[thirdparty/openssl.git] / test / recipes / 80-test_tsa.t

#! /usr/bin/env perl
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/splitdir curdir catfile/;
use File::Compare;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file data_file/;
use OpenSSL::Test::Utils;

setup("test_tsa");

plan skip_all => "TS is not supported by this OpenSSL build"
    if disabled("ts");

# All these are modified inside indir further down. They need to exist
# here, however, to be available in all subroutines.
my $openssl_conf;
my $testtsa;
my $CAtsa;
my @QUERY = ("openssl", "ts", "-query");
my @REPLY;
my @VERIFY = ("openssl", "ts", "-verify");

sub create_tsa_cert {
    my $INDEX = shift;
    my $EXT = shift;
    my $r = 1;
    $ENV{TSDNSECT} = "ts_cert_dn";

    ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
                "-out", "tsa_req${INDEX}.pem",
                "-keyout", "tsa_key${INDEX}.pem"])));
    note "using extension $EXT";
    ok(run(app(["openssl", "x509", "-req",
                "-in", "tsa_req${INDEX}.pem",
                "-out", "tsa_cert${INDEX}.pem",
                "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
                "-CAcreateserial",
                "-extfile", $openssl_conf, "-extensions", $EXT])));
}

sub create_time_stamp_response {
    my $queryfile = shift;
    my $outputfile = shift;
    my $datafile = shift;

    ok(run(app([@REPLY, "-section", "$datafile",
                "-queryfile", "$queryfile", "-out", "$outputfile"])));
}

sub verify_time_stamp_response {
    my $queryfile = shift;
    my $inputfile = shift;
    my $datafile = shift;

    ok(run(app([@VERIFY, "-queryfile", "$queryfile",
                "-in", "$inputfile", "-CAfile", "tsaca.pem",
                "-untrusted", "tsa_cert1.pem"])));
    ok(run(app([@VERIFY, "-data", "$datafile",
                "-in", "$inputfile", "-CAfile", "tsaca.pem",
                "-untrusted", "tsa_cert1.pem"])));
}

sub verify_time_stamp_response_fail {
    my $queryfile = shift;
    my $inputfile = shift;

    ok(!run(app([@VERIFY, "-queryfile", "$queryfile",
                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
                 "-untrusted", "tsa_cert1.pem"])));
}

# main functions

plan tests => 20;

note "setting up TSA test directory";
indir "tsa" => sub
{
    $openssl_conf = srctop_file("test", "CAtsa.cnf");
    $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
    $CAtsa = srctop_file("test", "CAtsa.cnf");
    @REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply");

    # ../apps/CA.pl needs these
    $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
    $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);

 SKIP: {
     $ENV{TSDNSECT} = "ts_ca_dn";
     skip "failed", 19
         unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
                            "-new", "-x509", "-noenc",
                            "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
                   'creating a new CA for the TSA tests');

     skip "failed", 18
         unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
             create_tsa_cert("1", "tsa_cert")
     };

     skip "failed", 17
         unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
             create_tsa_cert("2", "non_tsa_cert")
     };

     skip "failed", 16
         unless ok(run(app([@QUERY, "-data", $testtsa,
                            "-tspolicy", "tsa_policy1", "-cert",
                            "-out", "req1.tsq"])),
                   'creating req1.req time stamp request for file testtsa');

     ok(run(app([@QUERY, "-in", "req1.tsq", "-text"])),
        'printing req1.req');

     subtest 'generating valid response for req1.req' => sub {
         create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
     };

     ok(run(app([@REPLY, "-in", "resp1.tsr", "-text"])),
        'printing response');

     subtest 'verifying valid response' => sub {
         verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
     };

