7 use File
::Spec
::Functions qw
/splitdir curdir catfile/;
9 use OpenSSL
::Test qw
/:DEFAULT cmdstr srctop_file/;
10 use OpenSSL
::Test
::Utils
;
14 plan skip_all
=> "TS is not supported by this OpenSSL build"
17 # All these are modified inside indir further down. They need to exist
18 # here, however, to be available in all subroutines.
21 my @RUN = ("openssl", "ts");
27 $ENV{TSDNSECT
} = "ts_cert_dn";
29 ok
(run
(app
(["openssl", "req", "-new",
30 "-out", "tsa_req${INDEX}.pem",
31 "-keyout", "tsa_key${INDEX}.pem"])));
32 note
"using extension $EXT";
33 ok
(run
(app
(["openssl", "x509", "-req",
34 "-in", "tsa_req${INDEX}.pem",
35 "-out", "tsa_cert${INDEX}.pem",
36 "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
38 "-extfile", $ENV{OPENSSL_CONF
}, "-extensions", $EXT])));
41 sub create_time_stamp_response
{
42 my $queryfile = shift;
43 my $outputfile = shift;
46 ok
(run
(app
([@RUN, "-reply", "-section", "$datafile",
47 "-queryfile", "$queryfile", "-out", "$outputfile"])));
50 sub verify_time_stamp_response
{
51 my $queryfile = shift;
52 my $inputfile = shift;
55 ok
(run
(app
([@RUN, "-verify", "-queryfile", "$queryfile",
56 "-in", "$inputfile", "-CAfile", "tsaca.pem",
57 "-untrusted", "tsa_cert1.pem"])));
58 ok
(run
(app
([@RUN, "-verify", "-data", "$datafile",
59 "-in", "$inputfile", "-CAfile", "tsaca.pem",
60 "-untrusted", "tsa_cert1.pem"])));
63 sub verify_time_stamp_response_fail
{
64 my $queryfile = shift;
65 my $inputfile = shift;
67 ok
(!run
(app
([@RUN, "-verify", "-queryfile", "$queryfile",
68 "-in", "$inputfile", "-CAfile", "tsaca.pem",
69 "-untrusted", "tsa_cert1.pem"])));
76 note
"setting up TSA test directory";
79 $ENV{OPENSSL_CONF
} = srctop_file
("test", "CAtsa.cnf");
80 # Because that's what ../apps/CA.pl really looks at
81 $ENV{OPENSSL_CONFIG
} = "-config ".$ENV{OPENSSL_CONF
};
82 $ENV{OPENSSL
} = cmdstr
(app
(["openssl"]), display
=> 1);
83 $testtsa = srctop_file
("test", "recipes", "80-test_tsa.t");
84 $CAtsa = srctop_file
("test", "CAtsa.cnf");
87 $ENV{TSDNSECT
} = "ts_ca_dn";
89 unless ok
(run
(app
(["openssl", "req", "-new", "-x509", "-nodes",
90 "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
91 'creating a new CA for the TSA tests');
94 unless subtest
'creating tsa_cert1.pem TSA server cert' => sub {
95 create_tsa_cert
("1", "tsa_cert")
99 unless subtest
'creating tsa_cert2.pem non-TSA server cert' => sub {
100 create_tsa_cert
("2", "non_tsa_cert")
104 unless ok
(run
(app
([@RUN, "-query", "-data", $testtsa,
105 "-tspolicy", "tsa_policy1", "-cert",
106 "-out", "req1.tsq"])),
107 'creating req1.req time stamp request for file testtsa');
109 ok
(run
(app
([@RUN, "-query", "-in", "req1.tsq", "-text"])),
110 'printing req1.req');
112 subtest
'generating valid response for req1.req' => sub {
113 create_time_stamp_response
("req1.tsq", "resp1.tsr", "tsa_config1")
116 ok
(run
(app
([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
117 'printing response');
119 subtest
'verifying valid response' => sub {
120 verify_time_stamp_response
("req1.tsq", "resp1.tsr", $testtsa)
124 unless subtest
'verifying valid token' => sub {
125 ok
(run
(app
([@RUN, "-reply", "-in", "resp1.tsr",
126 "-out", "resp1.tsr.token", "-token_out"])));
127 ok
(run
(app
([@RUN, "-verify", "-queryfile", "req1.tsq",
128 "-in", "resp1.tsr.token", "-token_in",
129 "-CAfile", "tsaca.pem",
130 "-untrusted", "tsa_cert1.pem"])));
131 ok
(run
(app
([@RUN, "-verify", "-data", $testtsa,
132 "-in", "resp1.tsr.token", "-token_in",
133 "-CAfile", "tsaca.pem",
134 "-untrusted", "tsa_cert1.pem"])));
138 unless ok
(run
(app
([@RUN, "-query", "-data", $testtsa,
139 "-tspolicy", "tsa_policy2", "-no_nonce",
140 "-out", "req2.tsq"])),
141 'creating req2.req time stamp request for file testtsa');
143 ok
(run
(app
([@RUN, "-query", "-in", "req2.tsq", "-text"])),
144 'printing req2.req');
147 unless subtest
'generating valid response for req2.req' => sub {
148 create_time_stamp_response
("req2.tsq", "resp2.tsr", "tsa_config1")
152 unless subtest
'checking -token_in and -token_out options with -reply' => sub {
153 my $RESPONSE2="resp2.tsr.copy.tsr";
154 my $TOKEN_DER="resp2.tsr.token.der";
156 ok
(run
(app
([@RUN, "-reply", "-in", "resp2.tsr",
157 "-out", "$TOKEN_DER", "-token_out"])));
158 ok
(run
(app
([@RUN, "-reply", "-in", "$TOKEN_DER",
159 "-token_in", "-out", "$RESPONSE2"])));
160 is
(compare
($RESPONSE2, "resp2.tsr"), 0);
161 ok
(run
(app
([@RUN, "-reply", "-in", "resp2.tsr",
162 "-text", "-token_out"])));
163 ok
(run
(app
([@RUN, "-reply", "-in", "$TOKEN_DER",
164 "-token_in", "-text", "-token_out"])));
165 ok
(run
(app
([@RUN, "-reply", "-queryfile", "req2.tsq",
166 "-text", "-token_out"])));
169 ok
(run
(app
([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
170 'printing response');
172 subtest
'verifying valid response' => sub {
173 verify_time_stamp_response
("req2.tsq", "resp2.tsr", $testtsa)
176 subtest
'verifying response against wrong request, it should fail' => sub {
177 verify_time_stamp_response_fail
("req1.tsq", "resp2.tsr")
180 subtest
'verifying response against wrong request, it should fail' => sub {
181 verify_time_stamp_response_fail
("req2.tsq", "resp1.tsr")
185 unless ok
(run
(app
([@RUN, "-query", "-data", $CAtsa,
186 "-no_nonce", "-out", "req3.tsq"])),
187 "creating req3.req time stamp request for file CAtsa.cnf");
189 ok
(run
(app
([@RUN, "-query", "-in", "req3.tsq", "-text"])),
190 'printing req3.req');
192 subtest
'verifying response against wrong request, it should fail' => sub {
193 verify_time_stamp_response_fail
("req3.tsq", "resp1.tsr")
196 }, create
=> 1, cleanup
=> 1