile", data_file("all-zero.tsq"),
                "-in", data_file("sectigo-all-zero.tsr"),
                "-untrusted", data_file("user-trust-ca-aaa.pem"),
                "-CAfile", data_file("comodo-aaa.pem")])),
     "validation with two ESSCertIDs and 4-element chain");

}, create => 1, cleanup => 1
Commit	Line	Data
596d6b7e	1	#! /usr/bin/env perl
c89fd035	2	# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
596d6b7e	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
596d6b7e RS	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
88b8a527 RL	9
	10	use strict;
	11	use warnings;
	12
	13	use POSIX;
	14	use File::Spec::Functions qw/splitdir curdir catfile/;
	15	use File::Compare;
c89fd035	16	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file data_file/;
bec5e4ae	17	use OpenSSL::Test::Utils;
88b8a527 RL	18
	19	setup("test_tsa");
	20
bec5e4ae RL	21	plan skip_all => "TS is not supported by this OpenSSL build"
	22	if disabled("ts");
	23
88b8a527 RL	24	# All these are modified inside indir further down. They need to exist
88b8a527 RL	25	# here, however, to be available in all subroutines.
83e0d090	26	my $openssl_conf;
88b8a527	27	my $testtsa;
91f2b15f	28	my $tsacakey;
88b8a527	29	my $CAtsa;
c89fd035 DDO	30	my @QUERY = ("openssl", "ts", "-query");
	31	my @REPLY;
	32	my @VERIFY = ("openssl", "ts", "-verify");
88b8a527 RL	33
	34	sub create_tsa_cert {
	35	my $INDEX = shift;
	36	my $EXT = shift;
	37	my $r = 1;
1c73c3bc	38	$ENV{TSDNSECT} = "ts_cert_dn";
88b8a527	39
83e0d090	40	ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
1c73c3bc	41	"-out", "tsa_req${INDEX}.pem",
91f2b15f	42	"-key", srctop_file("test", "certs", "alt${INDEX}-key.pem"),
1c73c3bc	43	"-keyout", "tsa_key${INDEX}.pem"])));
88b8a527	44	note "using extension $EXT";
1c73c3bc RL	45	ok(run(app(["openssl", "x509", "-req",
	46	"-in", "tsa_req${INDEX}.pem",
	47	"-out", "tsa_cert${INDEX}.pem",
91f2b15f	48	"-CA", "tsaca.pem", "-CAkey", $tsacakey,
1c73c3bc	49	"-CAcreateserial",
83e0d090	50	"-extfile", $openssl_conf, "-extensions", $EXT])));
88b8a527 RL	51	}
88b8a527 RL	52
6b937ae3 DDO	53	sub create_resp {
	54	my $config = shift;
	55	my $chain = shift;
88b8a527 RL	56	my $queryfile = shift;
88b8a527 RL	57	my $outputfile = shift;
88b8a527	58
6b937ae3 DDO	59	ok(run(app([@REPLY, "-section", $config, "-queryfile", $queryfile,
	60	"-chain", $chain, # this overrides "certs" entry in config
	61	"-out", $outputfile])));
88b8a527 RL	62	}
88b8a527 RL	63
6b937ae3 DDO	64	sub verify_ok {
6b937ae3 DDO	65	my $datafile = shift;
88b8a527 RL	66	my $queryfile = shift;
88b8a527 RL	67	my $inputfile = shift;
6b937ae3	68	my $untrustedfile = shift;
88b8a527	69
6b937ae3 DDO	70	ok(run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile,
	71	"-CAfile", "tsaca.pem", "-untrusted", $untrustedfile])));
	72	ok(run(app([@VERIFY, "-data", $datafile, "-in", $inputfile,
	73	"-CAfile", "tsaca.pem", "-untrusted", $untrustedfile])));
88b8a527 RL	74	}
88b8a527 RL	75
6b937ae3	76	sub verify_fail {
88b8a527 RL	77	my $queryfile = shift;
88b8a527 RL	78	my $inputfile = shift;
6b937ae3 DDO	79	my $untrustedfile = shift; # is needed for resp2, but not for resp1
6b937ae3 DDO	80	my $cafile = shift;
88b8a527	81
6b937ae3 DDO	82	ok(!run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile,
6b937ae3 DDO	83	"-untrusted", $untrustedfile, "-CAfile", $cafile])));
88b8a527 RL	84	}
	85
	86	# main functions
	87
6b937ae3	88	plan tests => 27;
