]>
Commit | Line | Data |
---|---|---|
596d6b7e | 1 | #! /usr/bin/env perl |
c89fd035 | 2 | # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. |
596d6b7e | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
596d6b7e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
88b8a527 RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use POSIX; | |
14 | use File::Spec::Functions qw/splitdir curdir catfile/; | |
15 | use File::Compare; | |
c89fd035 | 16 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file data_file/; |
bec5e4ae | 17 | use OpenSSL::Test::Utils; |
88b8a527 RL |
18 | |
19 | setup("test_tsa"); | |
20 | ||
bec5e4ae RL |
21 | plan skip_all => "TS is not supported by this OpenSSL build" |
22 | if disabled("ts"); | |
23 | ||
88b8a527 RL |
24 | # All these are modified inside indir further down. They need to exist |
25 | # here, however, to be available in all subroutines. | |
83e0d090 | 26 | my $openssl_conf; |
88b8a527 RL |
27 | my $testtsa; |
28 | my $CAtsa; | |
c89fd035 DDO |
29 | my @QUERY = ("openssl", "ts", "-query"); |
30 | my @REPLY; | |
31 | my @VERIFY = ("openssl", "ts", "-verify"); | |
88b8a527 RL |
32 | |
33 | sub create_tsa_cert { | |
34 | my $INDEX = shift; | |
35 | my $EXT = shift; | |
36 | my $r = 1; | |
1c73c3bc | 37 | $ENV{TSDNSECT} = "ts_cert_dn"; |
88b8a527 | 38 | |
83e0d090 | 39 | ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new", |
1c73c3bc RL |
40 | "-out", "tsa_req${INDEX}.pem", |
41 | "-keyout", "tsa_key${INDEX}.pem"]))); | |
88b8a527 | 42 | note "using extension $EXT"; |
1c73c3bc RL |
43 | ok(run(app(["openssl", "x509", "-req", |
44 | "-in", "tsa_req${INDEX}.pem", | |
45 | "-out", "tsa_cert${INDEX}.pem", | |
46 | "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem", | |
47 | "-CAcreateserial", | |
83e0d090 | 48 | "-extfile", $openssl_conf, "-extensions", $EXT]))); |
88b8a527 RL |
49 | } |
50 | ||
51 | sub create_time_stamp_response { | |
52 | my $queryfile = shift; | |
53 | my $outputfile = shift; | |
54 | my $datafile = shift; | |
55 | ||
c89fd035 | 56 | ok(run(app([@REPLY, "-section", "$datafile", |
1c73c3bc | 57 | "-queryfile", "$queryfile", "-out", "$outputfile"]))); |
88b8a527 RL |
58 | } |
59 | ||
60 | sub verify_time_stamp_response { | |
61 | my $queryfile = shift; | |
62 | my $inputfile = shift; | |
63 | my $datafile = shift; | |
64 | ||
c89fd035 | 65 | ok(run(app([@VERIFY, "-queryfile", "$queryfile", |
1c73c3bc RL |
66 | "-in", "$inputfile", "-CAfile", "tsaca.pem", |
67 | "-untrusted", "tsa_cert1.pem"]))); | |
c89fd035 | 68 | ok(run(app([@VERIFY, "-data", "$datafile", |
1c73c3bc RL |
69 | "-in", "$inputfile", "-CAfile", "tsaca.pem", |
70 | "-untrusted", "tsa_cert1.pem"]))); | |
88b8a527 RL |
71 | } |
72 | ||
73 | sub verify_time_stamp_response_fail { | |
74 | my $queryfile = shift; | |
75 | my $inputfile = shift; | |
76 | ||
c89fd035 | 77 | ok(!run(app([@VERIFY, "-queryfile", "$queryfile", |
1c73c3bc RL |
78 | "-in", "$inputfile", "-CAfile", "tsaca.pem", |
79 | "-untrusted", "tsa_cert1.pem"]))); | |
88b8a527 RL |
80 | } |
81 | ||
82 | # main functions | |
83 | ||
1c73c3bc | 84 | plan tests => 20; |
88b8a527 | 85 | |
1c73c3bc RL |
86 | note "setting up TSA test directory"; |
87 | indir "tsa" => sub | |
88 | { | |
83e0d090 | 89 | $openssl_conf = srctop_file("test", "CAtsa.cnf"); |
42e0ccdf RL |
90 | $testtsa = srctop_file("test", "recipes", "80-test_tsa.t"); |
91 | $CAtsa = srctop_file("test", "CAtsa.cnf"); | |
c89fd035 | 92 | @REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply"); |
83e0d090 RL |
93 | |
94 | # ../apps/CA.pl needs these | |
95 | $ENV{OPENSSL_CONFIG} = "-config $openssl_conf"; | |
96 | $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); | |
88b8a527 | 97 | |
1c73c3bc RL |
98 | SKIP: { |
99 | $ENV{TSDNSECT} = "ts_ca_dn"; | |
100 | skip "failed", 19 | |
83e0d090 | 101 | unless ok(run(app(["openssl", "req", "-config", $openssl_conf, |
ef898017 | 102 | "-new", "-x509", "-noenc", |
1c73c3bc RL |
103 | "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])), |
104 | 'creating a new CA for the TSA tests'); | |
105 | ||
106 | skip "failed", 18 | |
107 | unless subtest 'creating tsa_cert1.pem TSA server cert' => sub { | |
108 | create_tsa_cert("1", "tsa_cert") | |
109 | }; | |
