]>
Commit | Line | Data |
---|---|---|
596d6b7e | 1 | #! /usr/bin/env perl |
33388b44 | 2 | # Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. |
596d6b7e | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
596d6b7e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
88b8a527 RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use POSIX; | |
e9fd82f6 | 14 | use File::Path 2.00 qw/rmtree/; |
64713cb1 | 15 | use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/; |
51f5930a | 16 | use OpenSSL::Test::Utils; |
64713cb1 | 17 | use Time::Local qw/timegm/; |
88b8a527 RL |
18 | |
19 | setup("test_ca"); | |
20 | ||
25c78440 | 21 | $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); |
4e6e57cf RS |
22 | |
23 | my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';; | |
24 | my $std_openssl_cnf = '"' | |
25 | . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf") | |
26 | . '"'; | |
88b8a527 | 27 | |
e9fd82f6 | 28 | rmtree("demoCA", { safe => 0 }); |
88b8a527 | 29 | |
64713cb1 | 30 | plan tests => 15; |
88b8a527 | 31 | SKIP: { |
4e6e57cf | 32 | $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; |
a4c5f859 | 33 | skip "failed creating CA structure", 4 |
7d9b2d53 | 34 | if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)), |
88b8a527 RL |
35 | 'creating CA structure'); |
36 | ||
4e6e57cf | 37 | $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; |
a4c5f859 | 38 | skip "failed creating new certificate request", 3 |
9d5aca65 | 39 | if !ok(run(perlapp(["CA.pl","-newreq", |
4e6e57cf | 40 | '-extra-req', '-outform DER -section userreq'])), |
32804b04 | 41 | 'creating certificate request'); |
4e6e57cf | 42 | $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf; |
a4c5f859 | 43 | skip "failed to sign certificate request", 2 |
4e6e57cf | 44 | if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0, |
88b8a527 RL |
45 | 'signing certificate request'); |
46 | ||
7d9b2d53 | 47 | ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])), |
32804b04 | 48 | 'verifying new certificate'); |
caee75d2 | 49 | |
51f5930a RL |
50 | skip "CT not configured, can't use -precert", 1 |
51 | if disabled("ct"); | |
52 | ||
4e6e57cf RS |
53 | $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; |
54 | ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)), | |
caee75d2 | 55 | 'creating new pre-certificate'); |
88b8a527 RL |
56 | } |
57 | ||
bc42bd62 PY |
58 | SKIP: { |
59 | skip "SM2 is not supported by this OpenSSL build", 1 | |
60 | if disabled("sm2"); | |
61 | ||
62 | is(yes(cmdstr(app(["openssl", "ca", "-config", | |
4e6e57cf | 63 | $cnf, |
bc42bd62 PY |
64 | "-in", srctop_file("test", "certs", "sm2-csr.pem"), |
65 | "-out", "sm2-test.crt", | |
fda127be RL |
66 | "-sigopt", "distid:1234567812345678", |
67 | "-vfyopt", "distid:1234567812345678", | |
bc42bd62 PY |
68 | "-md", "sm3", |
69 | "-cert", srctop_file("test", "certs", "sm2-root.crt"), | |
70 | "-keyfile", srctop_file("test", "certs", "sm2-root.key")]))), | |
71 | 0, | |
72 | "Signing SM2 certificate request"); | |
73 | } | |
88b8a527 | 74 | |
64713cb1 CN |
75 | test_revoke('notimes', { |
76 | should_succeed => 1, | |
77 | }); | |
78 | test_revoke('lastupdate_invalid', { | |
79 | lastupdate => '1234567890', | |
80 | should_succeed => 0, | |
81 | }); | |
82 | test_revoke('lastupdate_utctime', { | |
83 | lastupdate => '200901123456Z', | |
84 | should_succeed => 1, | |
85 | }); | |
86 | test_revoke('lastupdate_generalizedtime', { | |
87 | lastupdate => '20990901123456Z', | |
88 | should_succeed => 1, | |
89 | }); | |
90 | test_revoke('nextupdate_invalid', { | |
91 | nextupdate => '1234567890', | |
92 | should_succeed => 0, | |
93 | }); | |
94 | test_revoke('nextupdate_utctime', { | |
95 | nextupdate => '200901123456Z', | |
96 | should_succeed => 1, | |
97 | }); | |
98 | test_revoke('nextupdate_generalizedtime', { | |
99 | nextupdate => '20990901123456Z', | |
100 | should_succeed => 1, | |
101 | }); | |
102 | test_revoke('both_utctime', { | |
103 | lastupdate => '200901123456Z', | |
104 | nextupdate => '200908123456Z', | |
105 | should_succeed => 1, | |
106 | }); | |
107 | test_revoke('both_generalizedtime', { | |
108 | lastupdate => '20990901123456Z', | |
109 | nextupdate => '20990908123456Z', | |
110 | should_succeed => 1, | |
111 | }); | |
112 | ||
113 | sub test_revoke { | |
114 | my ($filename, $opts) = @_; | |
115 | ||
116 | # Before Perl 5.12.0, the range of times Perl could represent was limited by | |
117 | # the size of time_t, so Time::Local was hamstrung by the Y2038 problem - | |
118 | # Perl 5.12.0 onwards use an internal time implementation with a guaranteed | |
119 | # >32-bit time range on all architectures, so the tests involving post-2038 | |
120 | # times won't fail provided we're running under that version or newer | |
121 | if ($] < 5.012000) { | |
122 | plan skip_all => 'Perl >= 5.12.0 required to run certificate revocation tests'; | |