88b8a527	89
1c73c3bc RL	90	note "setting up TSA test directory";
	91	indir "tsa" => sub
	92	{
83e0d090	93	$openssl_conf = srctop_file("test", "CAtsa.cnf");
42e0ccdf	94	$testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
91f2b15f	95	$tsacakey = srctop_file("test", "certs", "ca-key.pem");
42e0ccdf	96	$CAtsa = srctop_file("test", "CAtsa.cnf");
c89fd035	97	@REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply");
83e0d090 RL	98
	99	# ../apps/CA.pl needs these
	100	$ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
	101	$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
88b8a527	102
1c73c3bc RL	103	SKIP: {
	104	$ENV{TSDNSECT} = "ts_ca_dn";
	105	skip "failed", 19
83e0d090	106	unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
ef898017	107	"-new", "-x509", "-noenc",
91f2b15f	108	"-out", "tsaca.pem", "-key", $tsacakey])),
1c73c3bc RL	109	'creating a new CA for the TSA tests');
	110
	111	skip "failed", 18
	112	unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
	113	create_tsa_cert("1", "tsa_cert")
	114	};
	115
	116	skip "failed", 17
	117	unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
	118	create_tsa_cert("2", "non_tsa_cert")
	119	};
	120
	121	skip "failed", 16
c89fd035	122	unless ok(run(app([@QUERY, "-data", $testtsa,
08538fc0	123	"-tspolicy", "tsa_policy1", "-cert",
1c73c3bc RL	124	"-out", "req1.tsq"])),
	125	'creating req1.req time stamp request for file testtsa');
	126
c89fd035	127	ok(run(app([@QUERY, "-in", "req1.tsq", "-text"])),
1c73c3bc RL	128	'printing req1.req');
	129
	130	subtest 'generating valid response for req1.req' => sub {
6b937ae3 DDO	131	create_resp("tsa_config1", "tsaca.pem", "req1.tsq", "resp1.tsr")
	132	};
	133
	134	subtest 'generating response with wrong 2nd certid for req1.req' => sub {
	135	create_resp("tsa_config1", "tsa_cert1.pem", "req1.tsq",
	136	"resp1_invalid.tsr")
1c73c3bc RL	137	};
1c73c3bc RL	138
c89fd035	139	ok(run(app([@REPLY, "-in", "resp1.tsr", "-text"])),
1c73c3bc RL	140	'printing response');
	141
	142	subtest 'verifying valid response' => sub {
6b937ae3	143	verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert1.pem")
1c73c3bc RL	144	};
	145
	146	skip "failed", 11
	147	unless subtest 'verifying valid token' => sub {
c89fd035	148	ok(run(app([@REPLY, "-in", "resp1.tsr",
1c73c3bc	149	"-out", "resp1.tsr.token", "-token_out"])));
c89fd035	150	ok(run(app([@VERIFY, "-queryfile", "req1.tsq",
1c73c3bc	151	"-in", "resp1.tsr.token", "-token_in",
c89fd035 DDO	152	"-CAfile", "tsaca.pem"])));
c89fd035 DDO	153	ok(run(app([@VERIFY, "-data", $testtsa,
1c73c3bc	154	"-in", "resp1.tsr.token", "-token_in",
c89fd035	155	"-CAfile", "tsaca.pem"])));
1c73c3bc RL	156	};
	157
	158	skip "failed", 10
c89fd035	159	unless ok(run(app([@QUERY, "-data", $testtsa,
08538fc0	160	"-tspolicy", "tsa_policy2", "-no_nonce",
1c73c3bc RL	161	"-out", "req2.tsq"])),
	162	'creating req2.req time stamp request for file testtsa');
	163
c89fd035	164	ok(run(app([@QUERY, "-in", "req2.tsq", "-text"])),
1c73c3bc RL	165	'printing req2.req');
	166
	167	skip "failed", 8
	168	unless subtest 'generating valid response for req2.req' => sub {
6b937ae3	169	create_resp("tsa_config1", "tsaca.pem", "req2.tsq", "resp2.tsr")
1c73c3bc RL	170	};
	171
	172	skip "failed", 7
	173	unless subtest 'checking -token_in and -token_out options with -reply' => sub {
	174	my $RESPONSE2="resp2.tsr.copy.tsr";
