#! /usr/bin/perl

use strict;
use warnings;

# NOTE(review): POSIX and the splitdir/curdir/catfile imports are not
# referenced anywhere in the code shown in this file.
use POSIX;
use File::Spec::Functions qw/splitdir curdir catfile/;
# Provides compare(), used to check that a re-wrapped token reproduces
# the original response byte for byte.
use File::Compare;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
use OpenSSL::Test::Utils;

setup("test_tsa");

plan skip_all => "TS is not supported by this OpenSSL build"
    if disabled("ts");

# All these are modified inside indir further down. They need to exist
# here, however, to be available in all subroutines.
#
#   $testtsa - path of a source file used as the "-data" input of the
#              time-stamp queries (this very recipe, see below)
#   $CAtsa   - path of test/CAtsa.cnf, also used as "-data" for req3
#   @RUN     - command prefix shared by every "openssl ts" invocation
my $testtsa;
my $CAtsa;
my @RUN = ("openssl", "ts");

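# Issue a server certificate signed by the test CA (tsaca.pem /
# tsacakey.pem must already exist in the current directory).
#
# Arguments:
#   $index - suffix for the generated files: tsa_req<index>.pem,
#            tsa_key<index>.pem and tsa_cert<index>.pem
#   $ext   - name of the extension section of $ENV{OPENSSL_CONF} to apply
#            when signing; the callers use "tsa_cert" for the real TSA
#            certificate and "non_tsa_cert" for the negative case
#
# Runs two ok() checks and returns the result of the second, so the sub
# can be used directly as a subtest body.
sub create_tsa_cert {
    my $index = shift;
    my $ext = shift;
    # Process-global: stays set for every later command in this test.
    # Presumably read by CAtsa.cnf to select the subject DN section --
    # confirm against the config.
    $ENV{TSDNSECT} = "ts_cert_dn";

    ok(run(app(["openssl", "req", "-new",
                "-out", "tsa_req${index}.pem",
                "-keyout", "tsa_key${index}.pem"])));
    note "using extension $ext";
    # The extension profile comes from the test config itself; which
    # section is used is the only thing that differs between the TSA and
    # non-TSA certificates.
    return ok(run(app(["openssl", "x509", "-req",
                       "-in", "tsa_req${index}.pem",
                       "-out", "tsa_cert${index}.pem",
                       "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
                       "-CAcreateserial",
                       "-extfile", $ENV{OPENSSL_CONF}, "-extensions", $ext])));
}
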
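# Produce a time-stamp response for an existing request file.
#
# Arguments:
#   $queryfile  - the .tsq request to answer
#   $outputfile - where the .tsr response is written
#   $section    - config section handed to "ts -reply -section"; the
#                 callers pass "tsa_config1", so this is a section name
#                 of $ENV{OPENSSL_CONF}, not a data file
#
# Returns the result of the ok() so the sub can serve as a subtest body.
sub create_time_stamp_response {
    my ($queryfile, $outputfile, $section) = @_;

    return ok(run(app([@RUN, "-reply", "-section", "$section",
                       "-queryfile", "$queryfile", "-out", "$outputfile"])));
}
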
# Verify a response two ways: against the request it answered and against
# the data that was stamped.  Both runs trust tsaca.pem and are handed
# tsa_cert1.pem as the untrusted TSA certificate.  Each check is its own
# ok(); the value of the second one is returned.
sub verify_time_stamp_response {
    my ($queryfile, $inputfile, $datafile) = @_;
    my @trust = ("-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem");

    ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
                "-in", "$inputfile", @trust])));
    return ok(run(app([@RUN, "-verify", "-data", "$datafile",
                       "-in", "$inputfile", @trust])));
}

# Negative counterpart of verify_time_stamp_response: the check against
# the request file is expected to FAIL, so the ok() passes only when
# "ts -verify" does not succeed.  Same trust settings as the positive case.
sub verify_time_stamp_response_fail {
    my ($queryfile, $inputfile) = @_;
    my @trust = ("-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem");

    my $verified = run(app([@RUN, "-verify", "-queryfile", "$queryfile",
                            "-in", "$inputfile", @trust]));
    return ok(!$verified);
}

# main functions

plan tests => 20;

note "setting up TSA test directory";
# Everything below runs inside a scratch directory "tsa"; all generated
# keys, certificates, requests and responses are relative to it (see the
# create/cleanup options on the closing line).
indir "tsa" => sub
{
    $ENV{OPENSSL_CONF} = srctop_file("test", "CAtsa.cnf");
    # Because that's what ../apps/CA.pl really looks at
    # NOTE(review): this is one whitespace-joined string, so a source tree
    # path containing spaces would presumably be split by whatever consumes
    # it -- confirm against CA.pl.
    $ENV{OPENSSL_CONFIG} = "-config ".$ENV{OPENSSL_CONF};
    $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
    # Two arbitrary source files serve as the data being time-stamped.
    $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
    $CAtsa = srctop_file("test", "CAtsa.cnf");

    # Each "skip ..., N unless ..." abandons the remaining N tests when a
    # prerequisite artifact could not be produced; the counts are kept in
    # step with "plan tests => 20" above.
    SKIP: {
        $ENV{TSDNSECT} = "ts_ca_dn";
        # The CA key is written unencrypted (-nodes); it only ever lives in
        # the scratch directory.
        skip "failed", 19
            unless ok(run(app(["openssl", "req", "-new", "-x509", "-nodes",
                               "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
                      'creating a new CA for the TSA tests');

        # tsa_cert1.pem gets the "tsa_cert" extension section and is the
        # certificate later passed as -untrusted; tsa_cert2.pem uses
        # "non_tsa_cert" and must not be usable as a TSA.
        skip "failed", 18
            unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
                create_tsa_cert("1", "tsa_cert")
            };

        skip "failed", 17
            unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
                create_tsa_cert("2", "non_tsa_cert")
            };

        # req1: policy tsa_policy1, with a nonce, and "-cert" so the
        # reply carries the TSA certificate.
        skip "failed", 16
            unless ok(run(app([@RUN, "-query", "-data", $testtsa,
                               "-tspolicy", "tsa_policy1", "-cert",
                               "-out", "req1.tsq"])),
                      'creating req1.req time stamp request for file testtsa');

        ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
           'printing req1.req');

        subtest 'generating valid response for req1.req' => sub {
            create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
        };

        ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
           'printing response');

        subtest 'verifying valid response' => sub {
            verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
        };

        # Extract the bare token from resp1.tsr and verify it (-token_in)
        # against both the request and the data.
        skip "failed", 11
            unless subtest 'verifying valid token' => sub {
                ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
                            "-out", "resp1.tsr.token", "-token_out"])));
                ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
                            "-in", "resp1.tsr.token", "-token_in",
                            "-CAfile", "tsaca.pem",
                            "-untrusted", "tsa_cert1.pem"])));
                ok(run(app([@RUN, "-verify", "-data", $testtsa,
                            "-in", "resp1.tsr.token", "-token_in",
                            "-CAfile", "tsaca.pem",
                            "-untrusted", "tsa_cert1.pem"])));
            };

        # req2: policy tsa_policy2 and no nonce (-no_nonce).
        skip "failed", 10
            unless ok(run(app([@RUN, "-query", "-data", $testtsa,
                               "-tspolicy", "tsa_policy2", "-no_nonce",
                               "-out", "req2.tsq"])),
                      'creating req2.req time stamp request for file testtsa');

        ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
           'printing req2.req');

        skip "failed", 8
            unless subtest 'generating valid response for req2.req' => sub {
                create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
            };

        # Round-trip: response -> DER token -> response must reproduce
        # resp2.tsr exactly (File::Compare::compare returns 0 when the
        # files are identical).  The remaining runs only check that the
        # -text/-token_out combinations are accepted.
        skip "failed", 7
            unless subtest 'checking -token_in and -token_out options with -reply' => sub {
                my $RESPONSE2="resp2.tsr.copy.tsr";
                my $TOKEN_DER="resp2.tsr.token.der";

                ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
                            "-out", "$TOKEN_DER", "-token_out"])));
                ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
                            "-token_in", "-out", "$RESPONSE2"])));
                is(compare($RESPONSE2, "resp2.tsr"), 0);
                ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
                            "-text", "-token_out"])));
                ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
                            "-token_in", "-text", "-token_out"])));
                ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
                            "-text", "-token_out"])));
            };

        ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
           'printing response');

        subtest 'verifying valid response' => sub {
            verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
        };

        # Negative cases: a response must not verify against a request it
        # did not answer, in either direction.
        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
        };

        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
        };

        # req3 stamps a different file ($CAtsa) without a nonce, so the
        # mismatch with resp1.tsr below rests on the data imprint alone.
        skip "failure", 2
            unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
                               "-no_nonce", "-out", "req3.tsq"])),
                      "creating req3.req time stamp request for file CAtsa.cnf");

        ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
           'printing req3.req');

        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
        };
    }
}, create => 1, cleanup => 1