]>
Commit | Line | Data |
---|---|---|
596d6b7e | 1 | #! /usr/bin/env perl |
c89fd035 | 2 | # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. |
596d6b7e | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
596d6b7e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
88b8a527 RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use POSIX; | |
14 | use File::Spec::Functions qw/splitdir curdir catfile/; | |
15 | use File::Compare; | |
c89fd035 | 16 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file data_file/; |
bec5e4ae | 17 | use OpenSSL::Test::Utils; |
88b8a527 RL |
18 | |
19 | setup("test_tsa"); | |
20 | ||
bec5e4ae RL |
21 | plan skip_all => "TS is not supported by this OpenSSL build" |
22 | if disabled("ts"); | |
23 | ||
88b8a527 RL |
24 | # All these are modified inside indir further down. They need to exist |
25 | # here, however, to be available in all subroutines. | |
83e0d090 | 26 | my $openssl_conf; |
88b8a527 RL |
27 | my $testtsa; |
28 | my $CAtsa; | |
c89fd035 DDO |
29 | my @QUERY = ("openssl", "ts", "-query"); |
30 | my @REPLY; | |
31 | my @VERIFY = ("openssl", "ts", "-verify"); | |
88b8a527 RL |
32 | |
33 | sub create_tsa_cert { | |
34 | my $INDEX = shift; | |
35 | my $EXT = shift; | |
36 | my $r = 1; | |
1c73c3bc | 37 | $ENV{TSDNSECT} = "ts_cert_dn"; |
88b8a527 | 38 | |
83e0d090 | 39 | ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new", |
1c73c3bc RL |
40 | "-out", "tsa_req${INDEX}.pem", |
41 | "-keyout", "tsa_key${INDEX}.pem"]))); | |
88b8a527 | 42 | note "using extension $EXT"; |
1c73c3bc RL |
43 | ok(run(app(["openssl", "x509", "-req", |
44 | "-in", "tsa_req${INDEX}.pem", | |
45 | "-out", "tsa_cert${INDEX}.pem", | |
46 | "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem", | |
47 | "-CAcreateserial", | |
83e0d090 | 48 | "-extfile", $openssl_conf, "-extensions", $EXT]))); |
88b8a527 RL |
49 | } |
50 | ||
6b937ae3 DDO |
51 | sub create_resp { |
52 | my $config = shift; | |
53 | my $chain = shift; | |
88b8a527 RL |
54 | my $queryfile = shift; |
55 | my $outputfile = shift; | |
88b8a527 | 56 | |
6b937ae3 DDO |
57 | ok(run(app([@REPLY, "-section", $config, "-queryfile", $queryfile, |
58 | "-chain", $chain, # this overrides "certs" entry in config | |
59 | "-out", $outputfile]))); | |
88b8a527 RL |
60 | } |
61 | ||
6b937ae3 DDO |
62 | sub verify_ok { |
63 | my $datafile = shift; | |
88b8a527 RL |
64 | my $queryfile = shift; |
65 | my $inputfile = shift; | |
6b937ae3 | 66 | my $untrustedfile = shift; |
88b8a527 | 67 | |
6b937ae3 DDO |
68 | ok(run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile, |
69 | "-CAfile", "tsaca.pem", "-untrusted", $untrustedfile]))); | |
70 | ok(run(app([@VERIFY, "-data", $datafile, "-in", $inputfile, | |
71 | "-CAfile", "tsaca.pem", "-untrusted", $untrustedfile]))); | |
88b8a527 RL |
72 | } |
73 | ||
6b937ae3 | 74 | sub verify_fail { |
88b8a527 RL |
75 | my $queryfile = shift; |
76 | my $inputfile = shift; | |
6b937ae3 DDO |
77 | my $untrustedfile = shift; # is needed for resp2, but not for resp1 |
78 | my $cafile = shift; | |
88b8a527 | 79 | |
6b937ae3 DDO |
80 | ok(!run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile, |
81 | "-untrusted", $untrustedfile, "-CAfile", $cafile]))); | |
88b8a527 RL |
82 | } |
83 | ||
84 | # main functions | |
85 | ||
6b937ae3 | 86 | plan tests => 27; |
88b8a527 | 87 | |
1c73c3bc RL |
88 | note "setting up TSA test directory"; |
89 | indir "tsa" => sub | |
90 | { | |
83e0d090 | 91 | $openssl_conf = srctop_file("test", "CAtsa.cnf"); |
42e0ccdf RL |
92 | $testtsa = srctop_file("test", "recipes", "80-test_tsa.t"); |