     skip "failed", 11
         unless subtest 'verifying valid token' => sub {
             ok(run(app([@REPLY, "-in", "resp1.tsr",
                         "-out", "resp1.tsr.token", "-token_out"])));
             ok(run(app([@VERIFY, "-queryfile", "req1.tsq",
                         "-in", "resp1.tsr.token", "-token_in",
                         "-CAfile", "tsaca.pem"])));
             ok(run(app([@VERIFY, "-data", $testtsa,
                         "-in", "resp1.tsr.token", "-token_in",
                         "-CAfile", "tsaca.pem"])));
     };

     skip "failed", 10
         unless ok(run(app([@QUERY, "-data", $testtsa,
                            "-tspolicy", "tsa_policy2", "-no_nonce",
                            "-out", "req2.tsq"])),
                   'creating req2.req time stamp request for file testtsa');

     ok(run(app([@QUERY, "-in", "req2.tsq", "-text"])),
        'printing req2.req');

     skip "failed", 8
         unless subtest 'generating valid response for req2.req' => sub {
             create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
     };

     skip "failed", 7
         unless subtest 'checking -token_in and -token_out options with -reply' => sub {
             my $RESPONSE2="resp2.tsr.copy.tsr";
             my $TOKEN_DER="resp2.tsr.token.der";

             ok(run(app([@REPLY, "-in", "resp2.tsr",
                         "-out", "$TOKEN_DER", "-token_out"])));
             ok(run(app([@REPLY, "-in", "$TOKEN_DER",
                         "-token_in", "-out", "$RESPONSE2"])));
             is(compare($RESPONSE2, "resp2.tsr"), 0);
             ok(run(app([@REPLY, "-in", "resp2.tsr",
                         "-text", "-token_out"])));
             ok(run(app([@REPLY, "-in", "$TOKEN_DER",
                         "-token_in", "-text", "-token_out"])));
             ok(run(app([@REPLY, "-queryfile", "req2.tsq",
                         "-text", "-token_out"])));
     };

     ok(run(app([@REPLY, "-in", "resp2.tsr", "-text"])),
        'printing response');

     subtest 'verifying valid response' => sub {
         verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
     };

     subtest 'verifying response against wrong request, it should fail' => sub {
         verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
     };

     subtest 'verifying response against wrong request, it should fail' => sub {
         verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
     };

     skip "failure", 2
         unless ok(run(app([@QUERY, "-data", $CAtsa,
                            "-no_nonce", "-out", "req3.tsq"])),
                   "creating req3.req time stamp request for file CAtsa.cnf");

     ok(run(app([@QUERY, "-in", "req3.tsq", "-text"])),
        'printing req3.req');