110 | ||
111 | skip "failed", 17 | |
112 | unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub { | |
113 | create_tsa_cert("2", "non_tsa_cert") | |
114 | }; | |
115 | ||
116 | skip "failed", 16 | |
c89fd035 | 117 | unless ok(run(app([@QUERY, "-data", $testtsa, |
08538fc0 | 118 | "-tspolicy", "tsa_policy1", "-cert", |
1c73c3bc RL |
119 | "-out", "req1.tsq"])), |
120 | 'creating req1.req time stamp request for file testtsa'); | |
121 | ||
c89fd035 | 122 | ok(run(app([@QUERY, "-in", "req1.tsq", "-text"])), |
1c73c3bc RL |
123 | 'printing req1.req'); |
124 | ||
125 | subtest 'generating valid response for req1.req' => sub { | |
126 | create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1") | |
127 | }; | |
128 | ||
c89fd035 | 129 | ok(run(app([@REPLY, "-in", "resp1.tsr", "-text"])), |
1c73c3bc RL |
130 | 'printing response'); |
131 | ||
132 | subtest 'verifying valid response' => sub { | |
133 | verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa) | |
134 | }; | |
135 | ||
136 | skip "failed", 11 | |
137 | unless subtest 'verifying valid token' => sub { | |
c89fd035 | 138 | ok(run(app([@REPLY, "-in", "resp1.tsr", |
1c73c3bc | 139 | "-out", "resp1.tsr.token", "-token_out"]))); |
c89fd035 | 140 | ok(run(app([@VERIFY, "-queryfile", "req1.tsq", |
1c73c3bc | 141 | "-in", "resp1.tsr.token", "-token_in", |
c89fd035 DDO |
142 | "-CAfile", "tsaca.pem"]))); |
143 | ok(run(app([@VERIFY, "-data", $testtsa, | |
1c73c3bc | 144 | "-in", "resp1.tsr.token", "-token_in", |
c89fd035 | 145 | "-CAfile", "tsaca.pem"]))); |
1c73c3bc RL |
146 | }; |
147 | ||
148 | skip "failed", 10 | |
c89fd035 | 149 | unless ok(run(app([@QUERY, "-data", $testtsa, |
08538fc0 | 150 | "-tspolicy", "tsa_policy2", "-no_nonce", |
1c73c3bc RL |
151 | "-out", "req2.tsq"])), |
152 | 'creating req2.req time stamp request for file testtsa'); | |
153 | ||
c89fd035 | 154 | ok(run(app([@QUERY, "-in", "req2.tsq", "-text"])), |
1c73c3bc RL |
155 | 'printing req2.req'); |
156 | ||
157 | skip "failed", 8 | |
158 | unless subtest 'generating valid response for req2.req' => sub { | |
159 | create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1") | |
160 | }; | |
161 | ||
162 | skip "failed", 7 | |
163 | unless subtest 'checking -token_in and -token_out options with -reply' => sub { | |
164 | my $RESPONSE2="resp2.tsr.copy.tsr"; | |
165 | my $TOKEN_DER="resp2.tsr.token.der"; | |
166 | ||
c89fd035 | 167 | ok(run(app([@REPLY, "-in", "resp2.tsr", |
1c73c3bc | 168 | "-out", "$TOKEN_DER", "-token_out"]))); |
c89fd035 | 169 | ok(run(app([@REPLY, "-in", "$TOKEN_DER", |
1c73c3bc RL |
170 | "-token_in", "-out", "$RESPONSE2"]))); |
171 | is(compare($RESPONSE2, "resp2.tsr"), 0); | |
c89fd035 | 172 | ok(run(app([@REPLY, "-in", "resp2.tsr", |
1c73c3bc | 173 | "-text", "-token_out"]))); |
c89fd035 | 174 | ok(run(app([@REPLY, "-in", "$TOKEN_DER", |
1c73c3bc | 175 | "-token_in", "-text", "-token_out"]))); |
c89fd035 | 176 | ok(run(app([@REPLY, "-queryfile", "req2.tsq", |
1c73c3bc RL |
177 | "-text", "-token_out"]))); |
178 | }; | |
179 | ||
c89fd035 | 180 | ok(run(app([@REPLY, "-in", "resp2.tsr", "-text"])), |
1c73c3bc RL |
181 | 'printing response'); |
182 | ||
183 | subtest 'verifying valid response' => sub { | |
184 | verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa) | |
185 | }; | |
186 | ||
187 | subtest 'verifying response against wrong request, it should fail' => sub { | |
188 | verify_time_stamp_response_fail("req1.tsq", "resp2.tsr") | |
189 | }; | |
190 | ||
191 | subtest 'verifying response against wrong request, it should fail' => sub { | |
192 | verify_time_stamp_response_fail("req2.tsq", "resp1.tsr") | |
193 | }; | |
194 | ||
195 | skip "failure", 2 | |
c89fd035 | 196 | unless ok(run(app([@QUERY, "-data", $CAtsa, |
1c73c3bc RL |
197 | "-no_nonce", "-out", "req3.tsq"])), |
198 | "creating req3.req time stamp request for file CAtsa.cnf"); | |
199 | ||
c89fd035 | 200 | ok(run(app([@QUERY, "-in", "req3.tsq", "-text"])), |
1c73c3bc RL |
201 | 'printing req3.req'); |
202 | ||
203 | subtest 'verifying response against wrong request, it should fail' => sub { | |
204 | verify_time_stamp_response_fail("req3.tsq", "resp1.tsr") | |
205 | }; | |
88b8a527 | 206 | } |
1c73c3bc | 207 | }, create => 1, cleanup => 1 |