]>
git.ipfire.org Git - thirdparty/openssl.git/blob - test/recipes/80-test_ca.t
2 # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
14 use File
::Path
2.00 qw
/rmtree/;
15 use OpenSSL
::Test qw
/:DEFAULT cmdstr data_file srctop_file/;
16 use OpenSSL
::Test
::Utils
;
17 use Time
::Local qw
/timegm/;
21 $ENV{OPENSSL
} = cmdstr
(app
(["openssl"]), display
=> 1);
23 my $cnf = srctop_file
("test","ca-and-certs.cnf");
24 my $std_openssl_cnf = '"'
25 . srctop_file
("apps", $^O
eq "VMS" ?
"openssl-vms.cnf" : "openssl.cnf")
29 return srctop_file
("test", "certs", shift);
32 rmtree
("demoCA", { safe
=> 0 });
36 require_ok
(srctop_file
("test", "recipes", "tconversion.pl"));
39 my $cakey = src_file
("ca-key.pem");
40 $ENV{OPENSSL_CONFIG
} = qq(-config
"$cnf");
41 skip
"failed creating CA structure", 4
42 if !ok
(run
(perlapp
(["CA.pl","-newca",
43 "-extra-req", "-key $cakey"], stdin
=> undef)),
44 'creating CA structure');
46 my $eekey = src_file
("ee-key.pem");
47 $ENV{OPENSSL_CONFIG
} = qq(-config
"$cnf");
48 skip
"failed creating new certificate request", 3
49 if !ok
(run
(perlapp
(["CA.pl","-newreq",
50 '-extra-req', "-outform DER -section userreq -key $eekey"])),
51 'creating certificate request');
52 $ENV{OPENSSL_CONFIG
} = qq(-rand_serial
-inform DER
-config
"$std_openssl_cnf");
53 skip
"failed to sign certificate request", 2
54 if !is
(yes
(cmdstr
(perlapp
(["CA.pl", "-sign"]))), 0,
55 'signing certificate request');
57 ok
(run
(perlapp
(["CA.pl", "-verify", "newcert.pem"])),
58 'verifying new certificate');
60 skip
"CT not configured, can't use -precert", 1
63 my $eekey2 = src_file
("ee-key-3072.pem");
64 $ENV{OPENSSL_CONFIG
} = qq(-config
"$cnf");
65 ok
(run
(perlapp
(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr
=> undef)),
66 'creating new pre-certificate');
70 skip
"SM2 is not supported by this OpenSSL build", 1
73 is
(yes
(cmdstr
(app
(["openssl", "ca", "-config",
75 "-in", src_file
("sm2-csr.pem"),
76 "-out", "sm2-test.crt",
77 "-sigopt", "distid:1234567812345678",
78 "-vfyopt", "distid:1234567812345678",
80 "-cert", src_file
("sm2-root.crt"),
81 "-keyfile", src_file
("sm2-root.key")]))),
83 "Signing SM2 certificate request");
86 my $v3_cert = "v3-test.crt";
87 ok
(run
(app
(["openssl", "ca", "-batch", "-config", $cnf, "-extensions", "empty",
88 "-in", src_file
("x509-check.csr"), "-out", $v3_cert])));
89 # although no explicit extensions given:
90 has_version
($v3_cert, 3);
91 has_SKID
($v3_cert, 1);
92 has_AKID
($v3_cert, 1);
94 test_revoke
('notimes', {
97 test_revoke
('lastupdate_invalid', {
98 lastupdate
=> '1234567890',
101 test_revoke
('lastupdate_utctime', {
102 lastupdate
=> '200901123456Z',
105 test_revoke
('lastupdate_generalizedtime', {
106 lastupdate
=> '20990901123456Z',
109 test_revoke
('nextupdate_invalid', {
110 nextupdate
=> '1234567890',
113 test_revoke
('nextupdate_utctime', {
114 nextupdate
=> '200901123456Z',
117 test_revoke
('nextupdate_generalizedtime', {
118 nextupdate
=> '20990901123456Z',
121 test_revoke
('both_utctime', {
122 lastupdate
=> '200901123456Z',
123 nextupdate
=> '200908123456Z',
126 test_revoke
('both_generalizedtime', {
127 lastupdate
=> '20990901123456Z',
128 nextupdate
