1 | #! /usr/bin/perl |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use POSIX; | |
7 | use File::Spec::Functions qw/splitdir curdir catfile/; | |
8 | use File::Compare; | |
9 | use OpenSSL::Test qw/:DEFAULT cmdstr top_file/; |
10 | ||
setup('test_tsa');

# Shared state for the subroutines below.  The values are only filled in
# after the recipe has changed into its scratch directory (the indir block
# further down), but the variables must be declared at file scope so that
# every subroutine can see them.
my $testtsa;                    # this recipe's own path, used as data to be time-stamped
my $CAtsa;                      # path of the TSA test configuration file
my @RUN = qw(openssl ts);       # command prefix shared by every "openssl ts" call
18 | |
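# Create a server certificate signed by the test CA that the main part of
# this recipe generated (tsaca.pem / tsacakey.pem in the current directory).
# Whether the result is a TSA certificate or a plain one is decided by the
# extension section that is applied.
#
# Arguments:
#   $INDEX  suffix for the generated files tsa_req<INDEX>.pem,
#           tsa_key<INDEX>.pem and tsa_cert<INDEX>.pem
#   $EXT    name of the extension section in $ENV{OPENSSL_CONF} to apply
#
# Emits two Test::More results, one per openssl invocation.  Requires
# $ENV{OPENSSL_CONF} to point at the test configuration.
sub create_tsa_cert {
    my ($INDEX, $EXT) = @_;

    # TSDNSECT is presumably read by the test configuration to select the
    # request DN section (the main part of the recipe sets it to the CA DN
    # section first).  Override it only for the duration of this sub so the
    # caller's value is restored on return instead of leaking to later
    # commands.
    local $ENV{TSDNSECT} = "ts_cert_dn";

    ok(run(app(["openssl", "req", "-new",
                "-out", "tsa_req${INDEX}.pem",
                "-keyout", "tsa_key${INDEX}.pem"])),
       "creating request tsa_req${INDEX}.pem");
    note "using extension $EXT";
    # Sign with the test CA; the extensions come from the same configuration
    # file the rest of the recipe uses, selected by section name.
    ok(run(app(["openssl", "x509", "-req",
                "-in", "tsa_req${INDEX}.pem",
                "-out", "tsa_cert${INDEX}.pem",
                "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
                "-CAcreateserial",
                "-extfile", $ENV{OPENSSL_CONF}, "-extensions", $EXT])),
       "signing tsa_cert${INDEX}.pem with extension section $EXT");
}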
36 | ||
# Have the TSA answer the request in $queryfile and write the response to
# $outputfile.  Despite its name, $datafile is the name of the configuration
# section passed to "-section", not a data file.  Emits one Test::More
# result.
sub create_time_stamp_response {
    my ($queryfile, $outputfile, $datafile) = @_;

    my @reply_cmd = (@RUN, "-reply", "-section", $datafile,
                     "-queryfile", $queryfile, "-out", $outputfile);
    ok(run(app([@reply_cmd])));
}
45 | ||
# Verify the response in $inputfile twice: once against the original query
# in $queryfile and once against the raw data in $datafile.  Both checks
# trust tsaca.pem as the root and supply tsa_cert1.pem as untrusted chain
# material.  Emits two Test::More results.
sub verify_time_stamp_response {
    my ($queryfile, $inputfile, $datafile) = @_;

    # Trailing options shared by both verification runs.
    my @trust_opts = ("-in", $inputfile, "-CAfile", "tsaca.pem",
                      "-untrusted", "tsa_cert1.pem");

    ok(run(app([@RUN, "-verify", "-queryfile", $queryfile, @trust_opts])));
    ok(run(app([@RUN, "-verify", "-data", $datafile, @trust_opts])));
}
58 | ||
# Negative check: verifying the response in $inputfile against the query in
# $queryfile is expected to FAIL (the callers pair a response with a query
# it was not issued for).  Emits one Test::More result that passes only when
# "openssl ts -verify" reports failure, so a verifier that accepts a
# mismatched response is caught here.
sub verify_time_stamp_response_fail {
    my ($queryfile, $inputfile) = @_;

    my $verified = run(app([@RUN, "-verify", "-queryfile", $queryfile,
                            "-in", $inputfile, "-CAfile", "tsaca.pem",
                            "-untrusted", "tsa_cert1.pem"]));
    ok(!$verified);
}
67 | ||
68 | # main functions | |
69 | ||
1c73c3bc | 70 | plan tests => 20; |
88b8a527 | 71 | |
72 | note "setting up TSA test directory"; |
73 | indir "tsa" => sub | |
74 | { | |
75 | $ENV{OPENSSL_CONF} = top_file("test", "CAtsa.cnf"); |
76 | # Because that's what ../apps/CA.pl really looks at | |
b0700d2c | 77 | $ENV{OPENSSL_CONFIG} = "-config ".$ENV{OPENSSL_CONF}; |
78 | $ENV{OPENSSL} = cmdstr(app(["openssl"])); |
79 | $testtsa = top_file("test", "recipes", "80-test_tsa.t"); | |
80 | $CAtsa = top_file("test", "CAtsa.cnf"); | |
81 | ||
82 | SKIP: { |
83 | $ENV{TSDNSECT} = "ts_ca_dn"; | |
84 | skip "failed", 19 | |
85 | unless ok(run(app(["openssl", "req", "-new", "-x509", "-nodes", | |
86 | "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])), | |
87 | 'creating a new CA for the TSA tests'); | |
88 | ||
89 | skip "failed", 18 | |
90 | unless subtest 'creating tsa_cert1.pem TSA server cert' => sub { | |
91 | create_tsa_cert("1", "tsa_cert") | |
92 | }; | |
93 | ||
94 | skip "failed", 17 | |
95 | unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub { | |
96 | create_tsa_cert("2", "non_tsa_cert") | |
97 | }; | |
98 | ||
99 | skip "failed", 16 | |
100 | unless ok(run(app([@RUN, "-query", "-data", $testtsa, | |
101 | "-policy", "tsa_policy1", "-cert", | |
102 | "-out", "req1.tsq"])), | |
103 | 'creating req1.req time stamp request for file testtsa'); | |
104 | ||
105 | ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])), | |
106 | 'printing req1.req'); | |
107 | ||
108 | subtest 'generating valid response for req1.req' => sub { | |
109 | create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1") | |
110 | }; | |
111 | ||
112 | ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])), | |
113 | 'printing response'); | |
114 | ||
115 | subtest 'verifying valid response' => sub { | |
116 | verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa) | |
117 | }; | |
118 | ||
119 | skip "failed", 11 | |
120 | unless subtest 'verifying valid token' => sub { | |
121 | ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", | |
122 | "-out", "resp1.tsr.token", "-token_out"]))); | |
123 | ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq", | |
124 | "-in", "resp1.tsr.token", "-token_in", | |
125 | "-CAfile", "tsaca.pem", | |
126 | "-untrusted", "tsa_cert1.pem"]))); | |
127 | ok(run(app([@RUN, "-verify", "-data", $testtsa, | |
128 | "-in", "resp1.tsr.token", "-token_in", | |
129 | "-CAfile", "tsaca.pem", | |
130 | "-untrusted", "tsa_cert1.pem"]))); | |
131 | }; | |
132 | ||
133 | skip "failed", 10 | |
134 | unless ok(run(app([@RUN, "-query", "-data", $testtsa, | |
135 | "-policy", "tsa_policy2", "-no_nonce", | |
136 | "-out", "req2.tsq"])), | |
137 | 'creating req2.req time stamp request for file testtsa'); | |
138 | ||
139 | ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])), | |
140 | 'printing req2.req'); | |
141 | ||
142 | skip "failed", 8 | |
143 | unless subtest 'generating valid response for req2.req' => sub { | |
144 | create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1") | |
145 | }; | |
146 | ||
147 | skip "failed", 7 | |
148 | unless subtest 'checking -token_in and -token_out options with -reply' => sub { | |
149 | my $RESPONSE2="resp2.tsr.copy.tsr"; | |
150 | my $TOKEN_DER="resp2.tsr.token.der"; | |
151 | ||
152 | ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", | |
153 | "-out", "$TOKEN_DER", "-token_out"]))); | |
154 | ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER", | |
155 | "-token_in", "-out", "$RESPONSE2"]))); | |
156 | is(compare($RESPONSE2, "resp2.tsr"), 0); | |
157 | ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", | |
158 | "-text", "-token_out"]))); | |
159 | ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER", | |
160 | "-token_in", "-text", "-token_out"]))); | |
161 | ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq", | |
162 | "-text", "-token_out"]))); | |
163 | }; | |
164 | ||
165 | ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])), | |
166 | 'printing response'); | |
167 | ||
168 | subtest 'verifying valid response' => sub { | |
169 | verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa) | |
170 | }; | |
171 | ||
172 | subtest 'verifying response against wrong request, it should fail' => sub { | |
173 | verify_time_stamp_response_fail("req1.tsq", "resp2.tsr") | |
174 | }; | |
175 | ||
176 | subtest 'verifying response against wrong request, it should fail' => sub { | |
177 | verify_time_stamp_response_fail("req2.tsq", "resp1.tsr") | |
178 | }; | |
179 | ||
180 | skip "failure", 2 | |
181 | unless ok(run(app([@RUN, "-query", "-data", $CAtsa, | |
182 | "-no_nonce", "-out", "req3.tsq"])), | |
183 | "creating req3.req time stamp request for file CAtsa.cnf"); | |
184 | ||
185 | ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])), | |
186 | 'printing req3.req'); | |
187 | ||
188 | subtest 'verifying response against wrong request, it should fail' => sub { | |
189 | verify_time_stamp_response_fail("req3.tsq", "resp1.tsr") | |
190 | }; | |
88b8a527 | 191 | } |
1c73c3bc | 192 | }, create => 1, cleanup => 1 |