1 | #! /usr/bin/perl |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use POSIX; | |
7 | use File::Spec::Functions qw/splitdir curdir catfile/; | |
8 | use File::Compare; | |
fb921436 | 9 | use Test::More 0.96; |
10 | use OpenSSL::Test qw/:DEFAULT cmdstr top_file/; |
11 | ||
setup("test_tsa");

# All these are modified inside indir further down. They need to exist
# here, however, to be available in all subroutines.
#   $testtsa - path of the file that req1/req2 ask a time stamp for (this
#              very recipe, 80-test_tsa.t, assigned in the indir block).
#   $CAtsa   - path of test/CAtsa.cnf; used as the data file for req3 and,
#              via OPENSSL_CONF, as the config all openssl commands read.
my $testtsa;
my $CAtsa;
18 | ||
# Create the self-signed, unencrypted (-nodes) CA that issues every other
# certificate in this recipe.  Writes tsaca.pem and tsacakey.pem into the
# current directory.  TSDNSECT is exported for "openssl req"; presumably the
# DN section of CAtsa.cnf is selected through it - confirm in the config.
sub create_ca {
    $ENV{TSDNSECT} = "ts_ca_dn";

    my @req_cmd = ("openssl", "req", "-new", "-x509", "-nodes",
                   "-out", "tsaca.pem", "-keyout", "tsacakey.pem");

    return ok(run(app([@req_cmd])), 'creating a new CA for the TSA tests');
}
26 | ||
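# Issue one test certificate signed by the CA made in create_ca().
#
#   $INDEX  suffix for the generated files: tsa_req$INDEX.pem (request),
#           tsa_key$INDEX.pem (private key), tsa_cert$INDEX.pem (cert).
#   $EXT    name of the extension section in $ENV{OPENSSL_CONF} that is
#           copied into the certificate; this file uses "tsa_cert" and
#           "non_tsa_cert".
#
# Returns 1 only if both steps (request generation, CA signing) passed.
# Both ok() calls carry a description so a failure is attributable in TAP.
sub create_tsa_cert {
    my ($INDEX, $EXT) = @_;
    my $req_file  = "tsa_req${INDEX}.pem";
    my $key_file  = "tsa_key${INDEX}.pem";
    my $cert_file = "tsa_cert${INDEX}.pem";
    my $all_ok    = 1;

    $ENV{TSDNSECT} = "ts_ca_dn";

    $all_ok = 0
        unless ok(run(app(["openssl", "req", "-new",
                           "-out", $req_file,
                           "-keyout", $key_file])),
                  "creating certificate request $req_file");

    note "using extension $EXT";
    # The extensions are taken from the config section named by $EXT, not
    # from the request, so $EXT alone decides whether this becomes a usable
    # TSA certificate or a deliberately unsuitable one.
    $all_ok = 0
        unless ok(run(app(["openssl", "x509", "-req",
                           "-in", $req_file,
                           "-out", $cert_file,
                           "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
                           "-CAcreateserial",
                           "-extfile", $ENV{OPENSSL_CONF},
                           "-extensions", $EXT])),
                  "signing $cert_file with the test CA using section $EXT");

    return $all_ok;
}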
45 | ||
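# Print the time stamp query $input in text form.  The assertion only
# establishes that "openssl ts -query -text" accepts the file; the output
# itself is not inspected.
sub print_request {
    my ($input) = @_;

    return ok(run(app(["openssl", "ts", "-query", "-in", $input, "-text"])),
              "parsing and printing time stamp request $input");
}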
50 | ||
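# Common body of the three request builders: run "openssl ts -query" over
# $datafile, pass @extra (policy / nonce / cert options) through verbatim in
# the same position the original one-liners used, and write $outfile.
sub _create_time_stamp_request {
    my ($datafile, $outfile, @extra) = @_;

    return ok(run(app(["openssl", "ts", "-query",
                       "-data", $datafile, @extra,
                       "-out", $outfile])),
              "creating time stamp request $outfile for $datafile");
}

# req1.tsq: policy tsa_policy1, default nonce, and -cert so the TSA is
# asked to include its certificate in the response.
sub create_time_stamp_request1 {
    return _create_time_stamp_request($testtsa, "req1.tsq",
                                      "-policy", "tsa_policy1", "-cert");
}

# req2.tsq: policy tsa_policy2, explicitly without a nonce and without
# -cert (so the response must be verified with an -untrusted TSA cert).
sub create_time_stamp_request2 {
    return _create_time_stamp_request($testtsa, "req2.tsq",
                                      "-policy", "tsa_policy2", "-no_nonce");
}

# req3.tsq: no policy, no nonce, and over the config file rather than the
# recipe itself, so it cannot match any response issued for $testtsa.
sub create_time_stamp_request3 {
    return _create_time_stamp_request($CAtsa, "req3.tsq", "-no_nonce");
}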
67 | ||
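# Print the time stamp response $inputfile in text form.  As with
# print_request(), this only checks that the file parses.
sub print_response {
    my ($inputfile) = @_;

    return ok(run(app(["openssl", "ts", "-reply", "-in", $inputfile, "-text"])),
              "parsing and printing time stamp response $inputfile");
}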
74 | ||
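# Act as the TSA: answer $queryfile and write the response to $outputfile.
#
#   $queryfile   DER time stamp query to answer
#   $outputfile  where the DER response goes
#   $section     name of the TSA config section in $ENV{OPENSSL_CONF}
#                (callers pass "tsa_config1"); the third argument used to
#                be called $datafile, but it is never a data file.
sub create_time_stamp_response {
    my ($queryfile, $outputfile, $section) = @_;

    return ok(run(app(["openssl", "ts", "-reply",
                       "-section", $section,
                       "-queryfile", $queryfile,
                       "-out", $outputfile])),
              "generating response $outputfile for $queryfile (section $section)");
}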
83 | ||
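# Exercise -token_in / -token_out of "openssl ts -reply": extract the bare
# token from $inputfile, rebuild a full response from that token, and require
# the rebuilt response to be byte-identical to the original.  The remaining
# three commands only check that the -text printing paths accept their input.
# Side effects: creates $inputfile.token.der and $inputfile.copy.tsr.
sub time_stamp_response_token_test {
    my ($queryfile, $inputfile) = @_;
    my $response_copy = "$inputfile.copy.tsr";
    my $token_der     = "$inputfile.token.der";

    ok(run(app(["openssl", "ts", "-reply", "-in", $inputfile,
                "-out", $token_der, "-token_out"])),
       "extracting token from $inputfile into $token_der");
    ok(run(app(["openssl", "ts", "-reply", "-in", $token_der, "-token_in",
                "-out", $response_copy])),
       "rebuilding response $response_copy from $token_der");
    # File::Compare::compare returns 0 for identical files, 1 for different
    # ones and -1 on error, so is(..., 0) also fails if a file is missing.
    is(compare($response_copy, $inputfile), 0,
       "$response_copy is byte-identical to $inputfile");
    ok(run(app(["openssl", "ts", "-reply", "-in", $inputfile,
                "-text", "-token_out"])),
       "printing the token contained in $inputfile");
    ok(run(app(["openssl", "ts", "-reply", "-in", $token_der, "-token_in",
                "-text", "-token_out"])),
       "printing the bare token $token_der");
    ok(run(app(["openssl", "ts", "-reply", "-queryfile", $queryfile,
                "-text", "-token_out"])),
       "printing the token of a fresh response for $queryfile");
}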
97 | ||
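# Positive verification of the response $inputfile: once against the query
# it answers, once against the original data file.  Only tsaca.pem is
# trusted; tsa_cert1.pem is offered as an untrusted chain element, which is
# presumably needed for resp2.tsr whose query did not use -cert (the
# response then carries no signer certificate) - confirm.
sub verify_time_stamp_response {
    my ($queryfile, $inputfile, $datafile) = @_;
    my @trust = ("-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem");

    ok(run(app(["openssl", "ts", "-verify", "-queryfile", $queryfile,
                "-in", $inputfile, @trust])),
       "verifying $inputfile against query $queryfile");
    ok(run(app(["openssl", "ts", "-verify", "-data", $datafile,
                "-in", $inputfile, @trust])),
       "verifying $inputfile against data file $datafile");
}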
106 | ||
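# Same checks as verify_time_stamp_response(), but on the bare token
# (-token_in) extracted from $inputfile into "$inputfile.token".
# Trust setup is identical: tsaca.pem is the only trust anchor,
# tsa_cert1.pem is untrusted chain material.
sub verify_time_stamp_token {
    my ($queryfile, $inputfile, $datafile) = @_;
    my $token_file = "$inputfile.token";
    my @trust = ("-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem");

    # create the token from the response first
    ok(run(app(["openssl", "ts", "-reply", "-in", $inputfile,
                "-out", $token_file, "-token_out"])),
       "extracting token $token_file from $inputfile");
    ok(run(app(["openssl", "ts", "-verify", "-queryfile", $queryfile,
                "-in", $token_file, "-token_in", @trust])),
       "verifying token $token_file against query $queryfile");
    ok(run(app(["openssl", "ts", "-verify", "-data", $datafile,
                "-in", $token_file, "-token_in", @trust])),
       "verifying token $token_file against data file $datafile");
}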
117 | ||
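# Negative check: $inputfile must NOT verify against a query it was not
# issued for, with the same trust setup the positive checks use.  This is
# the only rejection path exercised in this file - a mismatched query; a
# wrong -data file, a wrong trust anchor or a response signed by the
# non-TSA certificate (tsa_cert2.pem) are not covered here.
sub verify_time_stamp_response_fail {
    my ($queryfile, $inputfile) = @_;

    ok(!run(app(["openssl", "ts", "-verify", "-queryfile", $queryfile,
                 "-in", $inputfile,
                 "-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem"])),
       "verification of $inputfile against mismatched query $queryfile is rejected");
}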
124 | ||
# Main test sequence.  Everything runs inside the scratch directory "tsa"
# (create => 1 / cleanup => 1 are handled by OpenSSL::Test::indir; presumably
# the directory is created beforehand and removed afterwards - confirm).
# The subtests depend on each other's output files, hence the fixed order
# and the SKIP block below.

indir "tsa" => sub {

    # Every "openssl" invocation reads its sections from this config.
    $ENV{OPENSSL_CONF} = top_file("test", "CAtsa.cnf");
    # Because that's what ../apps/CA.pl really looks at
    $ENV{SSLEAY_CONFIG} = "-config ".$ENV{OPENSSL_CONF};
    $ENV{OPENSSL} = cmdstr(app(["openssl"]));
    # Data files that get time-stamped: this recipe itself, and the config.
    $testtsa = top_file("test", "recipes", "80-test_tsa.t");
    $CAtsa = top_file("test", "CAtsa.cnf");

    # 20 subtests in total; each skip count below is the number of subtests
    # that remain after the one whose failure makes the rest pointless.
    plan tests => 20;

    SKIP: {
        skip "failed", 19
            if !subtest 'creating CA for TSA tests' => sub { create_ca };

        skip "failed", 18
            if !subtest 'creating tsa_cert1.pem TSA server cert' => sub {
                create_tsa_cert("1", "tsa_cert")
            };

        # NOTE(review): tsa_cert2.pem is created here but no later subtest
        # in this file references it, so the "non-TSA cert must be rejected"
        # case is not exercised by this recipe.
        skip "failed", 17
            if !subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
                create_tsa_cert("2", "non_tsa_cert")
            };

        skip "failed", 16
            if !subtest 'creating req1.req time stamp request for file testtsa' => sub {
                create_time_stamp_request1()
            };

        subtest 'printing req1.req' => sub {
            print_request("req1.tsq")
        };

        subtest 'generating valid response for req1.req' => sub {
            create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
        };

        subtest 'printing response' => sub {
            print_response("resp1.tsr")
        };

        subtest 'verifying valid response' => sub {
            verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
        };

        subtest 'verifying valid token' => sub {
            verify_time_stamp_token("req1.tsq", "resp1.tsr", $testtsa)
        };

        subtest 'creating req2.req time stamp request for file testtsa' => sub {
            create_time_stamp_request2()
        };

        subtest 'printing req2.req' => sub {
            print_request("req2.tsq")
        };

        subtest 'generating valid response for req2.req' => sub {
            create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
        };

        subtest 'checking -token_in and -token_out options with -reply' => sub {
            time_stamp_response_token_test("req2.tsq", "resp2.tsr")
        };

        subtest 'printing response' => sub {
            print_response("resp2.tsr")
        };

        subtest 'verifying valid response' => sub {
            verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
        };

        # Cross-checks: a response must only verify against its own query.
        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
        };

        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
        };

        # req3 is over a different data file, so no response in this run
        # can legitimately match it.
        subtest 'creating req3.req time stamp request for file CAtsa.cnf' => sub {
            create_time_stamp_request3()
        };

        subtest 'printing req3.req' => sub {
            print_request("req3.tsq")
        };

        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
        };
    }
}, cleanup => 1, create => 1;