	175	my $TOKEN_DER="resp2.tsr.token.der";
	176
c89fd035	177	ok(run(app([@REPLY, "-in", "resp2.tsr",
1c73c3bc	178	"-out", "$TOKEN_DER", "-token_out"])));
c89fd035	179	ok(run(app([@REPLY, "-in", "$TOKEN_DER",
1c73c3bc RL	180	"-token_in", "-out", "$RESPONSE2"])));
1c73c3bc RL	181	is(compare($RESPONSE2, "resp2.tsr"), 0);
c89fd035	182	ok(run(app([@REPLY, "-in", "resp2.tsr",
1c73c3bc	183	"-text", "-token_out"])));
c89fd035	184	ok(run(app([@REPLY, "-in", "$TOKEN_DER",
1c73c3bc	185	"-token_in", "-text", "-token_out"])));
c89fd035	186	ok(run(app([@REPLY, "-queryfile", "req2.tsq",
1c73c3bc RL	187	"-text", "-token_out"])));
	188	};
	189
c89fd035	190	ok(run(app([@REPLY, "-in", "resp2.tsr", "-text"])),
1c73c3bc RL	191	'printing response');
1c73c3bc RL	192
6b937ae3 DDO	193	subtest 'verifying valid resp1, wrong untrusted is not used' => sub {
	194	verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert2.pem")
	195	};
	196
	197	subtest 'verifying invalid resp1 with wrong 2nd certid' => sub {
	198	verify_fail($testtsa, "req1.tsq", "resp1_invalid.tsr", "tsa_cert2.pem")
1c73c3bc RL	199	};
1c73c3bc RL	200
6b937ae3 DDO	201	subtest 'verifying valid resp2, correct untrusted being used' => sub {
6b937ae3 DDO	202	verify_ok($testtsa, "req2.tsq", "resp2.tsr", "tsa_cert1.pem")
1c73c3bc RL	203	};
1c73c3bc RL	204
6b937ae3 DDO	205	subtest 'verifying resp2 against wrong req1 should fail' => sub {
	206	verify_fail("req1.tsq", "resp2.tsr", "tsa_cert1.pem", "tsaca.pem")
	207	};
	208
	209	subtest 'verifying resp1 against wrong req2 should fail' => sub {
	210	verify_fail("req2.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem")
	211	};
	212
	213	subtest 'verifying resp1 using wrong untrusted should fail' => sub {
	214	verify_fail("req2.tsq", "resp2.tsr", "tsa_cert2.pem", "tsaca.pem")
	215	};
	216
	217	subtest 'verifying resp1 using wrong root should fail' => sub {
	218	verify_fail("req1.tsq", "resp1.tsr", "tsa_cert1.pem", "tsa_cert1.pem")
1c73c3bc RL	219	};
	220
	221	skip "failure", 2
c89fd035	222	unless ok(run(app([@QUERY, "-data", $CAtsa,
1c73c3bc RL	223	"-no_nonce", "-out", "req3.tsq"])),
	224	"creating req3.req time stamp request for file CAtsa.cnf");
	225
c89fd035	226	ok(run(app([@QUERY, "-in", "req3.tsq", "-text"])),
1c73c3bc RL	227	'printing req3.req');
1c73c3bc RL	228
6b937ae3 DDO	229	subtest 'verifying resp1 against wrong req3 should fail' => sub {
6b937ae3 DDO	230	verify_fail("req3.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem")
1c73c3bc	231	};
88b8a527	232	}
6b937ae3 DDO	233
	234	# verifying response with two ESSCertIDs, referring to leaf cert
	235	# "sectigo-signer.pem" and intermediate cert "sectigo-time-stamping-ca.pem"
	236	# 1. validation chain contains these certs and root "user-trust-ca.pem"
	237	ok(run(app([@VERIFY, "-no_check_time",
	238	"-queryfile", data_file("all-zero.tsq"),
	239	"-in", data_file("sectigo-all-zero.tsr"),
	240	"-CAfile", data_file("user-trust-ca.pem")])),
	241	"validation with two ESSCertIDs and 3-element chain");
	242	# 2. validation chain contains these certs, a cross-cert, and different root
	243	ok(run(app([@VERIFY, "-no_check_time",
	244	"-queryfile", data_file("all-zero.tsq"),
	245	"-in", data_file("sectigo-all-zero.tsr"),
	246	"-untrusted", data_file("user-trust-ca-aaa.pem"),
	247	"-CAfile", data_file("comodo-aaa.pem")])),
	248	"validation with two ESSCertIDs and 4-element chain");
	249
1c73c3bc	250	}, create => 1, cleanup => 1