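#!/bin/sh

#
# A few very basic tests for the 'ts' time stamping authority command.
#
# Runs from the test directory; creates a scratch directory tsa/ below it,
# builds a throw-away CA and TSA certificate there, and exercises
# 'openssl ts' query/reply/verify round trips.  Any failing step ends the
# script through error() with exit status 1.
#

# Exported for the helper scripts invoked below (presumably they honour
# $SH when re-executing a shell -- verify against opensslwrap.sh).
SH="/bin/sh"
# NOTE: the entry is relative, so it is resolved against whatever the
# current directory is at lookup time; the test functions below therefore
# name ../../apps/openssl explicitly once they have cd'ed into tsa/.
if test "$OSTYPE" = msdosdjgpp; then
    PATH="../apps\;$PATH"
else
    PATH="../apps:$PATH"
fi
export SH PATH

# Configuration shared by all openssl invocations in this test.
OPENSSL_CONF="../CAtsa.cnf"
export OPENSSL_CONF
# Because that's what ../apps/CA.sh really looks at
SSLEAY_CONFIG="-config $OPENSSL_CONF"
export SSLEAY_CONFIG

# Absolute path so it stays valid after the cd into tsa/.
# ($(...) replaces the backtick form; same value, nests and quotes cleanly.)
OPENSSL="$(pwd)/../util/opensslwrap.sh"
export OPENSSL
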
#
# Report a failed test step on stderr and abort the whole script.
# Never returns: exit status is 1.
#
error () {
    printf '%s\n' "TSA test failed!" >&2
    exit 1
}

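#
# Create a fresh scratch directory tsa/ under the current directory and
# make it the working directory for the rest of the test.
# Aborts via error() if the directory cannot be created or entered.
#
setup_dir () {
    # Errors from a failed removal are deliberately silenced (original
    # behaviour); a leftover tree makes the mkdir below fail instead.
    rm -rf tsa 2>/dev/null
    # Both steps used to be unchecked.  A failed cd would leave every
    # later step -- including clean_up_dir's "cd ..; rm -rf tsa" --
    # running against the parent directory instead of the scratch one.
    mkdir tsa || error
    cd ./tsa || error
}
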
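#
# Leave the scratch directory created by setup_dir and remove it.
# Aborts via error() if the parent directory cannot be entered, so the
# rm never runs from an unexpected location.
#
clean_up_dir () {
    # The cd used to be unchecked; on failure the rm below would have
    # run inside tsa/ against a path that is not the scratch directory.
    cd .. || error
    rm -rf tsa
}
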
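#
# Create the self-signed test CA: tsaca.pem / tsacakey.pem in the
# current (scratch) directory.  Aborts via error() on failure.
#
# The original ended with "test $? != 0 && error", which makes the
# function return 1 on success; "|| error" keeps the abort and returns 0.
#
create_ca () {
    echo "Creating a new CA for the TSA tests..."
    # Presumably selects the DN section used by $OPENSSL_CONF for this
    # request -- verify against ../CAtsa.cnf.
    TSDNSECT=ts_ca_dn
    export TSDNSECT
    # -nodes: the CA key is written unencrypted; fine for a throw-away
    # test CA living only in the scratch directory.
    ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \
        -out tsaca.pem -keyout tsacakey.pem || error
}
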
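#
# Create a certificate signed by the test CA.
# Arguments:
#   $1 - index used in the file names tsa_req$1.pem, tsa_key$1.pem,
#        tsa_cert$1.pem (also exported as INDEX)
#   $2 - name of the extensions section in $OPENSSL_CONF to apply;
#        main passes tsa_cert and non_tsa_cert, so this is what decides
#        whether the result is usable as a TSA signer.
# Aborts via error() on failure.
#
# Expansions are now quoted (they were bare) and the trailing
# "test $? != 0 && error" -- which returned 1 on success -- is "|| error".
#
create_tsa_cert () {
    INDEX=$1
    export INDEX
    EXT=$2
    # Presumably the DN section read via $OPENSSL_CONF -- verify.
    TSDNSECT=ts_cert_dn
    export TSDNSECT

    ../../util/shlib_wrap.sh ../../apps/openssl req -new \
        -out "tsa_req${INDEX}.pem" -keyout "tsa_key${INDEX}.pem" || error
    echo "Using extension $EXT"
    ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \
        -in "tsa_req${INDEX}.pem" -out "tsa_cert${INDEX}.pem" \
        -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
        -extfile "$OPENSSL_CONF" -extensions "$EXT" || error
}
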
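#
# Print a time stamp request in text form.
# Arguments: $1 - request file (.tsq)
# Aborts via error() on failure -- the original did not check the
# status, unlike its sibling print_response.
#
print_request () {
    ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in "$1" -text || error
}
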
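#
# Create req1.tsq: a request over ../testtsa with policy tsa_policy1,
# asking for the signer certificate (-cert); a nonce is included by
# default.  Aborts via error() on failure.
#
# "|| error" replaces "test $? != 0 && error", which returned 1 on success.
#
create_time_stamp_request1 () {
    ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa \
        -policy tsa_policy1 -cert -out req1.tsq || error
}
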
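#
# Create req2.tsq: a request over ../testtsa with policy tsa_policy2 and
# no nonce (-no_nonce), without asking for the signer certificate.
# Aborts via error() on failure.
#
# "|| error" replaces "test $? != 0 && error", which returned 1 on success.
#
create_time_stamp_request2 () {
    ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa \
        -policy tsa_policy2 -no_nonce -out req2.tsq || error
}
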
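#
# Create req3.tsq: a request over ../CAtsa.cnf with no nonce and no
# explicit policy.  Only used as a "wrong request" in the negative
# verification test.  Aborts via error() on failure.
#
# "|| error" replaces "test $? != 0 && error", which returned 1 on success.
#
create_time_stamp_request3 () {
    ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf \
        -no_nonce -out req3.tsq || error
}
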
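#
# Print a time stamp response in text form.
# Arguments: $1 - response file (.tsr)
# Aborts via error() on failure.
#
# "$1" is now quoted; "|| error" replaces the trailing
# "test $? != 0 && error", which returned 1 on success.
#
print_response () {
    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$1" -text || error
}
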
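#
# Generate a time stamp response for a request.
# Arguments:
#   $1 - request file (.tsq)
#   $2 - response file to write (.tsr)
#   $3 - TSA configuration section in $OPENSSL_CONF (-section); this is
#        where the signer certificate and key come from
# Aborts via error() on failure.
#
# Expansions are now quoted; "|| error" replaces the trailing
# "test $? != 0 && error", which returned 1 on success.
#
create_time_stamp_response () {
    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section "$3" \
        -queryfile "$1" -out "$2" || error
}
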
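#
# Exercise the -token_in / -token_out options of 'ts -reply':
# extract the token from a response, wrap it back into a response and
# check that the result is byte-identical to the original, then print
# the token from each of the three sources (response, token file,
# query file).
# Arguments:
#   $1 - request file (.tsq)
#   $2 - response file (.tsr); $2.token.der and $2.copy.tsr are written
#        next to it
# Aborts via error() on the first failing step.
#
# Expansions are now quoted; "|| error" replaces each
# "test $? != 0 && error" (the last of which returned 1 on success).
#
time_stamp_response_token_test () {
    RESPONSE2=$2.copy.tsr
    TOKEN_DER=$2.token.der
    # response -> token
    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$2" \
        -out "$TOKEN_DER" -token_out || error
    # token -> response
    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$TOKEN_DER" \
        -token_in -out "$RESPONSE2" || error
    # The round trip must reproduce the original response exactly.
    cmp "$RESPONSE2" "$2" || error
    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$2" \
        -text -token_out || error
    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$TOKEN_DER" \
        -token_in -text -token_out || error
    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile "$1" \
        -text -token_out || error
}
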
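#
# Verify a response, first against the request it answers and then
# against the original data file.  The chain is anchored at the test CA
# (-CAfile tsaca.pem) with tsa_cert1.pem supplied as an untrusted
# intermediate/signer certificate.
# Arguments:
#   $1 - request file (.tsq)
#   $2 - response file (.tsr)
#   $3 - data file the request was made over
# Aborts via error() if either verification fails.
#
# Expansions are now quoted; "|| error" replaces each
# "test $? != 0 && error" (the last of which returned 1 on success).
#
verify_time_stamp_response () {
    ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile "$1" \
        -in "$2" -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
    ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data "$3" \
        -in "$2" -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
}
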
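#
# Same checks as verify_time_stamp_response, but performed on the bare
# token (-token_in) extracted from the response rather than on the
# response itself.
# Arguments:
#   $1 - request file (.tsq)
#   $2 - response file (.tsr); the token is written to $2.token
#   $3 - data file the request was made over
# Aborts via error() if extraction or either verification fails.
#
# Expansions are now quoted; "|| error" replaces each
# "test $? != 0 && error" (the last of which returned 1 on success).
#
verify_time_stamp_token () {
    # create the token from the response first
    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$2" \
        -out "$2.token" -token_out || error
    ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile "$1" \
        -in "$2.token" -token_in \
        -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
    ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data "$3" \
        -in "$2.token" -token_in \
        -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
}
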
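#
# Negative test: verifying $2 against request $1 is expected to FAIL.
# Arguments:
#   $1 - request file (.tsq)
#   $2 - response file (.tsr)
# Aborts via error() if the verification unexpectedly succeeds; prints
# "Ok" otherwise.
#
# NOTE(review): any non-zero status from the command counts as the
# expected failure here -- including one caused by a missing input file
# or a broken tool rather than a rejected response.  The positive tests
# that run before this one are what keep that from masking a setup
# problem.
#
verify_time_stamp_response_fail () {
    if ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile "$1" \
        -in "$2" -CAfile tsaca.pem -untrusted tsa_cert1.pem; then
        # Verification succeeded although it should have failed.
        error
    fi
    echo "Ok"
}
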
# main functions

#
# Announce a test step on stdout, then run it in the current shell (so
# steps that cd, such as setup_dir and clean_up_dir, keep their effect).
# Arguments: $1 - message to print; $2... - the command to run
# No status is checked here, matching the original straight-line
# sequence: the helpers that check their own steps call error(), which
# exits the script.
#
run_step () {
    echo "$1"
    shift
    "$@"
}

run_step "Setting up TSA test directory..." setup_dir
run_step "Creating CA for TSA tests..." create_ca
run_step "Creating tsa_cert1.pem TSA server cert..." create_tsa_cert 1 tsa_cert
run_step "Creating tsa_cert2.pem non-TSA server cert..." create_tsa_cert 2 non_tsa_cert

run_step "Creating req1.req time stamp request for file testtsa..." create_time_stamp_request1
run_step "Printing req1.req..." print_request req1.tsq
run_step "Generating valid response for req1.req..." create_time_stamp_response req1.tsq resp1.tsr tsa_config1
run_step "Printing response..." print_response resp1.tsr
run_step "Verifying valid response..." verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
run_step "Verifying valid token..." verify_time_stamp_token req1.tsq resp1.tsr ../testtsa

# The tests below are commented out, because invalid signer certificates
# can no longer be specified in the config file.

# echo "Generating _invalid_ response for req1.req..."
# create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2

# echo "Printing response..."
# print_response resp1_bad.tsr

# echo "Verifying invalid response, it should fail..."
# verify_time_stamp_response_fail req1.tsq resp1_bad.tsr

run_step "Creating req2.req time stamp request for file testtsa..." create_time_stamp_request2
run_step "Printing req2.req..." print_request req2.tsq
run_step "Generating valid response for req2.req..." create_time_stamp_response req2.tsq resp2.tsr tsa_config1
run_step "Checking '-token_in' and '-token_out' options with '-reply'..." time_stamp_response_token_test req2.tsq resp2.tsr
run_step "Printing response..." print_response resp2.tsr
run_step "Verifying valid response..." verify_time_stamp_response req2.tsq resp2.tsr ../testtsa

# Cross-checks: a response must not verify against a request it does not answer.
run_step "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req1.tsq resp2.tsr
run_step "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req2.tsq resp1.tsr

run_step "Creating req3.req time stamp request for file CAtsa.cnf..." create_time_stamp_request3
run_step "Printing req3.req..." print_request req3.tsq
run_step "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req3.tsq resp1.tsr

run_step "Cleaning up..." clean_up_dir

exit 0