[thirdparty/openssl.git] / test / recipes / 80-test_tsa.t

#! /usr/bin/perl

use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/splitdir curdir catfile/;
use File::Compare;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
use OpenSSL::Test::Utils;

setup("test_tsa");

plan skip_all => "TS is not supported by this OpenSSL build"
    if disabled("ts");

# All these are modified inside indir further down. They need to exist
# here, however, to be available in all subroutines.
my $testtsa;
my $CAtsa;
my @RUN = ("openssl", "ts");

sub create_tsa_cert {
    my $INDEX = shift;
    my $EXT = shift;
    my $r = 1;
    $ENV{TSDNSECT} = "ts_cert_dn";

    ok(run(app(["openssl", "req", "-new",
                "-out", "tsa_req${INDEX}.pem",
                "-keyout", "tsa_key${INDEX}.pem"])));
    note "using extension $EXT";
    ok(run(app(["openssl", "x509", "-req",
                "-in", "tsa_req${INDEX}.pem",
                "-out", "tsa_cert${INDEX}.pem",
                "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
                "-CAcreateserial",
                "-extfile", $ENV{OPENSSL_CONF}, "-extensions", $EXT])));
}

sub create_time_stamp_response {
    my $queryfile = shift;
    my $outputfile = shift;
    my $datafile = shift;

    ok(run(app([@RUN, "-reply", "-section", "$datafile",
                "-queryfile", "$queryfile", "-out", "$outputfile"])));
}

sub verify_time_stamp_response {
    my $queryfile = shift;
    my $inputfile = shift;
    my $datafile = shift;

    ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
                "-in", "$inputfile", "-CAfile", "tsaca.pem",
                "-untrusted", "tsa_cert1.pem"])));
    ok(run(app([@RUN, "-verify", "-data", "$datafile",
                "-in", "$inputfile", "-CAfile", "tsaca.pem",
                "-untrusted", "tsa_cert1.pem"])));
}

sub verify_time_stamp_response_fail {
    my $queryfile = shift;
    my $inputfile = shift;

    ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
                 "-untrusted", "tsa_cert1.pem"])));
}

# main functions

plan tests => 20;

note "setting up TSA test directory";
indir "tsa" => sub
{
    $ENV{OPENSSL_CONF} = srctop_file("test", "CAtsa.cnf");
    # Because that's what ../apps/CA.pl really looks at
    $ENV{OPENSSL_CONFIG} = "-config ".$ENV{OPENSSL_CONF};
    $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
    $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
    $CAtsa = srctop_file("test", "CAtsa.cnf");

 SKIP: {
     $ENV{TSDNSECT} = "ts_ca_dn";
     skip "failed", 19
         unless ok(run(app(["openssl", "req", "-new", "-x509", "-nodes",
                            "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
                   'creating a new CA for the TSA tests');

     skip "failed", 18
         unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
             create_tsa_cert("1", "tsa_cert")
     };

     skip "failed", 17
         unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
             create_tsa_cert("2", "non_tsa_cert")
     };

     skip "failed", 16
         unless ok(run(app([@RUN, "-query", "-data", $testtsa,
                            "-tspolicy", "tsa_policy1", "-cert",
                            "-out", "req1.tsq"])),
                   'creating req1.req time stamp request for file testtsa');

     ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
        'printing req1.req');

     subtest 'generating valid response for req1.req' => sub {
         create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
     };

     ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
        'printing response');

     subtest 'verifying valid response' => sub {
         verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
     };

     skip "failed", 11
         unless subtest 'verifying valid token' => sub {
             ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
                         "-out", "resp1.tsr.token", "-token_out"])));
             ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
                         "-in", "resp1.tsr.token", "-token_in",
                         "-CAfile", "tsaca.pem",
                         "-untrusted", "tsa_cert1.pem"])));
             ok(run(app([@RUN, "-verify", "-data", $testtsa,
                         "-in", "resp1.tsr.token", "-token_in",
                         "-CAfile", "tsaca.pem",
                         "-untrusted", "tsa_cert1.pem"])));
     };

     skip "failed", 10
         unless ok(run(app([@RUN, "-query", "-data", $testtsa,
                            "-tspolicy", "tsa_policy2", "-no_nonce",
                            "-out", "req2.tsq"])),
                   'creating req2.req time stamp request for file testtsa');

     ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
        'printing req2.req');

     skip "failed", 8
         unless subtest 'generating valid response for req2.req' => sub {
             create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
     };

     skip "failed", 7
         unless subtest 'checking -token_in and -token_out options with -reply' => sub {
             my $RESPONSE2="resp2.tsr.copy.tsr";
             my $TOKEN_DER="resp2.tsr.token.der";

             ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
                         "-out", "$TOKEN_DER", "-token_out"])));
             ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
                         "-token_in", "-out", "$RESPONSE2"])));
             is(compare($RESPONSE2, "resp2.tsr"), 0);
             ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
                         "-text", "-token_out"])));
             ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
                         "-token_in", "-text", "-token_out"])));
             ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
                         "-text", "-token_out"])));
     };

     ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
        'printing response');

     subtest 'verifying valid response' => sub {
         verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
     };

     subtest 'verifying response against wrong request, it should fail' => sub {
         verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
     };

     subtest 'verifying response against wrong request, it should fail' => sub {
         verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
     };

     skip "failure", 2
         unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
                            "-no_nonce", "-out", "req3.tsq"])),
                   "creating req3.req time stamp request for file CAtsa.cnf");

     ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
        'printing req3.req');

     subtest 'verifying response against wrong request, it should fail' => sub {
         verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
     };
    }
}, create => 1, cleanup => 1
Commit	Line	Data
88b8a527 RL	1	#! /usr/bin/perl
	2
	3	use strict;
	4	use warnings;
	5
	6	use POSIX;
	7	use File::Spec::Functions qw/splitdir curdir catfile/;
	8	use File::Compare;
42e0ccdf	9	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
bec5e4ae	10	use OpenSSL::Test::Utils;
88b8a527 RL	11
	12	setup("test_tsa");
	13
bec5e4ae RL	14	plan skip_all => "TS is not supported by this OpenSSL build"
	15	if disabled("ts");
	16
88b8a527 RL	17	# All these are modified inside indir further down. They need to exist
	18	# here, however, to be available in all subroutines.
	19	my $testtsa;
	20	my $CAtsa;
1c73c3bc	21	my @RUN = ("openssl", "ts");
88b8a527 RL	22
	23	sub create_tsa_cert {
	24	my $INDEX = shift;
	25	my $EXT = shift;
	26	my $r = 1;
1c73c3bc	27	$ENV{TSDNSECT} = "ts_cert_dn";
88b8a527	28
1c73c3bc RL	29	ok(run(app(["openssl", "req", "-new",
	30	"-out", "tsa_req${INDEX}.pem",
	31	"-keyout", "tsa_key${INDEX}.pem"])));
88b8a527	32	note "using extension $EXT";
1c73c3bc RL	33	ok(run(app(["openssl", "x509", "-req",
	34	"-in", "tsa_req${INDEX}.pem",
	35	"-out", "tsa_cert${INDEX}.pem",
	36	"-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
	37	"-CAcreateserial",
	38	"-extfile", $ENV{OPENSSL_CONF}, "-extensions", $EXT])));
88b8a527 RL	39	}
	40
	41	sub create_time_stamp_response {
	42	my $queryfile = shift;
	43	my $outputfile = shift;
	44	my $datafile = shift;
	45
1c73c3bc RL	46	ok(run(app([@RUN, "-reply", "-section", "$datafile",
1c73c3bc RL	47	"-queryfile", "$queryfile", "-out", "$outputfile"])));
88b8a527 RL	48	}
	49
	50	sub verify_time_stamp_response {
	51	my $queryfile = shift;
	52	my $inputfile = shift;
	53	my $datafile = shift;
	54
1c73c3bc RL	55	ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
	56	"-in", "$inputfile", "-CAfile", "tsaca.pem",
	57	"-untrusted", "tsa_cert1.pem"])));
	58	ok(run(app([@RUN, "-verify", "-data", "$datafile",
	59	"-in", "$inputfile", "-CAfile", "tsaca.pem",
	60	"-untrusted", "tsa_cert1.pem"])));
88b8a527 RL	61	}
	62
	63	sub verify_time_stamp_response_fail {
	64	my $queryfile = shift;
	65	my $inputfile = shift;
	66
1c73c3bc RL	67	ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
	68	"-in", "$inputfile", "-CAfile", "tsaca.pem",
	69	"-untrusted", "tsa_cert1.pem"])));
88b8a527 RL	70	}
	71
	72	# main functions
	73
1c73c3bc	74	plan tests => 20;