     subtest 'verifying response against wrong request, it should fail' => sub {
         verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
     };
    }
}, create => 1, cleanup => 1
Commit	Line	Data
596d6b7e	1	#! /usr/bin/env perl
c89fd035	2	# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
596d6b7e	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
596d6b7e RS	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
88b8a527 RL	9
	10	use strict;
	11	use warnings;
	12
	13	use POSIX;
	14	use File::Spec::Functions qw/splitdir curdir catfile/;
	15	use File::Compare;
c89fd035	16	use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file data_file/;
bec5e4ae	17	use OpenSSL::Test::Utils;
88b8a527 RL	18
	19	setup("test_tsa");
	20
bec5e4ae RL	21	plan skip_all => "TS is not supported by this OpenSSL build"
	22	if disabled("ts");
	23
88b8a527 RL	24	# All these are modified inside indir further down. They need to exist
88b8a527 RL	25	# here, however, to be available in all subroutines.
83e0d090	26	my $openssl_conf;
88b8a527 RL	27	my $testtsa;
88b8a527 RL	28	my $CAtsa;
c89fd035 DDO	29	my @QUERY = ("openssl", "ts", "-query");
	30	my @REPLY;
	31	my @VERIFY = ("openssl", "ts", "-verify");
88b8a527 RL	32
	33	sub create_tsa_cert {
	34	my $INDEX = shift;
	35	my $EXT = shift;
	36	my $r = 1;
1c73c3bc	37	$ENV{TSDNSECT} = "ts_cert_dn";
88b8a527	38
83e0d090	39	ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
1c73c3bc RL	40	"-out", "tsa_req${INDEX}.pem",
1c73c3bc RL	41	"-keyout", "tsa_key${INDEX}.pem"])));
88b8a527	42	note "using extension $EXT";
1c73c3bc RL	43	ok(run(app(["openssl", "x509", "-req",
	44	"-in", "tsa_req${INDEX}.pem",
	45	"-out", "tsa_cert${INDEX}.pem",
	46	"-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
	47	"-CAcreateserial",
83e0d090	48	"-extfile", $openssl_conf, "-extensions", $EXT])));
88b8a527 RL	49	}
	50
	51	sub create_time_stamp_response {
	52	my $queryfile = shift;
	53	my $outputfile = shift;
	54	my $datafile = shift;
	55
c89fd035	56	ok(run(app([@REPLY, "-section", "$datafile",
1c73c3bc	57	"-queryfile", "$queryfile", "-out", "$outputfile"])));
88b8a527 RL	58	}
	59
	60	sub verify_time_stamp_response {
	61	my $queryfile = shift;
	62	my $inputfile = shift;
	63	my $datafile = shift;
	64
c89fd035	65	ok(run(app([@VERIFY, "-queryfile", "$queryfile",
1c73c3bc RL	66	"-in", "$inputfile", "-CAfile", "tsaca.pem",
1c73c3bc RL	67	"-untrusted", "tsa_cert1.pem"])));
c89fd035	68	ok(run(app([@VERIFY, "-data", "$datafile",
1c73c3bc RL	69	"-in", "$inputfile", "-CAfile", "tsaca.pem",
1c73c3bc RL	70	"-untrusted", "tsa_cert1.pem"])));
88b8a527 RL	71	}
	72
	73	sub verify_time_stamp_response_fail {
	74	my $queryfile = shift;
	75	my $inputfile = shift;
	76
c89fd035	77	ok(!run(app([@VERIFY, "-queryfile", "$queryfile",
1c73c3bc RL	78	"-in", "$inputfile", "-CAfile", "tsaca.pem",
1c73c3bc RL	79	"-untrusted", "tsa_cert1.pem"])));
88b8a527 RL	80	}
	81
	82	# main functions
	83
1c73c3bc	84	plan tests => 20;
88b8a527	85
1c73c3bc RL	86	note "setting up TSA test directory";
	87	indir "tsa" => sub
	88	{
83e0d090	89	$openssl_conf = srctop_file("test", "CAtsa.cnf");
42e0ccdf RL	90	$testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
42e0ccdf RL	91	$CAtsa = srctop_file("test", "CAtsa.cnf");
c89fd035	92	@REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply");
83e0d090 RL	93
	94	# ../apps/CA.pl needs these
	95	$ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
	96	$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
88b8a527	97
1c73c3bc RL	98	SKIP: {
	99	$ENV{TSDNSECT} = "ts_ca_dn";
	100	skip "failed", 19
83e0d090	101	unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
ef898017	102	"-new", "-x509", "-noenc",
1c73c3bc RL	103	"-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
	104	'creating a new CA for the TSA tests');
	105
	106	skip "failed", 18