=> '20990908123456Z',
133 my ($filename, $opts) = @_;
135 subtest
"Revoke certificate and generate CRL: $filename" => sub {
136 # Before Perl 5.12.0, the range of times Perl could represent was
137 # limited by the size of time_t, so Time::Local was hamstrung by the
139 # Perl 5.12.0 onwards use an internal time implementation with a
140 # guaranteed >32-bit time range on all architectures, so the tests
141 # involving post-2038 times won't fail provided we're running under
142 # that version or newer
144 'Perl >= 5.12.0 required to run certificate revocation tests'
147 $ENV{CN2
} = $filename;
153 '-key', data_file
('revoked.key'),
154 '-out', "$filename-req.pem",
155 '-section', 'userreq',
166 '-in', "$filename-req.pem",
167 '-out', "$filename-cert.pem",
176 '-revoke', "$filename-cert.pem",
183 if (exists $opts->{lastupdate
}) {
184 push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate
};
187 if (exists $opts->{nextupdate
}) {
188 push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate
};
196 '-out', "$filename-crl.pem",
200 $opts->{should_succeed
},
203 my $crl_gentime = time;
205 # The following tests only need to run if the CRL was supposed to be
207 return unless $opts->{should_succeed
};
209 my $crl_lastupdate = crl_field
("$filename-crl.pem", 'lastUpdate');
210 if (exists $opts->{lastupdate
}) {
213 rfc5280_time
($opts->{lastupdate
}),
214 'CRL lastUpdate field has expected value'
217 diag
("CRL lastUpdate: $crl_lastupdate");
218 diag
("openssl run time: $crl_gentime");
220 # Is the CRL's lastUpdate time within a second of the time that
221 # `openssl ca -gencrl` was executed?
222 $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1,
223 'CRL lastUpdate field has (roughly) expected value'
227 my $crl_nextupdate = crl_field
("$filename-crl.pem", 'nextUpdate');
228 if (exists $opts->{nextupdate
}) {
231 rfc5280_time
($opts->{nextupdate
}),
232 'CRL nextUpdate field has expected value'
235 diag
("CRL nextUpdate: $crl_nextupdate");
236 diag
("openssl run time: $crl_gentime");
238 # Is the CRL's lastUpdate time within a second of the time that
239 # `openssl ca -gencrl` was executed, taking into account the use
241 $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61,
242 'CRL nextUpdate field has (roughly) expected value'
250 open(PIPE
, "|-", join(" ",@_));
251 local $SIG{PIPE
} = "IGNORE";
252 1 while $cntr-- > 0 && print PIPE
"y\n";
257 # Get the value of the lastUpdate or nextUpdate field from a CRL
259 my ($crl_path, $field_name) = @_;
266 '-' . lc($field_name),
269 statusvar
=> \
my $exit,
271 ok
($exit, "CRL $field_name field retrieved");
272 diag
("CRL $field_name: $out[0]");
274 $out[0] =~ s/^\Q$field_name\E=//;
276 my $time = human_time
($out[0]);
281 # Converts human-readable ASN1_TIME_print() output to Unix time
285 my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/;
288 Jan
=> 0, Feb
=> 1, Mar
=> 2, Apr
=> 3, May
=> 4, Jun
=> 5,
289 Jul
=> 6, Aug
=> 7, Sep
=> 8, Oct
=> 9, Nov
=> 10, Dec
=> 11,
292 return timegm
($s, $m, $h, $d, $months{$mo}, $y);
295 # Converts an RFC 5280 timestamp to Unix time
299 my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
301 return timegm
($s, $m, $h, $d, $mo - 1, $y);