93 | $CAtsa = srctop_file("test", "CAtsa.cnf"); | |
c89fd035 | 94 | @REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply"); |
83e0d090 RL |
95 | |
96 | # ../apps/CA.pl needs these | |
97 | $ENV{OPENSSL_CONFIG} = "-config $openssl_conf"; | |
98 | $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); | |
88b8a527 | 99 | |
1c73c3bc RL |
100 | SKIP: { |
101 | $ENV{TSDNSECT} = "ts_ca_dn"; | |
102 | skip "failed", 19 | |
83e0d090 | 103 | unless ok(run(app(["openssl", "req", "-config", $openssl_conf, |
ef898017 | 104 | "-new", "-x509", "-noenc", |
1c73c3bc RL |
105 | "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])), |
106 | 'creating a new CA for the TSA tests'); | |
107 | ||
108 | skip "failed", 18 | |
109 | unless subtest 'creating tsa_cert1.pem TSA server cert' => sub { | |
110 | create_tsa_cert("1", "tsa_cert") | |
111 | }; | |
112 | ||
113 | skip "failed", 17 | |
114 | unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub { | |
115 | create_tsa_cert("2", "non_tsa_cert") | |
116 | }; | |
117 | ||
118 | skip "failed", 16 | |
c89fd035 | 119 | unless ok(run(app([@QUERY, "-data", $testtsa, |
08538fc0 | 120 | "-tspolicy", "tsa_policy1", "-cert", |
1c73c3bc RL |
121 | "-out", "req1.tsq"])), |
122 | 'creating req1.req time stamp request for file testtsa'); | |
123 | ||
c89fd035 | 124 | ok(run(app([@QUERY, "-in", "req1.tsq", "-text"])), |
1c73c3bc RL |
125 | 'printing req1.req'); |
126 | ||
127 | subtest 'generating valid response for req1.req' => sub { | |
6b937ae3 DDO |
128 | create_resp("tsa_config1", "tsaca.pem", "req1.tsq", "resp1.tsr") |
129 | }; | |
130 | ||
131 | subtest 'generating response with wrong 2nd certid for req1.req' => sub { | |
132 | create_resp("tsa_config1", "tsa_cert1.pem", "req1.tsq", | |
133 | "resp1_invalid.tsr") | |
1c73c3bc RL |
134 | }; |
135 | ||
c89fd035 | 136 | ok(run(app([@REPLY, "-in", "resp1.tsr", "-text"])), |
1c73c3bc RL |
137 | 'printing response'); |
138 | ||
139 | subtest 'verifying valid response' => sub { | |
6b937ae3 | 140 | verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert1.pem") |
1c73c3bc RL |
141 | }; |
142 | ||
143 | skip "failed", 11 | |
144 | unless subtest 'verifying valid token' => sub { | |
c89fd035 | 145 | ok(run(app([@REPLY, "-in", "resp1.tsr", |
1c73c3bc | 146 | "-out", "resp1.tsr.token", "-token_out"]))); |
c89fd035 | 147 | ok(run(app([@VERIFY, "-queryfile", "req1.tsq", |
1c73c3bc | 148 | "-in", "resp1.tsr.token", "-token_in", |
c89fd035 DDO |
149 | "-CAfile", "tsaca.pem"]))); |
150 | ok(run(app([@VERIFY, "-data", $testtsa, | |
1c73c3bc | 151 | "-in", "resp1.tsr.token", "-token_in", |
c89fd035 | 152 | "-CAfile", "tsaca.pem"]))); |
1c73c3bc RL |
153 | }; |
154 | ||
155 | skip "failed", 10 | |
c89fd035 | 156 | unless ok(run(app([@QUERY, "-data", $testtsa, |
08538fc0 | 157 | "-tspolicy", "tsa_policy2", "-no_nonce", |
1c73c3bc RL |
158 | "-out", "req2.tsq"])), |
159 | 'creating req2.req time stamp request for file testtsa'); | |
160 | ||
c89fd035 | 161 | ok(run(app([@QUERY, "-in", "req2.tsq", "-text"])), |
1c73c3bc RL |
162 | 'printing req2.req'); |
163 | ||
164 | skip "failed", 8 | |
165 | unless subtest 'generating valid response for req2.req' => sub { | |
6b937ae3 | 166 | create_resp("tsa_config1", "tsaca.pem", "req2.tsq", "resp2.tsr") |
1c73c3bc RL |
167 | }; |
168 | ||
169 | skip "failed", 7 | |
170 | unless subtest 'checking -token_in and -token_out options with -reply' => sub { | |
171 | my $RESPONSE2="resp2.tsr.copy.tsr"; | |
172 | my $TOKEN_DER="resp2.tsr.token.der"; | |
173 | ||
c89fd035 | 174 | ok(run(app([@REPLY, "-in", "resp2.tsr", |