	107	unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
	108	create_tsa_cert("1", "tsa_cert")
	109	};
	110
	111	skip "failed", 17
	112	unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
	113	create_tsa_cert("2", "non_tsa_cert")
	114	};
	115
	116	skip "failed", 16
c89fd035	117	unless ok(run(app([@QUERY, "-data", $testtsa,
08538fc0	118	"-tspolicy", "tsa_policy1", "-cert",
1c73c3bc RL	119	"-out", "req1.tsq"])),
	120	'creating req1.req time stamp request for file testtsa');
	121
c89fd035	122	ok(run(app([@QUERY, "-in", "req1.tsq", "-text"])),
1c73c3bc RL	123	'printing req1.req');
	124
	125	subtest 'generating valid response for req1.req' => sub {
	126	create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
	127	};
	128
c89fd035	129	ok(run(app([@REPLY, "-in", "resp1.tsr", "-text"])),
1c73c3bc RL	130	'printing response');
	131
	132	subtest 'verifying valid response' => sub {
	133	verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
	134	};
	135
	136	skip "failed", 11
	137	unless subtest 'verifying valid token' => sub {
c89fd035	138	ok(run(app([@REPLY, "-in", "resp1.tsr",
1c73c3bc	139	"-out", "resp1.tsr.token", "-token_out"])));
c89fd035	140	ok(run(app([@VERIFY, "-queryfile", "req1.tsq",
1c73c3bc	141	"-in", "resp1.tsr.token", "-token_in",
c89fd035 DDO	142	"-CAfile", "tsaca.pem"])));
c89fd035 DDO	143	ok(run(app([@VERIFY, "-data", $testtsa,
1c73c3bc	144	"-in", "resp1.tsr.token", "-token_in",
c89fd035	145	"-CAfile", "tsaca.pem"])));
1c73c3bc RL	146	};
	147
	148	skip "failed", 10
c89fd035	149	unless ok(run(app([@QUERY, "-data", $testtsa,
08538fc0	150	"-tspolicy", "tsa_policy2", "-no_nonce",
1c73c3bc RL	151	"-out", "req2.tsq"])),
	152	'creating req2.req time stamp request for file testtsa');
	153
c89fd035	154	ok(run(app([@QUERY, "-in", "req2.tsq", "-text"])),
1c73c3bc RL	155	'printing req2.req');
	156
	157	skip "failed", 8
	158	unless subtest 'generating valid response for req2.req' => sub {
	159	create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
	160	};
	161
	162	skip "failed", 7
	163	unless subtest 'checking -token_in and -token_out options with -reply' => sub {
	164	my $RESPONSE2="resp2.tsr.copy.tsr";
	165	my $TOKEN_DER="resp2.tsr.token.der";
	166
c89fd035	167	ok(run(app([@REPLY, "-in", "resp2.tsr",
1c73c3bc	168	"-out", "$TOKEN_DER", "-token_out"])));
c89fd035	169	ok(run(app([@REPLY, "-in", "$TOKEN_DER",
1c73c3bc RL	170	"-token_in", "-out", "$RESPONSE2"])));
1c73c3bc RL	171	is(compare($RESPONSE2, "resp2.tsr"), 0);
c89fd035	172	ok(run(app([@REPLY, "-in", "resp2.tsr",
1c73c3bc	173	"-text", "-token_out"])));
c89fd035	174	ok(run(app([@REPLY, "-in", "$TOKEN_DER",
1c73c3bc	175	"-token_in", "-text", "-token_out"])));
c89fd035	176	ok(run(app([@REPLY, "-queryfile", "req2.tsq",
1c73c3bc RL	177	"-text", "-token_out"])));
	178	};
	179
c89fd035	180	ok(run(app([@REPLY, "-in", "resp2.tsr", "-text"])),
1c73c3bc RL	181	'printing response');
	182
	183	subtest 'verifying valid response' => sub {
	184	verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
	185	};
	186
	187	subtest 'verifying response against wrong request, it should fail' => sub {
	188	verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
	189	};
	190
	191	subtest 'verifying response against wrong request, it should fail' => sub {
	192	verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
	193	};
	194
	195	skip "failure", 2
c89fd035	196	unless ok(run(app([@QUERY, "-data", $CAtsa,
1c73c3bc RL	197	"-no_nonce", "-out", "req3.tsq"])),
	198	"creating req3.req time stamp request for file CAtsa.cnf");
	199
c89fd035	200	ok(run(app([@QUERY, "-in", "req3.tsq", "-text"])),
1c73c3bc RL	201	'printing req3.req');
	202
	203	subtest 'verifying response against wrong request, it should fail' => sub {
	204	verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
	205	};
88b8a527	206	}
1c73c3bc	207	}, create => 1, cleanup => 1