1 | #! /usr/bin/perl |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use POSIX; | |
7 | use File::Spec::Functions qw/splitdir curdir catfile/; | |
8 | use File::Compare; | |
9 | use OpenSSL::Test qw/:DEFAULT cmdstr top_file/; |
10 | ||
setup("test_tsa");

# Paths of the two files that get time-stamped (see the -data arguments
# of the ts -query calls below). They are assigned inside the indir block
# at the bottom, but have to be declared at file scope so that every
# subroutine can see them.
my ($testtsa, $CAtsa);
17 | ||
# Create the self-signed CA (tsaca.pem / tsacakey.pem) that signs the TSA
# certificates. The DN section name is handed to the config file through
# TSDNSECT (presumably referenced as ${ENV::TSDNSECT} in CAtsa.cnf).
# Returns the result of the ok() check.
sub create_ca {
    $ENV{TSDNSECT} = "ts_ca_dn";

    # -x509 makes the certificate self-signed; -nodes leaves the private
    # key unencrypted, which is acceptable only because this is a
    # throw-away fixture in a scratch directory.
    my @req_cmd = ("openssl", "req", "-new", "-x509", "-nodes",
                   "-out", "tsaca.pem", "-keyout", "tsacakey.pem");
    return ok(run(app(\@req_cmd)),
              'creating a new CA for the TSA tests');
}
25 | ||
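# Generate a key + CSR and have the test CA sign it.
#   $INDEX - suffix used for tsa_req<INDEX>.pem, tsa_key<INDEX>.pem and
#            tsa_cert<INDEX>.pem
#   $EXT   - name of the extensions section in $ENV{OPENSSL_CONF} applied
#            at signing time ("tsa_cert" for the real TSA signer,
#            "non_tsa_cert" for the control certificate, see the callers)
# Returns true only when both the CSR generation and the signing passed.
# Each step now carries its own description so a failure in the subtest
# output says which of the two openssl invocations broke.
# Assumes $ENV{OPENSSL_CONF} has been set by the caller (the indir block
# below does so); an unset value would be passed to -extfile as undef.
sub create_tsa_cert {
    my ($INDEX, $EXT) = @_;
    $ENV{TSDNSECT} = "ts_ca_dn";

    my $req_ok = ok(run(app(["openssl", "req", "-new",
                             "-out", "tsa_req${INDEX}.pem",
                             "-keyout", "tsa_key${INDEX}.pem"])),
                    "creating key and CSR for tsa_cert${INDEX}.pem");

    note "using extension $EXT";
    # -CAcreateserial creates the CA's serial file on first use. The
    # extensions come from section $EXT of the same config file that
    # drives the CA; they are presumably what distinguishes a usable TSA
    # signer from the non-TSA control certificate (verify in CAtsa.cnf).
    my $cert_ok = ok(run(app(["openssl", "x509", "-req",
                              "-in", "tsa_req${INDEX}.pem",
                              "-out", "tsa_cert${INDEX}.pem",
                              "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
                              "-CAcreateserial",
                              "-extfile", $ENV{OPENSSL_CONF},
                              "-extensions", $EXT])),
                     "signing tsa_cert${INDEX}.pem with extensions '$EXT'");

    return $req_ok && $cert_ok;
}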
44 | ||
# Dump the time-stamp query $input in text form. This only checks that
# the ts app accepts and can parse the file; the output is not inspected.
sub print_request {
    my ($input) = @_;
    my @cmd = ("openssl", "ts", "-query", "-in", $input, "-text");
    return ok(run(app(\@cmd)));
}
49 | ||
# Build req1.tsq: a query for $testtsa under policy tsa_policy1, with the
# default (random) nonce and with -cert, i.e. asking the TSA to include
# its signing certificate in the response.
sub create_time_stamp_request1 {
    my @query_cmd = ("openssl", "ts", "-query",
                     "-data", $testtsa,
                     "-policy", "tsa_policy1",
                     "-cert",
                     "-out", "req1.tsq");
    return ok(run(app(\@query_cmd)));
}
54 | ||
# Build req2.tsq: a query for the same $testtsa file under tsa_policy2,
# but with -no_nonce. Without a nonce the response can only be tied to
# the request through the message imprint, which is the variant the
# "wrong request" checks below exercise.
sub create_time_stamp_request2 {
    my @query_cmd = ("openssl", "ts", "-query",
                     "-data", $testtsa,
                     "-policy", "tsa_policy2",
                     "-no_nonce",
                     "-out", "req2.tsq");
    return ok(run(app(\@query_cmd)));
}
60 | ||
# Build req3.tsq: a nonce-less query for a different file ($CAtsa, the
# config file itself) with no explicit policy. No response is ever
# generated for it; it only serves as the mismatching query in the last
# negative check, where its imprint differs from the one in resp1.tsr.
sub create_time_stamp_request3 {
    my @query_cmd = ("openssl", "ts", "-query",
                     "-data", $CAtsa,
                     "-no_nonce",
                     "-out", "req3.tsq");
    return ok(run(app(\@query_cmd)));
}
66 | ||
# Dump the time-stamp response $inputfile in text form; as with
# print_request, only the exit status is checked.
sub print_response {
    my ($inputfile) = @_;
    my @cmd = ("openssl", "ts", "-reply", "-in", $inputfile, "-text");
    return ok(run(app(\@cmd)));
}
73 | ||
# Act as the TSA: answer the query in $queryfile and write the response
# to $outputfile. The third argument is NOT a data file despite the
# callers' positional use; it names the TSA section of OPENSSL_CONF
# (e.g. "tsa_config1") that selects the signing cert, key and policies.
sub create_time_stamp_response {
    my ($queryfile, $outputfile, $section) = @_;

    my @reply_cmd = ("openssl", "ts", "-reply",
                     "-section", $section,
                     "-queryfile", $queryfile,
                     "-out", $outputfile);
    return ok(run(app(\@reply_cmd)));
}
82 | ||
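# Exercise -token_in / -token_out: extract the bare token from the
# response $inputfile, wrap it back into a response and require the
# result to be byte-identical to the original; then make sure the -text
# dumps of the response, of the DER token, and of a freshly generated
# token for $queryfile all succeed.
#   $queryfile - the query matching $inputfile
#   $inputfile - a previously generated response (.tsr)
# Every check now carries a description so the subtest output identifies
# the failing step instead of printing a bare "not ok N".
sub time_stamp_response_token_test {
    my ($queryfile, $inputfile) = @_;
    my $response_copy = "$inputfile.copy.tsr";
    my $token_der     = "$inputfile.token.der";

    ok(run(app(["openssl", "ts", "-reply", "-in", $inputfile,
                "-out", $token_der, "-token_out"])),
       "extracting the token from $inputfile");
    ok(run(app(["openssl", "ts", "-reply", "-in", $token_der, "-token_in",
                "-out", $response_copy])),
       "re-wrapping the DER token into a response");
    # File::Compare::compare returns 0 when equal, 1 when different and
    # -1 on an I/O error, so testing for exactly 0 also catches a missing
    # or unreadable file rather than silently passing.
    is(compare($response_copy, $inputfile), 0,
       "re-wrapped response is identical to $inputfile");
    ok(run(app(["openssl", "ts", "-reply", "-in", $inputfile,
                "-text", "-token_out"])),
       "printing the token contained in $inputfile");
    ok(run(app(["openssl", "ts", "-reply", "-in", $token_der, "-token_in",
                "-text", "-token_out"])),
       "printing the token read from $token_der");
    ok(run(app(["openssl", "ts", "-reply", "-queryfile", $queryfile,
                "-text", "-token_out"])),
       "generating and printing a new token for $queryfile");
}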
96 | ||
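# Verify the response $inputfile twice: once against the original query
# $queryfile and once against the data file $datafile (the imprint is
# recomputed from the file). The trust anchor is the test CA (-CAfile),
# and the TSA signer certificate is supplied as -untrusted, so the check
# also exercises chain building from tsa_cert1.pem up to tsaca.pem.
# Both checks are described individually so a failure names the variant.
sub verify_time_stamp_response {
    my ($queryfile, $inputfile, $datafile) = @_;

    my @trust = ("-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem");

    ok(run(app(["openssl", "ts", "-verify",
                "-queryfile", $queryfile, "-in", $inputfile, @trust])),
       "verifying $inputfile against query $queryfile");
    ok(run(app(["openssl", "ts", "-verify",
                "-data", $datafile, "-in", $inputfile, @trust])),
       "verifying $inputfile against the data file");
}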
105 | ||
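# Same two verifications as verify_time_stamp_response, but performed on
# the bare token (-token_in) extracted from the response $inputfile into
# "$inputfile.token" first. Trust setup is identical: tsaca.pem is the
# anchor, tsa_cert1.pem is offered as an untrusted intermediate/signer.
# Each step is described so the subtest output names the failing one.
sub verify_time_stamp_token {
    my ($queryfile, $inputfile, $datafile) = @_;

    my $tokenfile = "$inputfile.token";
    my @trust = ("-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem");

    # create the token from the response first
    ok(run(app(["openssl", "ts", "-reply", "-in", $inputfile,
                "-out", $tokenfile, "-token_out"])),
       "extracting the token from $inputfile");
    ok(run(app(["openssl", "ts", "-verify",
                "-queryfile", $queryfile, "-in", $tokenfile, "-token_in",
                @trust])),
       "verifying token $tokenfile against query $queryfile");
    ok(run(app(["openssl", "ts", "-verify",
                "-data", $datafile, "-in", $tokenfile, "-token_in",
                @trust])),
       "verifying token $tokenfile against the data file");
}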
116 | ||
# Negative check: verifying $inputfile against $queryfile must fail. The
# callers pair a response with a query it was not issued for, so the
# expected reason is a nonce / message-imprint mismatch.
# NOTE(review): any non-zero exit status satisfies this check, so a
# missing file or a broken CA chain would also "pass"; the positive
# verifications earlier in the run are what give this test its meaning.
sub verify_time_stamp_response_fail {
    my ($queryfile, $inputfile) = @_;

    my $verified = run(app(["openssl", "ts", "-verify",
                            "-queryfile", $queryfile,
                            "-in", $inputfile,
                            "-CAfile", "tsaca.pem",
                            "-untrusted", "tsa_cert1.pem"]));
    return ok(!$verified);
}
123 | ||
# Main test sequence. Everything runs inside a scratch "tsa" directory
# (created on entry, removed afterwards), so the relative file names used
# by the helpers above all resolve there.
indir "tsa" => sub {

    # CAtsa.cnf drives every openssl invocation (DN, extension and TSA
    # sections) and doubles as the second file that gets time-stamped.
    my $conf = top_file("test", "CAtsa.cnf");
    $ENV{OPENSSL_CONF} = $conf;
    # Because that's what ../apps/CA.pl really looks at
    $ENV{SSLEAY_CONFIG} = "-config " . $conf;
    # Presumably for the same reason: the command string for the openssl
    # binary under test.
    $ENV{OPENSSL} = cmdstr(app(["openssl"]));
    $testtsa = top_file("test", "recipes", "80-test_tsa.t");
    $CAtsa = $conf;

    my $total = 20;
    plan tests => $total;

    SKIP: {
        # The first four steps produce the fixtures everything else needs;
        # when one of them fails the remaining tests are skipped instead of
        # being reported as a cascade of unrelated failures.
        skip "failed", $total - 1
            if !subtest 'creating CA for TSA tests' => sub { create_ca };

        skip "failed", $total - 2
            if !subtest 'creating tsa_cert1.pem TSA server cert' => sub {
                create_tsa_cert("1", "tsa_cert")
            };

        # NOTE(review): tsa_cert2.pem is generated here but nothing later
        # in this recipe uses it, so a response signed with the non-TSA
        # certificate is never shown to be rejected.
        skip "failed", $total - 3
            if !subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
                create_tsa_cert("2", "non_tsa_cert")
            };

        skip "failed", $total - 4
            if !subtest 'creating req1.req time stamp request for file testtsa' => sub {
                create_time_stamp_request1()
            };

        # req1: with nonce and -cert, answered from section tsa_config1.
        subtest 'printing req1.req' => sub { print_request("req1.tsq") };

        subtest 'generating valid response for req1.req' => sub {
            create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
        };

        subtest 'printing response' => sub { print_response("resp1.tsr") };

        subtest 'verifying valid response' => sub {
            verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
        };

        subtest 'verifying valid token' => sub {
            verify_time_stamp_token("req1.tsq", "resp1.tsr", $testtsa)
        };

        # req2: same data file, no nonce, different policy.
        subtest 'creating req2.req time stamp request for file testtsa' => sub {
            create_time_stamp_request2()
        };

        subtest 'printing req2.req' => sub { print_request("req2.tsq") };

        subtest 'generating valid response for req2.req' => sub {
            create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
        };

        subtest 'checking -token_in and -token_out options with -reply' => sub {
            time_stamp_response_token_test("req2.tsq", "resp2.tsr")
        };

        subtest 'printing response' => sub { print_response("resp2.tsr") };

        subtest 'verifying valid response' => sub {
            verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
        };

        # Cross-checks: each response must be rejected against the other
        # request (req1 carries a nonce that resp2 does not answer; resp1
        # answers a nonce that req2 never sent).
        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
        };

        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
        };

        # req3: a query for a different file, only used as a mismatching
        # request for resp1.
        subtest 'creating req3.req time stamp request for file CAtsa.cnf' => sub {
            create_time_stamp_request3()
        };

        subtest 'printing req3.req' => sub { print_request("req3.tsq") };

        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
        };
    }
}, cleanup => 1, create => 1;