1c73c3bc | 175 | "-out", "$TOKEN_DER", "-token_out"]))); |
c89fd035 | 176 | ok(run(app([@REPLY, "-in", "$TOKEN_DER", |
1c73c3bc RL |
177 | "-token_in", "-out", "$RESPONSE2"]))); |
178 | is(compare($RESPONSE2, "resp2.tsr"), 0); | |
c89fd035 | 179 | ok(run(app([@REPLY, "-in", "resp2.tsr", |
1c73c3bc | 180 | "-text", "-token_out"]))); |
c89fd035 | 181 | ok(run(app([@REPLY, "-in", "$TOKEN_DER", |
1c73c3bc | 182 | "-token_in", "-text", "-token_out"]))); |
c89fd035 | 183 | ok(run(app([@REPLY, "-queryfile", "req2.tsq", |
1c73c3bc RL |
184 | "-text", "-token_out"]))); |
185 | }; | |
186 | ||
c89fd035 | 187 | ok(run(app([@REPLY, "-in", "resp2.tsr", "-text"])), |
1c73c3bc RL |
188 | 'printing response'); |
189 | ||
6b937ae3 DDO |
190 | subtest 'verifying valid resp1, wrong untrusted is not used' => sub { |
191 | verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert2.pem") | |
192 | }; | |
193 | ||
194 | subtest 'verifying invalid resp1 with wrong 2nd certid' => sub { | |
195 | verify_fail($testtsa, "req1.tsq", "resp1_invalid.tsr", "tsa_cert2.pem") | |
1c73c3bc RL |
196 | }; |
197 | ||
6b937ae3 DDO |
198 | subtest 'verifying valid resp2, correct untrusted being used' => sub { |
199 | verify_ok($testtsa, "req2.tsq", "resp2.tsr", "tsa_cert1.pem") | |
1c73c3bc RL |
200 | }; |
201 | ||
6b937ae3 DDO |
202 | subtest 'verifying resp2 against wrong req1 should fail' => sub { |
203 | verify_fail("req1.tsq", "resp2.tsr", "tsa_cert1.pem", "tsaca.pem") | |
204 | }; | |
205 | ||
206 | subtest 'verifying resp1 against wrong req2 should fail' => sub { | |
207 | verify_fail("req2.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem") | |
208 | }; | |
209 | ||
210 | subtest 'verifying resp1 using wrong untrusted should fail' => sub { | |
211 | verify_fail("req2.tsq", "resp2.tsr", "tsa_cert2.pem", "tsaca.pem") | |
212 | }; | |
213 | ||
214 | subtest 'verifying resp1 using wrong root should fail' => sub { | |
215 | verify_fail("req1.tsq", "resp1.tsr", "tsa_cert1.pem", "tsa_cert1.pem") | |
1c73c3bc RL |
216 | }; |
217 | ||
218 | skip "failure", 2 | |
c89fd035 | 219 | unless ok(run(app([@QUERY, "-data", $CAtsa, |
1c73c3bc RL |
220 | "-no_nonce", "-out", "req3.tsq"])), |
221 | "creating req3.req time stamp request for file CAtsa.cnf"); | |
222 | ||
c89fd035 | 223 | ok(run(app([@QUERY, "-in", "req3.tsq", "-text"])), |
1c73c3bc RL |
224 | 'printing req3.req'); |
225 | ||
6b937ae3 DDO |
226 | subtest 'verifying resp1 against wrong req3 should fail' => sub { |
227 | verify_fail("req3.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem") | |
1c73c3bc | 228 | }; |
88b8a527 | 229 | } |
6b937ae3 DDO |
230 | |
231 | # verifying response with two ESSCertIDs, referring to leaf cert | |
232 | # "sectigo-signer.pem" and intermediate cert "sectigo-time-stamping-ca.pem" | |
233 | # 1. validation chain contains these certs and root "user-trust-ca.pem" | |
234 | ok(run(app([@VERIFY, "-no_check_time", | |
235 | "-queryfile", data_file("all-zero.tsq"), | |
236 | "-in", data_file("sectigo-all-zero.tsr"), | |
237 | "-CAfile", data_file("user-trust-ca.pem")])), | |
238 | "validation with two ESSCertIDs and 3-element chain"); | |
239 | # 2. validation chain contains these certs, a cross-cert, and different root | |
240 | ok(run(app([@VERIFY, "-no_check_time", | |
241 | "-queryfile", data_file("all-zero.tsq"), | |
242 | "-in", data_file("sectigo-all-zero.tsr"), | |
243 | "-untrusted", data_file("user-trust-ca-aaa.pem"), | |
244 | "-CAfile", data_file("comodo-aaa.pem")])), | |
245 | "validation with two ESSCertIDs and 4-element chain"); | |
246 | ||
1c73c3bc | 247 | }, create => 1, cleanup => 1 |