123 | } | |
124 | ||
125 | subtest "Revoke certificate and generate CRL: $filename" => sub { | |
126 | $ENV{CN2} = $filename; | |
127 | ok( | |
128 | run(app(['openssl', | |
129 | 'req', | |
130 | '-config', $cnf, | |
131 | '-new', | |
132 | '-key', data_file('revoked.key'), | |
133 | '-out', "$filename-req.pem", | |
134 | '-section', 'userreq', | |
135 | ])), | |
136 | 'Generate CSR' | |
137 | ); | |
138 | delete $ENV{CN2}; | |
139 | ||
140 | ok( | |
141 | run(app(['openssl', | |
142 | 'ca', | |
143 | '-batch', | |
144 | '-config', $cnf, | |
145 | '-in', "$filename-req.pem", | |
146 | '-out', "$filename-cert.pem", | |
147 | ])), | |
148 | 'Sign CSR' | |
149 | ); | |
150 | ||
151 | ok( | |
152 | run(app(['openssl', | |
153 | 'ca', | |
154 | '-config', $cnf, | |
155 | '-revoke', "$filename-cert.pem", | |
156 | ])), | |
157 | 'Revoke certificate' | |
158 | ); | |
159 | ||
160 | my @gencrl_opts; | |
161 | ||
162 | if (exists $opts->{lastupdate}) { | |
163 | push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate}; | |
164 | } | |
165 | ||
166 | if (exists $opts->{nextupdate}) { | |
167 | push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate}; | |
168 | } | |
169 | ||
170 | is( | |
171 | run(app(['openssl', | |
172 | 'ca', | |
173 | '-config', $cnf, | |
174 | '-gencrl', | |
175 | '-out', "$filename-crl.pem", | |
176 | '-crlsec', '60', | |
177 | @gencrl_opts, | |
178 | ])), | |
179 | $opts->{should_succeed}, | |
180 | 'Generate CRL' | |
181 | ); | |
182 | my $crl_gentime = time; | |
183 | ||
184 | # The following tests only need to run if the CRL was supposed to be | |
185 | # generated: | |
186 | return unless $opts->{should_succeed}; | |
187 | ||
188 | my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate'); | |
189 | if (exists $opts->{lastupdate}) { | |
190 | is( | |
191 | $crl_lastupdate, | |
192 | rfc5280_time($opts->{lastupdate}), | |
193 | 'CRL lastUpdate field has expected value' | |
194 | ); | |
195 | } else { | |
196 | diag("CRL lastUpdate: $crl_lastupdate"); | |
197 | diag("openssl run time: $crl_gentime"); | |
198 | ok( | |
199 | # Is the CRL's lastUpdate time within a second of the time that | |
200 | # `openssl ca -gencrl` was executed? | |
201 | $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1, | |
202 | 'CRL lastUpdate field has (roughly) expected value' | |
203 | ); | |
204 | } | |
205 | ||
206 | my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate'); | |
207 | if (exists $opts->{nextupdate}) { | |
208 | is( | |
209 | $crl_nextupdate, | |
210 | rfc5280_time($opts->{nextupdate}), | |
211 | 'CRL nextUpdate field has expected value' | |
212 | ); | |
213 | } else { | |
214 | diag("CRL nextUpdate: $crl_nextupdate"); | |
215 | diag("openssl run time: $crl_gentime"); | |
216 | ok( | |
217 | # Is the CRL's lastUpdate time within a second of the time that | |
218 | # `openssl ca -gencrl` was executed, taking into account the use | |
219 | # of '-crlsec 60'? | |
220 | $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61, | |
221 | 'CRL nextUpdate field has (roughly) expected value' | |
222 | ); | |
223 | } | |
224 | }; | |
225 | } | |
226 | ||
88b8a527 | 227 | sub yes { |
4034c38b | 228 | my $cntr = 10; |
88b8a527 RL |
229 | open(PIPE, "|-", join(" ",@_)); |
230 | local $SIG{PIPE} = "IGNORE"; | |
4034c38b | 231 | 1 while $cntr-- > 0 && print PIPE "y\n"; |
88b8a527 RL |
232 | close PIPE; |
233 | return 0; | |
234 | } | |
42e0ccdf | 235 | |
64713cb1 CN |
236 | # Get the value of the lastUpdate or nextUpdate field from a CRL |
237 | sub crl_field { | |
238 | my ($crl_path, $field_name) = @_; | |
239 | ||
240 | my @out = run( | |
241 | app(['openssl', | |
242 | 'crl', | |
243 | '-in', $crl_path, | |
244 | '-noout', | |
245 | '-' . lc($field_name), | |
246 | ]), | |
247 | capture => 1, | |
248 | statusvar => \my $exit, | |
249 | ); | |
250 | ok($exit, "CRL $field_name field retrieved"); | |
251 | diag("CRL $field_name: $out[0]"); | |
252 | ||
253 | $out[0] =~ s/^\Q$field_name\E=//; | |
254 | $out[0] =~ s/\n?//; | |
255 | my $time = human_time($out[0]); | |
256 | ||
257 | return $time; | |
258 | } | |
259 | ||
260 | # Converts human-readable ASN1_TIME_print() output to Unix time | |
261 | sub human_time { | |
262 | my ($human) = @_; | |
263 | ||
264 | my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/; | |
265 | ||
266 | my %months = ( | |
267 | Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5, | |
268 | Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11, | |
269 | ); | |
270 | ||
271 | return timegm($s, $m, $h, $d, $months{$mo}, $y); | |
272 | } | |
273 | ||
274 | # Converts an RFC 5280 timestamp to Unix time | |
275 | sub rfc5280_time { | |
276 | my ($asn1) = @_; | |
277 | ||
278 | my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/; | |
279 | ||
280 | return timegm($s, $m, $h, $d, $mo - 1, $y); | |
281 | } |