88b8a527	75
1c73c3bc RL	76	note "setting up TSA test directory";
	77	indir "tsa" => sub
	78	{
42e0ccdf	79	$ENV{OPENSSL_CONF} = srctop_file("test", "CAtsa.cnf");
88b8a527	80	# Because that's what ../apps/CA.pl really looks at
b0700d2c	81	$ENV{OPENSSL_CONFIG} = "-config ".$ENV{OPENSSL_CONF};
25c78440	82	$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
42e0ccdf RL	83	$testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
42e0ccdf RL	84	$CAtsa = srctop_file("test", "CAtsa.cnf");
88b8a527	85
1c73c3bc RL	86	SKIP: {
	87	$ENV{TSDNSECT} = "ts_ca_dn";
	88	skip "failed", 19
	89	unless ok(run(app(["openssl", "req", "-new", "-x509", "-nodes",
	90	"-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
	91	'creating a new CA for the TSA tests');
	92
	93	skip "failed", 18
	94	unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
	95	create_tsa_cert("1", "tsa_cert")
	96	};
	97
	98	skip "failed", 17
	99	unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
	100	create_tsa_cert("2", "non_tsa_cert")
	101	};
	102
	103	skip "failed", 16
	104	unless ok(run(app([@RUN, "-query", "-data", $testtsa,
08538fc0	105	"-tspolicy", "tsa_policy1", "-cert",
1c73c3bc RL	106	"-out", "req1.tsq"])),
	107	'creating req1.req time stamp request for file testtsa');
	108
	109	ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
	110	'printing req1.req');
	111
	112	subtest 'generating valid response for req1.req' => sub {
	113	create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
	114	};
	115
	116	ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
	117	'printing response');
	118
	119	subtest 'verifying valid response' => sub {
	120	verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
	121	};
	122
	123	skip "failed", 11
	124	unless subtest 'verifying valid token' => sub {
	125	ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
	126	"-out", "resp1.tsr.token", "-token_out"])));
	127	ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
	128	"-in", "resp1.tsr.token", "-token_in",
	129	"-CAfile", "tsaca.pem",
	130	"-untrusted", "tsa_cert1.pem"])));
	131	ok(run(app([@RUN, "-verify", "-data", $testtsa,
	132	"-in", "resp1.tsr.token", "-token_in",
	133	"-CAfile", "tsaca.pem",
	134	"-untrusted", "tsa_cert1.pem"])));
	135	};
	136
	137	skip "failed", 10
	138	unless ok(run(app([@RUN, "-query", "-data", $testtsa,
08538fc0	139	"-tspolicy", "tsa_policy2", "-no_nonce",
1c73c3bc RL	140	"-out", "req2.tsq"])),
	141	'creating req2.req time stamp request for file testtsa');
	142
	143	ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
	144	'printing req2.req');
	145
	146	skip "failed", 8
	147	unless subtest 'generating valid response for req2.req' => sub {
	148	create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
	149	};
	150
	151	skip "failed", 7
	152	unless subtest 'checking -token_in and -token_out options with -reply' => sub {
	153	my $RESPONSE2="resp2.tsr.copy.tsr";
	154	my $TOKEN_DER="resp2.tsr.token.der";
	155
	156	ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
	157	"-out", "$TOKEN_DER", "-token_out"])));
	158	ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
	159	"-token_in", "-out", "$RESPONSE2"])));
	160	is(compare($RESPONSE2, "resp2.tsr"), 0);
	161	ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
	162	"-text", "-token_out"])));
	163	ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
	164	"-token_in", "-text", "-token_out"])));
	165	ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
	166	"-text", "-token_out"])));
	167	};
	168
	169	ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
	170	'printing response');
	171
	172	subtest 'verifying valid response' => sub {
	173	verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
	174	};
	175
	176	subtest 'verifying response against wrong request, it should fail' => sub {
	177	verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
	178	};
	179
	180	subtest 'verifying response against wrong request, it should fail' => sub {
	181	verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
	182	};
	183
	184	skip "failure", 2
	185	unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
	186	"-no_nonce", "-out", "req3.tsq"])),
	187	"creating req3.req time stamp request for file CAtsa.cnf");
	188
	189	ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
	190	'printing req3.req');
	191
	192	subtest 'verifying response against wrong request, it should fail' => sub {
	193	verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
	194	};
88b8a527	195	}
1c73c3bc	196	}, create => 1, cleanup => 1